Abetear.A Virus and Trojans

H

headmotty

New member
Hi,

My virus software (avast) has been catching a lot of trojans trying to enter my system the last few days. It tells me that it's catching malware with names like this: Win32:Agent-HKJ, Win32:Downloader-FY, Win32:Spyware-gen, Win32:Adware-gen, Win32:Agent-FDG. I've also been getting alot of popups the last few days. Spybot reports the following problems: ErrorProtector, ErrorSafe, SystemDoctor2006, Virtuemonde, and Winsoftware. Smitfraud-C.Toolbar888 was there yesterday, but after fixing, it no longer is reported. So I fixed all of these in Spybot, but they are back, except for Smitfraud. I guess my browser is being hijacked to these malware sites.

Can I ask for help in getting this out of my system, please?


I did the eTrust online virus scan, here is what it reported:

File Infection Status Path
iskhesim.exe Win32/Abetear.A cannot cure C:\WINNT\SYSTEM32\
nccppdsc.exe Win32/Abetear.A cannot cure C:\WINNT\SYSTEM32\

Will just using the DELETE option on the eTrust site solve my problem, or is it more involved?

I went ahead and ran HJT. Strange, though...When I click the SAVE LOG button after the scan, there is nothing to tell me where the log was saved, and I don't see it anywhere, so I used the DO A SYSTEM SCAN AND SAVE A LOGFILE button. At the end of the scan, I get AN ERROR HAS OCCURRED - THE PROGRAM WILL BE CLOSED message, but the logfile is saved. So here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 17:31:17, on 2007/07/04
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\frxhser.exe
C:\WINNT\system32\frxhapp.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\imejpmgr.exe
C:\WINNT\System32\DSentry.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\WINNT\MXOALDR.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\WINNT\system32\conime.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\John Mottershead\デスクトップ\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1041,ラジオ(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [frxmxins] frxmxins
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [MXOBG] C:\WINNT\MXOALDR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINNT\system32\dkxcrjwk.dll",forkonce
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: FGLRXUTIL (FGLRXUtil) - ATI Technologies, Inc. - C:\WINNT\System32\frxhser.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

I hope this allows you to get started. Thanks in advance for your help.
 
Hi

Rename HijackThis.exe file -> scanner.exe and post a fresh hjt log.
 
Thanks, Blade, for helping me out. Here's the fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 13:35:59, on 2007/07/05
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\frxhser.exe
C:\WINNT\system32\frxhapp.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\system32\imejpmgr.exe
C:\WINNT\System32\DSentry.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\WINNT\MXOALDR.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\TOSHIBA\MobilePhoneConnectivity\My Mobile\SyncML Desktop Server\SyncMLDesktopServer.exe
C:\Program Files\TOSHIBA\MobilePhoneConnectivity\My Mobile\SyncML Desktop Server\SyncController.exe
C:\Program Files\TOSHIBA\MobilePhoneConnectivity\My Mobile\Phone Monitor\epmworker.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\John Mottershead\デスクトップ\scanner.exe.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IDN Helper Object - {118CE65F-5D86-4AEA-A9BD-94F92B89119F} - C:\WINNT\DOWNLO~1\CNSMIN~1.DLL
O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINNT\system32\ebwthkgw.dll
O2 - BHO: (no name) - {43CBE820-B564-4B5A-BD5E-F365C19E445C} - C:\WINNT\system32\rqrrpom.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6351C3FC-D26A-45C3-815C-55CCD0AF79D5} - C:\WINNT\system32\vtstt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1041,ラジオ(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [frxmxins] frxmxins
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [MXOBG] C:\WINNT\MXOALDR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINNT\system32\lytnvnjd.dll",forkonce
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O20 - Winlogon Notify: rqrrpom - C:\WINNT\SYSTEM32\rqrrpom.dll
O20 - Winlogon Notify: vtstt - C:\WINNT\system32\vtstt.dll
O20 - Winlogon Notify: winbug32 - C:\WINNT\SYSTEM32\winbug32.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: FGLRXUTIL (FGLRXUtil) - ATI Technologies, Inc. - C:\WINNT\System32\frxhser.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
 
Hi

1. Download this file -
combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your
next reply together with a fresh hjt log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause
it to stall
 
combofix log:

"John Mottershead" - 2007-07-06 11:01:04 - ComboFix 07-07-04.4 - Service Pack 4


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\cmgbbduh.dll
C:\WINNT\system32\dkxcrjwk.dll
C:\WINNT\system32\ebwthkgw.dll
C:\WINNT\system32\lytnvnjd.dll
C:\WINNT\system32\ddcdecy.dll
C:\WINNT\system32\tuvtroo.dll
C:\WINNT\system32\tuvvuvt.dll
C:\WINNT\system32\xxyayax.dll
C:\WINNT\system32\winbug32.dll
C:\WINNT\SYSTEM32\kwjrcxkd.ini
C:\WINNT\SYSTEM32\djnvntyl.ini
C:\WINNT\SYSTEM32\ttstv.bak1
C:\WINNT\SYSTEM32\ttstv.bak2
C:\WINNT\SYSTEM32\ttstv.ini
C:\WINNT\system32\vtstt.dll
C:\WINNT\system32\rqrrpom.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\cnsinfo.dat
C:\WINNT\DOWNLO~1.\Temp
C:\WINNT\DOWNLO~1\CnsMinCg.ini
C:\WINNT\DOWNLO~1\CnsMinIdn.cab
C:\WINNT\DOWNLO~1\CnsMinIdn.dll
C:\WINNT\DOWNLO~1\CnsUp.ini
C:\WINNT\system32\iskhesim.exe
C:\WINNT\system32\nccppdsc.exe


((((((((((((((((((((((((( Files Created from 2007-06-06 to 2007-07-06 )))))))))))))))))))))))))))))))


2007-07-06 11:04 16,384 --a----t- C:\WINNT\SYSTEM32\Perflib_Perfdata_214.dat
2007-07-06 10:52 51,200 --a------ C:\WINNT\nircmd.exe
2007-07-05 13:23 4,672 --a------ C:\WINNT\SYSTEM32\tluglbnu.exe
2007-07-05 13:14 4,672 --a------ C:\WINNT\SYSTEM32\rpqqggnp.exe
2007-07-04 15:01 106 --a------ C:\delete.bat
2007-07-04 13:20 4,672 --a------ C:\WINNT\SYSTEM32\hbxjivxt.exe
2007-07-04 13:17 4,672 --a------ C:\WINNT\SYSTEM32\kwrreorw.exe
2007-07-03 15:01 <DIR> d-a------ C:\WINNT\SYSTEM32\Windows Media
2007-07-03 15:00 <DIR> d--h-c--- C:\WINNT\$NtUpdateRollupPackUninstall$
2007-07-03 14:58 <DIR> d--h-c--- C:\WINNT\$SQLUninstallMDAC27SP1-KB927779-x86-JPN$
2007-07-03 14:55 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-07-03 13:14 4,672 --a------ C:\WINNT\SYSTEM32\paxuhwdx.exe
2007-07-02 13:17 4,672 --a------ C:\WINNT\SYSTEM32\wnoubqud.exe
2007-06-20 13:18 7,536 --a------ C:\WINNT\loadqm.exe
2007-06-20 13:18 48,224 --a------ C:\WINNT\SYSTEM32\progdl.dll
2007-06-20 13:18 <DIR> d-------- C:\Program Files\Microsoft Money 2006
2007-06-17 13:32 <DIR> d-------- C:\WINNT\winsxs
2007-06-10 00:14 <DIR> d-------- C:\MaHa
2007-06-07 10:00 <DIR> d-a------ C:\WINNT\SYSTEM32\SoftwareDistribution


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-01 16:10:03 -------- d-----w C:\DOCUME~1\JOHNMO~1\APPLIC~1\uTorrent
2007-06-30 14:09:06 44,616 ----a-w C:\DOCUME~1\JOHNMO~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-05-04 06:46:39 3,082 ----a-w C:\WINNT\system32\affv9869p2now.sys
2007-04-30 15:46:10 745,600 ----a-w C:\WINNT\system32\aswBoot.exe
2007-04-30 15:35:28 95,872 ----a-w C:\WINNT\system32\AVASTSS.scr
2007-04-25 07:52:16 147,216 ----a-w C:\WINNT\system32\SCHANNEL.DLL
2007-04-16 13:47:36 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-04-16 13:45:54 1,710,936 ----a-w C:\WINNT\system32\wuaueng.dll
2007-04-16 13:45:48 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-04-16 13:45:42 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-04-16 13:45:36 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-04-16 13:45:28 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-04-16 13:45:20 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-04-16 13:45:20 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-04-16 12:44:45 54,032 ----a-w C:\WINNT\system32\mpr.dll
2007-04-13 11:49:00 0 ----a-w C:\svcipa.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
06-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
05-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-20 04:05 C:\WINNT\SYSTEM32\mobsync.exe]
"frxmxins"="frxmxins" []
"POINTER"="point32.exe" []
"CreateCD50"="C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" [05-09-24 17:20 ]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [05-09-24 17:20 ]
"MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" [04-12-22 08:21 ]
"RetroExpress"="C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe" [04-07-30 15:47 ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07-05-01 00:42 ]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [06-01-12 15:40 ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [07-05-11 03:06 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [01-02-21 02:09 C:\WINNT\SYSTEM32\CTFMON.EXE]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Internat.exe"=internat.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
WmdmPmSN

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-06 11:05:22
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-06 11:06:47 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-07-06 11:06

--- E O F ---





and the hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 11:16:25, on 2007/07/06
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\frxhser.exe
C:\WINNT\system32\frxhapp.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\conime.exe
C:\WINNT\system32\imejpmgr.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\TOSHIBA\MobilePhoneConnectivity\My Mobile\SyncML Desktop Server\SyncMLDesktopServer.exe
C:\Program Files\TOSHIBA\MobilePhoneConnectivity\My Mobile\SyncML Desktop Server\SyncController.exe
C:\Program Files\TOSHIBA\MobilePhoneConnectivity\My Mobile\Phone Monitor\epmworker.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\John Mottershead\デスクトップ\scanner.exe.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1041,ラジオ(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [frxmxins] frxmxins
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: FGLRXUTIL (FGLRXUtil) - ATI Technologies, Inc. - C:\WINNT\System32\frxhser.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
 
Hi

Open notepad and copy/paste the text in the quotebox below into it:

Code: 
File::
C:\WINNT\SYSTEM32\tluglbnu.exe
C:\WINNT\SYSTEM32\rpqqggnp.exe
C:\WINNT\SYSTEM32\hbxjivxt.exe
C:\WINNT\SYSTEM32\kwrreorw.exe
C:\WINNT\SYSTEM32\paxuhwdx.exe
C:\WINNT\SYSTEM32\wnoubqud.exe
C:\svcipa.exe


Save this as
CFScript


CFScript.gif


Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
 
OK, here is the fresh combofix log:


"John Mottershead" - 2007/07/06 20:51:22 - ComboFix 07-07-04.4 - Service Pack 4
Command switches used :: C:\Documents and Settings\John Mottershead\デスクトップ\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\svcipa.exe
C:\WINNT\SYSTEM32\hbxjivxt.exe
C:\WINNT\SYSTEM32\kwrreorw.exe
C:\WINNT\SYSTEM32\paxuhwdx.exe
C:\WINNT\SYSTEM32\rpqqggnp.exe
C:\WINNT\SYSTEM32\tluglbnu.exe
C:\WINNT\SYSTEM32\wnoubqud.exe


((((((((((((((((((((((((( Files Created from 2007-06-06 to 2007-07-06 )))))))))))))))))))))))))))))))


2007-07-06 11:06 16,384 --a----t- C:\WINNT\SYSTEM32\Perflib_Perfdata_5c4.dat
2007-07-06 11:04 16,384 --a----t- C:\WINNT\SYSTEM32\Perflib_Perfdata_214.dat
2007-07-06 10:52 51,200 --a------ C:\WINNT\nircmd.exe
2007-07-04 15:01 106 --a------ C:\delete.bat
2007-07-03 15:01 <DIR> d-a------ C:\WINNT\SYSTEM32\Windows Media
2007-07-03 15:00 <DIR> d--h-c--- C:\WINNT\$NtUpdateRollupPackUninstall$
2007-07-03 14:58 <DIR> d--h-c--- C:\WINNT\$SQLUninstallMDAC27SP1-KB927779-x86-JPN$
2007-07-03 14:55 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-06-20 13:18 7,536 --a------ C:\WINNT\loadqm.exe
2007-06-20 13:18 48,224 --a------ C:\WINNT\SYSTEM32\progdl.dll
2007-06-20 13:18 <DIR> d-------- C:\Program Files\Microsoft Money 2006
2007-06-17 13:32 <DIR> d-------- C:\WINNT\winsxs
2007-06-10 00:14 <DIR> d-------- C:\MaHa
2007-06-07 10:00 <DIR> d-a------ C:\WINNT\SYSTEM32\SoftwareDistribution


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-01 16:10:03 -------- d-----w C:\DOCUME~1\JOHNMO~1\APPLIC~1\uTorrent
2007-06-30 14:09:06 44,616 ----a-w C:\DOCUME~1\JOHNMO~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-05-04 06:46:39 3,082 ----a-w C:\WINNT\system32\affv9869p2now.sys
2007-04-30 15:46:10 745,600 ----a-w C:\WINNT\system32\aswBoot.exe
2007-04-30 15:35:28 95,872 ----a-w C:\WINNT\system32\AVASTSS.scr
2007-04-25 07:52:16 147,216 ----a-w C:\WINNT\system32\SCHANNEL.DLL
2007-04-16 13:47:36 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-04-16 13:45:54 1,710,936 ----a-w C:\WINNT\system32\wuaueng.dll
2007-04-16 13:45:48 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-04-16 13:45:42 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-04-16 13:45:36 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-04-16 13:45:28 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-04-16 13:45:20 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-04-16 13:45:20 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-04-16 12:44:45 54,032 ----a-w C:\WINNT\system32\mpr.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
06/10/22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
05/05/31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03/06/20 04:05 C:\WINNT\SYSTEM32\mobsync.exe]
"frxmxins"="frxmxins" []
"POINTER"="point32.exe" []
"CreateCD50"="C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" [05/09/24 17:20 ]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [05/09/24 17:20 ]
"MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" [04/12/22 08:21 ]
"RetroExpress"="C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe" [04/07/30 15:47 ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07/05/01 00:42 ]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [06/01/12 15:40 ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [07/05/11 03:06 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [01/02/21 02:09 C:\WINNT\SYSTEM32\CTFMON.EXE]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Internat.exe"=internat.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
WmdmPmSN

*Newly Created Service* - CATCHME
*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-06 20:52:38
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

\ComboFix\sed.cfexe [1424] 0x84C37020


scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007/07/06 20:53:17
C:\ComboFix-quarantined-files.txt ... 07/07/06 20:53
C:\ComboFix2.txt ... 07/07/06 11:06

--- E O F ---
 
Yes, sir. Here you are:


Logfile of HijackThis v1.99.1
Scan saved at 21:55:10, on 2007/07/06
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\frxhser.exe
C:\WINNT\system32\frxhapp.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\system32\imejpmgr.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINNT\system32\conime.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\John Mottershead\デスクトップ\scanner.exe.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1041,ラジオ(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [frxmxins] frxmxins
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: FGLRXUTIL (FGLRXUtil) - ATI Technologies, Inc. - C:\WINNT\System32\frxhser.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
 
Hi

Looking good. :) Better do after scan with Kaspersky Web scanner.

Please do an online scan with
Kaspersky
WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky,
Click Yes.
  • The program will launch and then begin downloading the latest
    definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended (if available otherwise
      Standard)
    • Scan Options:
    • Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been
    infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

If having a problme doing the above

Make sure that your Internet security settings are set to default values.

To set default security settings for Internet Explorer:

* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four item (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.
 
Here is the Kaspersky scan log:


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, July 06, 2007 11:33:26 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 6/07/2007
Kaspersky Anti-Virus database records: 359000
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 85021
Number of viruses found: 5
Number of infected objects: 16 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:45:02

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\John Mottershead\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\John Mottershead\Local Settings\Application Data\ApplicationHistory\RetroExpress.exe.ef08464a.ini.inuse Object is locked skipped
C:\Documents and Settings\John Mottershead\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\John Mottershead\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\John Mottershead\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\John Mottershead\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\John Mottershead\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\John Mottershead\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Nero\Nero 7\Nero.v7.7.5.1.Multilingual.Incl.Keymaker\Nero-7.7.5.1_all_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\Nero\Nero 7\Nero.v7.7.5.1.Multilingual.Incl.Keymaker\Nero-7.7.5.1_all_trial.exe RAR: infected - 1 skipped
C:\QooBox\Quarantine\C\WINNT\SYSTEM32\ddcdecy.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINNT\SYSTEM32\hbxjivxt.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINNT\SYSTEM32\iskhesim.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\WINNT\SYSTEM32\kwrreorw.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINNT\SYSTEM32\nccppdsc.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\WINNT\SYSTEM32\paxuhwdx.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINNT\SYSTEM32\rpqqggnp.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINNT\SYSTEM32\rqrrpom.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINNT\SYSTEM32\tluglbnu.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINNT\SYSTEM32\tuvtroo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINNT\SYSTEM32\tuvvuvt.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINNT\SYSTEM32\winbug32.dll.vir Infected: Trojan.Win32.Dialer.qn skipped
C:\QooBox\Quarantine\C\WINNT\SYSTEM32\wnoubqud.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINNT\SYSTEM32\xxyayax.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\sti.log Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\Antivirus.Evt Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SYSTEM.ALT Object is locked skipped
C:\WINNT\SYSTEM32\Perflib_Perfdata_214.dat Object is locked skipped
C:\WINNT\SYSTEM32\Perflib_Perfdata_5c4.dat Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.
 
Hi

You can now delete ComboFix.exe file and C:\QooBox folder.


Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
Change the allow paste operations via script to Disable
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

  • Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
  • Download Adaware
    Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks.
    The program is available for download here
  • Download SpywareBlaster
    Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes
    kill bits
    in the registry, so that certain activex controls can't install.
    If you don't know what activex controls are, see here
    You can download SpywareBlaster here here
    SpywareBlaster tutorial
  • Download iespyad
    It puts many bad webpages on your restricted zones list. This means that you can still view the
    bad
    webpages, but the webpages cannot do certain things (such as use javascripts and cookies).
    If you need help understanding how it works, there is a tutorial here
    Download it here
  • hosts file:
    • Every version of windows has a hosts file as part of them.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. [*]Click the start button (at the lower left hand corner of your screen) [*]Click run [*]In the dialog box, type services.msc [*]hit enter, then locate dns client [*]Highlight it, then double-click it. [*]On the dropdown box, change the setting from automatic to manual. [*]Click ok
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
    See here to choose one


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Run the spybot and adaware regularly. (Once or twice a week minimum.)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Stand up and be Counted.
NOW is the time you can start to hit back at the people who infected you.

Please take the time to go and complain - that forum has a topic for your infection which is Vundo please post as a reply, you do not need to register to do so (but you can if you wish). It will also have a list of other places you can go to to register your complaint, depending on the country you are resident in. Please read the topics and complain, it is only with such complaints to goverment or government agances that something will get done.
Click to expand...

Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
 
Blade, a thousand thank yous to you. The anti-virus trojan alerts, popups, and browser crashes actually stopped after the first ComboFix scan, and nothing new yet.

Thanks also for all of the security setting tips you've given me. I'll definitely follow your recommendations to the T.

I'll see how the computer acts for a day or so and post back here with a final update for you.

Again, thanks so much! Is it possible for you to download beer?, 'cause I'd definitely like to email you one!

Cheers!
 
It's been a day and a half since completing the procedure you talked me through, and still no popups,browser crashes, etc. like I was having before. But, I just ran a SpyBot scan, and it's given me the longest list of problems that I think I've ever gotten, including new names that I'm pretty sure I've never gotten before. Should I be concerned about this? Is it OK to go ahead and "Fix selected problems" in SpyBot?
 
Hi

I have usually fixed all reported things. Of course we can check the report if you want to post it (if it doesn't fit into one post then use Manage Attachments function in Additional options part in Reply to Topic window).
 
I think I spoke too soon. After getting the right combination of virus/spyware scanners and firewall set up, it actually looks pretty good now - I think you can mark this case closed.

Thanks again for all your help, Blade!
 
You're welcome

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
 
You must log in or register to reply here.
Back
Top