awvvt.dll infected --- unable to remove

E

erice

New member
Hi,

awvvt.dll got infected with Trojan Horse virus. I have attempted to remove the DLL with VundoFix but removal failed. Here is the VundoFix log:



VundoFix V6.3.21

Checking Java version...

Scan started at 11:29:26 PM 5/4/2007

Listing files found while scanning....

C:\WINNT\system32\awturrp.dll
C:\WINNT\system32\awvvt.dll
C:\WINNT\system32\qlvnxaym.dll
C:\WINNT\system32\rqrollk.dll
C:\WINNT\system32\tvvwa.bak1
C:\WINNT\system32\tvvwa.bak2
C:\WINNT\system32\tvvwa.ini

Beginning removal...

Attempting to delete C:\WINNT\system32\awvvt.dll
C:\WINNT\system32\awvvt.dll Could not be deleted.

Attempting to delete C:\WINNT\system32\rqrollk.dll
C:\WINNT\system32\rqrollk.dll Has been deleted!

Attempting to delete C:\WINNT\system32\tvvwa.bak1
C:\WINNT\system32\tvvwa.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\tvvwa.bak2
C:\WINNT\system32\tvvwa.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\tvvwa.ini
C:\WINNT\system32\tvvwa.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINNT\system32\awvvt.dll
C:\WINNT\system32\awvvt.dll Could not be deleted.

Attempting to delete C:\WINNT\system32\tvvwa.ini
C:\WINNT\system32\tvvwa.ini Has been deleted!

Performing Repairs to the registry.
Done!


Another attempt at removal failed after reboot.


Please help!!!
 
Hi,

Here is what I have done:

1. Results of eTrust Antivirus Web Scanner:


Scan Results: 118303 files scanned. 10 viruses were detected.

File Infection Status Path

wr-1-2000219.exe Win32/Matcash.W
deleted C:\Documents and Settings\Eric\Local Settings\Temp\

netmon.exe Win32/NetMon.A
cannot delete C:\Program Files\Network Monitor\

Click Here.exe Win32/Luder.AG
deleted C:\Program Files\Qualcomm\Eudora\Embedded\

Read More.exe Win32/Luder.AG
deleted C:\Program Files\Qualcomm\Eudora\Embedded\

Read More1.exe Win32/Luder.AG
deleted C:\Program Files\Qualcomm\Eudora\Embedded\

With Love.exe Win32/Luder.AF
deleted C:\Program Files\Qualcomm\Eudora\Embedded\

awvvt.dll.bad Win32/Vundo!generic
infected C:\VundoFix Backups\

rqrollk.dll.bad Win32/Chisyne!generic
infected C:\VundoFix Backups\

retadpu2000219.exe.tmp Win32/Matcash.U
deleted C:\WINNT\

awvvt.dll Win32/Vundo!generic
cannot delete C:\WINNT\system32\


2. Results of running Spybot-S&D:


I reboted and re-run Spybot-S&D several times but it was not able to remove Smitfraud-C.Toolbar888 in C:\WINNT\system32\awvvt.dll

3. HiJackThis log

I tried several times running HiJackThis. Scan would complete, but every time I would press "Save Log", HiJackThis just terminates without generating a log.

Thank you for your help.
 
I have rerun HijackThis and instead of selecting "None of the above...", selected "Do a system scan and save a logfile". The program crashed with and error log

Here is the error log generated:

Logfile of HijackThis v1.99.1
Scan saved at 12:06:23 AM, on 5/9/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Dev\Tools\Apache Group\Apache2\bin\Apache.exe
C:\Dev\Tools\Apache Group\Apache2\bin\Apache.exe
C:\Dev\Tools\IBM\SQLLIB\BIN\db2jds.exe
C:\Dev\Tools\IBM\SQLLIB\BIN\db2sec.exe
C:\Dev\Tools\IBM\SQLLIB\bin\db2dasstm.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nutsrv4.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\OSITIS~1\WINPRO~1\WPService.exe
C:\WINNT\System32\mspmspsv.exe
C:\PROGRA~1\OSITIS~1\WINPRO~1\WinProxy.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Dev\Tools\IBM\SQLLIB\bin\db2fmp.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\DOCUME~1\Eric\APPLIC~1\DOBE~1\wuauclt.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\WINNT\system32\?racle\?ti2evxx.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Symantec\ACT\ACTLDR.EXE
C:\Dev\Tools\Apache Group\Apache2\bin\ApacheMonitor.exe
E:\Program Files\Intuit\QUICKENW\QWDLLS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\TEXTPA~1\TextPad.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
M:\Downloads\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hispeed.rogers.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\DEV\TOOLS\RATIONAL\RATION~1\NUTCROOT\bin\ncoeenv.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QBCD Autorun] F:\autorun.exe restart 5 1
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\WINNT\retadpu2000219.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINNT\system32\oobadhjs.dll",realset
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RogersAgent] c:\program files\Rogers\SelfHealing\RogersAgent.exe
O4 - HKCU\..\Run: [Hela] "C:\DOCUME~1\Eric\APPLIC~1\DOBE~1\wuauclt.exe" -vt yazb
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [Sgjec] "C:\Documents and Settings\Eric\My Documents\?icrosoft\d?dplay.exe"
O4 - HKCU\..\Run: [Ctrzan] C:\WINNT\system32\?racle\?ti2evxx.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: ACT! Speed Loader.lnk = C:\Program Files\Symantec\ACT\ACTLDR.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = E:\Program Files\Intuit\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Dev\Tools\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Quicken Startup.lnk = E:\Program Files\Intuit\QUICKENW\QWDLLS.EXE
O4 - Global Startup: startupb.lnk = C:\Bin\startupb.bat
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hispeed.rogers.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://pix.futureshop.ca/en/ImageUploader4.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D57262F5-9637-4E67-BC59-88C53EA76FC3} (ULcontrol Control) - http://pix.futureshop.ca/en/ulcontrol.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = winamerica.worldinsure.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D7610B4-D8BE-4BF4-A1F0-DFBF8350A6ED}: NameServer = 24.153.22.195,24.153.22.67
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = winamerica.worldinsure.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = winamerica.worldinsure.com
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Dev\Tools\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: DB2 - DB2 (DB2) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\bin\db2syscs.exe
O23 - Service: DB2DAS - DB2DAS00 (DB2DAS00) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\\bin\db2dasrrm.exe
O23 - Service: DB2 Governor (DB2GOVERNOR) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2govds.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: DB2 Remote Command Server (DB2REMOTECMD) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2rcmd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM HTTP Administration 1.3.26 (IBMHTTPAdministration1.3.26) - Unknown owner - C:\Dev\Tools\IBM\IBMHttpServer\apache.exe" --ntservice (file missing)
O23 - Service: IBM HTTP Server 1.3.26 (IBMHTTPServer1.3.26) - Unknown owner - C:\Dev\Tools\IBM\IBMHttpServer\apache.exe" --ntservice (file missing)
O23 - Service: IBM WebSphere Application Server V5 - server1 (IBMWAS5Service - server1) - Unknown owner - C:\Dev\Tools\IBM\WebSphere\AppServer\bin\wasservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINNT\System32\nutsrv4.exe
O23 - Service: OracleOraHome081ClientCache - Unknown owner - C:\Dev\Tools\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\Dev\Oracle\Ora81\BIN\ONRSD.EXE (file missing)
O23 - Service: WebSphere Embedded Messaging Publish And SubscribeWAS_CompaqWI_server1 (WebSphereEmbeddedMessagingPublishAndSubscribeWAS_CompaqWI_server1) - Unknown owner - C:/Dev/Tools/IBM/WebSphere MQ/WEMPS/bin/bipservice.exe (file missing)
O23 - Service: WinProxy - Unknown owner - C:\PROGRA~1\OSITIS~1\WINPRO~1\WPService.exe
 
Hi erice

Rename HijackThis.exe to scanner.exe and post back a fresh HijackThis log, please :)
 
Hi Shaba,

Here is the log.

Logfile of HijackThis v1.99.1
Scan saved at 11:58:54 PM, on 5/14/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Dev\Tools\Apache Group\Apache2\bin\Apache.exe
C:\Dev\Tools\Apache Group\Apache2\bin\Apache.exe
C:\Dev\Tools\IBM\SQLLIB\BIN\db2jds.exe
C:\Dev\Tools\IBM\SQLLIB\BIN\db2sec.exe
C:\Dev\Tools\IBM\SQLLIB\bin\db2dasstm.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nutsrv4.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\OSITIS~1\WINPRO~1\WPService.exe
C:\WINNT\System32\mspmspsv.exe
C:\PROGRA~1\OSITIS~1\WINPRO~1\WinProxy.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Dev\Tools\IBM\SQLLIB\bin\db2fmp.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\DOCUME~1\Eric\APPLIC~1\DOBE~1\wuauclt.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Symantec\ACT\ACTLDR.EXE
C:\Dev\Tools\Apache Group\Apache2\bin\ApacheMonitor.exe
E:\Program Files\Intuit\QUICKENW\QWDLLS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\?racle\?ti2evxx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
M:\Downloads\HijackThis\scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hispeed.rogers.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {43EBA266-14F6-3C76-F24F-6CE33BE3F9BB} - C:\WINNT\system32\zqkv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - e:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {62234B8E-E8AA-4472-8EBD-87507BEC052D} - C:\WINNT\system32\awvvt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINNT\system32\wmjdfhsb.dll
O2 - BHO: (no name) - {FDE2C2F4-1C2A-4379-9CFA-22AD886539A0} - C:\WINNT\system32\xwswmhos.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\DEV\TOOLS\RATIONAL\RATION~1\NUTCROOT\bin\ncoeenv.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QBCD Autorun] F:\autorun.exe restart 5 1
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\WINNT\retadpu2000219.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINNT\system32\mqwopmyr.dll",realset
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RogersAgent] c:\program files\Rogers\SelfHealing\RogersAgent.exe
O4 - HKCU\..\Run: [Hela] "C:\DOCUME~1\Eric\APPLIC~1\DOBE~1\wuauclt.exe" -vt yazb
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [Sgjec] "C:\Documents and Settings\Eric\My Documents\?icrosoft\d?dplay.exe"
O4 - HKCU\..\Run: [Ctrzan] C:\WINNT\system32\?racle\?ti2evxx.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: ACT! Speed Loader.lnk = C:\Program Files\Symantec\ACT\ACTLDR.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = E:\Program Files\Intuit\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Dev\Tools\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Quicken Startup.lnk = E:\Program Files\Intuit\QUICKENW\QWDLLS.EXE
O4 - Global Startup: startupb.lnk = C:\Bin\startupb.bat
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hispeed.rogers.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://pix.futureshop.ca/en/ImageUploader4.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D57262F5-9637-4E67-BC59-88C53EA76FC3} (ULcontrol Control) - http://pix.futureshop.ca/en/ulcontrol.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = winamerica.worldinsure.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D7610B4-D8BE-4BF4-A1F0-DFBF8350A6ED}: NameServer = 24.153.22.195,24.153.22.67
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = winamerica.worldinsure.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = winamerica.worldinsure.com
O20 - Winlogon Notify: awturrp - awturrp.dll (file missing)
O20 - Winlogon Notify: awvvt - C:\WINNT\system32\awvvt.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Dev\Tools\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: DB2 - DB2 (DB2) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\bin\db2syscs.exe
O23 - Service: DB2DAS - DB2DAS00 (DB2DAS00) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\\bin\db2dasrrm.exe
O23 - Service: DB2 Governor (DB2GOVERNOR) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2govds.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: DB2 Remote Command Server (DB2REMOTECMD) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2rcmd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM HTTP Administration 1.3.26 (IBMHTTPAdministration1.3.26) - Unknown owner - C:\Dev\Tools\IBM\IBMHttpServer\apache.exe" --ntservice (file missing)
O23 - Service: IBM HTTP Server 1.3.26 (IBMHTTPServer1.3.26) - Unknown owner - C:\Dev\Tools\IBM\IBMHttpServer\apache.exe" --ntservice (file missing)
O23 - Service: IBM WebSphere Application Server V5 - server1 (IBMWAS5Service - server1) - Unknown owner - C:\Dev\Tools\IBM\WebSphere\AppServer\bin\wasservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINNT\System32\nutsrv4.exe
O23 - Service: OracleOraHome081ClientCache - Unknown owner - C:\Dev\Tools\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\Dev\Oracle\Ora81\BIN\ONRSD.EXE (file missing)
O23 - Service: WebSphere Embedded Messaging Publish And SubscribeWAS_CompaqWI_server1 (WebSphereEmbeddedMessagingPublishAndSubscribeWAS_CompaqWI_server1) - Unknown owner - C:/Dev/Tools/IBM/WebSphere MQ/WEMPS/bin/bipservice.exe (file missing)
O23 - Service: WinProxy - Unknown owner - C:\PROGRA~1\OSITIS~1\WINPRO~1\WPService.exe



Thank you.
 
Hi

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
 
Hi Shaba,

Here are the logs:

VundoFix V6.3.21

Checking Java version...

Scan started at 11:29:26 PM 5/4/2007

Listing files found while scanning....

C:\WINNT\system32\awturrp.dll
C:\WINNT\system32\awvvt.dll
C:\WINNT\system32\qlvnxaym.dll
C:\WINNT\system32\rqrollk.dll
C:\WINNT\system32\tvvwa.bak1
C:\WINNT\system32\tvvwa.bak2
C:\WINNT\system32\tvvwa.ini

Beginning removal...

Attempting to delete C:\WINNT\system32\awvvt.dll
C:\WINNT\system32\awvvt.dll Could not be deleted.

Attempting to delete C:\WINNT\system32\rqrollk.dll
C:\WINNT\system32\rqrollk.dll Has been deleted!

Attempting to delete C:\WINNT\system32\tvvwa.bak1
C:\WINNT\system32\tvvwa.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\tvvwa.bak2
C:\WINNT\system32\tvvwa.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\tvvwa.ini
C:\WINNT\system32\tvvwa.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINNT\system32\awvvt.dll
C:\WINNT\system32\awvvt.dll Could not be deleted.

Attempting to delete C:\WINNT\system32\tvvwa.ini
C:\WINNT\system32\tvvwa.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.21

Checking Java version...

Scan started at 9:02:01 PM 5/15/2007

Listing files found while scanning....

C:\WINNT\system32\awvvt.dll
C:\WINNT\system32\fqgxgjmk.dll
C:\WINNT\system32\htmgqhux.dll
C:\WINNT\system32\qeqyrhul.dll
C:\WINNT\system32\tvvwa.bak1
C:\WINNT\system32\tvvwa.bak2
C:\WINNT\system32\tvvwa.ini
C:\WINNT\system32\tvvwa.ini2
C:\WINNT\system32\tvvwa.tmp

Beginning removal...

Attempting to delete C:\WINNT\system32\awvvt.dll
C:\WINNT\system32\awvvt.dll Could not be deleted.

Attempting to delete C:\WINNT\system32\fqgxgjmk.dll
C:\WINNT\system32\fqgxgjmk.dll Has been deleted!

Attempting to delete C:\WINNT\system32\htmgqhux.dll
C:\WINNT\system32\htmgqhux.dll Has been deleted!

Attempting to delete C:\WINNT\system32\qeqyrhul.dll
C:\WINNT\system32\qeqyrhul.dll Has been deleted!

Attempting to delete C:\WINNT\system32\tvvwa.bak1
C:\WINNT\system32\tvvwa.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\tvvwa.bak2
C:\WINNT\system32\tvvwa.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\tvvwa.ini
C:\WINNT\system32\tvvwa.ini Has been deleted!

Attempting to delete C:\WINNT\system32\tvvwa.ini2
C:\WINNT\system32\tvvwa.ini2 Has been deleted!

Attempting to delete C:\WINNT\system32\tvvwa.tmp
C:\WINNT\system32\tvvwa.tmp Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINNT\system32\awvvt.dll
C:\WINNT\system32\awvvt.dll Could not be deleted.

Attempting to delete C:\WINNT\system32\tvvwa.ini
C:\WINNT\system32\tvvwa.ini Has been deleted!

Attempting to delete C:\WINNT\system32\tvvwa.ini2
C:\WINNT\system32\tvvwa.ini2 Has been deleted!

Performing Repairs to the registry.
Done!



Logfile of HijackThis v1.99.1
Scan saved at 9:23:01 PM, on 5/15/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Dev\Tools\Apache Group\Apache2\bin\Apache.exe
C:\Dev\Tools\Apache Group\Apache2\bin\Apache.exe
C:\Dev\Tools\IBM\SQLLIB\BIN\db2jds.exe
C:\Dev\Tools\IBM\SQLLIB\BIN\db2sec.exe
C:\Dev\Tools\IBM\SQLLIB\bin\db2dasstm.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nutsrv4.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\OSITIS~1\WINPRO~1\WPService.exe
C:\PROGRA~1\OSITIS~1\WINPRO~1\WinProxy.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Dev\Tools\IBM\SQLLIB\bin\db2fmp.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\DOCUME~1\Eric\APPLIC~1\DOBE~1\wuauclt.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\WINNT\system32\?racle\?ti2evxx.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Symantec\ACT\ACTLDR.EXE
C:\Dev\Tools\Apache Group\Apache2\bin\ApacheMonitor.exe
E:\Program Files\Intuit\QUICKENW\QWDLLS.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\NOTEPAD.EXE
M:\Downloads\HijackThis\scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hispeed.rogers.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {43EBA266-14F6-3C76-F24F-6CE33BE3F9BB} - C:\WINNT\system32\zqkv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - e:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {CF1C3792-4887-43DD-B2E2-203E5CA71E18} - C:\WINNT\system32\awvvt.dll
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINNT\system32\wmjdfhsb.dll
O2 - BHO: (no name) - {FDE2C2F4-1C2A-4379-9CFA-22AD886539A0} - C:\WINNT\system32\xwswmhos.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\DEV\TOOLS\RATIONAL\RATION~1\NUTCROOT\bin\ncoeenv.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QBCD Autorun] F:\autorun.exe restart 5 1
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\WINNT\retadpu2000219.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINNT\system32\mqwopmyr.dll",realset
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RogersAgent] c:\program files\Rogers\SelfHealing\RogersAgent.exe
O4 - HKCU\..\Run: [Hela] "C:\DOCUME~1\Eric\APPLIC~1\DOBE~1\wuauclt.exe" -vt yazb
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [Sgjec] "C:\Documents and Settings\Eric\My Documents\?icrosoft\d?dplay.exe"
O4 - HKCU\..\Run: [Ctrzan] C:\WINNT\system32\?racle\?ti2evxx.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: ACT! Speed Loader.lnk = C:\Program Files\Symantec\ACT\ACTLDR.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = E:\Program Files\Intuit\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Dev\Tools\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Quicken Startup.lnk = E:\Program Files\Intuit\QUICKENW\QWDLLS.EXE
O4 - Global Startup: startupb.lnk = C:\Bin\startupb.bat
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hispeed.rogers.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://pix.futureshop.ca/en/ImageUploader4.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D57262F5-9637-4E67-BC59-88C53EA76FC3} (ULcontrol Control) - http://pix.futureshop.ca/en/ulcontrol.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = winamerica.worldinsure.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D7610B4-D8BE-4BF4-A1F0-DFBF8350A6ED}: NameServer = 24.153.22.195,24.153.22.67
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = winamerica.worldinsure.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = winamerica.worldinsure.com
O20 - Winlogon Notify: awturrp - awturrp.dll (file missing)
O20 - Winlogon Notify: awvvt - C:\WINNT\system32\awvvt.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Dev\Tools\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: DB2 - DB2 (DB2) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\bin\db2syscs.exe
O23 - Service: DB2DAS - DB2DAS00 (DB2DAS00) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\\bin\db2dasrrm.exe
O23 - Service: DB2 Governor (DB2GOVERNOR) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2govds.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: DB2 Remote Command Server (DB2REMOTECMD) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2rcmd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM HTTP Administration 1.3.26 (IBMHTTPAdministration1.3.26) - Unknown owner - C:\Dev\Tools\IBM\IBMHttpServer\apache.exe" --ntservice (file missing)
O23 - Service: IBM HTTP Server 1.3.26 (IBMHTTPServer1.3.26) - Unknown owner - C:\Dev\Tools\IBM\IBMHttpServer\apache.exe" --ntservice (file missing)
O23 - Service: IBM WebSphere Application Server V5 - server1 (IBMWAS5Service - server1) - Unknown owner - C:\Dev\Tools\IBM\WebSphere\AppServer\bin\wasservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINNT\System32\nutsrv4.exe
O23 - Service: OracleOraHome081ClientCache - Unknown owner - C:\Dev\Tools\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\Dev\Oracle\Ora81\BIN\ONRSD.EXE (file missing)
O23 - Service: WebSphere Embedded Messaging Publish And SubscribeWAS_CompaqWI_server1 (WebSphereEmbeddedMessagingPublishAndSubscribeWAS_CompaqWI_server1) - Unknown owner - C:/Dev/Tools/IBM/WebSphere MQ/WEMPS/bin/bipservice.exe (file missing)
O23 - Service: WinProxy - Unknown owner - C:\PROGRA~1\OSITIS~1\WINPRO~1\WPService.exe
 
Hi

1. Download this file - combofix.exe
and save it to your desktop.

2. Go to start -> run.
type this in box and click ok

"%userprofile%\desktop\ComboFix.exe" /v awvvt wmjdfhsb xwswmhos mqwopmyr

3. When finished, it shall produce a log for you. Post that log in your next reply

4. Reboot

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post:

- a fresh HijackThis log
- combofix report
 
Hi,

Here are the logs:


ComboFix

"Eric" - 05/16/2007 20:50:01 Service Pack 4
ComboFix 07-05.17.V - Running from: "C:\Documents and Settings\Eric\Desktop\"
Command switches used :: "/v awvvt wmjdfhsb xwswmhos mqwopmyr"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\wmjdfhsb.dll
C:\WINNT\system32\xwswmhos.dll
C:\WINNT\system32\mqwopmyr.dll
C:\WINNT\system32\dlpksvoo.dll
C:\WINNT\system32\gyduuedt.dll
C:\WINNT\system32\whxtondd.dll
C:\WINNT\system32\tvvwa.ini
C:\WINNT\system32\rympowqm.ini
C:\WINNT\system32\awvvt.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\WINNT\retadpu.exe
C:\Program Files\ipwindows\ipwins.dll
C:\Program Files\ipwindows\ipwins.exe
C:\Program Files\ipwindows\UnInstall.exe
C:\Program Files\outerinfo\Terms.rtf
C:\WINNT\b122.exe
C:\Program Files\ipwindows
C:\Program Files\outerinfo
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\Eric
C:\qoobox\purity\C\DOCUME~1\Eric\APPLIC~1
C:\qoobox\purity\C\DOCUME~1\Eric\MYDOCU~1
C:\qoobox\purity\C\DOCUME~1\Eric\APPLIC~1\DOBE~1
C:\qoobox\purity\C\DOCUME~1\Eric\MYDOCU~1\ICROSO~1
C:\qoobox\purity\C\DOCUME~1\Eric\MYDOCU~1\SSTEM3~1
C:\qoobox\purity\C\WINNT\system32\RACLE~1


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-16 ))))))))))))))))))))))))))))))))))


2007-05-16 21:02 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_858.dat
2007-05-10 00:33 60,928 --a------ C:\WINNT\system32\zqkv.dll
2007-05-10 00:33 <DIR> d-------- C:\Program Files\àdobe
2007-05-05 11:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-04 23:29 <DIR> d-------- C:\VundoFix Backups
2007-05-04 20:35 <DIR> d-------- C:\DOCUME~1\db2admin\APPLIC~1\Google
2007-04-30 13:21 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\Google
2007-04-28 11:09 <DIR> d--hs---- C:\WINNT\V29ybGRpbnN1cmU
2007-04-26 10:36 2 --a------ C:\WINNT\system32\wcpisu32.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-10 04:33:22 -------- d-----w C:\Program Files\?dobe
2007-03-23 04:15:58 -------- d-----w C:\Program Files\iPod
2007-03-23 04:13:43 -------- d-----w C:\Program Files\QuickTime
2007-03-23 04:10:46 -------- d-----w C:\Program Files\Apple Software Update
2007-03-13 09:44:49 245,520 ----a-w C:\WINNT\system32\WINSRV.DLL
2007-03-06 11:17:48 381,200 ----a-w C:\WINNT\system32\USER32.DLL
2007-03-06 11:17:46 38,160 ----a-w C:\WINNT\system32\mf3216.dll
2007-03-06 11:17:46 235,280 ----a-w C:\WINNT\system32\GDI32.DLL
2007-03-06 06:12:21 1,641,936 ----a-w C:\WINNT\system32\WIN32K.SYS


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [03-11-03 14:17 ]
{43EBA266-14F6-3C76-F24F-6CE33BE3F9BB}=C:\WINNT\system32\zqkv.dll [07-03-19 14:30 ]
{53707962-6F74-2D53-2644-206D7942484F}=e:\Program Files\Spybot - Search & Destroy\SDHelper.dll [05-05-31 01:04 ]
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINNT\system32\dla\tfswshx.dll [03-08-06 01:04 ]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [07-01-20 00:55 ]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 15:05 C:\WINNT\system32\mobsync.exe]
"IgfxTray"="C:\WINNT\System32\igfxtray.exe" [01-10-12 21:34 ]
"HotKeysCmds"="C:\WINNT\System32\hkcmd.exe" [01-10-12 21:27 ]
"vptray"="C:\Program Files\NavNT\vptray.exe" [00-12-22 07:51 ]
"NuTCSetupEnviron"="C:\DEV\TOOLS\RATIONAL\RATION~1\NUTCROOT\bin\ncoeenv.exe" [01-01-02 18:25 ]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [03-04-09 15:08 ]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [03-08-19 01:01 ]
"dla"="C:\WINNT\system32\dla\tfswctrl.exe" [03-08-06 01:04 ]
"PinnacleDriverCheck"="C:\WINNT\system32\PSDrvCheck.exe" [04-03-10 16:26 ]
"QBCD Autorun"="F:\autorun.exe" []
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [01-07-09 12:50 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-02-16 11:54 ]
"iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [07-03-14 20:05 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RHSI SHS"="C:\Program Files\Rogers\SelfHealing\SHS.exe" [07-04-25 10:46 ]
"Update Manager"="C:\Program Files\Rogers\Update Manager\UpdateManager.exe" [07-04-25 10:46 ]
"SHS"="C:\Program Files\Rogers\SelfHealing\SHS.exe" [07-04-25 10:46 ]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe" [05-02-25 20:28 ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [07-01-25 23:02 ]
"RogersAgent"="c:\program files\Rogers\SelfHealing\RogersAgent.exe" []
"Hela"="C:\DOCUME~1\Eric\APPLIC~1\DOBE~1\wuauclt.exe" []
"Sgjec"="C:\Documents and Settings\Eric\My Documents\?icrosoft\d?dplay.exe" []
"Ctrzan"="C:\WINNT\system32\?racle\?ti2evxx.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="C:\Program Files\Qualcomm\Eudora\EuShlExt.dll" [01-04-12 18:05 ]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awturrp]
awturrp.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0
Security Packages kerberos msv1_0 schannel
Notification Packages scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
rpcss RpcSs
wugroup wuauserv
BITSgroup BITS

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

*newlycreated* -IPNAT

Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\AppleSoftwareUpdate.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-16 21:02:59
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-16 21:09:19 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-05-16 21:09


--- E O F ---


HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 9:14:27 PM, on 5/16/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Dev\Tools\Apache Group\Apache2\bin\Apache.exe
C:\Dev\Tools\Apache Group\Apache2\bin\Apache.exe
C:\Dev\Tools\IBM\SQLLIB\BIN\db2jds.exe
C:\Dev\Tools\IBM\SQLLIB\BIN\db2sec.exe
C:\Dev\Tools\IBM\SQLLIB\bin\db2dasstm.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\OSITIS~1\WINPRO~1\WPService.exe
C:\WINNT\System32\mspmspsv.exe
C:\PROGRA~1\OSITIS~1\WINPRO~1\WinProxy.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\nutsrv4.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Symantec\ACT\ACTLDR.EXE
C:\Dev\Tools\Apache Group\Apache2\bin\ApacheMonitor.exe
E:\Program Files\Intuit\QUICKENW\QWDLLS.EXE
C:\WINNT\explorer.exe
C:\Dev\Tools\IBM\SQLLIB\bin\db2fmp.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\notepad.exe
M:\Downloads\HijackThis\scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hispeed.rogers.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {43EBA266-14F6-3C76-F24F-6CE33BE3F9BB} - C:\WINNT\system32\zqkv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - e:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\DEV\TOOLS\RATIONAL\RATION~1\NUTCROOT\bin\ncoeenv.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QBCD Autorun] F:\autorun.exe restart 5 1
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RogersAgent] c:\program files\Rogers\SelfHealing\RogersAgent.exe
O4 - HKCU\..\Run: [Hela] "C:\DOCUME~1\Eric\APPLIC~1\DOBE~1\wuauclt.exe" -vt yazb
O4 - HKCU\..\Run: [Sgjec] "C:\Documents and Settings\Eric\My Documents\?icrosoft\d?dplay.exe"
O4 - HKCU\..\Run: [Ctrzan] C:\WINNT\system32\?racle\?ti2evxx.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: ACT! Speed Loader.lnk = C:\Program Files\Symantec\ACT\ACTLDR.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = E:\Program Files\Intuit\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Dev\Tools\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Quicken Startup.lnk = E:\Program Files\Intuit\QUICKENW\QWDLLS.EXE
O4 - Global Startup: startupb.lnk = C:\Bin\startupb.bat
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hispeed.rogers.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://pix.futureshop.ca/en/ImageUploader4.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D57262F5-9637-4E67-BC59-88C53EA76FC3} (ULcontrol Control) - http://pix.futureshop.ca/en/ulcontrol.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = winamerica.worldinsure.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D7610B4-D8BE-4BF4-A1F0-DFBF8350A6ED}: NameServer = 24.153.22.195,24.153.22.67
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = winamerica.worldinsure.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = winamerica.worldinsure.com
O20 - Winlogon Notify: awturrp - awturrp.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Dev\Tools\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: DB2 - DB2 (DB2) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\bin\db2syscs.exe
O23 - Service: DB2DAS - DB2DAS00 (DB2DAS00) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\\bin\db2dasrrm.exe
O23 - Service: DB2 Governor (DB2GOVERNOR) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2govds.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: DB2 Remote Command Server (DB2REMOTECMD) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2rcmd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM HTTP Administration 1.3.26 (IBMHTTPAdministration1.3.26) - Unknown owner - C:\Dev\Tools\IBM\IBMHttpServer\apache.exe" --ntservice (file missing)
O23 - Service: IBM HTTP Server 1.3.26 (IBMHTTPServer1.3.26) - Unknown owner - C:\Dev\Tools\IBM\IBMHttpServer\apache.exe" --ntservice (file missing)
O23 - Service: IBM WebSphere Application Server V5 - server1 (IBMWAS5Service - server1) - Unknown owner - C:\Dev\Tools\IBM\WebSphere\AppServer\bin\wasservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINNT\System32\nutsrv4.exe
O23 - Service: OracleOraHome081ClientCache - Unknown owner - C:\Dev\Tools\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\Dev\Oracle\Ora81\BIN\ONRSD.EXE (file missing)
O23 - Service: WebSphere Embedded Messaging Publish And SubscribeWAS_CompaqWI_server1 (WebSphereEmbeddedMessagingPublishAndSubscribeWAS_CompaqWI_server1) - Unknown owner - C:/Dev/Tools/IBM/WebSphere MQ/WEMPS/bin/bipservice.exe (file missing)
O23 - Service: WinProxy - Unknown owner - C:\PROGRA~1\OSITIS~1\WINPRO~1\WPService.exe
 
Hi

Open HijackThis, click do a system scan only and checkmark these:

O2 - BHO: (no name) - {43EBA266-14F6-3C76-F24F-6CE33BE3F9BB} - C:\WINNT\system32\zqkv.dll
O4 - HKCU\..\Run: [Hela] "C:\DOCUME~1\Eric\APPLIC~1\DOBE~1\wuauclt.exe" -vt yazb
O4 - HKCU\..\Run: [Sgjec] "C:\Documents and Settings\Eric\My Documents\?icrosoft\d?dplay.exe"
O4 - HKCU\..\Run: [Ctrzan] C:\WINNT\system32\?racle\?ti2evxx.exe
O20 - Winlogon Notify: awturrp - awturrp.dll (file missing)

Close all windows including browser and press fix checked

Make you hidden and system files visible -> http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Boot in safe mode -> http://www.pchell.com/support/safemode.shtml

Delete if present:

C:\Program Files\àdobe
C:\WINNT\V29ybGRpbnN1cmU
C:\WINNT\system32\wcpisu32.exe

Empty Recycle Bin

Reboot

Re-run combofix

Post:

- a fresh HijackThis log
- combofix report
 
Hi,

Here are the new logs:


ComboFix

Please see the attachement

HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 9:10:46 PM, on 5/17/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Dev\Tools\Apache Group\Apache2\bin\Apache.exe
C:\Dev\Tools\Apache Group\Apache2\bin\Apache.exe
C:\Dev\Tools\IBM\SQLLIB\BIN\db2jds.exe
C:\Dev\Tools\IBM\SQLLIB\BIN\db2sec.exe
C:\Dev\Tools\IBM\SQLLIB\bin\db2dasstm.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nutsrv4.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\OSITIS~1\WINPRO~1\WPService.exe
C:\WINNT\System32\mspmspsv.exe
C:\PROGRA~1\OSITIS~1\WINPRO~1\WinProxy.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Symantec\ACT\ACTLDR.EXE
C:\Dev\Tools\Apache Group\Apache2\bin\ApacheMonitor.exe
E:\Program Files\Intuit\QUICKENW\QWDLLS.EXE
C:\Dev\Tools\IBM\SQLLIB\bin\db2fmp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\explorer.exe
M:\Downloads\HijackThis\scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hispeed.rogers.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - e:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\DEV\TOOLS\RATIONAL\RATION~1\NUTCROOT\bin\ncoeenv.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QBCD Autorun] F:\autorun.exe restart 5 1
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RogersAgent] c:\program files\Rogers\SelfHealing\RogersAgent.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: ACT! Speed Loader.lnk = C:\Program Files\Symantec\ACT\ACTLDR.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = E:\Program Files\Intuit\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Dev\Tools\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Quicken Startup.lnk = E:\Program Files\Intuit\QUICKENW\QWDLLS.EXE
O4 - Global Startup: startupb.lnk = C:\Bin\startupb.bat
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hispeed.rogers.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://pix.futureshop.ca/en/ImageUploader4.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D57262F5-9637-4E67-BC59-88C53EA76FC3} (ULcontrol Control) - http://pix.futureshop.ca/en/ulcontrol.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = winamerica.worldinsure.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D7610B4-D8BE-4BF4-A1F0-DFBF8350A6ED}: NameServer = 24.153.22.195,24.153.22.67
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = winamerica.worldinsure.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = winamerica.worldinsure.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Dev\Tools\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: DB2 - DB2 (DB2) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\bin\db2syscs.exe
O23 - Service: DB2DAS - DB2DAS00 (DB2DAS00) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\\bin\db2dasrrm.exe
O23 - Service: DB2 Governor (DB2GOVERNOR) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2govds.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: DB2 Remote Command Server (DB2REMOTECMD) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2rcmd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM HTTP Administration 1.3.26 (IBMHTTPAdministration1.3.26) - Unknown owner - C:\Dev\Tools\IBM\IBMHttpServer\apache.exe" --ntservice (file missing)
O23 - Service: IBM HTTP Server 1.3.26 (IBMHTTPServer1.3.26) - Unknown owner - C:\Dev\Tools\IBM\IBMHttpServer\apache.exe" --ntservice (file missing)
O23 - Service: IBM WebSphere Application Server V5 - server1 (IBMWAS5Service - server1) - Unknown owner - C:\Dev\Tools\IBM\WebSphere\AppServer\bin\wasservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINNT\System32\nutsrv4.exe
O23 - Service: OracleOraHome081ClientCache - Unknown owner - C:\Dev\Tools\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\Dev\Oracle\Ora81\BIN\ONRSD.EXE (file missing)
O23 - Service: WebSphere Embedded Messaging Publish And SubscribeWAS_CompaqWI_server1 (WebSphereEmbeddedMessagingPublishAndSubscribeWAS_CompaqWI_server1) - Unknown owner - C:/Dev/Tools/IBM/WebSphere MQ/WEMPS/bin/bipservice.exe (file missing)
O23 - Service: WinProxy - Unknown owner - C:\PROGRA~1\OSITIS~1\WINPRO~1\WPService.exe
 
Hi

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Post:

- a fresh HijackThis log
- kaspersky report
 
Hi,

It took a while for kaspersky scan to complete. Here are the logs:

HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 8:40:43 AM, on 5/20/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Dev\Tools\Apache Group\Apache2\bin\Apache.exe
C:\Dev\Tools\Apache Group\Apache2\bin\Apache.exe
C:\Dev\Tools\IBM\SQLLIB\BIN\db2jds.exe
C:\Dev\Tools\IBM\SQLLIB\bin\db2dasstm.exe
C:\Dev\Tools\IBM\SQLLIB\BIN\db2sec.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nutsrv4.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\OSITIS~1\WINPRO~1\WPService.exe
C:\WINNT\System32\mspmspsv.exe
C:\PROGRA~1\OSITIS~1\WINPRO~1\WinProxy.exe
C:\WINNT\system32\svchost.exe
C:\Dev\Tools\IBM\SQLLIB\bin\db2fmp.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Symantec\ACT\ACTLDR.EXE
C:\Dev\Tools\Apache Group\Apache2\bin\ApacheMonitor.exe
E:\Program Files\Intuit\QUICKENW\QWDLLS.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\NOTEPAD.EXE
M:\Downloads\HijackThis\scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hispeed.rogers.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - e:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\DEV\TOOLS\RATIONAL\RATION~1\NUTCROOT\bin\ncoeenv.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QBCD Autorun] F:\autorun.exe restart 5 1
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RogersAgent] c:\program files\Rogers\SelfHealing\RogersAgent.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: ACT! Speed Loader.lnk = C:\Program Files\Symantec\ACT\ACTLDR.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = E:\Program Files\Intuit\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Dev\Tools\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Quicken Startup.lnk = E:\Program Files\Intuit\QUICKENW\QWDLLS.EXE
O4 - Global Startup: startupb.lnk = C:\Bin\startupb.bat
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hispeed.rogers.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://pix.futureshop.ca/en/ImageUploader4.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D57262F5-9637-4E67-BC59-88C53EA76FC3} (ULcontrol Control) - http://pix.futureshop.ca/en/ulcontrol.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = winamerica.worldinsure.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D7610B4-D8BE-4BF4-A1F0-DFBF8350A6ED}: NameServer = 24.153.22.195,24.153.22.67
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = winamerica.worldinsure.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = winamerica.worldinsure.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Dev\Tools\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: DB2 - DB2 (DB2) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\bin\db2syscs.exe
O23 - Service: DB2DAS - DB2DAS00 (DB2DAS00) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\\bin\db2dasrrm.exe
O23 - Service: DB2 Governor (DB2GOVERNOR) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2govds.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: DB2 Remote Command Server (DB2REMOTECMD) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2rcmd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM HTTP Administration 1.3.26 (IBMHTTPAdministration1.3.26) - Unknown owner - C:\Dev\Tools\IBM\IBMHttpServer\apache.exe" --ntservice (file missing)
O23 - Service: IBM HTTP Server 1.3.26 (IBMHTTPServer1.3.26) - Unknown owner - C:\Dev\Tools\IBM\IBMHttpServer\apache.exe" --ntservice (file missing)
O23 - Service: IBM WebSphere Application Server V5 - server1 (IBMWAS5Service - server1) - Unknown owner - C:\Dev\Tools\IBM\WebSphere\AppServer\bin\wasservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINNT\System32\nutsrv4.exe
O23 - Service: OracleOraHome081ClientCache - Unknown owner - C:\Dev\Tools\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\Dev\Oracle\Ora81\BIN\ONRSD.EXE (file missing)
O23 - Service: WebSphere Embedded Messaging Publish And SubscribeWAS_CompaqWI_server1 (WebSphereEmbeddedMessagingPublishAndSubscribeWAS_CompaqWI_server1) - Unknown owner - C:/Dev/Tools/IBM/WebSphere MQ/WEMPS/bin/bipservice.exe (file missing)
O23 - Service: WinProxy - Unknown owner - C:\PROGRA~1\OSITIS~1\WINPRO~1\WPService.exe



kaspersky report
Please see the attachment
 
Hi

I can believe that :)

Empty these folders:

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\
C:\Documents and Settings\Eric\.jpi_cache\jar\1.0
C:\QooBox\Quarantine

Delete these:

C:\Program Files\Qualcomm\Eudora\Embedded\burdock.gif
C:\Program Files\Qualcomm\Eudora\Embedded\cackle.gif
C:\WINNT\b104.exe
C:\WINNT\b116.exe
C:\WINNT\b129.exe
C:\WINNT\Downloaded Program Files\UWAS6_0001_N69M0903NetInstaller.exe
E:\backup\netmon.bad.exe
E:\backup\ServerBackup\DOCS\Eudora\movies1.zip
E:\backup\ServerBackup\DOCS\Eudora\videos.zip
E:\backup\ServerBackup\DOCS\Eudora\videos1.zip
E:\backup\ServerBackup\DOCS\Eudora\videos2.zip
E:\backup\ServerBackup\DOCS\Eudora\xxx_movies.zip
E:\backup\ServerBackup\DOCS\Eudora\xxx_movies1.zip
E:\backup\ServerBackup\DOCS\Eudora\xxx_movies2.zip
E:\backup\ServerBackup\DOCS\Eudora\zhang_peter.doc
E:\backup\ServerBackup\Qualcomm\Eudora Mail\Archives.fol\NewsGrou.fol\FromAdsOlder.mbx
E:\backup\ServerBackup\Qualcomm\Eudora Mail\Resumes.fol\AddsMisc.fol\TorStarA.mbx
E:\backup\ServerBackup\Qualcomm\Eudora Mail\Resumes.fol\MiscBySu.fol\Business.mbx
E:\backup\ServerBackup\Qualcomm\Eudora Mail\Resumes.fol\TorJobsNewsGroupsJuly00.mbx
E:\docs\Eudora\movies1.zip/1714.exe Infected: not-a-virus:Porn-Dialer.Win32.RTSMini skipped
E:\docs\Eudora\movies1.zip
E:\docs\Eudora\videos.zip
E:\docs\Eudora\videos1.zip
E:\docs\Eudora\videos2.zip
E:\docs\Eudora\xxx_movies.zip
E:\docs\Eudora\xxx_movies1.zip
E:\docs\Eudora\xxx_movies2.zip
M:\backup\netmon.bad.exe
M:\backup\ServerBackup\DOCS\Backup\DellBackupAug99\EudoraBackupNov4-99\Eudora Mail\Resumes.fol\AddsMisc.fol\TorStarA.mbx
M:\backup\ServerBackup\DOCS\Backup\EudoraBackupJuly20-00\Resumes.fol\MiscBySu.fol\Business.mbx
M:\backup\ServerBackup\DOCS\Backup\EudoraBackupJuly4-01\Resumes.fol\AddsMisc.fol\TorStarA.mbx
M:\backup\ServerBackup\DOCS\Backup\EudoraBackupJuly4-01\Resumes.fol\MiscBySu.fol\Business.mbx
M:\backup\ServerBackup\DOCS\Backup\EudoraBackupJuly4-01\Resumes.fol\TorJobsNewsGroupsJuly00.mbx
M:\backup\ServerBackup\DOCS\Eudora\CV - Aditya Pendse.doc
M:\backup\ServerBackup\DOCS\Eudora\movies1.zip
M:\backup\ServerBackup\DOCS\Eudora\videos.zip
M:\backup\ServerBackup\DOCS\Eudora\videos1.zip
M:\backup\ServerBackup\DOCS\Eudora\videos2.zip
M:\backup\ServerBackup\DOCS\Eudora\xxx_movies.zip
M:\backup\ServerBackup\DOCS\Eudora\xxx_movies1.zip
M:\backup\ServerBackup\DOCS\Eudora\xxx_movies2.zip
M:\backup\ServerBackup\DOCS\Eudora\zhang_peter.doc
M:\backup\ServerBackup\Qualcomm\Eudora Mail\Archives.fol\NewsGrou.fol\FromAdsOlder.mbx
M:\backup\ServerBackup\Qualcomm\Eudora Mail\Resumes.fol\AddsMisc.fol\TorStarA.mbx
M:\backup\ServerBackup\Qualcomm\Eudora Mail\Resumes.fol\MiscBySu.fol\Business.mbx
M:\backup\ServerBackup\Qualcomm\Eudora Mail\Resumes.fol\TorJobsNewsGroupsJuly00.mbx
M:\docs\Eudora\movies1.zip
M:\docs\Eudora\videos.zip
M:\docs\Eudora\videos1.zip
M:\docs\Eudora\videos2.zip
M:\docs\Eudora\xxx_movies.zip
M:\docs\Eudora\xxx_movies2.zip

Empty Recycle Bin

Re-scan with kaspersky

Post:

- a fresh HijackThis log
- kaspersky report
 
Hi,

Here are the logs:

HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 3:36:02 PM, on 5/21/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Dev\Tools\Apache Group\Apache2\bin\Apache.exe
C:\Dev\Tools\Apache Group\Apache2\bin\Apache.exe
C:\Dev\Tools\IBM\SQLLIB\BIN\db2jds.exe
C:\Dev\Tools\IBM\SQLLIB\bin\db2dasstm.exe
C:\Dev\Tools\IBM\SQLLIB\BIN\db2sec.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nutsrv4.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\OSITIS~1\WINPRO~1\WPService.exe
C:\WINNT\System32\mspmspsv.exe
C:\PROGRA~1\OSITIS~1\WINPRO~1\WinProxy.exe
C:\WINNT\system32\svchost.exe
C:\Dev\Tools\IBM\SQLLIB\bin\db2fmp.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Symantec\ACT\ACTLDR.EXE
C:\Dev\Tools\Apache Group\Apache2\bin\ApacheMonitor.exe
E:\Program Files\Intuit\QUICKENW\QWDLLS.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
M:\Downloads\HijackThis\scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hispeed.rogers.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - e:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\DEV\TOOLS\RATIONAL\RATION~1\NUTCROOT\bin\ncoeenv.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QBCD Autorun] F:\autorun.exe restart 5 1
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RogersAgent] c:\program files\Rogers\SelfHealing\RogersAgent.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: ACT! Speed Loader.lnk = C:\Program Files\Symantec\ACT\ACTLDR.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = E:\Program Files\Intuit\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Dev\Tools\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Quicken Startup.lnk = E:\Program Files\Intuit\QUICKENW\QWDLLS.EXE
O4 - Global Startup: startupb.lnk = C:\Bin\startupb.bat
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hispeed.rogers.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://pix.futureshop.ca/en/ImageUploader4.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D57262F5-9637-4E67-BC59-88C53EA76FC3} (ULcontrol Control) - http://pix.futureshop.ca/en/ulcontrol.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = winamerica.worldinsure.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D7610B4-D8BE-4BF4-A1F0-DFBF8350A6ED}: NameServer = 24.153.22.195,24.153.22.67
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = winamerica.worldinsure.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = winamerica.worldinsure.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Dev\Tools\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: DB2 - DB2 (DB2) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\bin\db2syscs.exe
O23 - Service: DB2DAS - DB2DAS00 (DB2DAS00) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\\bin\db2dasrrm.exe
O23 - Service: DB2 Governor (DB2GOVERNOR) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2govds.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: DB2 Remote Command Server (DB2REMOTECMD) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2rcmd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM HTTP Administration 1.3.26 (IBMHTTPAdministration1.3.26) - Unknown owner - C:\Dev\Tools\IBM\IBMHttpServer\apache.exe" --ntservice (file missing)
O23 - Service: IBM HTTP Server 1.3.26 (IBMHTTPServer1.3.26) - Unknown owner - C:\Dev\Tools\IBM\IBMHttpServer\apache.exe" --ntservice (file missing)
O23 - Service: IBM WebSphere Application Server V5 - server1 (IBMWAS5Service - server1) - Unknown owner - C:\Dev\Tools\IBM\WebSphere\AppServer\bin\wasservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINNT\System32\nutsrv4.exe
O23 - Service: OracleOraHome081ClientCache - Unknown owner - C:\Dev\Tools\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\Dev\Oracle\Ora81\BIN\ONRSD.EXE (file missing)
O23 - Service: WebSphere Embedded Messaging Publish And SubscribeWAS_CompaqWI_server1 (WebSphereEmbeddedMessagingPublishAndSubscribeWAS_CompaqWI_server1) - Unknown owner - C:/Dev/Tools/IBM/WebSphere MQ/WEMPS/bin/bipservice.exe (file missing)
O23 - Service: WinProxy - Unknown owner - C:\PROGRA~1\OSITIS~1\WINPRO~1\WPService.exe



KASPERSKY SCANNER REPORT

Please see the attachment
 
Hi

Much improved but some left.

Empty Deleted items in Outlook

Empty this folder:

C:\QooBox\Quarantine

Delete these:

C:\Program Files\Qualcomm\Eudora Mail New\Archives.fol\NewsGrou.fol\FromAds.mbx
C:\Program Files\Qualcomm\Eudora Mail New\Resumes.fol\AddsMisc.fol\TorStarA.mbx
C:\Program Files\Qualcomm\Eudora Mail New\Resumes.fol\MiscBySu.fol\Business.mbx
E:\backup\ServerBackup\DOCS\Backup\DellBackupAug99\EudoraBackupNov4-99\Eudora Mail\Resumes.fol\MiscBySu.fol\Business.mbx

Empty Recycle Bin

Re-scan with kaspersky

Post:

- a fresh HijackThis log
- kaspersky report
 
Hi,

We are definetly getting there, but seems that there is still some infection.
Here are the logs:

HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 8:18:17 PM, on 5/23/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Dev\Tools\Apache Group\Apache2\bin\Apache.exe
C:\Dev\Tools\Apache Group\Apache2\bin\Apache.exe
C:\Dev\Tools\IBM\SQLLIB\BIN\db2jds.exe
C:\Dev\Tools\IBM\SQLLIB\bin\db2dasstm.exe
C:\Dev\Tools\IBM\SQLLIB\BIN\db2sec.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nutsrv4.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\OSITIS~1\WINPRO~1\WPService.exe
C:\WINNT\System32\mspmspsv.exe
C:\PROGRA~1\OSITIS~1\WINPRO~1\WinProxy.exe
C:\WINNT\system32\svchost.exe
C:\Dev\Tools\IBM\SQLLIB\bin\db2fmp.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Symantec\ACT\ACTLDR.EXE
C:\Dev\Tools\Apache Group\Apache2\bin\ApacheMonitor.exe
E:\Program Files\Intuit\QUICKENW\QWDLLS.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\svchost.exe
M:\Downloads\HijackThis\scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hispeed.rogers.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - e:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\DEV\TOOLS\RATIONAL\RATION~1\NUTCROOT\bin\ncoeenv.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QBCD Autorun] F:\autorun.exe restart 5 1
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RogersAgent] c:\program files\Rogers\SelfHealing\RogersAgent.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: ACT! Speed Loader.lnk = C:\Program Files\Symantec\ACT\ACTLDR.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = E:\Program Files\Intuit\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Dev\Tools\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Quicken Startup.lnk = E:\Program Files\Intuit\QUICKENW\QWDLLS.EXE
O4 - Global Startup: startupb.lnk = C:\Bin\startupb.bat
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hispeed.rogers.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://pix.futureshop.ca/en/ImageUploader4.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D57262F5-9637-4E67-BC59-88C53EA76FC3} (ULcontrol Control) - http://pix.futureshop.ca/en/ulcontrol.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = winamerica.worldinsure.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D7610B4-D8BE-4BF4-A1F0-DFBF8350A6ED}: NameServer = 24.153.22.195,24.153.22.67
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = winamerica.worldinsure.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = winamerica.worldinsure.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Dev\Tools\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: DB2 - DB2 (DB2) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\bin\db2syscs.exe
O23 - Service: DB2DAS - DB2DAS00 (DB2DAS00) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\\bin\db2dasrrm.exe
O23 - Service: DB2 Governor (DB2GOVERNOR) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2govds.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: DB2 Remote Command Server (DB2REMOTECMD) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2rcmd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM HTTP Administration 1.3.26 (IBMHTTPAdministration1.3.26) - Unknown owner - C:\Dev\Tools\IBM\IBMHttpServer\apache.exe" --ntservice (file missing)
O23 - Service: IBM HTTP Server 1.3.26 (IBMHTTPServer1.3.26) - Unknown owner - C:\Dev\Tools\IBM\IBMHttpServer\apache.exe" --ntservice (file missing)
O23 - Service: IBM WebSphere Application Server V5 - server1 (IBMWAS5Service - server1) - Unknown owner - C:\Dev\Tools\IBM\WebSphere\AppServer\bin\wasservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINNT\System32\nutsrv4.exe
O23 - Service: OracleOraHome081ClientCache - Unknown owner - C:\Dev\Tools\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\Dev\Oracle\Ora81\BIN\ONRSD.EXE (file missing)
O23 - Service: WebSphere Embedded Messaging Publish And SubscribeWAS_CompaqWI_server1 (WebSphereEmbeddedMessagingPublishAndSubscribeWAS_CompaqWI_server1) - Unknown owner - C:/Dev/Tools/IBM/WebSphere MQ/WEMPS/bin/bipservice.exe (file missing)
O23 - Service: WinProxy - Unknown owner - C:\PROGRA~1\OSITIS~1\WINPRO~1\WPService.exe



KASPERSKY REPORT
please see the attachment
 
Hi

Delete these:

C:\Program Files\Qualcomm\Eudora Mail New\Archives.fol\NewsGrou.fol\FromAdsOlder.mbx
C:\Program Files\Qualcomm\Eudora Mail New\Resumes.fol\TorJobsNewsGroupsJuly00.mbx
E:\backup\ServerBackup\DOCS\Eudora\CV - Aditya Pendse.doc
E:\Downloads\HijackThis\backups\backup-20070517-194912-298.dll

Empty Recycle Bin

Re-scan with kaspersky

Post:

- a fresh HijackThis log
- kaspersky report
 
Hi

Thank you very much for your help.

Here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 7:30:32 AM, on 5/25/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Dev\Tools\Apache Group\Apache2\bin\Apache.exe
C:\Dev\Tools\Apache Group\Apache2\bin\Apache.exe
C:\Dev\Tools\IBM\SQLLIB\BIN\db2jds.exe
C:\Dev\Tools\IBM\SQLLIB\bin\db2dasstm.exe
C:\Dev\Tools\IBM\SQLLIB\BIN\db2sec.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nutsrv4.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\OSITIS~1\WINPRO~1\WPService.exe
C:\WINNT\System32\mspmspsv.exe
C:\PROGRA~1\OSITIS~1\WINPRO~1\WinProxy.exe
C:\WINNT\system32\svchost.exe
C:\Dev\Tools\IBM\SQLLIB\bin\db2fmp.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Symantec\ACT\ACTLDR.EXE
C:\Dev\Tools\Apache Group\Apache2\bin\ApacheMonitor.exe
E:\Program Files\Intuit\QUICKENW\QWDLLS.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Apple Software Update\SoftwareUpdate.exe
C:\Program Files\Qualcomm\Eudora\Eudora.exe
M:\Downloads\HijackThis\scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hispeed.rogers.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - e:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\DEV\TOOLS\RATIONAL\RATION~1\NUTCROOT\bin\ncoeenv.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QBCD Autorun] F:\autorun.exe restart 5 1
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RogersAgent] c:\program files\Rogers\SelfHealing\RogersAgent.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: ACT! Speed Loader.lnk = C:\Program Files\Symantec\ACT\ACTLDR.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = E:\Program Files\Intuit\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Dev\Tools\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Quicken Startup.lnk = E:\Program Files\Intuit\QUICKENW\QWDLLS.EXE
O4 - Global Startup: startupb.lnk = C:\Bin\startupb.bat
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hispeed.rogers.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://pix.futureshop.ca/en/ImageUploader4.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D57262F5-9637-4E67-BC59-88C53EA76FC3} (ULcontrol Control) - http://pix.futureshop.ca/en/ulcontrol.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = winamerica.worldinsure.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D7610B4-D8BE-4BF4-A1F0-DFBF8350A6ED}: NameServer = 24.153.22.195,24.153.22.67
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = winamerica.worldinsure.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = winamerica.worldinsure.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Dev\Tools\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: DB2 - DB2 (DB2) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\bin\db2syscs.exe
O23 - Service: DB2DAS - DB2DAS00 (DB2DAS00) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\\bin\db2dasrrm.exe
O23 - Service: DB2 Governor (DB2GOVERNOR) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2govds.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: DB2 Remote Command Server (DB2REMOTECMD) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2rcmd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM HTTP Administration 1.3.26 (IBMHTTPAdministration1.3.26) - Unknown owner - C:\Dev\Tools\IBM\IBMHttpServer\apache.exe" --ntservice (file missing)
O23 - Service: IBM HTTP Server 1.3.26 (IBMHTTPServer1.3.26) - Unknown owner - C:\Dev\Tools\IBM\IBMHttpServer\apache.exe" --ntservice (file missing)
O23 - Service: IBM WebSphere Application Server V5 - server1 (IBMWAS5Service - server1) - Unknown owner - C:\Dev\Tools\IBM\WebSphere\AppServer\bin\wasservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINNT\System32\nutsrv4.exe
O23 - Service: OracleOraHome081ClientCache - Unknown owner - C:\Dev\Tools\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\Dev\Oracle\Ora81\BIN\ONRSD.EXE (file missing)
O23 - Service: WebSphere Embedded Messaging Publish And SubscribeWAS_CompaqWI_server1 (WebSphereEmbeddedMessagingPublishAndSubscribeWAS_CompaqWI_server1) - Unknown owner - C:/Dev/Tools/IBM/WebSphere MQ/WEMPS/bin/bipservice.exe (file missing)
O23 - Service: WinProxy - Unknown owner - C:\PROGRA~1\OSITIS~1\WINPRO~1\WPService.exe




Kaperksy

Please see the attachment.


What steps (specific to Win 2000) should I follow to prevent future infections? What virus scanner do you recommend?

Thanks again.
 
You must log in or register to reply here.
Back
Top