Help! Can't stop infections...

W

woodywoodtucker

New member
I've got a machine with the Windows 2000 Server OS on it. My users access it via a network share. Nobody (besides me) actually signs into the machine. For the past 3 weeks I've been getting pretty heavy and regular virus warnings and spyware infections.

I clean the machine regularly with both Norton AV and Spybot S&D, but the viruses and spyware are on this machine DAILY!

This is my HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 2:36:31 PM, on 1/11/2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\netdde.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\urdvxc.exe
C:\WINNT\system32\netcon.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\update.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\program files\timbuktu pro\tb2logon.exe
C:\PROGRA~1\COMMON~1\iqzw\iqzwm.exe
C:\WINNT\system32\PPATCH~1\wuaclt.exe
C:\PROGRA~1\COMMON~1\iqzw\iqzwa.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\FTP.EXE
C:\WINNT\System32\mdm.exe
C:\temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {CCF40B53-E2BE-971A-BB4F-ED6C546F0491} - C:\WINNT\system32\cbh.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [mdac_runonce] C:\WINNT\System32\runonce.exe
O4 - HKLM\..\Run: [3c1807pd] C:\WINNT\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TLogonPath] "c:\program files\timbuktu pro\tb2logon.exe"
O4 - HKLM\..\Run: [System Service] servicei.exe
O4 - HKLM\..\Run: [Windows Explorer] C:\WINNT\system32\explorer.exe
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\fqswsmf.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINNT\system32\logon.exe
O4 - HKLM\..\Run: [Microsoft] qtask.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINNT\system32\seqpxwox.dll",setvm
O4 - HKLM\..\Run: [Windows Network Firewall] C:\WINNT\system32\firewall.exe
O4 - HKLM\..\RunServices: [System Service] servicei.exe
O4 - HKLM\..\RunServices: [Microsoft] qtask.exe
O4 - HKCU\..\Run: [Microsoft] qtask.exe
O4 - HKCU\..\Run: [iqzw] C:\PROGRA~1\COMMON~1\iqzw\iqzwm.exe
O4 - HKCU\..\Run: [Ebsm] "C:\WINNT\system32\PPATCH~1\wuaclt.exe" -vt yazb
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O16 - DPF: {1663ED61-23EB-11D2-B92F-008048FDD814} (MeadCo ScriptX) - http://www.meadroid.com/scriptx/ScriptX.cab
O16 - DPF: {171F3010-C356-11D3-907B-00AA00443984} (strprint.trprints) - https://partnering.one.microsoft.com/mcp/certtools/MCPTranscriptPrint.CAB
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://www.meadroid.com/scriptx/beta/smsx.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E565B39-02D9-4D68-9D10-6429E46A7536}: NameServer = 64.238.96.12,66.180.96.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0F60A13-71A8-4CD8-AC46-4DCF55DD587E}: NameServer = 64.238.96.12,66.180.96.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{3E565B39-02D9-4D68-9D10-6429E46A7536}: NameServer = 64.238.96.12,66.180.96.12
O17 - HKLM\System\CS3\Services\Tcpip\..\{3E565B39-02D9-4D68-9D10-6429E46A7536}: NameServer = 64.238.96.12,66.180.96.12
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: Timbuktu Pro - c:\program files\timbuktu pro\Hook32.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINNT\system32\irdvxc.exe" /service (file missing)
O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINNT\system32\urdvxc.exe" /service (file missing)
O23 - Service: Network DDECON (NetDDC) - Unknown owner - C:\WINNT\system32\netcon.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\update.exe" /service (file missing)


and this is a log from pandasoftware.coms activescan:

Adware:Adware/Sqwire - Not disinfected - c:\progra~1\common~1\iqzw\iqzwm.exe
Adware:Adware/PurityScan - Not disinfected - C:\WINNT\system32\seqpxwox.dll
Adware:Adware/PurityScan - Not disinfected - C:\WINNT\system32\cbh.dll
Adware:Adware/Sqwire - Not disinfected - C:\PROGRA~1\COMMON~1\iqzw\iqzwd\iqzwc.dll
Adware:Adware/Sqwire - Not disinfected - C:\PROGRA~1\COMMON~1\iqzw\iqzwa.exe
Adware:adware/maxifiles - Not disinfected - c:\winnt\system32\svhost.exe
Potentially unwanted tool:application/mywebsearch - Not disinfected - hkey_current_user\software\ToolBar
Hacktool:HackTool/Samdump - Not disinfected - C:\WINNT\system32\wins\pwdump2.exe
Hacktool:HackTool/Samdump - Not disinfected - C:\WINNT\system32\wins\samdump.dll
Potentially unwanted tool:Application/KillApp.B - Not disinfected - C:\WINNT\system32\kill.exe
Hacktool:HackTool/Samdump - Not disinfected - C:\WINNT\system32\samdump.dll
Hacktool:HackTool/Samdump - Not disinfected - C:\WINNT\system32\pwdump2.exe
Virus:W32/Sdbot.ftp.worm - Disinfected - C:\WINNT\system32\i
Spyware:Spyware/Virtumonde - Not disinfected - C:\WINNT\system32\lcbljqna.dll
Spyware:Spyware/Virtumonde - Not disinfected - C:\WINNT\system32\gcppbeev.dll
Potentially unwanted tool:Application/Pskill.E - Not disinfected - C:\WINNT\system32\psk.exe
Potentially unwanted tool:Application/HideRun.A - Not disinfected - C:\WINNT\system32\Hiderun.exe
Adware:Adware/888Bar - Not disinfected - C:\WINNT\system32\mc-110-12-0000144.exe
Adware:Adware/Maxifiles - Not disinfected - C:\WINNT\system32\svchosts.exe_old
Adware:Adware/Maxifiles - Not disinfected - C:\WINNT\Temp\b122.exe[mc-0-0-0.exe]
Adware:Adware/Maxifiles - Not disinfected - C:\WINNT\Temp\b122.exe[mc-0-0-0.exe][ipwins.exe]
Adware:Adware/Maxifiles - Not disinfected - C:\WINNT\Temp\b122.exe[mc-0-0-0.exe][ipwins.dll]
Adware:Adware/ISearch - Not disinfected - C:\WINNT\Temp\b104.exe[MTE3MTk6ODoxNg.exe]
Adware:Adware/CommAd - Not disinfected - C:\WINNT\Temp\cmdinst.exe
Adware:Adware/CommAd - Not disinfected - C:\WINNT\UmljaGFyZCBZYXRlcw\asappsrv.dll
Adware:Adware/CommAd - Not disinfected - C:\WINNT\UmljaGFyZCBZYXRlcw\command.exe
Adware:Adware/CommAd - Not disinfected - C:\WINNT\UmljaGFyZCBZYXRlcw\oA53u3IVtF1tsrl5wT.vbs
Adware:Adware/Maxifiles - Not disinfected - C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\GHC9WPYT\122[1].net[mc-0-0-0.exe]
Adware:Adware/Maxifiles - Not disinfected - C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\GHC9WPYT\122[1].net[mc-0-0-0.exe][ipwins.exe]
Adware:Adware/Maxifiles - Not disinfected - C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\GHC9WPYT\122[1].net[mc-0-0-0.exe][ipwins.dll]
Adware:Adware/ISearch - Not disinfected - C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\GHC9WPYT\104[1].net[MTE3MTk6ODoxNg.exe]
Adware:Adware/CommAd - Not disinfected - C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\416BCPI3\installer[1].exe
Adware:Adware/Maxifiles - Not disinfected - C:\Documents and Settings\Administrator\Local Settings\Temp\b122.exe[mc-0-0-0.exe]
Adware:Adware/Maxifiles - Not disinfected - C:\Documents and Settings\Administrator\Local Settings\Temp\b122.exe[mc-0-0-0.exe][ipwins.exe]
Adware:Adware/Maxifiles - Not disinfected - C:\Documents and Settings\Administrator\Local Settings\Temp\b122.exe[mc-0-0-0.exe][ipwins.dll]
Adware:Adware/ISearch - Not disinfected - C:\Documents and Settings\Administrator\Local Settings\Temp\b104.exe[MTE3MTk6ODoxNg.exe]
Adware:Adware/Sqwire - Not disinfected - C:\Documents and Settings\Administrator\Local Settings\Temp\b103.exe
Potentially unwanted tool:Application/Winantivirus2006 - Not disinfected - C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CKQBMFBT\ErrorSafeNewReleaseInstall[1].cab[UERS_9999_N91S2507NetInstaller.exe]
Potentially unwanted tool:Application/Winantivirus2006 - Not disinfected - C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\5220QTN4\WinAntiVirusPro2006FreeInstall[1].exe
Spyware:Cookie/LinkExchange - Not disinfected - C:\Documents and Settings\Administrator\Cookies\administrator@linkexchange[1].txt
Spyware:Cookie/Preferences - Not disinfected - C:\Documents and Settings\Administrator\Cookies\administrator@preferences[2].txt
Spyware:Cookie/Hitbox - Not disinfected - C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[1].txt
Spyware:Cookie/2o7 - Not disinfected - C:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt
Spyware:Cookie/Traffic Marketplace - Not disinfected - C:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[1].txt
Spyware:Cookie/WebtrendsLive - Not disinfected - C:\Documents and Settings\Administrator\Cookies\administrator@S111319[1].txt
Spyware:Cookie/QuestionMarket - Not disinfected - C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[1].txt
Spyware:Cookie/Com.com - Not disinfected - C:\Documents and Settings\Administrator\Cookies\administrator@com[2].txt
Spyware:Cookie/Bluestreak - Not disinfected - C:\Documents and Settings\Administrator\Cookies\administrator@bluestreak[1].txt
Spyware:Cookie/Humanclick - Not disinfected - C:\Documents and Settings\Administrator\Cookies\administrator@hc2.humanclick[1].txt
Spyware:Cookie/Eyeblaster - Not disinfected - C:\Documents and Settings\Administrator\Cookies\administrator@www.eyeblaster-bs[1].txt
Spyware:Cookie/CentrPort - Not disinfected - C:\Documents and Settings\Administrator\Cookies\administrator@centrport[1].txt
Spyware:Cookie/DriveCleaner - Not disinfected - C:\Documents and Settings\Administrator\Cookies\administrator@drivecleaner[2].txt
Spyware:Cookie/DriveCleaner - Not disinfected - C:\Documents and Settings\Administrator\Cookies\administrator@www.drivecleaner[1].txt
Spyware:Cookie/PointRoll - Not disinfected - C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[2].txt
Spyware:Cookie/CentrPort - Not disinfected - C:\Documents and Settings\Administrator\Cookies\administrator@centrport[2].txt
Spyware:Cookie/Go - Not disinfected - C:\Documents and Settings\Administrator\Cookies\administrator@go[2].txt
Spyware:Cookie/Bridgetrack - Not disinfected - C:\Documents and Settings\Administrator\Cookies\administrator@citi.bridgetrack[1].txt
Spyware:Cookie/Overture - Not disinfected - C:\Documents and Settings\Administrator\Cookies\administrator@overture[1].txt
Spyware:Cookie/Mediaplex - Not disinfected - C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt
Spyware:Cookie/DriveCleaner - Not disinfected - C:\Documents and Settings\Administrator\Cookies\administrator@stats.drivecleaner[2].txt
Spyware:Cookie/TargetSaver - Not disinfected - C:\Documents and Settings\Administrator\Cookies\administrator@targetsaver[2].txt
Spyware:Cookie/Winantivirus - Not disinfected - C:\Documents and Settings\Administrator\Cookies\administrator@winantivirus[1].txt
Spyware:Cookie/Tribalfusion - Not disinfected - C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt
Spyware:Cookie/myaffiliateprogram - Not disinfected - C:\Documents and Settings\Administrator\Cookies\administrator@www.myaffiliateprogram[2].txt
Spyware:Cookie/Overture - Not disinfected - C:\Documents and Settings\Administrator\Cookies\administrator@perf.overture[1].txt
Spyware:Cookie/Reliablestats - Not disinfected - C:\Documents and Settings\Administrator\Cookies\administrator@stats1.reliablestats[2].txt
Spyware:Cookie/Azjmp - Not disinfected - C:\Documents and Settings\Administrator\Cookies\administrator@azjmp[1].txt
Spyware:Cookie/Hitbox - Not disinfected - C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[3].txt
Adware:Adware/Sqwire - Not disinfected - C:\Program Files\Common Files\iqzw\iqzwd\iqzwc.dll
Adware:Adware/Sqwire - Not disinfected - C:\Program Files\Common Files\iqzw\iqzwm.exe
Adware:Adware/Sqwire - Not disinfected - C:\Program Files\Common Files\iqzw\iqzwl.exe
Adware:Adware/Sqwire - Not disinfected - C:\Program Files\Common Files\iqzw\iqzwa.exe
Adware:Adware/Sqwire - Not disinfected - C:\Program Files\Common Files\iqzw\iqzwp.exe
Adware:Adware/Yazzle - Not disinfected - C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
Adware:Adware/OuterInfo - Not disinfected - C:\Program Files\Outerinfo\OiUninstaller.exe
Adware:Adware/Maxifiles - Not disinfected - C:\Program Files\Ipwindows\ipwins.exe
Adware:Adware/Maxifiles - Not disinfected - C:\Program Files\Ipwindows\ipwins.dll
Hacktool:HackTool/DiskInfo.A - Not disinfected - C:\Inetpub\ftproot\diskinfo.exe
Adware:Adware/IEDriver - Not disinfected - F:\quickbooks\User_Files\Amy_West\amy2\Data\all_files4.exe[setup_td.exe]
Adware:Adware/BrowserAid - Not disinfected - F:\quickbooks\User_Files\Amy_West\amy2\Data\all_files4.exe[dist1_1_00.exe]
Adware:Adware/eZula - Not disinfected - F:\quickbooks\User_Files\Amy_West\amy2\Data\all_files4.exe[ezStub.exe]
Spyware:Spyware/Apropos - Not disinfected - F:\quickbooks\User_Files\Amy_West\amy2\Data\all_files4.exe[apropos_client_loader.exe]
Adware:Adware/IEDriver - Not disinfected - F:\quickbooks\User_Files\Amy_West\amy2\Data\Data\all_files4.exe[setup_td.exe]
Adware:Adware/BrowserAid - Not disinfected - F:\quickbooks\User_Files\Amy_West\amy2\Data\Data\all_files4.exe[dist1_1_00.exe]
Adware:Adware/eZula - Not disinfected - F:\quickbooks\User_Files\Amy_West\amy2\Data\Data\all_files4.exe[ezStub.exe]
Spyware:Spyware/Apropos - Not disinfected - F:\quickbooks\User_Files\Amy_West\amy2\Data\Data\all_files4.exe[apropos_client_loader.exe]
Adware:Adware/IEDriver - Not disinfected - F:\quickbooks\User_Files\Robin_Sullivan\Data\all_files4.exe[setup_td.exe]
Adware:Adware/BrowserAid - Not disinfected - F:\quickbooks\User_Files\Robin_Sullivan\Data\all_files4.exe[dist1_1_00.exe]
Adware:Adware/eZula - Not disinfected - F:\quickbooks\User_Files\Robin_Sullivan\Data\all_files4.exe[ezStub.exe]
Spyware:Spyware/Apropos - Not disinfected - F:\quickbooks\User_Files\Robin_Sullivan\Data\all_files4.exe[apropos_client_loader.exe]
Adware:Adware/IEDriver - Not disinfected - F:\quickbooks\User_Files\Robin_Sullivan\Data\Data\all_files4.exe[setup_td.exe]
Adware:Adware/BrowserAid - Not disinfected - F:\quickbooks\User_Files\Robin_Sullivan\Data\Data\all_files4.exe[dist1_1_00.exe]
Adware:Adware/eZula - Not disinfected - F:\quickbooks\User_Files\Robin_Sullivan\Data\Data\all_files4.exe[ezStub.exe]
Spyware:Spyware/Apropos - Not disinfected - F:\quickbooks\User_Files\Robin_Sullivan\Data\Data\all_files4.exe[apropos_client_loader.exe]
 
I forgot to mention that these logs were generated after a full system scan with NAV and also a full scan with Spybot S&D while in safe mode.

Thanks,

Woody
 
Hi woodywoodtucker

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but i can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post
 
If possible I would like to attempt to clean the system before re-formatting and re-loading the data. Any help you can provide would be greatly appreciated.

For the time being, I am going to disconnect this PC from the network and load my applications on a Windows 2003 Server. Thanks for the updates, and I look forward to hearing from you again.

Thanks,

Woody
 
Hi

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
 
Thanks for the steps. Here are the results:

Report.txt


SDFix: Version 1.59

Tue 01/16/2007 - 12:52:00.25

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

Safe Mode:

Checking Services:

Name:

MSDisk
MSWindows
wins

Path:

"C:\WINNT\system32\irdvxc.exe" /service
"C:\WINNT\system32\urdvxc.exe" /service
%SystemRoot%\System32\wins.exe

MSDisk Deleted
MSWindows Deleted
wins Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File

Rebooting

Normal Mode:

Checking Files:


Files will be copied to Backups folder then removed:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\autorun.inf - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\setup.exe - Deleted
C:\WINNT\system32\.exe - Deleted
C:\WINNT\system32\g.exe - Deleted
C:\WINNT\system32\i - Deleted
C:\WINNT\system32\nice.exe - Deleted
C:\WINNT\system32\u.exe - Deleted
C:\WINNT\system32\update.exe - Deleted
C:\WINNT\system32\urdvxc.exe - Deleted



Alternate Stream Check:

C:\WINNT\system32
No streams found.
Final Check:

Remaining Services:
------------------


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Listing Files with hidden attributes:

C:\NTDETECT.COM
C:\WINNT\system32\tuvsssr.dll
C:\WINNT\system32\samdump.dll
C:\WINNT\system32\yayaa.dll
C:\WINNT\system32\gebabyx.dll
C:\WINNT\system32\gebbbcy.dll
C:\WINNT\system32\mljgfgf.dll
C:\WINNT\system32\vturqnl.dll
C:\WINNT\system32\gebcyvs.dll
C:\WINNT\system32\Timer.dll
C:\WINNT\UmljaGFyZCBZYXRlcw\asappsrv.dll
C:\arcldr.exe
C:\arcsetup.exe
C:\WINNT\system32\clemail.exe
C:\WINNT\system32\pwdump2.exe
C:\WINNT\system32\cn.exe
C:\WINNT\system32\Winmsi.exe
C:\WINNT\system32\??pPatch\wuaclt.exe
C:\WINNT\UmljaGFyZCBZYXRlcw\command.exe
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\PAGEFILE.SYS
C:\CONFIG.SYS
C:\IO.SYS
C:\MSDOS.SYS

Finished

and HijackThis.log

Logfile of HijackThis v1.99.1
Scan saved at 1:02:21 PM, on 1/16/2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\netdde.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\termsrv.exe
c:\winnt\system32\Winmsi.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
c:\winnt\system32\cn.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\notepad.exe
C:\WINNT\System32\dmadmin.exe
C:\Program Files\NavNT\vptray.exe
C:\program files\timbuktu pro\tb2logon.exe
C:\PROGRA~1\COMMON~1\iqzw\iqzwm.exe
C:\WINNT\system32\PPATCH~1\wuaclt.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\COMMON~1\iqzw\iqzwa.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\COMMON~1\iqzw\iqzwl.exe
C:\temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {56FCF203-43EA-694A-B9EF-47A6082ACD90} - C:\WINNT\system32\ohisam.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56FCF203-43EA-694A-B9EF-47A6082ACD90} - C:\WINNT\system32\ohisam.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [mdac_runonce] C:\WINNT\System32\runonce.exe
O4 - HKLM\..\Run: [3c1807pd] C:\WINNT\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TLogonPath] "c:\program files\timbuktu pro\tb2logon.exe"
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINNT\system32\seqpxwox.dll",setvm
O4 - HKLM\..\Run: [NetCat] C:\winnt\system32\a.exe nc.bat
O4 - HKLM\..\Run: [NetworkStartup] net share IPC$ /delete /yes
O4 - HKLM\..\Run: [Secure] net share ADMIN$ /delete /yes
O4 - HKLM\..\Run: [Secure1] net share C$ /delete /yes
O4 - HKCU\..\Run: [iqzw] C:\PROGRA~1\COMMON~1\iqzw\iqzwm.exe
O4 - HKCU\..\Run: [Ebsm] "C:\WINNT\system32\PPATCH~1\wuaclt.exe" -vt yazb
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O16 - DPF: {1663ED61-23EB-11D2-B92F-008048FDD814} (MeadCo ScriptX) - http://www.meadroid.com/scriptx/ScriptX.cab
O16 - DPF: {171F3010-C356-11D3-907B-00AA00443984} (strprint.trprints) - https://partnering.one.microsoft.com/mcp/certtools/MCPTranscriptPrint.CAB
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://www.meadroid.com/scriptx/beta/smsx.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E565B39-02D9-4D68-9D10-6429E46A7536}: NameServer = 64.238.96.12,66.180.96.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0F60A13-71A8-4CD8-AC46-4DCF55DD587E}: NameServer = 64.238.96.12,66.180.96.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{3E565B39-02D9-4D68-9D10-6429E46A7536}: NameServer = 64.238.96.12,66.180.96.12
O17 - HKLM\System\CS3\Services\Tcpip\..\{3E565B39-02D9-4D68-9D10-6429E46A7536}: NameServer = 64.238.96.12,66.180.96.12
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: Timbuktu Pro - c:\program files\timbuktu pro\Hook32.dll
O23 - Service: Alerter - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: Application Management (AppMgmt) - Unknown owner - C:\WINNT\system32\services.exe
O23 - Service: Computer Browser (Browser) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Logical Disk Manager (dmserver) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINNT\system32\services.exe
O23 - Service: fxSVC (fxScanner) - Unknown owner - c:\winnt\svhots.exe
O23 - Service: Server (lanmanserver) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: Workstation (lanmanworkstation) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: TCP/IP NetBIOS Helper Service (LmHosts) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: Messenger - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: ccApp (NavUpt) - Unknown owner - c:\winnt\system32\ccProxy.exe
O23 - Service: Network DDECON (NetDDC) - Unknown owner - C:\WINNT\system32\netcon.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Kernel System Process (NTKernel) - Unknown owner - C:\WINNT\system32\medctroc.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINNT\system32\services.exe
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINNT\system32\services.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - c:\winnt\system32\spoolmgr.exe" /service (file missing)
O23 - Service: RunAs Service (seclogon) - Unknown owner - C:\WINNT\system32\services.exe
O23 - Service: Spools Print spol (Spools) - Unknown owner - C:\WINNT\system32\spools.exe
O23 - Service: Distributed Link Tracking Server (TrkSvr) - Unknown owner - C:\WINNT\system32\services.exe
O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown owner - C:\WINNT\system32\services.exe
O23 - Service: Windows Time (W32Time) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: Winlogon (WINlog) - Unknown owner - c:\winnt\system32\Winmsi.exe
O23 - Service: Windows Management Instrumentation Driver Extensions (Wmi) - Unknown owner - C:\WINNT\system32\Services.exe
 
Hi

Looking better

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Send:

- a fresh HijackThis log
- combofix report
- vundofix report
 
OK, downloaded and ran the programs you suggested... here are the results:
HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:28:33 AM, on 1/17/2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\netdde.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\termsrv.exe
c:\winnt\system32\Winmsi.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
c:\winnt\system32\cn.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\program files\timbuktu pro\tb2logon.exe
C:\PROGRA~1\COMMON~1\iqzw\iqzwm.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\COMMON~1\iqzw\iqzwa.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsgSys.EXE
C:\PROGRA~1\COMMON~1\iqzw\iqzwl.exe
C:\temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {56FCF203-43EA-694A-B9EF-47A6082ACD90} - C:\WINNT\system32\ohisam.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56FCF203-43EA-694A-B9EF-47A6082ACD90} - C:\WINNT\system32\ohisam.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [mdac_runonce] C:\WINNT\System32\runonce.exe
O4 - HKLM\..\Run: [3c1807pd] C:\WINNT\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TLogonPath] "c:\program files\timbuktu pro\tb2logon.exe"
O4 - HKLM\..\Run: [NetCat] C:\winnt\system32\a.exe nc.bat
O4 - HKLM\..\Run: [NetworkStartup] net share IPC$ /delete /yes
O4 - HKLM\..\Run: [Secure] net share ADMIN$ /delete /yes
O4 - HKLM\..\Run: [Secure1] net share C$ /delete /yes
O4 - HKCU\..\Run: [iqzw] C:\PROGRA~1\COMMON~1\iqzw\iqzwm.exe
O4 - HKCU\..\Run: [Ebsm] "C:\WINNT\system32\PPATCH~1\wuaclt.exe" -vt yazb
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O16 - DPF: {1663ED61-23EB-11D2-B92F-008048FDD814} (MeadCo ScriptX) - http://www.meadroid.com/scriptx/ScriptX.cab
O16 - DPF: {171F3010-C356-11D3-907B-00AA00443984} (strprint.trprints) - https://partnering.one.microsoft.com/mcp/certtools/MCPTranscriptPrint.CAB
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://www.meadroid.com/scriptx/beta/smsx.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E565B39-02D9-4D68-9D10-6429E46A7536}: NameServer = 64.238.96.12,66.180.96.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0F60A13-71A8-4CD8-AC46-4DCF55DD587E}: NameServer = 64.238.96.12,66.180.96.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{3E565B39-02D9-4D68-9D10-6429E46A7536}: NameServer = 64.238.96.12,66.180.96.12
O17 - HKLM\System\CS3\Services\Tcpip\..\{3E565B39-02D9-4D68-9D10-6429E46A7536}: NameServer = 64.238.96.12,66.180.96.12
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: Timbuktu Pro - c:\program files\timbuktu pro\Hook32.dll
O23 - Service: Alerter - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: Application Management (AppMgmt) - Unknown owner - C:\WINNT\system32\services.exe
O23 - Service: Computer Browser (Browser) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Logical Disk Manager (dmserver) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINNT\system32\services.exe
O23 - Service: fxSVC (fxScanner) - Unknown owner - c:\winnt\svhots.exe
O23 - Service: Server (lanmanserver) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: Workstation (lanmanworkstation) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: TCP/IP NetBIOS Helper Service (LmHosts) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: Messenger - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: ccApp (NavUpt) - Unknown owner - c:\winnt\system32\ccProxy.exe
O23 - Service: Network DDECON (NetDDC) - Unknown owner - C:\WINNT\system32\netcon.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Kernel System Process (NTKernel) - Unknown owner - C:\WINNT\system32\medctroc.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINNT\system32\services.exe
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINNT\system32\services.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - c:\winnt\system32\spoolmgr.exe" /service (file missing)
O23 - Service: RunAs Service (seclogon) - Unknown owner - C:\WINNT\system32\services.exe
O23 - Service: Spools Print spol (Spools) - Unknown owner - C:\WINNT\system32\spools.exe
O23 - Service: Distributed Link Tracking Server (TrkSvr) - Unknown owner - C:\WINNT\system32\services.exe
O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown owner - C:\WINNT\system32\services.exe
O23 - Service: Windows Time (W32Time) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: Winlogon (WINlog) - Unknown owner - c:\winnt\system32\Winmsi.exe
O23 - Service: Windows Management Instrumentation Driver Extensions (Wmi) - Unknown owner - C:\WINNT\system32\Services.exe

ComboFix.txt:

"Administrator" - Tue 01/16/2007 15:07:33 Service Pack 3
ComboFix 07-01-16.2 - Running from: "C:\Documents and Settings\Administrator\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\WINNT\system32\2.exe
C:\WINNT\system32\a.txt
C:\WINNT\system32\2.exe
C:\Program Files\Ipwindows\ipwins.dll
C:\Program Files\Ipwindows\ipwins.exe
C:\WINNT\system32\unsvchosts.lzma
C:\Program Files\Ipwindows
C:\Program Files\Outerinfo
C:\Program Files\VSAdd-in
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\WINNT\system32\PPATCH~1
C:\qoobox\purity\WINNT\system32\PPATCH~1\??pPatch
C:\qoobox\purity\WINNT\system32\PPATCH~1\wuaclt.exe


((((((((((((((((((((((((((((((( Files Created from 2006-12-16 to 2007-01-16 ))))))))))))))))))))))))))))))))))


2007-01-16 09:58 <DIR> d-------- C:\SDFix
2007-01-15 16:28 60,416 --a------ C:\WINNT\system32\ohisam.dll
2007-01-15 05:28 46 --a------ C:\WINNT\scan500.bat
2007-01-15 04:22 61,440 --ahs---- C:\WINNT\system32\Winmsi.exe
2007-01-15 04:21 48,640 --ahs---- C:\WINNT\system32\cn.exe
2007-01-15 04:21 106 --a------ C:\WINNT\system32\hide.reg
2007-01-15 04:20 65,536 --a------ C:\WINNT\psservice.exe
2007-01-15 04:20 147,456 --a------ C:\WINNT\psshutdown.exe
2007-01-15 04:20 106,496 --a------ C:\WINNT\pssuspend.exe
2007-01-15 04:19 86,016 --a------ C:\WINNT\psloglist.exe
2007-01-15 04:19 86,016 --a------ C:\WINNT\pslist.exe
2007-01-15 04:19 61,440 --a------ C:\WINNT\psloggedon.exe
2007-01-15 04:19 57,344 --a------ C:\WINNT\pspasswd.exe
2007-01-15 04:19 49,152 --a------ C:\WINNT\psfile.exe
2007-01-15 04:19 143,360 --a------ C:\WINNT\Psinfo.exe
2007-01-15 04:19 143,360 --a------ C:\WINNT\psexec.exe
2007-01-15 04:19 126,976 --a------ C:\WINNT\psgetsid.exe
2007-01-15 04:19 122,880 --a------ C:\WINNT\pskill.exe
2007-01-15 04:15 86,016 --a------ C:\WINNT\system32\pslist.exe
2007-01-15 04:15 65,536 --a------ C:\WINNT\system32\psservice.exe
2007-01-15 04:15 122,880 --a------ C:\WINNT\system32\pskill.exe
2007-01-15 04:15 114,688 --a------ C:\WINNT\system32\fport.exe
2007-01-11 10:08 <DIR> d-------- C:\WINNT\system32\ActiveScan
2007-01-10 12:02 2 --a------ C:\WINNT\system32\wcpcc.exe
2007-01-09 09:38 <DIR> d-------- C:\WINNT\iqzw
2007-01-09 09:38 <DIR> d-------- C:\Program Files\Common Files\iqzw
2007-01-09 09:11 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\Application Data\Help
2007-01-08 11:14 0 --a------ C:\WINNT\system32\evil.exe
2007-01-08 10:52 118 --a------ C:\WINNT\system32\geltf.bat
2007-01-08 09:21 33,952 --a------ C:\WINNT\system32\drivers\oreans32.sys
2007-01-08 08:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
2007-01-08 05:16 <DIR> d--hs---- C:\WINNT\UmljaGFyZCBZYXRlcw
2007-01-08 04:52 92,485 --a------ C:\WINNT\system32\mc-110-12-0000144.exe
2007-01-08 04:31 831 --a------ C:\WINNT\system32\_NavCClt.dll
2007-01-08 04:31 5 --a------ C:\WINNT\system32\start.dll
2007-01-08 04:31 3 --a------ C:\WINNT\system32\system.dll
2007-01-08 04:31 3 --a------ C:\WINNT\system32\off.dll
2007-01-07 07:02 94,208 --a------ C:\WINNT\system32\psk.exe
2007-01-07 07:02 86,016 --a------ C:\WINNT\system32\psl.exe
2007-01-07 07:02 6,144 --a------ C:\WINNT\system32\Hiderun.exe
2007-01-07 07:02 2,824 --a------ C:\WINNT\system32\winrundll32.dll
2007-01-07 07:02 131,072 --a------ C:\WINNT\system32\Psinfo.exe
2007-01-07 07:02 1,935 --a------ C:\WINNT\system32\cnbjman.dll
2007-01-07 07:02 <DIR> d-------- C:\recycler
2007-01-07 07:01 808 --a------ C:\WINNT\system32\ReStartS.bat
2007-01-07 07:01 201,216 --a------ C:\WINNT\system32\unrar.exe
2007-01-06 18:41 81,684 --a------ C:\WINNT\system32\gcppbeev.dll
2007-01-03 18:28 118,804 --a------ C:\WINNT\system32\seqpxwox.dll
2006-12-30 18:43 44,060 --a------ C:\WINNT\system32\xyvckylu.dll
2006-12-30 18:42 81,684 --a------ C:\WINNT\system32\lcbljqna.dll
2006-12-28 16:24 57,856 --a------ C:\urdvxc.exe
2006-12-27 19:25 103,248 -ra------ C:\WINNT\system32\wdfmrg.exe
2006-12-26 09:50 <DIR> d-------- C:\FOUND.001
2006-12-23 17:50 22,541 ---hs---- C:\WINNT\system32\gebcyvs.dll
2006-12-23 17:23 22,541 ---hs---- C:\WINNT\system32\vturqnl.dll
2006-12-23 15:26 22,541 ---hs---- C:\WINNT\system32\mljgfgf.dll
2006-12-23 08:58 826,219 ---hs---- C:\WINNT\system32\aayay.bak2
2006-12-22 19:19 22,541 ---hs---- C:\WINNT\system32\gebbbcy.dll
2006-12-22 18:21 22,541 ---hs---- C:\WINNT\system32\tuvsssr.dll
2006-12-22 09:02 943,484 ---hs---- C:\WINNT\system32\aayay.bak1
2006-12-22 08:56 277,044 ---hs---- C:\WINNT\system32\yayaa.dll
2006-12-22 08:04 22,541 ---hs---- C:\WINNT\system32\gebabyx.dll
2006-12-19 20:35 4,267 --a------ C:\U.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-09 11:26 831 --a------ C:\WINNT\system32\_navcclt.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"iqzw"="C:\\PROGRA~1\\COMMON~1\\iqzw\\iqzwm.exe"
"Ebsm"="\"C:\\WINNT\\system32\\PPATCH~1\\wuaclt.exe\" -vt yazb"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"mdac_runonce"="C:\\WINNT\\System32\\runonce.exe"
"3c1807pd"="C:\\WINNT\\SYSTEM32\\3cmlink.exe RunServices \\Device\\3cpipe-3c1807pd"
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"
"TLogonPath"="\"c:\\program files\\timbuktu pro\\tb2logon.exe\""
"DllRunning"="rundll32.exe \"C:\\WINNT\\system32\\seqpxwox.dll\",setvm"
"NetCat"="C:\\winnt\\system32\\a.exe nc.bat"
"NetworkStartup"="net share IPC$ /delete /yes"
"Secure"="net share ADMIN$ /delete /yes"
"Secure1"="net share C$ /delete /yes"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{087FC023-DC5B-41E6-9286-953D382070C1}"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Microsoft"="qtask.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Timbuktu Pro

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\NTKernel
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WINlog

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
tapisrv REG_MULTI_SZ Tapisrv\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0




~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070110-155050-601
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{342DD~1\Bar888.dll (file missing)
backup-20070110-155050-104
O2 - BHO: (no name) - {087FC023-DC5B-41E6-9286-953D382070C1} - C:\WINNT\system32\tuvsssr.dll
backup-20070110-155050-884
O2 - BHO: (no name) - {2AD5C79D-7D05-4FA5-BBEE-8C947456490A} - C:\WINNT\system32\yayaa.dll
backup-20070110-155050-496
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINNT\system32\xyvckylu.dll
backup-20070110-155050-779
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{342DD~1\Bar888.dll (file missing)
backup-20070110-155050-187
R3 - URLSearchHook: (no name) - {CCF40B53-E2BE-971A-BB4F-ED6C546F0491} - C:\WINNT\system32\cbh.dll
backup-20070110-155050-868
O4 - HKLM\..\Run: [{142DDAE9-02E0-1033-0621-009809080001}] "C:\Program Files\Common Files\{142DDAE9-02E0-1033-0621-009809080001}\Update.exe" mc-110-12-0000144
backup-20070110-155050-408
O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
backup-20070110-155050-402
O4 - HKLM\..\Run: [{142DDAE9-02E1-1033-0621-009809080001}] "C:\Program Files\Common Files\{142DDAE9-02E1-1033-0621-009809080001}\Update.exe" mc-110-12-0000144
backup-20070110-155050-156
O20 - Winlogon Notify: tuvsssr - C:\WINNT\SYSTEM32\tuvsssr.dll
backup-20070110-155050-240
O20 - Winlogon Notify: yayaa - C:\WINNT\system32\yayaa.dll
Completion time: Tue 2007-01-16 15:10:07

VundoFix.txt:


VundoFix V6.3.2

Checking Java version...

Sun Java not detected
Scan started at 3:11:20 PM 1/16/2007

Listing files found while scanning....

C:\WINNT\system32\gcppbeev.dll
C:\WINNT\system32\gebabyx.dll
C:\WINNT\system32\gebbbcy.dll
C:\WINNT\system32\gebcyvs.dll
C:\WINNT\system32\lcbljqna.dll
C:\WINNT\system32\ltrojwnp.dll
C:\WINNT\system32\mljgfgf.dll
C:\WINNT\system32\seqpxwox.dll
C:\WINNT\system32\tuvsssr.dll
C:\WINNT\system32\vturqnl.dll
C:\WINNT\system32\xowxpqes.ini

Beginning removal...

Attempting to delete C:\WINNT\system32\gcppbeev.dll
C:\WINNT\system32\gcppbeev.dll Has been deleted!

Attempting to delete C:\WINNT\system32\gebabyx.dll
C:\WINNT\system32\gebabyx.dll Has been deleted!

Attempting to delete C:\WINNT\system32\gebbbcy.dll
C:\WINNT\system32\gebbbcy.dll Has been deleted!

Attempting to delete C:\WINNT\system32\gebcyvs.dll
C:\WINNT\system32\gebcyvs.dll Has been deleted!

Attempting to delete C:\WINNT\system32\lcbljqna.dll
C:\WINNT\system32\lcbljqna.dll Has been deleted!

Attempting to delete C:\WINNT\system32\mljgfgf.dll
C:\WINNT\system32\mljgfgf.dll Has been deleted!

Attempting to delete C:\WINNT\system32\seqpxwox.dll
C:\WINNT\system32\seqpxwox.dll Has been deleted!

Attempting to delete C:\WINNT\system32\tuvsssr.dll
C:\WINNT\system32\tuvsssr.dll Has been deleted!

Attempting to delete C:\WINNT\system32\vturqnl.dll
C:\WINNT\system32\vturqnl.dll Has been deleted!

Attempting to delete C:\WINNT\system32\xowxpqes.ini
C:\WINNT\system32\xowxpqes.ini Has been deleted!

Performing Repairs to the registry.
Done!
 
Hi

That combofix log is taken before vundofix.

Please re-run combofix and send its log here :)
 
I apoligize for the confusion. Here is the new combofix.txt log file:

"Administrator" - Wed 01/17/2007 12:21:12 Service Pack 3
ComboFix 07-01-16.2 - Running from: "C:\Documents and Settings\Administrator\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\WINNT\system32\PPATCH~1
C:\qoobox\purity\WINNT\system32\PPATCH~1\??pPatch
C:\qoobox\purity\WINNT\system32\PPATCH~1\wuaclt.exe


((((((((((((((((((((((((((((((( Files Created from 2006-12-17 to 2007-01-17 ))))))))))))))))))))))))))))))))))


2007-01-16 15:11 <DIR> d-------- C:\VundoFix Backups
2007-01-16 09:58 <DIR> d-------- C:\SDFix
2007-01-15 16:28 60,416 --a------ C:\WINNT\system32\ohisam.dll
2007-01-15 05:28 46 --a------ C:\WINNT\scan500.bat
2007-01-15 04:22 61,440 --ahs---- C:\WINNT\system32\Winmsi.exe
2007-01-15 04:21 48,640 --ahs---- C:\WINNT\system32\cn.exe
2007-01-15 04:21 106 --a------ C:\WINNT\system32\hide.reg
2007-01-15 04:20 65,536 --a------ C:\WINNT\psservice.exe
2007-01-15 04:20 147,456 --a------ C:\WINNT\psshutdown.exe
2007-01-15 04:20 106,496 --a------ C:\WINNT\pssuspend.exe
2007-01-15 04:19 86,016 --a------ C:\WINNT\psloglist.exe
2007-01-15 04:19 86,016 --a------ C:\WINNT\pslist.exe
2007-01-15 04:19 61,440 --a------ C:\WINNT\psloggedon.exe
2007-01-15 04:19 57,344 --a------ C:\WINNT\pspasswd.exe
2007-01-15 04:19 49,152 --a------ C:\WINNT\psfile.exe
2007-01-15 04:19 143,360 --a------ C:\WINNT\Psinfo.exe
2007-01-15 04:19 143,360 --a------ C:\WINNT\psexec.exe
2007-01-15 04:19 126,976 --a------ C:\WINNT\psgetsid.exe
2007-01-15 04:19 122,880 --a------ C:\WINNT\pskill.exe
2007-01-15 04:15 86,016 --a------ C:\WINNT\system32\pslist.exe
2007-01-15 04:15 65,536 --a------ C:\WINNT\system32\psservice.exe
2007-01-15 04:15 122,880 --a------ C:\WINNT\system32\pskill.exe
2007-01-15 04:15 114,688 --a------ C:\WINNT\system32\fport.exe
2007-01-11 10:08 <DIR> d-------- C:\WINNT\system32\ActiveScan
2007-01-10 12:02 2 --a------ C:\WINNT\system32\wcpcc.exe
2007-01-09 09:38 <DIR> d-------- C:\WINNT\iqzw
2007-01-09 09:38 <DIR> d-------- C:\Program Files\Common Files\iqzw
2007-01-09 09:11 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\Application Data\Help
2007-01-08 11:14 0 --a------ C:\WINNT\system32\evil.exe
2007-01-08 10:52 118 --a------ C:\WINNT\system32\geltf.bat
2007-01-08 09:21 33,952 --a------ C:\WINNT\system32\drivers\oreans32.sys
2007-01-08 08:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
2007-01-08 05:16 <DIR> d--hs---- C:\WINNT\UmljaGFyZCBZYXRlcw
2007-01-08 04:52 92,485 --a------ C:\WINNT\system32\mc-110-12-0000144.exe
2007-01-08 04:31 831 --a------ C:\WINNT\system32\_NavCClt.dll
2007-01-08 04:31 5 --a------ C:\WINNT\system32\start.dll
2007-01-08 04:31 3 --a------ C:\WINNT\system32\system.dll
2007-01-08 04:31 3 --a------ C:\WINNT\system32\off.dll
2007-01-07 07:02 94,208 --a------ C:\WINNT\system32\psk.exe
2007-01-07 07:02 86,016 --a------ C:\WINNT\system32\psl.exe
2007-01-07 07:02 6,144 --a------ C:\WINNT\system32\Hiderun.exe
2007-01-07 07:02 2,824 --a------ C:\WINNT\system32\winrundll32.dll
2007-01-07 07:02 131,072 --a------ C:\WINNT\system32\Psinfo.exe
2007-01-07 07:02 1,935 --a------ C:\WINNT\system32\cnbjman.dll
2007-01-07 07:02 <DIR> d-------- C:\recycler
2007-01-07 07:01 808 --a------ C:\WINNT\system32\ReStartS.bat
2007-01-07 07:01 201,216 --a------ C:\WINNT\system32\unrar.exe
2006-12-30 18:43 44,060 --a------ C:\WINNT\system32\xyvckylu.dll
2006-12-28 16:24 57,856 --a------ C:\urdvxc.exe
2006-12-27 19:25 103,248 -ra------ C:\WINNT\system32\wdfmrg.exe
2006-12-26 09:50 <DIR> d-------- C:\FOUND.001
2006-12-23 08:58 826,219 ---hs---- C:\WINNT\system32\aayay.bak2
2006-12-22 09:02 943,484 ---hs---- C:\WINNT\system32\aayay.bak1
2006-12-22 08:56 277,044 ---hs---- C:\WINNT\system32\yayaa.dll
2006-12-19 20:35 4,267 --a------ C:\U.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-09 11:26 831 --a------ C:\WINNT\system32\_navcclt.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"iqzw"="C:\\PROGRA~1\\COMMON~1\\iqzw\\iqzwm.exe"
"Ebsm"="\"C:\\WINNT\\system32\\PPATCH~1\\wuaclt.exe\" -vt yazb"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"mdac_runonce"="C:\\WINNT\\System32\\runonce.exe"
"3c1807pd"="C:\\WINNT\\SYSTEM32\\3cmlink.exe RunServices \\Device\\3cpipe-3c1807pd"
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"
"TLogonPath"="\"c:\\program files\\timbuktu pro\\tb2logon.exe\""
"NetCat"="C:\\winnt\\system32\\a.exe nc.bat"
"NetworkStartup"="net share IPC$ /delete /yes"
"Secure"="net share ADMIN$ /delete /yes"
"Secure1"="net share C$ /delete /yes"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{087FC023-DC5B-41E6-9286-953D382070C1}"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Microsoft"="qtask.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Timbuktu Pro

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\NTKernel
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WINlog

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
tapisrv REG_MULTI_SZ Tapisrv\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0


Completion time: Wed 2007-01-17 12:23:18
C:\ComboFix2.txt ... 07-01-16 15:10
 
Hi

Open HijackThis, click do a system scan only and checkmark these:

R3 - URLSearchHook: (no name) - {56FCF203-43EA-694A-B9EF-47A6082ACD90} - C:\WINNT\system32\ohisam.dll
O2 - BHO: (no name) - {56FCF203-43EA-694A-B9EF-47A6082ACD90} - C:\WINNT\system32\ohisam.dll
O4 - HKLM\..\Run: [NetCat] C:\winnt\system32\a.exe nc.bat
O4 - HKLM\..\Run: [NetworkStartup] net share IPC$ /delete /yes
O4 - HKLM\..\Run: [Secure] net share ADMIN$ /delete /yes
O4 - HKLM\..\Run: [Secure1] net share C$ /delete /yes
O4 - HKCU\..\Run: [iqzw] C:\PROGRA~1\COMMON~1\iqzw\iqzwm.exe
O4 - HKCU\..\Run: [Ebsm] "C:\WINNT\system32\PPATCH~1\wuaclt.exe" -vt yazb

Close all windows including browser and press fix checked.

Make you hidden and system files visible -> http://www.xtra.co.nz/help/0,,4155-1916458,00.html <--- essential!

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update succesfull message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
______________________________

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________

Delete if present:

C:\WINNT\system32\wcpcc.exe
C:\WINNT\iqzw
C:\Program Files\Common Files\iqzw
C:\WINNT\system32\ohisam.dll
C:\WINNT\system32\xyvckylu.dll
C:\urdvxc.exe
C:\WINNT\system32\wdfmrg.exe
C:\WINNT\system32\aayay.bak2
C:\WINNT\system32\aayay.bak1
C:\WINNT\system32\yayaa.dll
C:\U.exe
C:\WINNT\system32\Winmsi.exe
C:\WINNT\system32\cn.exe
C:\WINNT\system32\evil.exe
C:\WINNT\system32\geltf.bat
C:\WINNT\system32\drivers\oreans32.sys
C:\WINNT\UmljaGFyZCBZYXRlcw
C:\WINNT\system32\mc-110-12-0000144.exe

Empty Recycle Bin

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer, all browsers and quit any instances of Windows Explorer.

For Internet Explorer 7
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete... under Browsing History.
  • Next to Temporary Internet Files, click Delete files, and then click OK.
  • Next to Cookies, click Delete cookies, and then click OK.
  • Next to History, click Delete history, and then click OK.
  • Click the Close button.
  • Click OK.
For Internet Explorer 4.x - 6.x
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
For Netscape 4.x and Up
  • Click Edit from the Netscape menubar.
  • Click Preferences... from the Edit menu.
  • Expand the Advanced menu by clicking the triangle sign.
  • Click Cache.
  • Click both the Clear Memory Cache and the Clear Disk Cache buttons.
For Mozilla 1.x and Up
  • Click Edit from the Mozilla menubar.
  • Click Preferences... from the Edit menu.
  • Expand the Advanced menu by clicking the plus sign.
  • Click Cache.
  • Click the Clear Cache button.
For Opera
  • Click File from the Opera menubar.
  • Click Preferences... from the File menu.
  • Click the History and Cache menu.
  • Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
  • Click Ok to close the Preferences menu.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      scanavgjk2.jpg
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
______________________________

Download F-Secure Blacklight and save it to your desktop -> https://europe.f-secure.com/blacklight/try.shtml

Doubleclick blbeta.exe, accept the agreement, click Scan, then click Next

You'll see a list what have been found. A log will appear to your desktop, it is named fsbl.xxxxxxx.log (xxxxxxx will be random numbers).

DON'T choose Rename if something was found!

Post the contents of fsbl.xxxx.log to here (xxxx= random numbers,blacklight log from your desktop)

Please post:
  1. blacklight log
  2. AVG Anti-Spyware log
  3. A new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.
 
HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 9:02:24 AM, on 1/18/2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\netdde.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\program files\timbuktu pro\tb2logon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\mdm.exe
C:\temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [mdac_runonce] C:\WINNT\System32\runonce.exe
O4 - HKLM\..\Run: [3c1807pd] C:\WINNT\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TLogonPath] "c:\program files\timbuktu pro\tb2logon.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O16 - DPF: {1663ED61-23EB-11D2-B92F-008048FDD814} (MeadCo ScriptX) - http://www.meadroid.com/scriptx/ScriptX.cab
O16 - DPF: {171F3010-C356-11D3-907B-00AA00443984} (strprint.trprints) - https://partnering.one.microsoft.com/mcp/certtools/MCPTranscriptPrint.CAB
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://www.meadroid.com/scriptx/beta/smsx.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E565B39-02D9-4D68-9D10-6429E46A7536}: NameServer = 64.238.96.12,66.180.96.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0F60A13-71A8-4CD8-AC46-4DCF55DD587E}: NameServer = 64.238.96.12,66.180.96.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{3E565B39-02D9-4D68-9D10-6429E46A7536}: NameServer = 64.238.96.12,66.180.96.12
O17 - HKLM\System\CS3\Services\Tcpip\..\{3E565B39-02D9-4D68-9D10-6429E46A7536}: NameServer = 64.238.96.12,66.180.96.12
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: Timbuktu Pro - c:\program files\timbuktu pro\Hook32.dll
O23 - Service: Alerter - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: Application Management (AppMgmt) - Unknown owner - C:\WINNT\system32\services.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Computer Browser (Browser) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Logical Disk Manager (dmserver) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINNT\system32\services.exe
O23 - Service: fxSVC (fxScanner) - Unknown owner - c:\winnt\svhots.exe
O23 - Service: Server (lanmanserver) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: Workstation (lanmanworkstation) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: TCP/IP NetBIOS Helper Service (LmHosts) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: Messenger - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: ccApp (NavUpt) - Unknown owner - c:\winnt\system32\ccProxy.exe
O23 - Service: Network DDECON (NetDDC) - Unknown owner - C:\WINNT\system32\netcon.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Kernel System Process (NTKernel) - Unknown owner - C:\WINNT\system32\medctroc.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINNT\system32\services.exe
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINNT\system32\services.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - c:\winnt\system32\spoolmgr.exe" /service (file missing)
O23 - Service: RunAs Service (seclogon) - Unknown owner - C:\WINNT\system32\services.exe
O23 - Service: Spools Print spol (Spools) - Unknown owner - C:\WINNT\system32\spools.exe
O23 - Service: Distributed Link Tracking Server (TrkSvr) - Unknown owner - C:\WINNT\system32\services.exe
O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown owner - C:\WINNT\system32\services.exe
O23 - Service: Windows Time (W32Time) - Unknown owner - C:\WINNT\System32\services.exe
O23 - Service: Winlogon (WINlog) - Unknown owner - c:\winnt\system32\Winmsi.exe (file missing)
O23 - Service: Windows Management Instrumentation Driver Extensions (Wmi) - Unknown owner - C:\WINNT\system32\Services.exe


AVG Anti-Spyware Log:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:24:14 PM 1/17/2007

+ Scan result:



C:\temp\backups\backup-20070117-144458-731.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINNT\system32\svchosts.exe_old -> Downloader.Agent.bca : Cleaned with backup (quarantined).
C:\WINNT\system32\samdump.dll -> Not-A-Virus.PSWTool.Win32.PWDump2 : Cleaned with backup (quarantined).
C:\WINNT\system32\wins\samdump.dll -> Not-A-Virus.PSWTool.Win32.PWDump2 : Cleaned with backup (quarantined).
C:\WINNT\system32\raddrv.dll -> Not-A-Virus.RemoteAdmin.Win32.RAdmin.20 : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/update.exe -> Not-A-Virus.RemoteAdmin.Win32.RAdmin.21 : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\administrator@247realmedia[2].txt -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@oasc02.247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@track.adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@bfast[1].txt -> TrackingCookie.Bfast : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@centrport[1].txt -> TrackingCookie.Centrport : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@centrport[2].txt -> TrackingCookie.Centrport : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@com[2].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@enhance[2].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@media.fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-intel.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ads.link4ads[1].txt -> TrackingCookie.Link4ads : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@linksynergy[2].txt -> TrackingCookie.Linksynergy : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@data2.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@gm.preferences[1].txt -> TrackingCookie.Preferences : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@preferences[2].txt -> TrackingCookie.Preferences : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@spinbox[1].txt -> TrackingCookie.Spinbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
C:\VundoFix Backups\gebabyx.dll.bad -> Trojan.AutoAff : Cleaned with backup (quarantined).
C:\VundoFix Backups\gebbbcy.dll.bad -> Trojan.AutoAff : Cleaned with backup (quarantined).
C:\VundoFix Backups\gebcyvs.dll.bad -> Trojan.AutoAff : Cleaned with backup (quarantined).
C:\VundoFix Backups\mljgfgf.dll.bad -> Trojan.AutoAff : Cleaned with backup (quarantined).
C:\VundoFix Backups\tuvsssr.dll.bad -> Trojan.AutoAff : Cleaned with backup (quarantined).
C:\VundoFix Backups\vturqnl.dll.bad -> Trojan.AutoAff : Cleaned with backup (quarantined).
C:\temp\backups\backup-20070110-155050-104.dll -> Trojan.AutoAff : Cleaned with backup (quarantined).


::Report end

The BlackLight Log came out at about 48MB. Would you prefer I zip and upload that?
 
Hi

If Blacklight log is 48 Mb, you have so serious rootkit infections that continuing this cleaning process is just waste of time for both of us.

I recommend to format & re-install; there's absolutely no point to continue.
 
Hi

You're welcome and I'm sorry that you had so severe infections that cleaning process got aborted :)
 
This Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
 
You must log in or register to reply here.
Back
Top