Help please....Spyware has taken over!

Baabiouz · Jul 4, 2008

Hello

Step #1
Please click your Start button then Click on Run and type in the following without the quotes: "notepad" Then copy (Ctrl C) and paste (Ctrl V) the following text in the codebox,

Code:

KillAll::

File::
C:\WINDOWS\SYSTEM32\rswnw64l.exe
C:\WINDOWS\SYSTEM32\11.tmp
C:\WINDOWS\SYSTEM32\iphone-011.ico
C:\WINDOWS\SYSTEM32\{58c2a5a9-2e8f-6f69-4e92-e40944b64c1b}.dll-uninst.exe
C:\WINDOWS\SYSTEM32\pinkip.ico
C:\WINDOWS\SYSTEM32\jkkKDurS.dll¨
C:\WINDOWS\SYSTEM32\xx_tcntaxdm.exe
C:\WINDOWS\SYSTEM32\uoyzsydz.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\users32.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\win64.exe
C:\WINDOWS\window.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\accesss.exe

Folder::
C:\Program Files\xx_Outerinfo
C:\Program Files\xx_Network Monitor
C:\WINDOWS\SYSTEM32\netrax06
C:\WINDOWS\SYSTEM32\eb10
C:\WINDOWS\SYSTEM32\bgi¨
C:\WINDOWS\SYSTEM32\axc
C:\WINDOWS\SYSTEM32\8608
C:\WINDOWS\SYSTEM32\1049a
C:\Program Files\xx_mjc
C:\Program Files\xx_Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint

Driver::
jatmlano

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11A7A749-0381-4AE2-940B-27EC006D6006}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkKDurS]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\Windows\\System32\\userinit.exe,"

Save this as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Step #2
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download SDFix by AndyManchesta and save it to your desktop.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"

Double click SDFix.exe and it will extract the files to %systemdrive%
(this is the drive that contains the Windows Directory, typically C:\SDFix).
DO NOT use it just yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.

Type Y to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Copy and paste the contents of the results file Report.txt in your next replyalong with a new HijackThis log.

-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe

Step #3
Please download ATF-cleaner and save it to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Step #4
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

Make sure you are connected to the Internet.
Double-click on Download_mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
- Make sure the "Perform Quick Acan" option is selected.
- Then click on the Scan button.
The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Step #5
Please post Combofix log, Sdfix log and Mbam log

hillcountry · Jul 5, 2008

:bigthumb:

Finally........I am on the "INFECTED" system .......I can get to the forum!!!!!!!!!

Thanks again for all your help...................

The requested logs follow:

COMBOFIX LOG:

ComboFix 08-07-01.5 - Kathy 2008-07-04 21:44:41.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.264 [GMT -5:00]
Running from: C:\Documents and Settings\Kathy\Desktop\Country1.exe
Command switches used :: C:\Documents and Settings\Kathy\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\accesss.exe
C:\WINDOWS\SYSTEM32\{58c2a5a9-2e8f-6f69-4e92-e40944b64c1b}.dll-uninst.exe
C:\WINDOWS\SYSTEM32\11.tmp
C:\WINDOWS\SYSTEM32\iphone-011.ico
C:\WINDOWS\SYSTEM32\jkkKDurS.dll¨
C:\WINDOWS\SYSTEM32\pinkip.ico
C:\WINDOWS\SYSTEM32\rswnw64l.exe
C:\WINDOWS\SYSTEM32\uoyzsydz.exe
C:\WINDOWS\SYSTEM32\xx_tcntaxdm.exe
C:\WINDOWS\users32.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\win64.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\window.exe
C:\WINDOWS\winmgnt.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Program Files\xx_mjc
C:\Program Files\xx_mjc\mjc.exe
C:\Program Files\xx_Network Monitor
C:\Program Files\xx_Outerinfo
C:\Program Files\xx_Outerinfo\FF\chrome.manifest
C:\Program Files\xx_Outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\xx_Outerinfo\FF\install.rdf
C:\Program Files\xx_Viewpoint
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\AxMetaStream.dll
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\ComponentMgr.dll
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\ComponentMgr_03000C09.dll
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\ComponentRegistry.ini
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Components\AOLArt.dll
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Components\AOLShell.dll
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Components\BlueStreak.dll
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Components\Cursors.dll
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Components\DataTracking.dll
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Components\JpegReader.dll
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Components\Mts3Reader.dll
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Components\SceneComponent.dll
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Components\SreeDMMX.dll
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Components\SWFView.dll
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Components\VMPAudio.dll
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Components\VMPExtras.dll
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Components\VMPVideo.dll
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Components\ZoomView.dll
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\HostRegistry.ini
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\MetaStreamID.ini
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\MtsAxInstaller.exe
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\MTSDownloadSites.txt
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\NewComponents\GifReader.dll
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\NewComponents\JpegReader.dll
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\NewComponents\LensFlares.dll
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\NewComponents\Mts2Reader.dll
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\NewComponents\Mts3Reader.dll
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\NewComponents\ObjectMovie.dll
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\NewComponents\SceneComponent.dll
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\NewComponents\ServiceComponent.dll
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\NewComponents\SreeDMMX.dll
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\NewComponents\SWFView.dll
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\NewComponents\VMPSpeech.dll
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\NewComponents\WaveletReader.dll
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\npViewpoint.xpt
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-1054744159.mtx
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-1257552095.712536053
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-1476482372.712535979
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-1550700062.mtx
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-1675323418.713836840
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-1744624506.713836803
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-1767541886.713836716
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-1792851963.712535981
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-30194386.mtx
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-685991849.712535954
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-708065856.713836749
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-732913299.712536002
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-763019087.713836937
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-96559883.mtx
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\1245642490.swf
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\1310621514.MTZ
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\1461440338.712535953
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\1564877131.712535908
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\1570719127.mtz
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\1677212898.MTZ
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\1989748647.mtx
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\260856911.swf
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\385814962.712536011
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\501688438.712536046
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\788574769.swf
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\806019822.swf
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\984838872.MTZ
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\URLCache.ini
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\-1041161462.mtx
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\-1216699398.mtx
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\-167467785.712535921
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\-1735078747.713836821
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\-2040853405.mtx
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\-378119151.712535947
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\-583022627.712535910
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\-787478019.712535915
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\-934711713.mzv
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\-982355842.712536070
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\1176327029.713836865
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\1220223377.712535992
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\1247495568.712535999
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\1304666343.712536034
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\346281577.713836896
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\512589962.712536028
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\515913131.swf
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\570073743.713863076
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\669323.MZV
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\768763562.712535994
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\860502393.712536026
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\925975223.mtx
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\URLCache.ini
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-1140250495.713836908
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-1149444489.712536068
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-1219180738.713836830
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-1270717649.mtx
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-1438713594.mtx
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-1610302144.712536009
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-1651440994.712535931
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-1703207075.swf
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-1801392204.712535990
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-1817435829.712536059
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-1819899927.mtx
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-2034384745.713836872
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-2108356295.712535989
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-243470204.712536022
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-300725744.mtx
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-409850055.MZV
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-41890203.712536041
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-582640680.712536049
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-668285516.mtx
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-72580264.mtx
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-764272172.712535942
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-873239058.mzv
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-874450858.mzv
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-876522365.mzv
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-876665365.mzv
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\1180029957.SWF
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\1229517749.712535939
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\1385903037.713836769
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\143415706.712536017
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\1520622600.712535996
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\172992995.mtx
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\1912596568.swf
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\1958035952.MZV
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\407034558.ini
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\434599021.mtx
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\572282914.swf
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\758311280.swf
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\URLCache.ini
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\-1037005395.713836741
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\-1106322216.mtx
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\-1294591352.712536065
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\-1307685966.713836843
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\-1603077681.712535983
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\-1625577909.713836700
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\-1720476204.mtx
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\-1799102199.713836711
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\-1819776479.SWF
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\-1877319710.713836793
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\-1926077123.712535997
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\-1998781022.mzv
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\-2026298244.swf
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\-244709335.swf
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\-53941009.swf
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\-583862537.712536063
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\-66919675.712536043
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\-875462127.mzv
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\-888421087.MTZ
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\1071317150.713836906
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\119964245.713836888
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\1310621507.MTS
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\1382942631.713836864
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\1385887584.713836838
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\1418335590.713836807
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\1669572585.712536032
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\1838517554.712536007
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\2021793278.712535944
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\489659170.712536061
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\581741786.713836754
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\582067880.712535985
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\746857229.713836914
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\770800983.712535978
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\871600237.MZV
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\879056853.712535933
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\932053967.712536014
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\980018594.mtx
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\URLCache.ini
C:\Program Files\xx_Viewpoint\Viewpoint Experience Technology\Resources\UpdateVersionList_v2.mtx
C:\WINDOWS\accesss.exe
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\avpcc.dll
C:\WINDOWS\clrssn.exe
C:\WINDOWS\cpan.dll
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\default.htm
C:\WINDOWS\directx32.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\editpad.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\funny.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\iedll.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\inetinf.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\loader.exe
C:\WINDOWS\msconfd.dll
C:\WINDOWS\msspi.dll
C:\WINDOWS\mssys.exe
C:\WINDOWS\msupdate.exe
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\notepad32.exe
C:\WINDOWS\olehelp.exe
C:\WINDOWS\qttasks.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\searchword.dll
C:\WINDOWS\sistem.exe
C:\WINDOWS\svchost32.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\SYSTEM32\{58c2a5a9-2e8f-6f69-4e92-e40944b64c1b}.dll-uninst.exe
C:\WINDOWS\SYSTEM32\1049a
C:\WINDOWS\SYSTEM32\11.tmp
C:\WINDOWS\SYSTEM32\8608
C:\WINDOWS\SYSTEM32\8608\~!31774p.spt
C:\WINDOWS\SYSTEM32\axc
C:\WINDOWS\SYSTEM32\axc\ashcom3e.exe
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\SYSTEM32\eb10
C:\WINDOWS\SYSTEM32\eb10\zvuxderr.exe
C:\WINDOWS\SYSTEM32\iphone-011.ico
C:\WINDOWS\SYSTEM32\netrax06
C:\WINDOWS\SYSTEM32\netrax06\netrax061083.exe
C:\WINDOWS\SYSTEM32\pinkip.ico
C:\WINDOWS\SYSTEM32\rswnw64l.exe
C:\WINDOWS\SYSTEM32\uoyzsydz.exe
C:\WINDOWS\SYSTEM32\xx_tcntaxdm.exe
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\time.exe
C:\WINDOWS\users32.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\win64.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\window.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\x.exe
C:\WINDOWS\xplugin.dll
C:\WINDOWS\xxxvideo.hta
C:\WINDOWS\y.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_JATMLANO
-------\Service_jatmlano

((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))
.

2008-07-03 12:18 . 2008-07-03 12:52 <DIR> d-------- C:\Contry
2008-07-03 11:47 . 2008-07-03 12:16 <DIR> d-------- C:\Country
2008-07-03 10:27 . 2008-07-03 10:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-02 14:53 . 2008-07-02 14:53 <DIR> d-------- C:\Combo-Fix
2008-06-30 15:09 . 2008-06-30 15:09 <DIR> d-------- C:\Deckard
2008-06-29 16:39 . 2003-03-18 02:17 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-29 16:39 . 2008-06-29 16:39 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-29 12:40 . 2008-06-29 12:40 25,504 --a------ C:\WINDOWS\SYSTEM32\jkkKDurS.dll
2008-06-29 12:13 . 2008-06-29 12:43 <DIR> d-------- C:\Documents and Settings\Kathy\Application Data\AVGTOOLBAR
2008-06-29 11:18 . 2008-06-29 11:18 <DIR> d-------- C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Juniper Networks
2008-06-29 10:57 . 2008-06-29 10:57 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico
2008-06-29 10:27 . 2008-06-29 13:48 <DIR> d-------- C:\WINDOWS\SYSTEM32\bgi
2008-06-29 10:27 . 2008-06-29 10:27 <DIR> d-------- C:\Temp\itmp4
2008-06-29 10:26 . 2008-06-29 10:26 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-29 10:26 . 2002-08-29 06:00 4,224 --a------ C:\WINDOWS\SYSTEM32\beep.sys
2008-06-29 10:26 . 2008-06-29 10:26 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-11 04:07 . 2008-06-13 08:10 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-29 15:26 10,240 ----a-w C:\WINDOWS\system32\drivers\BEEP.SYS
2008-06-16 13:25 --------- d-----w C:\Documents and Settings\Kathy\Application Data\Juniper Networks
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-06 03:08 --------- d-----w C:\Documents and Settings\Kathy\Application Data\U3
2007-09-06 01:41 53,472 ----a-w C:\Documents and Settings\Kathy\Application Data\GDIPFONTCACHEV1.DAT
2003-03-18 07:21 207,758 -c--a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((( snapshot@2008-07-03_12.51.18.23 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-03 17:42:19 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-07-05 02:56:14 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11A7A749-0381-4AE2-940B-27EC006D6006}]
2008-06-29 12:40 25504 --a------ C:\WINDOWS\system32\jkkKDurS.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 22:05 323584]
"LogonStudio"="C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 20:38 987187]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-02 02:34 98304]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 14:52 339968]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 17:28 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-15 12:27 185896]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]

C:\Documents and Settings\Kathy\Start Menu\Programs\Startup\
DING!.lnk - C:\Program Files\Southwest Airlines\Ding\Ding.exe [2006-06-22 14:15:48 462848]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-03-18 02:16:11 45056]
HJTInstall.exe [2008-06-29 14:58:40 812344]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24 237568]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{11A7A749-0381-4AE2-940B-27EC006D6006}"= "C:\WINDOWS\system32\jkkKDurS.dll" [2008-06-29 12:40 25504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 00:34 24576 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkKDurS]
2008-06-29 12:40 25504 C:\WINDOWS\SYSTEM32\jkkKDurS.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.NSPAC"= NSPAC32.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2007-04-10 18:05]
S3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2002-04-08 10:05]
S3 MA311;NETGEAR Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\ma311n51.sys [2002-04-30 20:56]
S3 MTK;Media Technology Kernel Driver;C:\WINDOWS\system32\Drivers\fide.sys [2005-04-19 18:50]
S3 ProtoWall;ProtoWall Defender;C:\WINDOWS\system32\DRIVERS\ProtoWall.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-04 22:04:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\Program Files\Common Files\Real\Plugins\clbascauth.dll 25088 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
-> C:\WINDOWS\system32\jkkKDurS.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\SYSTEM32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-07-04 22:09:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-05 03:09:38
ComboFix2.txt 2008-07-03 17:52:19

Pre-Run: 48,418,545,664 bytes free
Post-Run: 48,406,880,256 bytes free

396 --- E O F --- 2008-06-21 08:02:02

SDFIX LOG:

SDFix: Version 1.199
Run by Administrator on Fri 07/04/2008 at 10:38 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
clbdriver

Path :
\??\globalroot\systemroot\system32\drivers\clbdriver.sys

clbdriver - Deleted

Restoring Default Security Values
Restoring Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting

Infected beep.sys Found!

beep.sys File Locations:

"C:\WINDOWS\SYSTEM32\beep.sys" 4224 08/29/2002 06:00 AM
"C:\WINDOWS\SYSTEM32\DRIVERS\BEEP.SYS" 10240 06/29/2008 10:26 AM

Infected File Listed Below:

C:\WINDOWS\system32\DRIVERS\BEEP.SYS

File copied to Backups Folder
Attempting to replace beep.sys with original version

Original beep.sys Restored

"C:\WINDOWS\SYSTEM32\beep.sys" 4224 08/29/2002 06:00 AM
"C:\WINDOWS\SYSTEM32\DLLCACHE\beep.sys" 4224 07/01/2008 03:23 AM
"C:\WINDOWS\SYSTEM32\DRIVERS\BEEP.SYS" 4224 07/01/2008 03:23 AM

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\jkkKDurS.dll - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-04 22:51:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

clbdriver

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled

xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled

xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled

xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled

xpsp3res.dll,-20000"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 12 May 2004 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 20 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\Kathy\Application Data\U3\temp\Launchpad Removal.exe"
Thu 27 Dec 2007 24,663 ..SHR --- "C:\Deckard\System Scanner\20080702004821\backup\DOCUME~1\Kathy\LOCALS~1\Temp\Juniper Networks\setup\NeoterisSetupApp.exe"

Finished!

HIGHJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:56:29 PM, on 7/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\HPZipm12.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\spywarewarning.mht
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://video.yahoo.com/video/play?vid=337678&fr=yvmtf
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealOne Player\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HJTInstall.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5303 bytes

MBAM LOG:

Malwarebytes' Anti-Malware 1.19
Database version: 922
Windows 5.1.2600 Service Pack 2

11:12:33 PM 7/4/2008
mbam-log-7-4-2008 (23-12-33).txt

Scan type: Quick Scan
Objects scanned: 42396
Time elapsed: 4 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\Wallpaper (Hijack.Desktop) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (C:\WINDOWS\system32\spywarewarning.mht) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\SYSTEM32\bgi (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Kathy\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kathy\Favorites\Online Pharmacy.url (Rogue.Link) -> Quarantined and deleted successfully.

Baabiouz · Jul 5, 2008

Hello!

Great job! :bigthumb: Looks much more better

Step #1
Please click your Start button then Click on Run and type in the following without the quotes: "notepad" Then copy (Ctrl C) and paste (Ctrl V) the following text in the codebox,

Code:

File::
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{11A7A749-0381-4AE2-940B-27EC006D6006}"=-

Save this as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Step #2
Please download F-Secure Blacklight (fsbl.exe) and save to your C:\ drive.

Open a command window by going to Start > Run and typing: cmd
Copy/paste or type the following in the command window: C:\fsbl.exe /expert
Hit "Enter" to start the program and then close the cmd box.
Accept the user agreement and click "Next".
Click "Scan".
After the scan is complete, click "Next", then "Exit".
BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
The log will have a list of all items found. Do not choose to rename any yet!
I want to see the log first because legitimate items can also be present...like "wbemtest.exe" and "tcptest.exe.
Exit Blacklight and post the contents of the log in your next reply.

Step #3
You are missing one important program on that computer: An antivirus.
This is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as you can and run a complete scan of the computer:

Install it and then run a full scan. Let it quarantine/delete anything it finds. Let me know if there is anything that it reports but can not remove.

Step #4
Please post Combofix log, F-secure Blacklight log and a fresh HijackThis log back here

hillcountry · Jul 5, 2008

Thanks again for your help.

Installed and ran AVG 8.0.....reported nothing that was not fixed or removed.

Following are the requested new logs:

ComboFix.txt

ComboFix 08-07-01.5 - Kathy 2008-07-05 10:48:56.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.255 [GMT -5:00]
Running from: C:\Documents and Settings\Kathy\Desktop\Country2.exe
Command switches used :: C:\Documents and Settings\Kathy\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_clbdriver

((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))
.

2008-07-04 23:04 . 2008-07-04 23:04 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-04 23:04 . 2008-07-04 23:04 <DIR> d-------- C:\Documents and Settings\Kathy\Application Data\Malwarebytes
2008-07-04 23:04 . 2008-07-04 23:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-04 23:04 . 2008-06-28 14:16 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-07-04 23:04 . 2008-06-28 14:16 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-07-04 22:56 . 2008-07-04 22:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-04 22:33 . 2008-07-04 22:33 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-04 22:22 . 2008-07-04 22:53 <DIR> d-------- C:\SDFix
2008-07-04 21:43 . 2008-07-04 22:10 <DIR> d-------- C:\Country1
2008-07-03 12:18 . 2008-07-03 12:52 <DIR> d-------- C:\Contry
2008-07-03 11:47 . 2008-07-03 12:16 <DIR> d-------- C:\Country
2008-07-03 10:27 . 2008-07-03 10:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-02 14:53 . 2008-07-02 14:53 <DIR> d-------- C:\Combo-Fix
2008-06-30 15:09 . 2008-06-30 15:09 <DIR> d-------- C:\Deckard
2008-06-29 16:39 . 2003-03-18 02:17 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-29 16:39 . 2008-06-29 16:39 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-29 12:13 . 2008-06-29 12:43 <DIR> d-------- C:\Documents and Settings\Kathy\Application Data\AVGTOOLBAR
2008-06-29 11:18 . 2008-06-29 11:18 <DIR> d-------- C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Juniper Networks
2008-06-29 10:57 . 2008-06-29 10:57 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico
2008-06-29 10:27 . 2008-06-29 10:27 <DIR> d-------- C:\Temp\itmp4
2008-06-29 10:26 . 2002-08-29 06:00 4,224 --a------ C:\WINDOWS\SYSTEM32\beep.sys
2008-06-11 04:07 . 2008-06-13 08:10 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 08:23 4,224 ----a-w C:\WINDOWS\system32\drivers\BEEP.SYS
2008-06-16 13:25 --------- d-----w C:\Documents and Settings\Kathy\Application Data\Juniper Networks
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-06 03:08 --------- d-----w C:\Documents and Settings\Kathy\Application Data\U3
2007-09-06 01:41 53,472 ----a-w C:\Documents and Settings\Kathy\Application Data\GDIPFONTCACHEV1.DAT
2003-03-18 07:21 207,758 -c--a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((( snapshot@2008-07-03_12.51.18.23 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-02-25 02:35:06 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB896423\spmsg.dll
+ 2005-02-25 01:35:06 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB896423\spmsg.dll
- 2005-02-25 02:35:06 209,632 ----a-w C:\WINDOWS\$hf_mig$\KB896423\spuninst.exe
+ 2005-02-25 01:35:06 209,632 ----a-w C:\WINDOWS\$hf_mig$\KB896423\spuninst.exe
- 2005-06-29 22:54:32 30,720 ----a-w C:\WINDOWS\$hf_mig$\KB896423\update\arpidfix.exe
+ 2005-06-29 21:54:32 30,720 ----a-w C:\WINDOWS\$hf_mig$\KB896423\update\arpidfix.exe
- 2005-02-25 02:35:06 22,240 ----a-w C:\WINDOWS\$hf_mig$\KB896423\update\spcustom.dll
+ 2005-02-25 01:35:06 22,240 ----a-w C:\WINDOWS\$hf_mig$\KB896423\update\spcustom.dll
- 2005-02-25 02:35:06 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB896423\update\update.exe
+ 2005-02-25 01:35:06 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB896423\update\update.exe
- 2005-02-25 02:35:08 371,936 ----a-w C:\WINDOWS\$hf_mig$\KB896423\update\updspapi.dll
+ 2005-02-25 01:35:08 371,936 ----a-w C:\WINDOWS\$hf_mig$\KB896423\update\updspapi.dll
+ 2005-07-26 04:20:23 110,080 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll
+ 2005-07-26 04:20:24 498,688 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll
+ 2004-03-06 02:16:10 110,080 -c----w C:\WINDOWS\$NtServicePackUninstall$\clbcatex.dll
+ 2004-03-06 02:16:11 499,712 -c----w C:\WINDOWS\$NtServicePackUninstall$\clbcatq.dll
+ 2002-08-29 11:00:00 100,864 -c----w C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll
+ 2002-08-29 11:00:00 468,480 -c----w C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll
+ 2004-08-04 07:56:41 110,080 -c----w C:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll
+ 2004-08-04 07:56:41 501,248 -c----w C:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll
- 2008-07-03 17:42:19 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-07-05 15:58:51 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-07-01 08:23:42 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-07-05 03:33:43 790,528 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-07-05 03:33:43 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-07-01 08:23:42 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-07-05 03:33:30 790,528 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-07-05 03:33:30 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2004-08-04 07:56:49 1,032,192 ----a-w C:\WINDOWS\explorer.exe
+ 2007-06-13 10:23:07 1,033,216 ----a-w C:\WINDOWS\explorer.exe
+ 2004-08-04 07:56:41 110,080 ------w C:\WINDOWS\ServicePackFiles\i386\clbcatex.dll
+ 2004-08-04 07:56:41 501,248 ------w C:\WINDOWS\ServicePackFiles\i386\clbcatq.dll
+ 2005-07-26 04:39:43 110,080 ----a-w C:\WINDOWS\SYSTEM32\clbcatex.dll
+ 2005-07-26 04:39:43 498,688 ----a-w C:\WINDOWS\SYSTEM32\clbcatq.dll
+ 2008-07-01 08:23:43 4,224 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\beep.sys
- 2004-08-04 07:56:49 1,032,192 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\explorer.exe
+ 2007-06-13 10:23:07 1,033,216 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\explorer.exe
- 2004-08-04 07:56:57 57,856 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\spoolsv.exe
+ 2005-06-10 23:53:32 57,856 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\spoolsv.exe
- 2004-08-04 07:56:57 57,856 ----a-w C:\WINDOWS\SYSTEM32\spoolsv.exe
+ 2005-06-10 23:53:32 57,856 ----a-w C:\WINDOWS\SYSTEM32\spoolsv.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 22:05 323584]
"LogonStudio"="C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 20:38 987187]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-02 02:34 98304]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 14:52 339968]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 17:28 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-15 12:27 185896]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-03-18 02:16:11 45056]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24 237568]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 00:34 24576 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.NSPAC"= NSPAC32.ACM

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2007-04-10 18:05]
S3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2002-04-08 10:05]
S3 MA311;NETGEAR Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\ma311n51.sys [2002-04-30 20:56]
S3 MTK;Media Technology Kernel Driver;C:\WINDOWS\system32\Drivers\fide.sys [2005-04-19 18:50]
S3 ProtoWall;ProtoWall Defender;C:\WINDOWS\system32\DRIVERS\ProtoWall.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-05 11:00:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\SYSTEM32\HPZipm12.exe
.
**************************************************************************
.
Completion time: 2008-07-05 11:06:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-05 16:06:00
ComboFix2.txt 2008-07-05 03:09:46
ComboFix3.txt 2008-07-03 17:52:19

Pre-Run: 48,265,166,848 bytes free
Post-Run: 48,257,187,840 bytes free

170 --- E O F --- 2008-07-05 04:51:38

FSBL LOG

07/05/08 12:08:13 [Info]: BlackLight Engine 1.0.70 initialized
07/05/08 12:08:13 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/05/08 12:08:13 [Note]: 7019 4
07/05/08 12:08:13 [Note]: 7005 0
07/05/08 12:08:16 [Note]: 7006 0
07/05/08 12:08:16 [Note]: 7022 0
07/05/08 12:08:16 [Note]: 7011 184
07/05/08 12:08:16 [Note]: 7035 0
07/05/08 12:08:16 [Note]: 7026 0
07/05/08 12:08:16 [Note]: 7026 0
07/05/08 12:08:19 [Note]: FSRAW library version 1.7.1024
07/05/08 12:51:20 [Note]: 7007 0

HJT.LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:15:52 PM, on 7/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.440.com/twtd/today.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://video.yahoo.com/video/play?vid=337678&fr=yvmtf
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealOne Player\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: wbsys.dll,avgrsstx.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5415 bytes

I guess we are not done yet.......so maybe I am getting ahead of things, but FYI when I reboot, the system is still taking 7 to 9 minutes to boot up.......????

Again THANKS for your help...............

Baabiouz · Jul 5, 2008

Hello
I can't see any bugs in your logs

Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below:

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
___________________

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.

The program will install and then begin downloading the latest definition files.
After the files have been downloaded on the left side of the page in the Scan section select My Computer
This will start the program and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete, click on View scan report
Now, click on the Save Report as button.
Save the file to your desktop.
Copy and paste that information in your next post.

___________________

StartUpLite is a lightweight and simple to use application that allows you to speed up your system startup. --> StartUpLite

Please post a fresh hijackthis log and kaspersky log back here

hillcountry · Jul 5, 2008

Hello...........

KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, July 5, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, July 05, 2008 19:24:44
Records in database: 916362

Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\
F:\

Scan statistics
Files scanned 55479
Threat name 15
Infected objects 23
Suspicious objects 0
Duration of the scan 01:16:28

File name Threat name Threats count
C:\Program Files\MyTotalSearch\SrchAstt\1.bin\MTSSRCAS.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bf 1

C:\QooBox\Quarantine\C\Program Files\xx_mjc\mjc.exe.vir Infected: Trojan.Win32.Agent.tdb 1

C:\QooBox\Quarantine\C\WINDOWS\444.470.vir Infected: Trojan-Downloader.Win32.Small.wsi 1

C:\QooBox\Quarantine\C\WINDOWS\444.471.vir Infected: Trojan-Downloader.Win32.Small.xpf 1

C:\QooBox\Quarantine\C\WINDOWS\b152.exe.vir Infected: Trojan-Downloader.Win32.Agent.tkz 1

C:\QooBox\Quarantine\C\WINDOWS\CROSOF~1.NET\regsvr32.exe.vir Infected: Trojan-Downloader.Win32.Agent.kwg 1

C:\QooBox\Quarantine\C\WINDOWS\lfn.exe.vir Infected: Hoax.Win32.Renos.vabt 1

C:\QooBox\Quarantine\C\WINDOWS\mrofinu1000106.exe.vir Infected: Trojan-Downloader.Win32.Homles.br 1

C:\QooBox\Quarantine\C\WINDOWS\mrofinu72.exe.vir Infected: Trojan-Downloader.Win32.Homles.br 1

C:\QooBox\Quarantine\C\WINDOWS\portsv.exe.vir Infected: Trojan.Win32.Agent.sdd 1

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\11.tmp.vir Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\axc\ashcom3e.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.bn 1

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\eb10\zvuxderr.exe.vir Infected: Trojan.Win32.DNSChanger.ebg 1

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\netrax06\netrax061083.exe.vir Infected: Trojan-Downloader.Win32.VB.eyc 1

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\pphctblj0ea3r.exe.vir Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rswnw64l.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.bn 1

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rwwnw64d.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.bn 1

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tcntaxdm.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.bo 1

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tcntstdm.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.bo 1

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\uoyzsydz.exe.vir Infected: Hoax.Win32.Renos.vabt 1

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\xx_tcntaxdm.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.bo 1

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1791\A0090177.exe Infected: Trojan.Win32.DNSChanger.eyr 1

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1794\A0091346.exe Infected: Trojan.Win32.Agent.tdb 1

The selected area was scanned.

HJT LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:06:06 PM, on 7/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Kathy\Local Settings\temp\jkos-Kathy\binaries\ScanningProcess.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.440.com/twtd/today.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://video.yahoo.com/video/play?vid=337678&fr=yvmtf
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealOne Player\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD42/J...c5/&filename=jinstall-6u6-windows-i586-jc.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: wbsys.dll,avgrsstx.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6153 bytes

Thanks again for your help

hillcountry · Jul 8, 2008

Did the last logs give me a clean bill of health??

Thanks again for all your help!!!!!!!!!!!!!!!!!!

Baabiouz · Jul 8, 2008

Hello

I'm sorry delay.

Please click on Start > Control Panel > Add/Remove Programs and uninstall the following programs(if present):

MyTotalSearch (or Mywebsearch)

_______________

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Program Files\MyTotalSearch
_______________

Now computer looks clean but you have to install firewall:

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) ZoneAlarm
(At installing Zonealarm, please uncheck this option "include a ZoneAlarm Spy Blocker...". The Toolbar is not recommended... You can read more about it here.)
2) Agnitum
3) Sunbelt/Kerio
4) Comodo

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Please post a fresh HijackThis log back here

hillcountry · Jul 8, 2008

Hello again,

Nothing to remove in control panel...........

Mytotalsearch deleted from C:/program files..........

Zone Alarm Installed.............

New HJT Log File follows, but first a question..........

I did run the "StartUpLite" program you suggested, however, this system is extremely slow, as are my other systems, during a restart, cold or reboot.

For example, on this last reboot from the time I clicked the "restart" button after installing ZoneAlarm to a clickable desktop took 8 minutes...........

Within approximately 45 seconds of clicking restart, I saw the manufacturers splash screen and the F2 setup and help options............

the screen went black except for a flashing cursor in the upper left hand corner for 6 minutes...........

then the Windows XP loading screen with the moving blue dot bar for 1 minute.......

then the logon window.....

and a few seconds later the normal desktop................

I'm just curious why the 6 minute delay, if you might have an idea??

Again Thanks for all your help the HJT Log is below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:00:49 PM, on 7/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.440.com/twtd/today.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://video.yahoo.com/video/play?vid=337678&fr=yvmtf
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealOne Player\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD42/J...c5/&filename=jinstall-6u6-windows-i586-jc.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: wbsys.dll,avgrsstx.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 5989 bytes

Baabiouz · Jul 8, 2008

Hello.

Would the reason be installation of zonealarm? If you restart your computer now, will it take so long than last time?

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Next we remove all used tools.

Please download OTCleanIt and save it to desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP or Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide

or

Windows Vista System Restore Guide

Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:

Instructions for Spybot S & D
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean!

hillcountry · Jul 9, 2008

Hello,

I was beginning to think I was never going to be able to get back to this forum..........Zone Alarm is blocking (seemingly) every keystroke, well web site............

The bootup delay I was referring to I do not believe is related to Zone Alarm as it has not just started........I have just lived with the delay for sometime now................Probably a bad thing but I've gotten to the point I only reboot when there is a problem.......

OTCleanIT........installed and ran.....

System restore..........disabled and re-enabled

In IE the only change.........
Change the Navigate sub-frames across different domains to Prompt
This line was already set to "disabled".........changed to "Prompt"

Managed to get Spybot S&D downloaded and installed and running......(Hope I didn't allow some sites I should not have....ZA was blocking left and right)

Finally got SpywareBlaster downloaded installed and running......ZA blocking at every turn......

I guess my biggest question now is...........actually two questions.......

With ZoneAlarm when a site is blocked how can I determine if it is a needed site or not?

Is there any consensus on using FireFox as opposed to IE?

Thanks again for all your help.............

Baabiouz · Jul 9, 2008

Hello

It's normal that firewall blocks, you should allow firefox (or IE) to access the internet. i don't use zonealarm, so i don't know how it works. When you get the popup which says that zonealarm is blocking something, click "allow" (or something like that). Never allow things if you don't know what it is.

Here is one zonealarm guide:
http://www.markusjansson.net/eza.html

Baabiouz · Jul 18, 2008

-------

Help please....Spyware has taken over!

Baabiouz

Emeritus- Malware Team

hillcountry

New member

Baabiouz

Emeritus- Malware Team

hillcountry

New member

Baabiouz

Emeritus- Malware Team

hillcountry

New member

hillcountry

New member

Baabiouz

Emeritus- Malware Team

hillcountry

New member

Baabiouz

Emeritus- Malware Team

hillcountry

New member

Baabiouz

Emeritus- Malware Team

Baabiouz

Emeritus- Malware Team