Virtumonde,Smithfraud, Zlob...Please help

dss log

I was able to install combofix and rename it, it deleted additional files, but same end result. Here is new dss log:

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-05-26 02:42:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 128 MiB (256 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:42, on 2008-05-26
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\DOCUME~1\ADMINI~1\Desktop\Administrator.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: mkrndofl - {4F6DD2F9-A353-484A-B35E-C4ED0211097F} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\mkrndofl.dll (file missing)
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [6ce633bc] rundll32.exe "C:\WINNT\system32\whnbucpy.dll",b
O4 - HKCU\..\Run: [MalWarrior] "C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\Malwarrior.exe" /autorun
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1203851135588
O21 - SSODL: wetkadmr - {686CD3DA-14C3-44F9-A3B5-97CDD73B06EA} - C:\WINNT\wetkadmr.dll (file missing)
O21 - SSODL: tdomgafw - {B66100BA-AA83-44C1-8586-D79BA1852430} - C:\WINNT\tdomgafw.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINNT\privacy_danger\index.htm

--
End of file - 3153 bytes

-- Files created between 2008-04-26 and 2008-05-26 -----------------------------

2008-05-26 01:02:33 0 d-------- C:\Combo-Fix
2008-05-25 23:56:17 0 --a------ C:\WINNT\nsreg.dat
2008-05-25 23:56:06 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-05-22 10:07:46 53248 --a------ C:\WINNT\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-05-22 10:01:09 68096 --a------ C:\WINNT\zip.exe
2008-05-22 10:01:09 49152 --a------ C:\WINNT\VFind.exe
2008-05-22 10:01:09 212480 --a------ C:\WINNT\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-22 10:01:09 136704 --a------ C:\WINNT\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-22 10:01:09 161792 --a------ C:\WINNT\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-22 10:01:09 98816 --a------ C:\WINNT\sed.exe
2008-05-22 10:01:09 80412 --a------ C:\WINNT\grep.exe
2008-05-22 10:01:09 89504 --a------ C:\WINNT\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-22 09:15:55 1204514 ---h----- C:\WINNT\ShellIconCache
2008-05-21 11:17:17 396288 --a------ C:\WINNT\HijackThis.exe <HIJACK~1.EXE> <Not Verified; Trend Micro Inc.; HijackThis>
2008-05-19 16:27:19 0 d-------- C:\Program Files\Trend Micro
2008-05-19 16:12:33 614672 --a------ C:\WINNT\system32\mswstr10.dll <Not Verified; Microsoft Corporation; Microsoft (R) Jet>
2008-05-15 15:11:53 0 d--h----- C:\WINNT\PIF
2008-05-13 21:45:32 0 d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-10 09:53:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\TmpRecentIcons
2008-05-08 21:55:18 1 --a------ C:\WINNT\system32\kr_done1de
2008-05-08 21:54:55 90112 --a------ C:\WINNT\knxsrgte.exe


-- Find3M Report ---------------------------------------------------------------

2008-05-21 09:58:00 0 d-------- C:\Program Files\Accessories
2008-05-10 13:09:16 6892 --a------ C:\Documents and Settings\Administrator\Application Data\update.log


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4mon.exe" [99-11-30 18:40 C:\WINNT\system32\tp4mon.exe]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINNT\system32\mobsync.exe]
"6ce633bc"="C:\WINNT\system32\whnbucpy.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MalWarrior"="C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\Malwarrior.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINNT\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"wetkadmr"= {686CD3DA-14C3-44F9-A3B5-97CDD73B06EA} - C:\WINNT\wetkadmr.dll [ ]
"tdomgafw"= {B66100BA-AA83-44C1-8586-D79BA1852430} - C:\WINNT\tdomgafw.dll [ ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2008-05-26 02:43:09 ------------
 
Hi

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.
 
rapport.txt log & new dss

Hi

No problems with the smitfraud fix. Following is that log and a new dss. Thanks!!!!
SmitFraudFix v2.323

Scan done at 21:24:14.00, Mon 2008-05-26
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Policies.exe
C:\WINNT\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:\\WINNT\\privacy_danger\\index.htm"
"SubscribedURL"=""
"FriendlyName"="Privacy Protection"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!



»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINNT\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-05-26 21:29:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 128 MiB (256 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:29:32, on 2008-05-26
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Policies.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\DOCUME~1\ADMINI~1\Desktop\ADMINI~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: mkrndofl - {4F6DD2F9-A353-484A-B35E-C4ED0211097F} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\mkrndofl.dll (file missing)
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [6ce633bc] rundll32.exe "C:\WINNT\system32\whnbucpy.dll",b
O4 - HKCU\..\Run: [MalWarrior] "C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\Malwarrior.exe" /autorun
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1203851135588
O21 - SSODL: wetkadmr - {686CD3DA-14C3-44F9-A3B5-97CDD73B06EA} - C:\WINNT\wetkadmr.dll (file missing)
O21 - SSODL: tdomgafw - {B66100BA-AA83-44C1-8586-D79BA1852430} - C:\WINNT\tdomgafw.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINNT\privacy_danger\index.htm

--
End of file - 3321 bytes

-- Files created between 2008-04-26 and 2008-05-26 -----------------------------

2008-05-26 21:24:19 1382 --a------ C:\WINNT\system32\tmp.reg
2008-05-26 21:23:45 25600 --a------ C:\WINNT\system32\WS2Fix.exe
2008-05-26 21:23:45 289144 --a------ C:\WINNT\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-05-26 21:23:45 86528 --a------ C:\WINNT\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-05-26 21:23:45 288417 --a------ C:\WINNT\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-05-26 21:23:45 53248 --a------ C:\WINNT\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-05-26 21:23:45 82944 --a------ C:\WINNT\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-26 21:23:45 51200 --a------ C:\WINNT\system32\dumphive.exe
2008-05-26 21:23:45 82944 --a------ C:\WINNT\system32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-26 01:02:33 0 d-------- C:\Combo-Fix
2008-05-25 23:56:17 0 --a------ C:\WINNT\nsreg.dat
2008-05-25 23:56:06 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-05-22 10:07:46 53248 --a------ C:\WINNT\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-05-22 10:01:09 68096 --a------ C:\WINNT\zip.exe
2008-05-22 10:01:09 49152 --a------ C:\WINNT\VFind.exe
2008-05-22 10:01:09 212480 --a------ C:\WINNT\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-22 10:01:09 136704 --a------ C:\WINNT\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-22 10:01:09 161792 --a------ C:\WINNT\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-22 10:01:09 98816 --a------ C:\WINNT\sed.exe
2008-05-22 10:01:09 80412 --a------ C:\WINNT\grep.exe
2008-05-22 10:01:09 89504 --a------ C:\WINNT\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-22 09:15:55 1204514 ---h----- C:\WINNT\ShellIconCache
2008-05-21 11:17:17 396288 --a------ C:\WINNT\HijackThis.exe <HIJACK~1.EXE> <Not Verified; Trend Micro Inc.; HijackThis>
2008-05-19 16:27:19 0 d-------- C:\Program Files\Trend Micro
2008-05-19 16:12:33 614672 --a------ C:\WINNT\system32\mswstr10.dll <Not Verified; Microsoft Corporation; Microsoft (R) Jet>
2008-05-15 15:11:53 0 d--h----- C:\WINNT\PIF
2008-05-13 21:45:32 0 d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-10 09:53:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\TmpRecentIcons
2008-05-08 21:55:18 1 --a------ C:\WINNT\system32\kr_done1de
2008-05-08 21:54:55 90112 --a------ C:\WINNT\knxsrgte.exe


-- Find3M Report ---------------------------------------------------------------

2008-05-21 09:58:00 0 d-------- C:\Program Files\Accessories
2008-05-10 13:09:16 6892 --a------ C:\Documents and Settings\Administrator\Application Data\update.log


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4mon.exe" [99-11-30 18:40 C:\WINNT\system32\tp4mon.exe]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINNT\system32\mobsync.exe]
"6ce633bc"="C:\WINNT\system32\whnbucpy.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MalWarrior"="C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\Malwarrior.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINNT\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"wetkadmr"= {686CD3DA-14C3-44F9-A3B5-97CDD73B06EA} - C:\WINNT\wetkadmr.dll [ ]
"tdomgafw"= {B66100BA-AA83-44C1-8586-D79BA1852430} - C:\WINNT\tdomgafw.dll [ ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2008-05-26 21:30:20 ------------
 
Hi

OK, I looks that there are only leftovers which is good.

Open HijackThis, click do a system scan only and checkmark these:

O3 - Toolbar: mkrndofl - {4F6DD2F9-A353-484A-B35E-C4ED0211097F} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\mkrndofl.dll (file missing)
O4 - HKLM\..\Run: [6ce633bc] rundll32.exe "C:\WINNT\system32\whnbucpy.dll",b
O4 - HKCU\..\Run: [MalWarrior] "C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\Malwarrior.exe" /autorun
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O21 - SSODL: wetkadmr - {686CD3DA-14C3-44F9-A3B5-97CDD73B06EA} - C:\WINNT\wetkadmr.dll (file missing)
O21 - SSODL: tdomgafw - {B66100BA-AA83-44C1-8586-D79BA1852430} - C:\WINNT\tdomgafw.dll (file missing)
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINNT\privacy_danger\index.htm

Close all windows including browser and press fix checked.

Reboot.

Delete these:

C:\WINNT\system32\kr_done1de
C:\WINNT\knxsrgte.exe

Empty Recycle Bin.

Re-run dss.

Post a fresh dss log.
 
New DSS Log

HI

Looks better! Thanks so much for all your help...


Deckard's System Scanner v20071014.68
Run by Administrator on 2008-05-27 22:50:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 128 MiB (256 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:50:55, on 2008-05-27
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\DOCUME~1\ADMINI~1\Desktop\ADMINI~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1203851135588
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

--
End of file - 2245 bytes

-- Files created between 2008-04-27 and 2008-05-27 -----------------------------

2008-05-26 21:24:19 1382 --a------ C:\WINNT\system32\tmp.reg
2008-05-26 21:23:45 25600 --a------ C:\WINNT\system32\WS2Fix.exe
2008-05-26 21:23:45 289144 --a------ C:\WINNT\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-05-26 21:23:45 86528 --a------ C:\WINNT\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-05-26 21:23:45 288417 --a------ C:\WINNT\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-05-26 21:23:45 53248 --a------ C:\WINNT\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-05-26 21:23:45 82944 --a------ C:\WINNT\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-26 21:23:45 51200 --a------ C:\WINNT\system32\dumphive.exe
2008-05-26 21:23:45 82944 --a------ C:\WINNT\system32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-26 01:02:33 0 d-------- C:\Combo-Fix
2008-05-25 23:56:17 0 --a------ C:\WINNT\nsreg.dat
2008-05-25 23:56:06 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-05-22 10:07:46 53248 --a------ C:\WINNT\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-05-22 10:01:09 68096 --a------ C:\WINNT\zip.exe
2008-05-22 10:01:09 49152 --a------ C:\WINNT\VFind.exe
2008-05-22 10:01:09 212480 --a------ C:\WINNT\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-22 10:01:09 136704 --a------ C:\WINNT\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-22 10:01:09 161792 --a------ C:\WINNT\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-22 10:01:09 98816 --a------ C:\WINNT\sed.exe
2008-05-22 10:01:09 80412 --a------ C:\WINNT\grep.exe
2008-05-22 10:01:09 89504 --a------ C:\WINNT\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-22 09:15:55 1205012 ---h----- C:\WINNT\ShellIconCache
2008-05-21 11:17:17 396288 --a------ C:\WINNT\HijackThis.exe <HIJACK~1.EXE> <Not Verified; Trend Micro Inc.; HijackThis>
2008-05-19 16:27:19 0 d-------- C:\Program Files\Trend Micro
2008-05-19 16:12:33 614672 --a------ C:\WINNT\system32\mswstr10.dll <Not Verified; Microsoft Corporation; Microsoft (R) Jet>
2008-05-15 15:11:53 0 d--h----- C:\WINNT\PIF
2008-05-13 21:45:32 0 d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-10 09:53:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\TmpRecentIcons


-- Find3M Report ---------------------------------------------------------------

2008-05-21 09:58:00 0 d-------- C:\Program Files\Accessories
2008-05-10 13:09:16 6892 --a------ C:\Documents and Settings\Administrator\Application Data\update.log


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4mon.exe" [99-11-30 18:40 C:\WINNT\system32\tp4mon.exe]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINNT\system32\mobsync.exe]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2008-05-27 22:51:28 ------------
 
Hi

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:

1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

Post back a fresh HijackThis log :)
 
052808 HJT Log

Hi

Following is HJT log....any cause for concern?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:06, on 2008-05-28
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1203851135588
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

--
End of file - 2255 bytes
 
Hi

You didn't install any antivirus.

Please install one, post back a fresh HijackThis log and we'll continue after that :)
 
Hi

Well that is then a reason :)

Reboot and post back a fresh HijackThis log, please.
 
ok..here we go
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:34, on 2008-05-28
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1203851135588
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

--
End of file - 2803 bytes
 
Hi

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As... button (see red arrow below)
    Kas-SaveReport-1.gif
  • In the Save as... prompt, select Desktop
  • In the File name box, name the file KasScan-ddmmyy (or similar)
  • In the Save as type prompt, select Text file (see below)
    Kas-Savetxt.gif
  • Now click on the Save as Text button
  • Savethe file to your desktop.
  • Copy and paste that information in your next post.

Note: This scanner will work with Internet Explorer Only! Keep ALL other programs closed during the scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Post:

- a fresh HijackThis log
- kaspersky report
 
HJT Log & Kaspersky scan

Hi
Following are both requested posts...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:34:45, on 2008-05-30
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1203851135588
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

--
End of file - 3055 bytes


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-05-30 13:32:34
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/05/2008
Kaspersky Anti-Virus database records: 813686
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 13883
Number of viruses found: 11
Number of infected objects: 18
Number of suspicious objects: 0
Duration of the scan process: 06:32:54

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\20080526024213\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ICD1.tmp\AntvrsInstall.exe Infected: not-a-virus:Downloader.Win32.FraudLoad.ar skipped
C:\Deckard\System Scanner\20080526024213\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ms1210301710.exe Infected: Trojan-Dropper.Win32.Agent.rky skipped
C:\Deckard\System Scanner\20080526024213\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\printsrv32.exe Infected: Trojan.Win32.Agent.lsr skipped
C:\Deckard\System Scanner\20080526024213\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\setup_526_1_.exe Infected: Trojan-Downloader.Win32.FraudLoad.ym skipped
C:\Deckard\System Scanner\20080526024213\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vifmykoc.exe Infected: Trojan.Win32.Agent.gmn skipped
C:\Deckard\System Scanner\20080526024213\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\zhm14q9o.dat/stream/Script Infected: Trojan.Win32.Vapsup.epc skipped
C:\Deckard\System Scanner\20080526024213\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\zhm14q9o.dat/stream Infected: Trojan.Win32.Vapsup.epc skipped
C:\Deckard\System Scanner\20080526024213\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\zhm14q9o.dat NSIS: infected - 2 skipped
C:\Deckard\System Scanner\20080526024213\backup\WINNT\Downloaded Program Files\antvrs.exe Infected: not-a-virus:FraudTool.Win32.AntiVirus2008.w skipped
C:\Deckard\System Scanner\20080526024213\backup\WINNT\Downloaded Program Files\AntvrsInstall.exe Infected: not-a-virus:Downloader.Win32.FraudLoad.ar skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe RAR: infected - 1 skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\QooBox\Quarantine\C\WINNT\qvlbodmnqse.dll.vir Infected: Trojan.Win32.Vapsup.eyk skipped
C:\QooBox\Quarantine\C\WINNT\system32\awttutQh.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINNT\system32\pimixscc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.trs skipped
C:\QooBox\Quarantine\C\WINNT\tdomgafw.dll.vir Infected: Trojan.Win32.Vapsup.eyk skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Downloaded Program Files\CONFLICT.1\AntvrsInstall.exe Infected: not-a-virus:Downloader.Win32.FraudLoad.ar skipped
C:\WINNT\SoftwareDistribution\EventCache\{C9C74884-2B68-4225-9BD7-A6305815CD04}.bin Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\system32\CatRoot\SYSMAST.cbd Object is locked skipped
C:\WINNT\system32\CatRoot\SYSMAST.cbk Object is locked skipped
C:\WINNT\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATMAST.cbd Object is locked skipped
C:\WINNT\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATMAST.cbk Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\Tasks\Disk Cleanup.job Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.
 
Hi

Empty these folders:

C:\QooBox\Quarantine\
C:\Deckard\System Scanner\20080526024213\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\

Delete these:

C:\Deckard\System Scanner\20080526024213\backup\WINNT\Downloaded Program Files\antvrs.exe
C:\Deckard\System Scanner\20080526024213\backup\WINNT\Downloaded Program Files\AntvrsInstall.exe
C:\WINNT\Downloaded Program Files\CONFLICT.1

Empty Recycle Bin.

Still problems?
 
Files emptied/deleted

Hi
I think it's running better...been afraid to try, really. I still have a "backups" file on my desk top that I didn't create and that appeared in the last week. May I post another Kaspersky scan?
 
Hi

That is HijackThis backup folder.

You can delete it a bit later.

Any other concerns?
 
Hi

Then you're clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo
2) Online Armor
3) Sunbelt/Kerio
4) Agnitum
5) ZoneAlarm (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Next we remove all used tools.

Please download OTCleanIt and save it to desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
    totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:

    Malwarebytes' Anti-Malware Setup Guide

    Malwarebytes' Anti-Malware Scanning Guide
  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
  • Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
  • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean! :bigthumb:
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
 
You must log in or register to reply here.
Back
Top