Win Anti Spy Ware

iamthetboz

New member
My computer has been infected with Winantispyware. I cannot get rid of it. Please help. When I try to reboot, the computer restarts halfway through and the only mode I can actually get booted is 'Safe Mode with Networking'. I've tried to uninstall all the associated programs but I'm not sure if it's working or not. I still can't get it to boot in regular mode. I did get HijackThis to run in safe mode. I've attached that file. I'm not sure what else to do. Please help.
 
Hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 10:26:57 PM, on 7/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NBInstall] C:\DOCUME~1\SaraS\LOCALS~1\Temp\MBDownloader_876919.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [vhilotgA] C:\WINDOWS\vhilotgA.exe
O4 - HKLM\..\Run: [{CF-F4-40-02-ZN}] C:\windows\system32\modsregq.exe SKY009
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\twinpndt.exe SKY009
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernelwind32.exe
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINDOWS\g4356cbvy63
O4 - HKLM\..\Run: [SysDAFS.exe] C:\WINDOWS\system32\SysDAFS.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win19.tmp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [RemoveInstallPath] cmd.exe C:\WINDOWS\system32\cmd.exe /c rmdir /S /Q "C:\PROGRA~1\WinPop" > nul
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://miniclip.com/puzzlepirates/miniclipGameLoader.dll
O16 - DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} (Nyoko Downloader Class) - http://www.riverbelle.com/download_helper/Nyoko.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712...amai.com/6712/player/install3.5/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://candystand.com/assets/activex/virtools/CacheManager.CAB
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\vhilotg.exe (file missing)
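The helper who answers below reads a log like this by eye: entries that point at files that no longer exist, executables dropped straight into the Windows root or a Temp directory, an AppInit_DLLs value, services with no publisher, and file names that look machine-generated. As an added example (not part of the original post and not HijackThis code), the Python below parses lines in the HijackThis `Onn - ...` format and applies those same checks as explicit rules. The sample lines are a subset copied from the log above; the rules, the vowel-ratio threshold for "random-looking" names, and the list of squatted Run-value names are my assumptions for illustration, meant to prioritise what to look at first, not to prove that an entry is malicious.

```python
"""Triage a HijackThis-style log: parse each R/F/N/O entry and flag the ones an
analyst would examine first.  Added example: not HijackThis code and not part of
the original forum post.  The rules are assumptions that mirror what the thread's
reviewer did by eye; they prioritise, they do not prove malice."""
import re
from dataclasses import dataclass, field

ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.+?)\s*$")
QUOTED_PATH_RE = re.compile(r'"(?P<path>[A-Za-z]:\\[^"]+)"')
# An unquoted path may contain spaces, so cut it at the first executable-style
# extension; a path with no extension at all runs to the next whitespace.
BARE_PATH_RE = re.compile(
    r"[A-Za-z]:\\\S.*?\.(?:exe|dll|sys|scr|ocx|cpl|ax|tll)(?=\s|$)|[A-Za-z]:\\\S+",
    re.IGNORECASE,
)
RUN_NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]")
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32"}
# Run-value names that imitate Windows or an AV product (assumed list).
SQUATTED_NAMES = {"system", "avp", "windows", "explorer", "svchost", "kernel"}

# Constructed sample: a subset of the lines from the log above, same format.
SAMPLE_LOG = r"""
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [vhilotgA] C:\WINDOWS\vhilotgA.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win19.tmp.exe
O4 - HKLM\..\Run: [NBInstall] C:\DOCUME~1\SaraS\LOCALS~1\Temp\MBDownloader_876919.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINDOWS\g4356cbvy63
O4 - HKLM\..\Run: [SysDAFS.exe] C:\WINDOWS\system32\SysDAFS.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernelwind32.exe
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\vhilotg.exe (file missing)
"""


@dataclass
class Finding:
    kind: str
    target: str
    reasons: list = field(default_factory=list)


def extract_path(body):
    """Return the first Windows path in an entry body, or None for a bare name."""
    m = QUOTED_PATH_RE.search(body)
    if m:
        return m.group("path")
    m = BARE_PATH_RE.search(body)
    return m.group(0) if m else None


def looks_random(stem):
    """Consonant soup, or digits buried inside the name (not a version suffix)."""
    letters = [c for c in stem if c.isalpha()]
    if len(stem) < 6 or not letters:
        return False
    vowels = sum(c in "aeiou" for c in stem.lower())
    if vowels / len(letters) < 0.2:
        return True
    trailing_digits = len(stem) - len(stem.rstrip("0123456789"))
    inner_digits = sum(c.isdigit() for c in stem) - trailing_digits
    return inner_digits >= 2


def triage(log_text):
    """Parse every entry line and return the ones that earn at least one reason."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        reasons = []
        if "(file missing)" in body:
            reasons.append("points at a file that no longer exists")
        if kind == "O20" and "AppInit_DLLs" in body:
            reasons.append("AppInit_DLLs: loaded into every process that maps user32.dll")
        if kind == "O23" and "Unknown owner" in body:
            reasons.append("service with no publisher information")
        run = RUN_NAME_RE.search(body)
        if kind == "O4" and run and run.group("name").lower() in SQUATTED_NAMES:
            reasons.append(f"Run value '{run.group('name')}' imitates a system or AV component")
        path = extract_path(body.replace("(file missing)", ""))
        if path:
            directory, _, name = path.lower().rpartition("\\")
            if directory == "c:\\windows" or directory.endswith("\\temp"):
                reasons.append("launched from the Windows root or a Temp directory")
            if directory in SYSTEM_DIRS and looks_random(name.rsplit(".", 1)[0]):
                reasons.append("random-looking file name in a system directory")
        elif kind == "O4":
            reasons.append("bare file name, resolved through the search path at logon")
        if reasons:
            findings.append(Finding(kind, path or body, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4}{f.target}")
        for r in f.reasons:
            print(f"      - {r}")
```

On the sample, the Google toolbar and iTunesHelper entries come out clean and the remaining ten are flagged, with the `Windows Overlay Components` service collecting three reasons at once. Expect false positives from the bare-name rule (legitimate XP entries such as `%systemroot%\system32\dumprep 0 -k` have no drive path) and from the random-name rule on terse vendor names; the point is ordering the review, and the verdict on each entry still comes from looking the file up.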
 
Welcome to Safer Networking. I wish to be sure you have viewed and understood this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

I'll try to help, but you have major problems. Please read this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\j2re1.4.2_01\ <<< Java is badly out of date and likely the reason you are infected. Download the newest version and uninstall all old versions in Add Remove Programs.

You have trojans on board like this one:
c:\windows\system32\ldcore.dll
http://www.sophos.com/security/analyses/trojdloadraqg.html

O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\vhilotg.exe
Windows Overlay Components - X (Random).exe - Reported as the Trojan-Dropper.Win32.Agent.tb trojan by Kaspersky Anti-Virus. Note: this trojan file is located in the Windows or Winnt folder.

and many more infections, I am showing you this so you will know your security has been badly compromised, you may want to consider this information:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

At the very least you should pull the plug on this computer unless you have to be online during troubleshooting. If you wish to continue with the cleanup, then we will start like this:

Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks
 
Safe Boot with Networking

That is the only mode I can get the computer to boot up in. Should I follow all your instructions in that mode?

Thanks,
-Tboz
 
Cannot uninstall Java

So since I can only boot into Safe Mode with Networking, I am unable to uninstall Java. I'm trying to get into Normal mode but so far no good. Any ideas?

Thanks,
-Tboz
 
Let's face facts: you have major issues, and I am not sure malware is all of them. The fact that you were running a very outdated version of Java may or may not be the reason you are infected, but you are, so let's try to deal with it. I would say you can wait to update Java; I am interested in whether you were able to run ComboFix. If so, please post that ComboFix log and a new HJT log.

Here is one thing you can try that might get you out of safe mode:
How to get out of safe mode from the system configuration utility
If you use the System Configuration Utility to get into Safe Mode, you'll need to use it to get back out too.

Choose Start > Programs > Accessories > System Tools > System Information.

Choose Tools > System Configuration Utility.
On the General tab, Select Normal Startup -- Load Device Drivers and Software.
Click OK then restart Windows by clicking Yes in the System Settings Change dialog box.
Let me know if it works, and post those logs so I can see what we are up against.

Thanks
 
This is pretty bad, huh? Well, now I cannot get the computer to boot in any mode. Is my best bet to just reinstall Windows? If I do that, is there any way I can get some of the files off my hard drive? Mainly pictures, resumes, etc. All the music is still on the iPod so I can probably load it from there. Am I totally screwed or is there a way to save some of my stuff?

By the way, thanks for all your help. I was close to throwing the computer out the window last night. Still might happen but hopefully it won't come to that. Please let me know what you think my best course of action is.

Thanks,
-Tboz
 
I was able to boot from my CD-ROM copy of Windows, where I could run Repair XP. That allowed me to get into DOS. From there I moved some drivers around, which allowed me to get back into 'Safe Mode with Networking'. I ran ComboFix, which seems to have fixed some things. I can now get into Normal Mode. I've attached the ComboFix log and HJT log below. I feel like we've finally made some progress. At the very least, I should be able to get my files off the hard drive.

Please let me know what to do next. Thanks for all your guidance so far.

-Tboz
 
combofix log

ComboFix 07-08-04.3 - "Administrator" 2007-08-05 16:48:47.1 [GMT -5:00] - NTFS [SAFE MODE]
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\LOCALS~1\APPLIC~1\install.dat
C:\DOCUME~1\NETWOR~1\APPLIC~1\.rdr.ini
C:\DOCUME~1\NETWOR~1\APPLIC~1\install.dat
C:\DOCUME~1\SaraS\APPLIC~1\..\err.log>>d-delA.cf
C:\DOCUME~1\SaraS\APPLIC~1\.rdr.ini
C:\DOCUME~1\SaraS\APPLIC~1\install.dat
C:\DOCUME~1\SaraS\APPLIC~1\Starware
C:\DOCUME~1\SaraS\APPLIC~1\Starware\Manager\ManagerOptions.xml
C:\DOCUME~1\SaraS\APPLIC~1\Starware\Manager\ManagerOptions.xml.backup
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Program Files\Common Files\ppatch~1
C:\Program Files\Common Files\ppatch~1\m?iexec.exe
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
C:\Program Files\MSN\vixyl83122.dll
C:\temp\0c2
C:\temp\0c2\tmpFF.log
C:\temp\brr
C:\temp\brr\tmpZTF.log
C:\WINDOWS\83122.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\crosof~1.net
C:\WINDOWS\csrss.exe
C:\WINDOWS\desktop.html
C:\WINDOWS\mgrs.exe
C:\WINDOWS\offun.exe
C:\WINDOWS\rau001978.exe
C:\WINDOWS\retadpu27.exe
C:\WINDOWS\retadpu572.exe
C:\WINDOWS\spooldr.exe
C:\WINDOWS\system32\awtqrqn.dll
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\b02FdUe\b02FdUe1065.exe
C:\WINDOWS\system32\b06FdUe
C:\WINDOWS\system32\b06FdUe\b06FdUe1083.exe
C:\WINDOWS\system32\config\systemprofile\application data\.rdr.ini
C:\WINDOWS\system32\dllh8jkd1q1.exe
C:\WINDOWS\system32\dllh8jkd1q2.exe
C:\WINDOWS\system32\dllh8jkd1q5.exe
C:\WINDOWS\system32\dllh8jkd1q6.exe
C:\WINDOWS\system32\dllh8jkd1q7.exe
C:\WINDOWS\system32\dllh8jkd1q8.exe
C:\WINDOWS\system32\dnsersnd.dll
C:\WINDOWS\system32\drivers\asc3550u.sys
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\drivers\ip6fw.sys
C:\WINDOWS\system32\exahqsno.exe
C:\WINDOWS\system32\hlpsrv.exe
C:\WINDOWS\system32\jkkjkig.dll
C:\WINDOWS\system32\khfghif.dll
C:\WINDOWS\system32\ldcore.dll
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\loftketd.dll
C:\WINDOWS\system32\mjejyysf.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\spooldr.sys
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\urqonnn.dll
C:\WINDOWS\system32\vedxga1me4t1.exe
C:\WINDOWS\system32\vedxga3me2.exe
C:\WINDOWS\system32\vedxga4me1.exe
C:\WINDOWS\system32\vx.tll
C:\WINDOWS\system32\win
C:\WINDOWS\system32\winfqk32.dll
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\wuulyhu.dll
C:\WINDOWS\system32\wvuvssp.dll
C:\WINDOWS\system32\X1
C:\WINDOWS\system32\X1\kmhp83122.exe
C:\WINDOWS\system32\X11
C:\WINDOWS\system32\X11\z553.exe
C:\WINDOWS\system32\X3
C:\WINDOWS\system32\X3\wr731.exe
C:\WINDOWS\system32\X7
C:\WINDOWS\system32\X9
C:\WINDOWS\system32\yabxy.dll
C:\WINDOWS\system32\yxbay.bak1
C:\WINDOWS\system32\yxbay.bak2
C:\WINDOWS\system32\yxbay.ini
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\TISKY009.exe
C:\WINDOWS\uninst2.htm
C:\WINDOWS\unist1.htm
C:\WINDOWS\wr.txt
C:\windows\xpupdate.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_APIMON
-------\LEGACY_FOPN
-------\LEGACY_NET_AGENT
-------\LEGACY_QIE28
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\ApiMon
-------\Net Agent
-------\Windows Overlay Components


((((((((((((((((((((((((( Files Created from 2007-07-05 to 2007-08-05 )))))))))))))))))))))))))))))))


2007-08-05 16:47 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-05 16:46 1,408,582 --a------ C:\ComboFix.exe
2007-08-04 18:08 <DIR> d-------- C:\WINDOWS\system32\drivers\bak
2007-08-04 17:58 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-07-31 22:45 93,696 --a------ C:\WINDOWS\system32\drvsat.dll
2007-07-31 22:45 <DIR> d-------- C:\DOCUME~1\SaraS\APPLIC~1\?ymbols
2007-07-31 22:30 125,504 --a--c--- C:\WINDOWS\system32\bhipvpus.dll
2007-07-31 19:44 70,312 --a------ C:\Program Files\codec_setup.exe
2007-07-31 16:30 168,960 --a------ C:\WINDOWS\system32\drivers\Qie28.sys
2007-07-31 16:17 168,960 --a------ C:\WINDOWS\system32\drivers\Xrx49.sys
2007-07-31 16:17 168,960 --a------ C:\WINDOWS\system32\drivers\symavc32.sys
2007-07-31 16:11 9,769 --a------ C:\WINDOWS\gsvjy0578.exe
2007-07-28 16:03 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll
2007-07-28 16:03 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2007-07-28 16:03 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll
2007-07-28 16:03 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2007-07-28 16:03 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd106.dll
2007-07-28 16:03 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101c.dll
2007-07-28 16:03 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101b.dll
2007-07-28 16:03 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2007-07-28 16:03 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2007-07-28 16:03 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2007-07-28 16:03 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbd103.dll
2007-07-28 16:03 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2007-07-24 12:06 <DIR> d-------- C:\DOCUME~1\Tyler\APPLIC~1\MySpace
2007-07-05 00:06 294,912 --a------ C:\WINDOWS\Walgreens PhotoShow.scr
2007-07-05 00:06 <DIR> d-------- C:\DOCUME~1\SaraS\APPLIC~1\Simple Star
2007-07-05 00:06 <DIR> d-------- C:\Demo Album
2007-07-05 00:05 <DIR> d-------- C:\Program Files\Walgreens


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-05 17:04 375168 --a--c--- C:\WINDOWS\system32\dllcache\tcpip.sys
2007-08-05 17:04 375168 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2007-07-31 22:26 --------- d-------- C:\Program Files\Yahoo!
2007-07-31 21:37 --------- d-------- C:\Program Files\MySpace
2007-07-31 16:16 --------- d-------- C:\Program Files\Windows NT
2007-07-31 01:54 13993410 -r-hs---- C:\AVG6DB_F.DAT
2007-07-28 21:34 --------- d-------- C:\Program Files\MSN Messenger
2007-07-28 04:06 135 --a------ C:\Program Files\page.html
2007-07-26 20:23 --------- d-------- C:\Program Files\OpenOffice.org1.1.1
2007-07-07 15:35 2983 --a------ C:\WINDOWS\mozver.dat
2007-06-25 08:54 53248 --a------ C:\WINDOWS\uni_eh44.exe
2007-06-25 08:53 53248 --a------ C:\WINDOWS\uninst1014.exe
2007-06-06 03:28 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-06-03 20:21 8326 --a------ C:\WINDOWS\extend.dat
2007-05-16 10:12 86528 -----c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 10:12 85504 -----c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 10:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 10:12 683520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 10:12 510976 -----c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 10:12 1314816 -----c--- C:\WINDOWS\system32\dllcache\msoe.dll
2007-03-06 22:15 1201917 --a------ C:\Program Files\wrar37b4.exe
2007-03-06 22:14 25755448 --a------ C:\Program Files\wmp11-windowsxp-x86-enu.exe
2007-03-06 20:06 6006304 --a------ C:\Program Files\Firefox Setup 2.0.0.2.exe
2006-12-02 20:05 2522 --a------ C:\Program Files\func.js
2006-11-25 02:57 482 --a------ C:\Program Files\Del.js
2006-06-08 02:02 2048 --a------ C:\Program Files\func.exe
2006-01-22 14:25 112729 --a------ C:\Program Files\cddrv224.zip
2006-01-22 14:06 7180311 --a------ C:\Program Files\HandBrake-0.7.0-GUIAndCLI-20060115.zip
2001-09-27 18:51 44779 --a------ C:\Program Files\NLDS1XXW.INF
2001-08-27 16:40 940606 --a------ C:\Program Files\data1.cab
2001-08-27 16:40 526 --a------ C:\Program Files\layout.bin
2001-08-27 16:40 36731 --a------ C:\Program Files\data1.hdr
2001-08-27 16:40 296 --a------ C:\Program Files\Setup.ini
2001-08-27 16:40 1409627 --a------ C:\Program Files\data2.cab
2001-08-24 05:44 2632 --a------ C:\Program Files\YDSXGDK.INF
2001-06-13 09:41 142209 --a------ C:\Program Files\setup.inx
2000-11-14 02:05 131072 --a------ C:\Program Files\dsuninst.exe
2000-10-30 13:00 141 --a------ C:\Program Files\setup.inf
2000-05-16 15:36 139264 --a------ C:\Program Files\Setup.exe
2000-05-14 19:17 335626 --a------ C:\Program Files\ikernel.ex_
2000-04-01 22:00 1073 --a------ C:\Program Files\YDSXGDK.CAT
2000-04-01 22:00 1073 --a------ C:\Program Files\YDSDEV.CAT
1999-04-02 12:16 2417445 --a------ C:\Program Files\Dsxgwave.tbl

C:\WINDOWS\system32\drivers\tcpip.sys ... is infected !! (additional data below)
359,808 2005-05-25 19:04:02 C:\WINDOWS\$hf_mig$\KB893066\SP2GDR\tcpip.sys
359,936 2005-05-25 19:07:12 C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
360,576 2006-04-20 12:18:35 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
339,968 2005-05-25 19:41:10 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
332,928 2002-08-29 06:58:12 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys.000
359,040 2004-08-04 06:14:40 C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
332,928 2002-08-29 06:58:12 C:\WINDOWS\$NtUninstallKB893066_0$\tcpip.sys
359,808 2005-05-25 19:04:02 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
359,040 2004-08-04 06:14:40 C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
340,480 2006-01-13 01:13:17 C:\WINDOWS\SoftwareDistribution\Download\e534ebaf021731fc8bec5e8193de9bb9\SP1QFE\tcpip.sys
359,808 2006-01-13 02:28:14 C:\WINDOWS\SoftwareDistribution\Download\e534ebaf021731fc8bec5e8193de9bb9\SP2GDR\tcpip.sys
360,448 2006-01-13 17:07:08 C:\WINDOWS\SoftwareDistribution\Download\e534ebaf021731fc8bec5e8193de9bb9\SP2QFE\tcpip.sys
375,168 2007-08-05 22:05:19 C:\WINDOWS\system32\dllcache\tcpip.sys
375,168 2007-08-05 22:05:21 C:\WINDOWS\system32\drivers\tcpip.sys
375,168 2007-08-04 22:52:01 C:\WINDOWS\system32\drivers\bak\tcpip.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_CC"="C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe" [2004-05-18 06:00]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"AtiPTA"="atiptaxx.exe" [2001-09-26 22:39 C:\WINDOWS\system32\atiptaxx.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-12-27 19:01]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2006-05-16 18:50]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 20:30]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 01:14]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 14:19]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"NBInstall"="C:\DOCUME~1\SaraS\LOCALS~1\Temp\MBDownloader_876919.exe" [2007-07-31 11:32]
"vhilotgA"="C:\WINDOWS\vhilotgA.exe" []
"{CF-F4-40-02-ZN}"="C:\windows\system32\modsregq.exe" []
"g4356cbvy63"="C:\WINDOWS\g4356cbvy63" []
"SysDAFS.exe"="C:\WINDOWS\system32\SysDAFS.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2005-11-07 16:49]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 18:51]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" []
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe" [2005-05-19 16:59]
"Scna"="C:\WINDOWS\CROSOF~1.NET\wowexec.exe" []
"Ownejdr"="C:\Program Files\Common Files\??pPatch\m?iexec.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"RemoveInstallPath"=cmd.exe C:\WINDOWS\system32\cmd.exe /c rmdir /S /Q "C:\PROGRA~1\WinPop" > nul

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6fc94ea-c64a-11da-9c33-005022491f7c}]
AutoRun\command- E:\JDLightning\Windows\JDLightning.exe


Contents of the 'Scheduled Tasks' folder
2007-07-30 15:57:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-05 17:04:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\wdfmzrx.exe [1968] 0x82FA6C10
C:\WINDOWS\wdfmzrx.exe [336] 0x82DFFAD0


scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\wdfmzrx.exe
C:\WINDOWS\system32\wdfmzrx.exe
**************************************************************************

Completion time: 2007-08-05 17:08:05 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-05 17:06

--- E O F ---
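The `tcpip.sys ... is infected !!` block in the ComboFix log above deserves a closer read than the rest of the output. ComboFix lists every copy of the driver it can find with its size and timestamp: the copies under `$hf_mig$`, `$NtUninstall*`, `ServicePackFiles` and `SoftwareDistribution` were all put there by Microsoft installers and have sizes in the 332,928 to 360,576 byte range, while the live `system32\drivers\tcpip.sys` is 375,168 bytes and matches none of them. The detail that matters for cleanup is that `system32\dllcache\tcpip.sys`, which is where Windows File Protection restores protected files from, has the same size and a timestamp two seconds apart. When the cache copy is the suspect one, `sfc /scannow` or WFP's automatic repair will simply put the bad driver back, so the replacement has to come from one of the Microsoft stores or the install media. As an added example (not ComboFix code and not part of the original post), the Python below parses a listing in exactly that format and returns those two conclusions. The sample is the listing from the log above; the directory patterns used to decide which copies are Microsoft's are my assumptions about XP's layout, and because ComboFix prints only size and timestamp, the script compares sizes and includes a hashing helper for use on a live machine, where content, not size, is what should be compared.

```python
"""Audit the size/timestamp listing that ComboFix prints under '... is infected'
for a protected system file: does the live driver match any copy Windows itself
installed, and does the Windows File Protection cache (system32\\dllcache) hold
the same suspect copy?  Added example, not ComboFix code and not from the
original post; the store patterns are assumptions about where XP keeps its own
copies, and the comparison is by size because that is all the listing shows."""
import hashlib
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^\s*(?P<size>[\d,]+)\s+(?P<date>\d{4}-\d\d-\d\d)\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<path>\S.*?)\s*$"
)
# Where XP keeps Microsoft-installed copies: hotfix migration folder, hotfix and
# service-pack uninstall folders, service-pack source, Windows Update cache.
MICROSOFT_STORES = (
    "\\$hf_mig$\\", "\\$ntuninstall", "\\$ntservicepackuninstall$\\",
    "\\servicepackfiles\\", "\\softwaredistribution\\",
)

# Sample listing: the tcpip.sys block from the ComboFix log above.
LISTING = r"""
359,808 2005-05-25 19:04:02 C:\WINDOWS\$hf_mig$\KB893066\SP2GDR\tcpip.sys
359,936 2005-05-25 19:07:12 C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
360,576 2006-04-20 12:18:35 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
339,968 2005-05-25 19:41:10 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
332,928 2002-08-29 06:58:12 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys.000
359,040 2004-08-04 06:14:40 C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
332,928 2002-08-29 06:58:12 C:\WINDOWS\$NtUninstallKB893066_0$\tcpip.sys
359,808 2005-05-25 19:04:02 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
359,040 2004-08-04 06:14:40 C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
340,480 2006-01-13 01:13:17 C:\WINDOWS\SoftwareDistribution\Download\e534ebaf021731fc8bec5e8193de9bb9\SP1QFE\tcpip.sys
359,808 2006-01-13 02:28:14 C:\WINDOWS\SoftwareDistribution\Download\e534ebaf021731fc8bec5e8193de9bb9\SP2GDR\tcpip.sys
360,448 2006-01-13 17:07:08 C:\WINDOWS\SoftwareDistribution\Download\e534ebaf021731fc8bec5e8193de9bb9\SP2QFE\tcpip.sys
375,168 2007-08-05 22:05:19 C:\WINDOWS\system32\dllcache\tcpip.sys
375,168 2007-08-05 22:05:21 C:\WINDOWS\system32\drivers\tcpip.sys
375,168 2007-08-04 22:52:01 C:\WINDOWS\system32\drivers\bak\tcpip.sys
"""


@dataclass
class Copy:
    size: int
    stamp: str
    path: str
    role: str  # live | wfp_cache | microsoft | other


def classify(path):
    """Assign a role from the directory the copy lives in."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    if "\\system32\\dllcache\\" in p:
        return "wfp_cache"
    if p.endswith(("\\system32\\drivers\\" + name, "\\system32\\" + name)):
        return "live"
    if any(store in p for store in MICROSOFT_STORES):
        return "microsoft"
    return "other"


def parse_listing(text):
    copies = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            path = m.group("path")
            size = int(m.group("size").replace(",", ""))
            copies.append(Copy(size, f"{m.group('date')} {m.group('time')}", path, classify(path)))
    return copies


def audit(text):
    """Compare the live file and the WFP cache against Microsoft's own copies."""
    copies = parse_listing(text)
    live = next((c for c in copies if c.role == "live"), None)
    if live is None:
        return {"verdict": "no live copy in listing"}
    microsoft = sorted((c for c in copies if c.role == "microsoft"), key=lambda c: c.stamp)
    ms_sizes = {c.size for c in microsoft}
    matches_ms = live.size in ms_sizes
    cache_matches_live = any(c.role == "wfp_cache" and c.size == live.size for c in copies)
    return {
        "live_size": live.size,
        "matches_microsoft_copy": matches_ms,
        # WFP restores from dllcache: if the cache holds the suspect copy, sfc and
        # on-the-fly repair will put the bad file straight back.
        "wfp_cache_compromised": cache_matches_live and not matches_ms,
        "microsoft_copies": len(microsoft),
        "newest_microsoft_copy": microsoft[-1].path if microsoft else None,
    }


def sha256_of(path):
    """On a live box compare content, not size; two patched files can share a size."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    for key, value in audit(LISTING).items():
        print(f"{key}: {value}")
```

On the listing from the log this reports `matches_microsoft_copy: False` and `wfp_cache_compromised: True`, with twelve Microsoft-installed copies to choose a replacement from. Which of those is the right one depends on the hotfix level actually installed (the newest by timestamp is the KB917953 QFE copy here, but a GDR-branch machine would want the GDR file), so the script lists the candidates rather than picking one; the `drivers\bak` copy created the day before is classified as `other` and is not treated as a trusted source.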
 
Hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 17:13, on 2007-08-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wdfmzrx.exe
C:\WINDOWS\wdfmzrx.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\DOCUME~1\SaraS\LOCALS~1\Temp\MBDownloader_876919.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NBInstall] C:\DOCUME~1\SaraS\LOCALS~1\Temp\MBDownloader_876919.exe
O4 - HKLM\..\Run: [vhilotgA] C:\WINDOWS\vhilotgA.exe
O4 - HKLM\..\Run: [{CF-F4-40-02-ZN}] C:\windows\system32\modsregq.exe SKY009
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINDOWS\g4356cbvy63
O4 - HKLM\..\Run: [SysDAFS.exe] C:\WINDOWS\system32\SysDAFS.exe
O4 - HKCU\..\Run: [DW4] C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Scna] "C:\WINDOWS\CROSOF~1.NET\wowexec.exe" -vt yazb
O4 - HKCU\..\Run: [Ownejdr] "C:\Program Files\Common Files\??pPatch\m?iexec.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\twinpndt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm035MGUS
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://miniclip.com/puzzlepirates/miniclipGameLoader.dll
O16 - DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} (Nyoko Downloader Class) - http://www.riverbelle.com/download_helper/Nyoko.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712...amai.com/6712/player/install3.5/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://candystand.com/assets/activex/virtools/CacheManager.CAB
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
 
Thanks for posting your information. We still have a ways to go, as you can see from the ComboFix report, but ComboFix did remove a load of junk. Let's see what we can clean with HJT, but I would also like to see your uninstall list, like this:

First I need to show you this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\j2re1.4.2_01\ <<< BADLY outdated Java and likely the reason you are infected. As soon as possible, you need to download the newest version and uninstall all old versions in Add/Remove Programs.


1) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)

2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll (file missing)
O4 - HKLM\..\Run: [NBInstall] C:\DOCUME~1\SaraS\LOCALS~1\Temp\MBDownloader_876919.exe
O4 - HKLM\..\Run: [vhilotgA] C:\WINDOWS\vhilotgA.exe
O4 - HKLM\..\Run: [{CF-F4-40-02-ZN}] C:\windows\system32\modsregq.exe SKY009
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINDOWS\g4356cbvy63
O4 - HKLM\..\Run: [SysDAFS.exe] C:\WINDOWS\system32\SysDAFS.exe
O4 - HKCU\..\Run: [Scna] "C:\WINDOWS\CROSOF~1.NET\wowexec.exe" -vt yazb
O4 - HKCU\..\Run: [Ownejdr] "C:\Program Files\Common Files\??pPatch\m?iexec.exe"
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\twinpndt.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZJxdm035MGUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab G
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://miniclip.com/puzzlepirates/mi...GameLoader.dll
O16 - DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} (Nyoko Downloader Class) - http://www.riverbelle.com/download_helper/Nyoko.cab
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://candystand.com/assets/activex...cheManager.CAB

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\CROSOF~1.NET\ <<< delete that folder

C:\WINDOWS\g4356cbvy63 <<< delete that file

C:\WINDOWS\vhilotgA.exe <<< delete that file

C:\WINDOWS\wdfmzrx.exe <<< delete that file

C:\DOCUMENTS & SETTINGS~1\SaraS\LOCALSETTINGS~1\Temp\ <<< delete the contents of that folder in red (not the folder)

C:\Program Files\Common Files\??pPatch\ <<< delete that folder

C:\WINDOWS\system32\dwdsregt.exe <<< delete that file

C:\windows\system32\modsregq.exe <<< delete that file

C:\WINDOWS\system32\SysDAFS.exe <<< delete that file

C:\WINDOWS\system32\twinpndt.exe <<< delete that file

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post a new HJT log and your uninstall list, and let me know how we are doing.

Thanks
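Triaging an HJT log by hand, as done in the post above, follows a few recurring cues: entries whose target no longer exists, autoruns launched from a Temp folder or straight out of the Windows folder, paths HJT could only print with "?" characters, and O16 ActiveX (DPF) controls pulled from sites other than Microsoft's. The Python script below is an added example, not part of this thread and not a HijackThis feature, that encodes those cues as a first-pass filter. The sample log is constructed from lines that appear in this thread; the allowlist of ActiveX hosts and the reason strings are my assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a handful of lines copied from the HijackThis logs in
# this thread (benign and suspicious entries mixed, nothing invented).
SAMPLE_LOG = r"""
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll (file missing)
O4 - HKLM\..\Run: [NBInstall] C:\DOCUME~1\SaraS\LOCALS~1\Temp\MBDownloader_876919.exe
O4 - HKLM\..\Run: [vhilotgA] C:\WINDOWS\vhilotgA.exe
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINDOWS\g4356cbvy63
O4 - HKCU\..\Run: [Ownejdr] "C:\Program Files\Common Files\??pPatch\m?iexec.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} (Nyoko Downloader Class) - http://www.riverbelle.com/download_helper/Nyoko.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
"""

# Every HJT entry looks like "O<n> - <detail>".
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# First Windows path in the detail; stops at a closing quote, at the
# "(file missing)" marker HJT appends, or at end of line.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?)(?:"|\s*\(file missing\)|$)')
URL_RE = re.compile(r"https?://\S+")
EXEC_EXT_RE = re.compile(r"\.(exe|dll|lnk|sys|cpl|scr|com|ocx)$")
# Hosts allowed to deliver ActiveX (O16/DPF) controls. Assumption: a
# per-environment allowlist; extend it with whatever your site trusts.
TRUSTED_DPF_HOSTS = {"go.microsoft.com"}


def assess(line):
    """Return (section, detail, reasons) for one log line, with an empty
    reasons list when no heuristic fires, or None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, detail = m.groups()
    reasons = []

    if "(file missing)" in detail:
        reasons.append("target file missing (dead entry)")

    pm = PATH_RE.search(detail)
    if pm:
        path = pm.group(1)
        low = path.lower()
        if "?" in path:
            # HJT prints characters it cannot render as "?"; real program
            # folders are not named that way, so such entries need a look.
            reasons.append("unprintable characters in path")
        if "\\temp\\" in low:
            reasons.append("autorun from a Temp folder")
        if section == "O4":
            if re.match(r"^[a-z]:\\windows\\[^\\]+$", low):
                reasons.append("autorun directly in the Windows folder")
            if not EXEC_EXT_RE.search(low):
                reasons.append("no standard executable extension")

    if section == "O16":
        um = URL_RE.search(detail)
        host = urlparse(um.group(0)).hostname if um else None
        if host not in TRUSTED_DPF_HOSTS:
            reasons.append(f"ActiveX control downloaded from untrusted host {host}")

    return section, detail, reasons


def triage(log_text):
    """Run assess() over a whole log and return only the flagged entries."""
    flagged = []
    for line in log_text.splitlines():
        result = assess(line)
        if result and result[2]:
            flagged.append(result)
    return flagged


if __name__ == "__main__":
    for section, detail, reasons in triage(SAMPLE_LOG):
        print(f"{section}: {detail}")
        for reason in reasons:
            print(f"    -> {reason}")
```

On the sample above the script flags seven of the nine lines and leaves the HP autorun and the Microsoft-hosted control alone. It is deliberately a first pass: an O4 entry that is a bare filename (such as `atiptaxx.exe`) or a well-named executable dropped in System32 gets no reason, and command-line arguments after an unquoted path are not split off, so anything the filter does not mention still has to be researched by name the way the helper does in this thread.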
 
I had just updated Java from 1.4.2_01 to 1.6.0_02 after the last post. Attached is the uninstall list from HJT. I'm still working on the other stuff.

Thanks,
-Tboz


Adobe Common File Installer
Adobe Dimensions 3.0
Adobe Flash Player 9 ActiveX
Adobe Help Center 2.0
Adobe PageMaker 7.0
Adobe Photoshop Album 2.0
Adobe Photoshop CS2
Adobe Reader 7.0.9
Adobe Stock Photos 1.0
Adobe Streamline 4.0
Ahead Nero - Burning Rom
AOL Instant Messenger
Apple Software Update
ArcSoft PhotoStudio 5.5
ATI Display Driver
Avery Wizard 1.1 for Microsoft Word 97
AVG 6.0 Anti-Virus - FREE Edition
Azureus
BitTorrent 3.4.2
Canon MP Navigator 3.0
Canon MP600
Canon MP600 User Registration
Canon My Printer
Canon Utilities Easy-PhotoPrint
CardRd81
CCScore
CR2
DesignPro 5.0 Media Edition
Desktop Weather by The Weather Channel
DiscWizard for Windows
Easy-WebPrint
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
ESSvpaht
ESSvpot
Google Toolbar for Internet Explorer
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
HLPIndex
HLPPDOCK
HLPRFO
HP Image Zone 3.5
HP PSC & OfficeJet 3.5
HP Software Update
ImageMixer VCD/DVD2 for OLYMPUS
iPod for Windows 2005-10-12
iPod for Windows 2006-01-10
iTunes
Java(TM) 6 Update 2
Kodak EasyShare software
KSU
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Flash Player 8
Macromedia Shockwave Player
Memories Disc Creator 2.0
Mozilla Firefox (2.0.0.2)
MSN Toolbar
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 Parser and SDK
Netscape Browser (remove only)
Notifier
OLYMPUS Master
Opera
OTOY
OTtBP
OTtBPSDK
overland
Palm Desktop
PCDADDIN
PCDHELP
powerOne Personal v2.1.1 for Handhelds
QuickTime
RealPlayer
REALTEK GbE & FE Ethernet PCI NIC Driver
ScanSoft OmniPage SE 4.0
SFR
SFR2
SHASTA
SimCity 3000
SKIN0001
SKINXSDK
TaxCut Deluxe 2005
The Sims Deluxe Edition
TypingMaster TypingTest
Viewpoint Media Player
VPRINTOL
Walgreens PhotoShow Express
Weather Services
WeatherBug
Windows Overlay Components
Winferno Security Scan
WinRAR archiver
WinZip
WIRELESS
YAMAHA DS-XG WDM
 
Please complete the last instructions before you start these:

Uninstall list:

AVG 6.0 Anti-Virus - FREE Edition <<< Obsolete
http://free.grisoft.com/doc/avg-anti-virus-free/lng/us/tpl/v5

Viewpoint Media Player
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546

That's all I see but I do not know all of your programs. You should look and investigate anything you do not know and uninstall anything you no longer use.

This is a problem from the combofix log:
C:\WINDOWS\system32\drivers\tcpip.sys ... is infected !! (additional data below)

I have only run into one of these and we had to replace it manually. When you are ready, you can try System File Checker.
Here are two tutorials if you are not familiar with SFC.
http://dwightblackburn.com/winxp/
http://www.updatexp.com/scannow-sfc.html
If SFC finds a missing or corrupted Windows file (which this is), it should replace the infected file with one that is either stored on the computer or on the CD if none is stored on the computer.
We have to make sure that infected file is replaced; we cannot run without it.

Combofix has pointed out these files as problems:
C:\WINDOWS\wdfmzrx.exe <<< this one is on the list to delete

C:\WINDOWS\system32\wdfmzrx.exe <<< this one we must scan to find out if it is good or bad (note it is in the System32 folder)
using this scanner: http://www.virustotal.com/
If it scans bad, delete it.

Thanks
 
I tried to delete all those files and folders but none of them were there. The temp file was the only one that had stuff I could delete but a handful of them gave an error about permissions. Should I just go ahead and run the ATF-Cleaner anyway?

-Tboz
 
Yes, just do your best. Sometimes I remove them twice (better than missing them); HJT will kill them so they are gone later. Finish the instructions, post a new HJT log and let me know how the computer is running. I am down for the night when I send this post.

Thanks
 
I had some issues with that infected tcpip.sys file. I couldn't get SFC to run correctly because the version of XP that I have on CD is not the same as the one installed on my machine. I tried copying over the i386 folder from the CD and pointing the SourcePath at it, but had some issues accessing the files from the CD. So I didn't do anything with that file. But here is the current HJT log. I haven't connected online from that computer yet. Do you think it is safe to do that yet?

Thanks,
-Tboz



Logfile of HijackThis v1.99.1
Scan saved at 21:19, on 2007-08-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712...amai.com/6712/player/install3.5/installer.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
 
Thanks for returning your information. Let me say first that the HJT log appears to be clean of malware.

The next thing I would want to know is where is the CD for the Operating System that is on your computer?

Next I would like you to use one or more of these free online scanners to be positive we have an infected file:
C:\WINDOWS\system32\drivers\tcpip.sys <<< file to scan
Scanners:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

Post that information.

Next look to see if you have this folder on the computer: C:\I386

Thanks
 
I tried all three of those virus scan sites and each one went to 'cannot find server' when I submitted the file. So then I thought I'd email it to the www.virustotal.com site but my hotmail account did the same thing when I tried to attach the file. So then I thought I'd copy the file to a thumb drive and scan it from another computer. But I couldn't copy it and got the message 'The process cannot access this file because another process has locked a portion of the file'. Does this mean anything to you?

Thanks,
-Tboz
 