XP SecurityCenter Infection

[Nerdenwerfer]

Hi to the good people at Spybot,

I have a piece of Malware that has installed a persistent icon (white cross on red disc) in the desktop tray that activates a typical scamware pop up to deal with itself (the above named XP Security Centre). AdAware has not detected it.

I have followed the instruction in the stickes above (ie. Steps before you post) with the following results:

1. Spybot S&D has installed on the desktop but does not open. By right clicking and selecting scan it will perform what appears to be a scan but detects nothing. It will not open to its full menu (I have installed it on another system to check what its functionality should be). I have downloded several fresh versions and tried name changing the exe. All to no avail.

2. HJT like S&D has installed to the desktop but will not open. Again I mirrored the installation on the other machine and it logs to its hearts content.

Accordingly I am unable to post the log and request a where to from here?

 

[Baabiouz]

Hello Nerdenwerfer

Have you tried to rename Hijackthis.exe example to Nerdenwerfer.exe and run?

If it doesn't work please try Combofix:

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.

• When finished, it will produce a report for you.
• Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

Please try run HijackThis and post Combofix log and HijackThis log back here

 

[Nerdenwerfer]

Thanks Baabiouz,

The rename on HJT worked this time. Please see log file below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:38:08 PM, on 25/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\lotus\notes\ntmulti.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\braviax.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\TEMP\7E95.tmp
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\XPSecurityCenter\xpsecuritycenter.exe
C:\Program Files\Trend Micro\Nerdenwerfer\Nerdenwerfer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com.au/ig/dell?hl=en&client=dell-row-rel&channel=au&ibd=0080528
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com.au/ig/dell?hl=en&client=dell-row-rel&channel=au&ibd=0080528
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKLM\..\Run: [XP SecurityCenter] "C:\Program Files\XPSecurityCenter\xpsecuritycenter.exe" /hide
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = agentsalesdm.com.au
O17 - HKLM\Software\..\Telephony: DomainName = agentsalesdm.com.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = agentsalesdm.com.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = agentsalesdm.com.au
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\lotus\notes\ntmulti.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7787 bytes


Thanks again

 

[Baabiouz]

Hello

Step #1
Please click on Start > Control Panel > Add/Remove Programs and uninstall the following programs(if present):

XPSecurityCenter

This next may not be bad, but there is more better softwares:
AdwareAlert

If you feel you don't need that, please remove it. We'll Download one better tool soon (that doesn't have realtime protection but your Spybot and Symantec will be enough).

Step #2
Please disable Teatimer as it may interfere with the fix.
First:

• Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
• Choose Exit Spybot S&D Resident

Second:

• Open Spybot S&D
• Click Mode, check Advanced Mode
• Go To Left Panel, Click Tools, then also in left panel, click Resident
• If your firewall raises a question, say OK
• Uncheck the box labeled Resident Tea-Timer and OK any prompts.
• Use File, Exit to terminate Spybot
• Reboot your machine for the changes to take effect.

Once your log is clean you can re-enable those settings in TeaTimer.

Step #3
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.

• When finished, it will produce a report for you.
• Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

Step #4
Please post Combofix log and a fresh HijackThis log back here

 

[Nerdenwerfer]

Thanks Baabiouz,

I've done as follows:

1. XP Security Centre (which is the Malware) did not appear on the programs list but it was definitely still there.

2. As stated previously I cannot acess the Spy Bot main screen (appears to be blocked by the malware) so I uninstalled spy bot instead.

3. Was able to run both ComboFix and HJT successfully to generate the reports below. I might add that after running ComboFix that the pop ups have disappeared and the Symantec will again update and scan (previously also being blocked).

ComboFix 08-07-27.5 - agent1 2008-07-28 11:36:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1606 [GMT 8:00]
Running from: C:\Documents and Settings\agent1\Desktop\Combo-Fix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys
C:\Documents and Settings\agent1\Local Settings\Temporary Internet Files\akit.com
C:\Documents and Settings\agent1\Local Settings\Temporary Internet Files\dadivesap.com
C:\Documents and Settings\agent1\Local Settings\Temporary Internet Files\dizuhy._sy
C:\Documents and Settings\agent1\Local Settings\Temporary Internet Files\keja._dl
C:\Documents and Settings\agent1\Local Settings\Temporary Internet Files\litozucew.sys
C:\Documents and Settings\agent1\Local Settings\Temporary Internet Files\ocajof._dl
C:\Documents and Settings\agent1\Local Settings\Temporary Internet Files\okodowih.bin
C:\Documents and Settings\agent1\Local Settings\Temporary Internet Files\tidobu._sy
C:\Documents and Settings\agent1\Local Settings\Temporary Internet Files\wybid.sys
C:\Documents and Settings\agent1\Local Settings\Temporary Internet Files\ykab.com
C:\Program Files\XPSecurityCenter
C:\Program Files\XPSecurityCenter\data\daily.cvd
C:\Program Files\XPSecurityCenter\htmlayout.dll
C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\msvcm80.dll
C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\msvcp80.dll
C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\msvcr80.dll
C:\Program Files\XPSecurityCenter\pthreadVC2.dll
C:\Program Files\XPSecurityCenter\un.ico
C:\Program Files\XPSecurityCenter\unzip32.dll
C:\Program Files\XPSecurityCenter\XP_SecurityCenter.cfg
C:\Program Files\XPSecurityCenter\XPSecurityCenter.dll
C:\Program Files\XPSecurityCenter\XPSecurityCenter.exe
C:\WINDOWS\buritos.exe
C:\WINDOWS\karina.dat
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\buritos.exe
C:\WINDOWS\system32\crypts.dll
C:\WINDOWS\system32\DelSelf.bat
C:\WINDOWS\system32\karina.dat
C:\WINDOWS\system32\winivstr.exe
C:\WINDOWS\system32\x64

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-28 )))))))))))))))))))))))))))))))
.

2008-07-25 15:17 . 2008-07-25 15:17 19,634 --a------ C:\Documents and Settings\agent1\Application Data\ytacun.scr
2008-07-25 15:17 . 2008-07-25 15:17 18,679 --a------ C:\WINDOWS\ovuvac.ban
2008-07-25 15:17 . 2008-07-25 15:17 17,784 --a------ C:\Documents and Settings\agent1\Application Data\yhiq.bat
2008-07-25 15:17 . 2008-07-25 15:17 16,151 --a------ C:\WINDOWS\system32\ereferogab.reg
2008-07-25 15:17 . 2008-07-25 15:17 15,651 --a------ C:\WINDOWS\apuk.dat
2008-07-25 15:17 . 2008-07-25 15:17 15,333 --a------ C:\Program Files\Common Files\exuwoxah.vbs
2008-07-25 15:17 . 2008-07-25 15:17 15,323 --a------ C:\Documents and Settings\agent1\Application Data\ifyhoryb.bin
2008-07-25 15:17 . 2008-07-25 15:17 14,576 --a------ C:\WINDOWS\system32\agusedajuq._sy
2008-07-25 15:17 . 2008-07-25 15:17 11,810 --a------ C:\WINDOWS\oxuci.vbs
2008-07-25 15:17 . 2008-07-25 15:17 11,615 --a------ C:\WINDOWS\vidihawuq.scr
2008-07-25 15:17 . 2008-07-25 15:17 10,966 --a------ C:\WINDOWS\ihobot.reg
2008-07-25 15:17 . 2008-07-25 15:17 10,856 --a------ C:\Documents and Settings\agent1\Application Data\zysuben.sys
2008-07-25 15:17 . 2008-07-25 15:17 10,627 --a------ C:\WINDOWS\nejufemigy.dll
2008-07-25 14:44 . 2008-07-25 16:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-25 14:00 . 2008-07-28 11:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-25 11:06 . 2008-07-25 11:06 19,743 --a------ C:\Documents and Settings\agent1\Application Data\arumif.dat
2008-07-25 11:06 . 2008-07-25 11:06 19,674 --a------ C:\Documents and Settings\agent1\Application Data\juzev.dat
2008-07-25 11:06 . 2008-07-25 11:06 19,541 --a------ C:\Program Files\Common Files\deri.pif
2008-07-25 11:06 . 2008-07-25 11:06 19,182 --a------ C:\Documents and Settings\agent1\Application Data\myhajuso.reg
2008-07-25 11:06 . 2008-07-25 11:06 18,560 --a------ C:\WINDOWS\system32\ujipylamuq.exe
2008-07-25 11:06 . 2008-07-25 11:06 18,407 --a------ C:\WINDOWS\system32\igabo.dl
2008-07-25 11:06 . 2008-07-25 11:06 18,126 --a------ C:\WINDOWS\system32\axukivi.vbs
2008-07-25 11:06 . 2008-07-25 11:06 12,961 --a------ C:\Program Files\Common Files\letyz.sys
2008-07-25 11:06 . 2008-07-25 11:06 12,647 --a------ C:\Documents and Settings\agent1\Application Data\ovojup.bin
2008-07-25 11:06 . 2008-07-25 11:06 12,489 --a------ C:\Program Files\Common Files\japuseji.scr
2008-07-25 11:06 . 2008-07-25 11:06 12,480 --a------ C:\WINDOWS\ulapu.reg
2008-07-25 11:06 . 2008-07-25 11:06 10,728 --a------ C:\WINDOWS\okevazus.lib
2008-07-25 09:45 . 2008-07-25 09:45 18,430 --a------ C:\WINDOWS\cigid.dl
2008-07-25 09:45 . 2008-07-25 09:45 18,225 --a------ C:\Documents and Settings\All Users\Application Data\xukevomuwu.vbs
2008-07-25 09:45 . 2008-07-25 09:45 18,002 --a------ C:\Documents and Settings\All Users\Application Data\oloqyfumih.dat
2008-07-25 09:45 . 2008-07-25 09:45 14,566 --a------ C:\WINDOWS\tavateby._dl
2008-07-25 09:45 . 2008-07-25 09:45 13,701 --a------ C:\WINDOWS\patebygewi.inf
2008-07-25 09:45 . 2008-07-25 09:45 12,823 --a------ C:\Documents and Settings\agent1\Application Data\ageviqa.dll
2008-07-25 09:45 . 2008-07-25 09:45 12,353 --a------ C:\Program Files\Common Files\axymy.com
2008-07-25 09:45 . 2008-07-25 09:45 12,348 --a------ C:\Documents and Settings\All Users\Application Data\leba.dat
2008-07-25 09:45 . 2008-07-25 09:45 10,758 --a------ C:\Documents and Settings\All Users\Application Data\vizivenel.vbs
2008-07-25 09:45 . 2008-07-25 09:45 10,467 --a------ C:\Documents and Settings\agent1\Application Data\moxa.dll
2008-07-25 09:45 . 2008-07-25 09:45 10,319 --a------ C:\Program Files\Common Files\ruzin.exe
2008-07-25 09:45 . 2008-07-25 09:45 10,085 --a------ C:\WINDOWS\xajo.pif
2008-07-25 09:38 . 2008-07-25 09:38 17,394 --a------ C:\Documents and Settings\agent1\Application Data\aboromy.scr
2008-07-25 09:38 . 2008-07-25 09:38 15,666 --a------ C:\WINDOWS\system32\yvewa.pif
2008-07-25 09:38 . 2008-07-25 09:38 15,575 --a------ C:\Program Files\Common Files\bavyda.vbs
2008-07-25 09:38 . 2008-07-25 09:38 15,037 --a------ C:\WINDOWS\yfevu.lib
2008-07-25 09:38 . 2008-07-25 09:38 14,725 --a------ C:\WINDOWS\niquf.dat
2008-07-25 09:38 . 2008-07-25 09:38 14,192 --a------ C:\WINDOWS\pohygolaji.vbs
2008-07-25 09:38 . 2008-07-25 09:38 13,289 --a------ C:\Program Files\Common Files\ivoxot.scr
2008-07-25 09:38 . 2008-07-25 09:38 12,841 --a------ C:\WINDOWS\system32\mife.bat
2008-07-25 09:38 . 2008-07-25 09:38 12,738 --a------ C:\WINDOWS\rosyk.sys
2008-07-25 09:38 . 2008-07-25 09:38 12,663 --a------ C:\WINDOWS\ihubik.exe
2008-07-25 09:38 . 2008-07-25 09:38 12,600 --a------ C:\Program Files\Common Files\zorysazaw.sys
2008-07-25 09:38 . 2008-07-25 09:38 11,716 --a------ C:\WINDOWS\system32\puryrif.com
2008-07-25 09:28 . 2008-07-25 09:28 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-25 08:46 . 2008-07-25 08:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-25 08:19 . 2008-07-25 08:19 <DIR> d-------- C:\Documents and Settings\agent1\Application Data\AdwareAlert
2008-07-24 12:26 . 2008-07-24 12:26 16,654 --a------ C:\Documents and Settings\agent1\Application Data\uxekit.dll
2008-07-24 12:26 . 2008-07-24 12:26 13,788 --a------ C:\Documents and Settings\All Users\Application Data\nujiko.com
2008-07-24 12:26 . 2008-07-24 12:26 12,522 --a------ C:\Documents and Settings\All Users\Application Data\yjeqaz.bin
2008-07-21 17:39 . 2008-07-21 17:39 <DIR> d-------- C:\WINDOWS\SQL9_KB948109_ENU
2008-07-21 17:33 . 2008-07-21 17:33 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-28 03:38 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-07-25 07:17 10,951 ----a-w C:\Program Files\Common Files\qiquw.ban
2008-07-25 07:17 10,050 ----a-w C:\Program Files\Common Files\imyhi.ban
2008-07-25 01:38 15,691 ----a-w C:\Program Files\Common Files\awozev.lib
2008-07-24 04:26 19,698 ----a-w C:\WINDOWS\yhaxozy.reg
2008-07-24 04:26 17,401 ----a-w C:\WINDOWS\hoxymuh.bat
2008-07-24 04:26 15,810 ----a-w C:\WINDOWS\lefob.bat
2008-07-24 04:26 15,255 ----a-w C:\Program Files\Common Files\urorebip.db
2008-07-24 04:26 14,792 ----a-w C:\WINDOWS\bypenahi.exe
2008-07-24 04:26 13,308 ----a-w C:\WINDOWS\rofe.pif
2008-07-24 04:26 11,369 ----a-w C:\WINDOWS\badabew.sys
2008-07-21 09:39 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-07-21 09:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-20 23:43 --------- d-----w C:\Program Files\Google
2008-07-17 08:36 --------- d-----w C:\Program Files\Java
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-08 04:44 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-08 03:54 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-08 03:18 --------- d-----w C:\Program Files\Symantec
2008-06-08 03:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-08 03:16 --------- d-----w C:\Documents and Settings\administrator.AGENTSALESDM\Application Data\CyberLink
2008-06-08 03:01 --------- d-----w C:\Documents and Settings\agent1\Application Data\CyberLink
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 04:40 218032]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 08:12 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-07-18 16:47 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-07-17 13:23 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-07-17 13:23 162328]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-07-17 13:23 137752]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 05:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 15:44 178712]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-09-24 19:12 1036288]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 11:56 124200]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 09:21 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\\vptray.exe" [2005-06-23 19:27 85696]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2007-07-23 14:49]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [2007-06-20 14:30]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 17:50]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 22:08]

*Newly Created Service* - ERASERUTILDRV10741
.
Contents of the 'Scheduled Tasks' folder

2008-07-27 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job
- C:\Program Files\AdwareAlert\AdwareAlert.exe []

2008-07-27 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job
- C:\Program Files\AdwareAlert []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdwareAlert - C:\Program Files\AdwareAlert\AdwareAlert.exe
HKLM-Run-XP SecurityCenter - C:\Program Files\XPSecurityCenter\xpsecuritycenter.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-28 11:38:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\lotus\notes\ntmulti.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUALL.EXE
.
**************************************************************************
.
Completion time: 2008-07-28 11:39:29 - machine was rebooted [agent1]
ComboFix-quarantined-files.txt 2008-07-28 03:39:26

Pre-Run: 63,550,902,272 bytes free
Post-Run: 63,714,729,984 bytes free

223 --- E O F --- 2008-07-21 23:44:55


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:40 AM, on 28/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\lotus\notes\ntmulti.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUALL.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\Nerdenwerfer\Nerdenwerfer.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com.au/ig/dell?hl=en&client=dell-row-rel&channel=au&ibd=0080528
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = agentsalesdm.com.au
O17 - HKLM\Software\..\Telephony: DomainName = agentsalesdm.com.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = agentsalesdm.com.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = agentsalesdm.com.au
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\lotus\notes\ntmulti.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6827 bytes

 

[Baabiouz]

Hello

Step #1
Please click your Start button then Click on Run and type in the following without the quotes: "notepad" Then copy (Ctrl C) and paste (Ctrl V) the following text in the codebox,

File::
C:\Documents and Settings\agent1\Application Data\ytacun.scr
C:\WINDOWS\ovuvac.ban
C:\Documents and Settings\agent1\Application Data\yhiq.bat
C:\WINDOWS\system32\ereferogab.reg
C:\WINDOWS\apuk.dat
C:\Program Files\Common Files\exuwoxah.vbs
C:\Documents and Settings\agent1\Application Data\ifyhoryb.bin
C:\WINDOWS\system32\agusedajuq._sy
C:\WINDOWS\oxuci.vbs
C:\WINDOWS\vidihawuq.scr
C:\WINDOWS\ihobot.reg
C:\Documents and Settings\agent1\Application Data\zysuben.sys
C:\WINDOWS\nejufemigy.dll
C:\Documents and Settings\agent1\Application Data\arumif.dat
C:\Documents and Settings\agent1\Application Data\juzev.dat
C:\Program Files\Common Files\deri.pif
C:\Documents and Settings\agent1\Application Data\myhajuso.reg
C:\WINDOWS\system32\ujipylamuq.exe
C:\WINDOWS\system32\igabo.dl
C:\WINDOWS\system32\axukivi.vbs
C:\Program Files\Common Files\letyz.sys
C:\Documents and Settings\agent1\Application Data\ovojup.bin
C:\Program Files\Common Files\japuseji.scr
C:\WINDOWS\ulapu.reg
C:\WINDOWS\okevazus.lib
C:\WINDOWS\cigid.dl
C:\Documents and Settings\All Users\Application Data\xukevomuwu.vbs
C:\Documents and Settings\All Users\Application Data\oloqyfumih.dat
C:\WINDOWS\tavateby._dl
C:\WINDOWS\patebygewi.inf
C:\Documents and Settings\agent1\Application Data\ageviqa.dll
C:\Program Files\Common Files\axymy.com
C:\Documents and Settings\All Users\Application Data\leba.dat
C:\Documents and Settings\All Users\Application Data\vizivenel.vbs
C:\Documents and Settings\agent1\Application Data\moxa.dll
C:\Program Files\Common Files\ruzin.exe
C:\WINDOWS\xajo.pif
C:\Documents and Settings\agent1\Application Data\aboromy.scr
C:\WINDOWS\system32\yvewa.pif
C:\Program Files\Common Files\bavyda.vbs
C:\WINDOWS\yfevu.lib
C:\WINDOWS\niquf.dat
C:\WINDOWS\pohygolaji.vbs
C:\Program Files\Common Files\ivoxot.scr
C:\WINDOWS\system32\mife.bat
C:\WINDOWS\rosyk.sys
C:\WINDOWS\ihubik.exe
C:\Program Files\Common Files\zorysazaw.sys
C:\WINDOWS\system32\puryrif.com
C:\Documents and Settings\agent1\Application Data\uxekit.dll
C:\Documents and Settings\All Users\Application Data\nujiko.com
C:\Documents and Settings\All Users\Application Data\yjeqaz.bin
C:\Program Files\Common Files\qiquw.ban
C:\Program Files\Common Files\imyhi.ban
C:\Program Files\Common Files\awozev.lib
C:\WINDOWS\yhaxozy.reg
C:\WINDOWS\hoxymuh.bat
C:\WINDOWS\lefob.bat
C:\Program Files\Common Files\urorebip.db
C:\WINDOWS\bypenahi.exe
C:\WINDOWS\rofe.pif
C:\WINDOWS\badabew.sys
C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job
C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job

Save this as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Step #2
Please download ATF-cleaner and save it to your desktop.

• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All
• Click the Empty Selected button.
  
  If you use Firefox browser:
  
• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
• NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  
  If you use Opera browser:
  
• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
• NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  
• Click Exit on the Main menu to close the program.

Step #3
Malwarebytes' Anti-Malware
Download Malwarebytes' Anti-Malware here and save to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to:
  Update Malwarebytes' Anti-Malware
  Launch Malwarebytes' Anti-Malware
• Then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
  Note:
• The log can also be found here:
  C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
• Or via the Logs tab when Malwarebytes' Anti-Malware is started.

Step #4
Please post Combofix log, Mbam log and a fresh HijackThis log back here

 

[Nerdenwerfer]

Logs as instructed

Hi Baabiouz,

Please find below the logs generated from the above.

ComboFix 08-07-27.5 - agent1 2008-07-29 9:22:12.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1501 [GMT 8:00]
Running from: C:\Documents and Settings\agent1\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\agent1\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\agent1\Application Data\aboromy.scr
C:\Documents and Settings\agent1\Application Data\ageviqa.dll
C:\Documents and Settings\agent1\Application Data\arumif.dat
C:\Documents and Settings\agent1\Application Data\ifyhoryb.bin
C:\Documents and Settings\agent1\Application Data\juzev.dat
C:\Documents and Settings\agent1\Application Data\moxa.dll
C:\Documents and Settings\agent1\Application Data\myhajuso.reg
C:\Documents and Settings\agent1\Application Data\ovojup.bin
C:\Documents and Settings\agent1\Application Data\uxekit.dll
C:\Documents and Settings\agent1\Application Data\yhiq.bat
C:\Documents and Settings\agent1\Application Data\ytacun.scr
C:\Documents and Settings\agent1\Application Data\zysuben.sys
C:\Documents and Settings\All Users\Application Data\leba.dat
C:\Documents and Settings\All Users\Application Data\nujiko.com
C:\Documents and Settings\All Users\Application Data\oloqyfumih.dat
C:\Documents and Settings\All Users\Application Data\vizivenel.vbs
C:\Documents and Settings\All Users\Application Data\xukevomuwu.vbs
C:\Documents and Settings\All Users\Application Data\yjeqaz.bin
C:\Program Files\Common Files\awozev.lib
C:\Program Files\Common Files\axymy.com
C:\Program Files\Common Files\bavyda.vbs
C:\Program Files\Common Files\deri.pif
C:\Program Files\Common Files\exuwoxah.vbs
C:\Program Files\Common Files\imyhi.ban
C:\Program Files\Common Files\ivoxot.scr
C:\Program Files\Common Files\japuseji.scr
C:\Program Files\Common Files\letyz.sys
C:\Program Files\Common Files\qiquw.ban
C:\Program Files\Common Files\ruzin.exe
C:\Program Files\Common Files\urorebip.db
C:\Program Files\Common Files\zorysazaw.sys
C:\WINDOWS\apuk.dat
C:\WINDOWS\badabew.sys
C:\WINDOWS\bypenahi.exe
C:\WINDOWS\cigid.dl
C:\WINDOWS\hoxymuh.bat
C:\WINDOWS\ihobot.reg
C:\WINDOWS\ihubik.exe
C:\WINDOWS\lefob.bat
C:\WINDOWS\nejufemigy.dll
C:\WINDOWS\niquf.dat
C:\WINDOWS\okevazus.lib
C:\WINDOWS\ovuvac.ban
C:\WINDOWS\oxuci.vbs
C:\WINDOWS\patebygewi.inf
C:\WINDOWS\pohygolaji.vbs
C:\WINDOWS\rofe.pif
C:\WINDOWS\rosyk.sys
C:\WINDOWS\system32\agusedajuq._sy
C:\WINDOWS\system32\axukivi.vbs
C:\WINDOWS\system32\ereferogab.reg
C:\WINDOWS\system32\igabo.dl
C:\WINDOWS\system32\mife.bat
C:\WINDOWS\system32\puryrif.com
C:\WINDOWS\system32\ujipylamuq.exe
C:\WINDOWS\system32\yvewa.pif
C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job
C:\WINDOWS\tavateby._dl
C:\WINDOWS\ulapu.reg
C:\WINDOWS\vidihawuq.scr
C:\WINDOWS\xajo.pif
C:\WINDOWS\yfevu.lib
C:\WINDOWS\yhaxozy.reg
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\agent1\Application Data\aboromy.scr
C:\Documents and Settings\agent1\Application Data\ageviqa.dll
C:\Documents and Settings\agent1\Application Data\arumif.dat
C:\Documents and Settings\agent1\Application Data\ifyhoryb.bin
C:\Documents and Settings\agent1\Application Data\juzev.dat
C:\Documents and Settings\agent1\Application Data\moxa.dll
C:\Documents and Settings\agent1\Application Data\myhajuso.reg
C:\Documents and Settings\agent1\Application Data\ovojup.bin
C:\Documents and Settings\agent1\Application Data\uxekit.dll
C:\Documents and Settings\agent1\Application Data\yhiq.bat
C:\Documents and Settings\agent1\Application Data\ytacun.scr
C:\Documents and Settings\agent1\Application Data\zysuben.sys
C:\Documents and Settings\All Users\Application Data\leba.dat
C:\Documents and Settings\All Users\Application Data\nujiko.com
C:\Documents and Settings\All Users\Application Data\oloqyfumih.dat
C:\Documents and Settings\All Users\Application Data\vizivenel.vbs
C:\Documents and Settings\All Users\Application Data\xukevomuwu.vbs
C:\Documents and Settings\All Users\Application Data\yjeqaz.bin
C:\Program Files\Common Files\awozev.lib
C:\Program Files\Common Files\axymy.com
C:\Program Files\Common Files\bavyda.vbs
C:\Program Files\Common Files\deri.pif
C:\Program Files\Common Files\exuwoxah.vbs
C:\Program Files\Common Files\imyhi.ban
C:\Program Files\Common Files\ivoxot.scr
C:\Program Files\Common Files\japuseji.scr
C:\Program Files\Common Files\letyz.sys
C:\Program Files\Common Files\qiquw.ban
C:\Program Files\Common Files\ruzin.exe
C:\Program Files\Common Files\urorebip.db
C:\Program Files\Common Files\zorysazaw.sys
C:\WINDOWS\apuk.dat
C:\WINDOWS\badabew.sys
C:\WINDOWS\bypenahi.exe
C:\WINDOWS\cigid.dl
C:\WINDOWS\hoxymuh.bat
C:\WINDOWS\ihobot.reg
C:\WINDOWS\ihubik.exe
C:\WINDOWS\lefob.bat
C:\WINDOWS\nejufemigy.dll
C:\WINDOWS\niquf.dat
C:\WINDOWS\okevazus.lib
C:\WINDOWS\ovuvac.ban
C:\WINDOWS\oxuci.vbs
C:\WINDOWS\patebygewi.inf
C:\WINDOWS\pohygolaji.vbs
C:\WINDOWS\rofe.pif
C:\WINDOWS\rosyk.sys
C:\WINDOWS\system32\agusedajuq._sy
C:\WINDOWS\system32\axukivi.vbs
C:\WINDOWS\system32\ereferogab.reg
C:\WINDOWS\system32\igabo.dl
C:\WINDOWS\system32\mife.bat
C:\WINDOWS\system32\puryrif.com
C:\WINDOWS\system32\ujipylamuq.exe
C:\WINDOWS\system32\yvewa.pif
C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job
C:\WINDOWS\tavateby._dl
C:\WINDOWS\ulapu.reg
C:\WINDOWS\vidihawuq.scr
C:\WINDOWS\xajo.pif
C:\WINDOWS\yfevu.lib
C:\WINDOWS\yhaxozy.reg

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-29 )))))))))))))))))))))))))))))))
.

2008-07-25 14:44 . 2008-07-25 16:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-25 14:00 . 2008-07-28 11:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-25 09:28 . 2008-07-25 09:28 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-25 08:46 . 2008-07-25 08:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-25 08:19 . 2008-07-25 08:19 <DIR> d-------- C:\Documents and Settings\agent1\Application Data\AdwareAlert
2008-07-24 12:26 . 2008-07-24 12:26 18,295 --a------ C:\WINDOWS\komacisij.dl
2008-07-24 12:26 . 2008-07-24 12:26 16,978 --a------ C:\WINDOWS\gebygury.inf
2008-07-24 12:26 . 2008-07-24 12:26 16,423 --a------ C:\WINDOWS\system32\itojozi.exe
2008-07-24 12:26 . 2008-07-24 12:26 13,702 --a------ C:\WINDOWS\irilogoxi.db
2008-07-24 12:26 . 2008-07-24 12:26 11,661 --a------ C:\WINDOWS\system32\ypupemykeg.exe
2008-07-21 17:39 . 2008-07-21 17:39 <DIR> d-------- C:\WINDOWS\SQL9_KB948109_ENU
2008-07-21 17:33 . 2008-07-21 17:33 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-28 04:12 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-07-21 09:39 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-07-21 09:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-20 23:43 --------- d-----w C:\Program Files\Google
2008-07-17 08:36 --------- d-----w C:\Program Files\Java
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-08 04:44 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-08 03:54 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-08 03:18 --------- d-----w C:\Program Files\Symantec
2008-06-08 03:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-08 03:16 --------- d-----w C:\Documents and Settings\administrator.AGENTSALESDM\Application Data\CyberLink
2008-06-08 03:01 --------- d-----w C:\Documents and Settings\agent1\Application Data\CyberLink
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 90,112 ------w C:\WINDOWS\system32\dllcache\wshext.dll
2008-05-09 10:53 512,000 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 430,080 ------w C:\WINDOWS\system32\dllcache\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 180,224 ------w C:\WINDOWS\system32\dllcache\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
2008-05-09 10:53 172,032 ------w C:\WINDOWS\system32\dllcache\scrrun.dll
2008-05-08 14:02 203,136 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2008-05-08 11:24 155,648 ------w C:\WINDOWS\system32\dllcache\wscript.exe
2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 09:07 135,168 ------w C:\WINDOWS\system32\dllcache\cscript.exe
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\system32\dllcache\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 04:40 218032]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 08:12 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-07-18 16:47 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-07-17 13:23 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-07-17 13:23 162328]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-07-17 13:23 137752]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 05:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 15:44 178712]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-09-24 19:12 1036288]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 11:56 124200]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 09:21 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\\vptray.exe" [2005-06-23 19:27 85696]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2007-07-23 14:49]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [2007-06-20 14:30]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 17:50]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 22:08]

*Newly Created Service* - ERASERUTILDRV10741
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-29 09:22:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-29 9:23:20
ComboFix-quarantined-files.txt 2008-07-29 01:23:18
ComboFix2.txt 2008-07-28 03:39:30

Pre-Run: 63,718,010,880 bytes free
Post-Run: 63,705,546,752 bytes free

252 --- E O F --- 2008-07-21 23:44:55


Malwarebytes' Anti-Malware 1.23
Database version: 1004
Windows 5.1.2600 Service Pack 3

10:06:28 AM 29/07/2008
mbam-log-7-29-2008 (10-06-28).txt

Scan type: Full Scan (C:\|)
Objects scanned: 75217
Time elapsed: 16 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\agent1\Application Data\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\agent1\Application Data\AdwareAlert\Log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\agent1\Application Data\AdwareAlert\Settings (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

Files Infected:
C:\QooBox\Quarantine\C\Program Files\XPSecurityCenter\XPSecurityCenter.exe.vir (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP67\A0005774.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP69\A0005940.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP69\A0005948.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP69\A0005950.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP69\A0005958.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP69\A0005968.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP69\A0005986.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP73\A0006153.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP73\A0006154.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP73\A0006162.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\agent1\Application Data\AdwareAlert\rs.dat (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\agent1\Application Data\AdwareAlert\Log\2008 Jul 25 - 08_19_49 AM_651.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\agent1\Application Data\AdwareAlert\Settings\ScanResults.pie (Rogue.AdwareAlert) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:10:16 AM, on 29/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\lotus\notes\ntmulti.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\Nerdenwerfer\Nerdenwerfer.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com.au/ig/dell?hl=en&client=dell-row-rel&channel=au&ibd=0080528
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = agentsalesdm.com.au
O17 - HKLM\Software\..\Telephony: DomainName = agentsalesdm.com.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = agentsalesdm.com.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = agentsalesdm.com.au
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\lotus\notes\ntmulti.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6713 bytes


Many thanks for your help so far.

 

[Baabiouz]

Hello

Please click your Start button then Click on Run and type in the following without the quotes: "notepad" Then copy (Ctrl C) and paste (Ctrl V) the following text in the codebox,

File::
C:\WINDOWS\komacisij.dl
C:\WINDOWS\gebygury.inf
C:\WINDOWS\system32\itojozi.exe
C:\WINDOWS\irilogoxi.db
C:\WINDOWS\system32\ypupemykeg.exe

Save this as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.


Please post Combofix log and a fresh Hijackthis log back here

 

[Nerdenwerfer]

New Scans

Latest scans after above treatment.

ComboFix 08-07-27.5 - agent1 2008-08-01 14:27:09.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1581 [GMT 8:00]
Running from: C:\Documents and Settings\agent1\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\agent1\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\gebygury.inf
C:\WINDOWS\irilogoxi.db
C:\WINDOWS\komacisij.dl
C:\WINDOWS\system32\itojozi.exe
C:\WINDOWS\system32\ypupemykeg.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\gebygury.inf
C:\WINDOWS\irilogoxi.db
C:\WINDOWS\komacisij.dl
C:\WINDOWS\system32\itojozi.exe
C:\WINDOWS\system32\ypupemykeg.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-01 to 2008-08-01 )))))))))))))))))))))))))))))))
.

2008-07-29 09:30 . 2008-07-29 09:30 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-29 09:30 . 2008-07-29 09:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-29 09:30 . 2008-07-29 09:30 <DIR> d-------- C:\Documents and Settings\agent1\Application Data\Malwarebytes
2008-07-29 09:30 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-29 09:30 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-25 14:44 . 2008-07-25 16:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-25 14:00 . 2008-07-28 11:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-25 09:28 . 2008-07-25 09:28 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-25 08:46 . 2008-07-25 08:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-21 17:39 . 2008-07-21 17:39 <DIR> d-------- C:\WINDOWS\SQL9_KB948109_ENU
2008-07-21 17:33 . 2008-07-21 17:33 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-31 23:43 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-07-21 09:39 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-07-21 09:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-20 23:43 --------- d-----w C:\Program Files\Google
2008-07-17 08:36 --------- d-----w C:\Program Files\Java
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-08 04:44 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-08 03:54 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-08 03:18 --------- d-----w C:\Program Files\Symantec
2008-06-08 03:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-08 03:16 --------- d-----w C:\Documents and Settings\administrator.AGENTSALESDM\Application Data\CyberLink
2008-06-08 03:01 --------- d-----w C:\Documents and Settings\agent1\Application Data\CyberLink
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 90,112 ------w C:\WINDOWS\system32\dllcache\wshext.dll
2008-05-09 10:53 512,000 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 430,080 ------w C:\WINDOWS\system32\dllcache\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 180,224 ------w C:\WINDOWS\system32\dllcache\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
2008-05-09 10:53 172,032 ------w C:\WINDOWS\system32\dllcache\scrrun.dll
2008-05-08 14:02 203,136 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2008-05-08 11:24 155,648 ------w C:\WINDOWS\system32\dllcache\wscript.exe
2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 09:07 135,168 ------w C:\WINDOWS\system32\dllcache\cscript.exe
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\system32\dllcache\quartz.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-28_11.39.15.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-21 09:40:27 81,586 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-29 03:42:02 81,586 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-07-21 09:40:27 452,348 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-29 03:42:02 452,348 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 04:40 218032]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 08:12 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-31 11:19 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-07-17 13:23 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-07-17 13:23 162328]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-07-17 13:23 137752]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 05:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 15:44 178712]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-09-24 19:12 1036288]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 11:56 124200]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 09:21 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\\vptray.exe" [2005-06-23 19:27 85696]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2007-07-23 14:49]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [2007-06-20 14:30]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 17:50]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 22:08]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-01 14:28:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-01 14:28:30
ComboFix-quarantined-files.txt 2008-08-01 06:28:28
ComboFix2.txt 2008-07-29 01:23:20
ComboFix3.txt 2008-07-28 03:39:30

Pre-Run: 64,006,348,800 bytes free
Post-Run: 64,007,733,248 bytes free

143 --- E O F --- 2008-07-21 23:44:55


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:29:13 PM, on 1/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\lotus\notes\ntmulti.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\Nerdenwerfer\Nerdenwerfer.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com.au/ig/dell?hl=en&client=dell-row-rel&channel=au&ibd=0080528
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = agentsalesdm.com.au
O17 - HKLM\Software\..\Telephony: DomainName = agentsalesdm.com.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = agentsalesdm.com.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = agentsalesdm.com.au
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\lotus\notes\ntmulti.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6784 bytes


Thanks again for your help. The machine seems to be running well.

 

[Baabiouz]

Hello

Looks clean, great job!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Next we remove all used tools.

Please download OTCleanIt and save it to desktop.

• Double-click OTCleanIt.exe.
• Click the CleanUp! button.
• Select Yes when the "Begin cleanup Process?" prompt appears.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

• Disable and Enable System Restore. - If you are using Windows XP or Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
  
  You can find instructions on how to enable and re-enable system restore here:
  
  Windows XP System Restore Guide
  
  Re-enable system restore with instructions from tutorial above
  
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
    
  • Change the Download unsigned ActiveX controls to Disable
    
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
    
  • Change the Installation of desktop items to Prompt
    
  • Change the Launching programs and files in an IFRAME to Prompt
    
  • Change the Navigate sub-frames across different domains to Prompt
    
  • When all these settings have been made, click on the OK button.
    
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
    
    
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
    
  • Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
    totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:
    
    Malwarebytes' Anti-Malware Setup Guide
    
    Malwarebytes' Anti-Malware Scanning Guide
    
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
  Follow this list and your potential for being infected again will reduce dramatically.
  
  Here are some additional utilities that will enhance your safety
  
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software
  
  Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!
  
  The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
  
  Also, please read this great article by Tony Klein So How Did I Get Infected In First Place
  
  Happy surfing and stay clean!

 

[Nerdenwerfer]

Thank YOU Baabiouz,

I will do all of the above. This user greatly appreciates the efforts of you and your team.

Nerdy.

 

[Baabiouz]

You're Welcome