Malwarebytes Forum > Nasty Malware on my System

Full Version: Nasty Malware on my System

Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs

Jerry

Mar 31 2008, 02:09 AM

I have some nasty spyware/viruses/malware on my system that I can't seem to get rid of. Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:45 PM, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Documents and Settings\All Users\Application Data\wnulcbsb\ixevorcv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis2\HijackThis.exe

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -

C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: qvdntlmw - {398DC223-F4F8-4EE9-9025-0BF67AB47276} -

C:\WINDOWS\qvdntlmw.dll
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma

Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search &

Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [Q1fHUBETVM] C:\Documents and

Settings\All Users\Application Data\wnulcbsb\ixevorcv.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}

- C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program

Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -

C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration -

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search &

Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -

http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) -

C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program

Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: pmnljhg - pmnljhg.dll (file missing)
O21 - SSODL: zip - {dd5a09c8-f81e-4423-8698-df02d3857e0a} -

C:\WINDOWS\Installer\{dd5a09c8-f81e-4423-8698-df02d3857e0a}\zip.dll (file

missing)
O21 - SSODL: KbdSrv - {b7c90f04-388d-40f8-a2db-75da8bf0285e} -

C:\WINDOWS\Installer\{b7c90f04-388d-40f8-a2db-75da8bf0285e}\KbdSrv.dll
O21 - SSODL: KernelBoot - {d66eb7f0-3c60-4cf0-87bb-3137a6bdaf61} -

C:\WINDOWS\Installer\{d66eb7f0-3c60-4cf0-87bb-3137a6bdaf61}\KernelBoot.dll
O21 - SSODL: dwnrpofk - {39F29588-73A7-44D8-9DA4-CFB624021408} - (no file)
O21 - SSODL: vbgtorfd - {E5BD9EBD-93FE-4B92-A904-6A2D82CA1904} -

C:\WINDOWS\vbgtorfd.dll
O21 - SSODL: WinDrv - {3e0a4e5b-e20a-4d5c-bf8b-fe666b7a4613} -

C:\WINDOWS\Installer\{3e0a4e5b-e20a-4d5c-bf8b-fe666b7a4613}\WinDrv.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program

Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision

Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel

32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. -

C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service

(LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common

Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation -

C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown

owner - C:\Program Files\Norton Internet Security\Norton

AntiVirus\navapsvc.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation -

C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. -

C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America

Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: Privacy Protection -

file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 5289 bytes

Thanks!

JeanInMontana

Mar 31 2008, 08:45 PM

Hi Jerry and welcome to Malwarebytes. The HJT log has a formatting that is just too hard to read with broken lines. Make sure word wrap is off in your notepad when you post your next log please.

Please set your system to show
all files; Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Also please turn off TeaTimer in SBS&D

Open SB S&D
Click on the Tools section and then Resident.
You will see two items.
1. Resident "SD helper" (Internet Explorer bad download blocker.) active
2. Resident "Tea Timer" (Protection of over-all system settings.) active.

Uncheck 2. Leave 1 checked always.

You can enable Tea Timer again if you wish once all special fixes have been done.

Please run a full scan of your main drive, usually C with MBAM making sure you check all items found for removal. Please post that log in your next reply.

Then go here and run a scan PandaActive Scan There is a full tutorial on how to to this at the top of this forum.

Post the logs from the Panda and AVG scans please, along with a log from this program HiJack This!

You will post three logs. 1. AVG scan. 2. Panda Active Scan. 3. HiJack This scan. You will finish the AVG first so go ahead and post that log, then move on to Panda and so forth.

I will analyze the logs and give you further instructions. Be sure to set your email to allow mail from Malwarebytes.org and your personal settings to send an email on reply to your topic. This will let you know when there has been an update to your topic and you can come and see what has been said.

Be patient and persistent. These things can take time and many procedures.

Jerry

Apr 4 2008, 01:35 AM

Okay, it seemed to do the trick! Thanks!!!!!

Here's the log:

Malwarebytes' Anti-Malware 1.10
Database version: 587

Scan type: Full Scan (C:\|)
Objects scanned: 101335
Time elapsed: 33 minute(s), 12 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 5
Registry Keys Infected: 52
Registry Values Infected: 9
Registry Data Items Infected: 0
Folders Infected: 7
Files Infected: 56

Memory Processes Infected:
c:\documents and settings\all users\application data\wnulcbsb\ixevorcv.exe (Spyware.Agent) -> Unloaded process successfully.
C:\WINDOWS\SYSTEM32\wlstoxmh.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\WINDOWS\SYSTEM32\wlstoxmh.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\Installer\{b7c90f04-388d-40f8-a2db-75da8bf0285e}\KbdSrv.dll (Trojan.Alphabet) -> Unloaded module successfully.
C:\WINDOWS\Installer\{d66eb7f0-3c60-4cf0-87bb-3137a6bdaf61}\KernelBoot.dll (Trojan.Alphabet) -> Unloaded module successfully.
C:\WINDOWS\Installer\{3e0a4e5b-e20a-4d5c-bf8b-fe666b7a4613}\WinDrv.dll (Trojan.Alphabet) -> Unloaded module successfully.
C:\WINDOWS\qvdntlmw.dll (Trojan.FakeAlert) -> Unloaded module successfully.
C:\WINDOWS\vbgtorfd.dll (Trojan.FakeAlert) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{b7c90f04-388d-40f8-a2db-75da8bf0285e} (Trojan.Alphabet) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{d66eb7f0-3c60-4cf0-87bb-3137a6bdaf61} (Trojan.Alphabet) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{3e0a4e5b-e20a-4d5c-bf8b-fe666b7a4613} (Trojan.Alphabet) -> Delete on reboot.
HKEY_CLASSES_ROOT\Interface\{fc6e3735-57b3-48b8-9002-54c155215632} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{4a9967ab-4c5c-4325-b8c9-4f2be9142c81} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{656c55cf-eb46-491c-aebe-892c716e61e8} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{451cda78-04f5-4120-9d9e-f7f7a2113bf9} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4f9ac754-5629-414c-85fc-75e528a395ca} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b0b1334b-8efd-4a7a-a2e6-368cab26846c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{6885cc6d-190c-444a-a9ff-d107e6816409} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qvdntlmw.bdfn (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{398dc223-f4f8-4ee9-9025-0bf67ab47276} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qvdntlmw.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e8d4ea80-00d9-43be-a614-c0d5c3893b11} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f757152c-fa01-4916-a3df-620d9ecee65b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d32667aa-2db2-45ab-a801-6bb9cbb1b81a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f38f89cf-b319-4cb5-81d7-4420ec5b3d1f} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{b576fc38-a12b-4dfb-8b92-e4ba8b1d7014} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\egmulhxk.msdn_hlp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0b682cc1-fb40-4006-a5dd-99edd3c9095d} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{5c7f15e1-f31a-44fd-aa1a-2ec63aaffd3a} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CLASSES_ROOT\jokwmp.blkd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\jokwmp.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Classes\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Classes\applications\accessdiver.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\fwbd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\HolLol (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorertoolbar (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\mwc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Spruce (Adware.Spruce) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\egmulhxk.msdn_hlp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Spruce (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spruce (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{47081497-8ca5-4311-9c7c-fcf3737e11ad} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5d3b58e9-0daf-444a-912c-17b72d54ae6d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{51c814f7-e1b7-4cd5-8538-039e7e658e7a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8db069e2-4e3e-4624-a58e-ca74c03c49a7} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e5bd9ebd-93fe-4b92-a904-6a2d82ca1904} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\qvdntlmw.bdfn (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\qvdntlmw.ToolBar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Q1fHUBETVM (Spyware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\KbdSrv (Trojan.Alphabet) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\KernelBoot (Trojan.Alphabet) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WinDrv (Trojan.Alphabet) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{398dc223-f4f8-4ee9-9025-0bf67ab47276} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\zip (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\vbgtorfd (Trojan.FakeAlert) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\dwnrpofk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\Installer\{dd5a09c8-f81e-4423-8698-df02d3857e0a} (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\{b7c90f04-388d-40f8-a2db-75da8bf0285e} (Trojan.Alphabet) -> Delete on reboot.
C:\WINDOWS\Installer\{d66eb7f0-3c60-4cf0-87bb-3137a6bdaf61} (Trojan.Alphabet) -> Delete on reboot.
C:\WINDOWS\Installer\{3e0a4e5b-e20a-4d5c-bf8b-fe666b7a4613} (Trojan.Alphabet) -> Delete on reboot.
C:\WINDOWS\system32smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Rabio (Adware.Rabio) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jerry\Desktopvirii (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\all users\application data\wnulcbsb\ixevorcv.exe (Spyware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\{b7c90f04-388d-40f8-a2db-75da8bf0285e}\KbdSrv.dll (Trojan.Alphabet) -> Delete on reboot.
C:\WINDOWS\Installer\{d66eb7f0-3c60-4cf0-87bb-3137a6bdaf61}\KernelBoot.dll (Trojan.Alphabet) -> Delete on reboot.
C:\WINDOWS\Installer\{3e0a4e5b-e20a-4d5c-bf8b-fe666b7a4613}\WinDrv.dll (Trojan.Alphabet) -> Delete on reboot.
C:\WINDOWS\qvdntlmw.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Jerry\Local Settings\Temporary Internet Files\Content.IE5\H4M1JYYS\ieupdater[1].exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jerry\Local Settings\Temporary Internet Files\Content.IE5\H4M1JYYS\install[1] (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\Online Services\webyc89104.dll.vir (Adware.TTC) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP45\A0002934.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP45\A0002936.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP45\A0002949.dll (Adware.TTC) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP45\A0002950.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP45\A0003015.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005070.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005071.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005259.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005260.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005261.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005262.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005263.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005268.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005269.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005548.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005626.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005700.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005745.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005872.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005873.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\hinijazq.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\hylwxcje.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\users32.dat (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vyzcrcdo.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wjolozkf.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wlstoxmh.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\rls3\vlt33p02.exe (Adware.RABCO) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\sn7\xopz89104.exe (Adware.TTC) -> Quarantined and deleted successfully.
C:\WINDOWS\Web\def.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32smp\msrc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jerry\Desktopvirii\Trojan-Downloader.Win32.Agent.bl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jerry\Desktopvirii\Trojan-Downloader.Win32.Agent.p.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jerry\Desktopvirii\Trojan-Downloader.Win32.Agent.r.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jerry\Desktopvirii\Trojan-Downloader.Win32.Agent.t.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jerry\Desktopvirii\Trojan-Downloader.Win32.Agent.v.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\bdn.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\iTunesMusic.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\mssecu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\rs.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\univrs32.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\dwnrpofk.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\kdftlboeakn.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\norlatmx.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\vbgtorfd.dll (Trojan.FakeAlert) -> Delete on reboot.

JeanInMontana

Apr 4 2008, 07:08 AM

Please follow all of the instructions you were given. Your system is badly infected from the MBAM log, we need to look at a Panda scan and another HJT log.

Jerry

Apr 7 2008, 01:40 AM

Okay, here's the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:13 PM, on 4/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis2\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: pmnljhg - pmnljhg.dll (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 4247 bytes

MBAM log:

Malwarebytes' Anti-Malware 1.10
Database version: 594

Scan type: Full Scan (C:\|)
Objects scanned: 104144
Time elapsed: 37 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0006235.dll (Trojan.Zlob) -> Quarantined and deleted successfully.

Panda scan:

;*******************************************************************************
********************************************************************************
*
*******************
ANALYSIS: 2008-04-06 21:38:37
PROTECTIONS: 0
MALWARE: 47
SUSPECTS: 0
;*******************************************************************************
********************************************************************************
*
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
================================================================================
=
===================
;===============================================================================
================================================================================
=
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
================================================================================
=
===================
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\jerry\favorites\health
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Cookies\jerry@trafficmp[2].txt
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc56.txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Jerrysch06\g71wh4yb.slt\cookies.txt[.doubleclick.net/]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc37.txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Jerrysch06\g71wh4yb.slt\cookies.txt[.atdmt.com/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc32.txt
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005271.exe
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Jerry\Desktop\SmitfraudFix\Process.exe
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Cookies\jerry@247realmedia[1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc39.txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Cookies\jerry@tribalfusion[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc57.txt
00145807 Cookie/Linksynergy TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc41.txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Application Data\Mozilla\Firefox\Profiles\blotsrmd.default\cookies.txt[.com.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Cookies\jerry@com[1].txt
00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc61.txt
00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Cookies\jerry@yadro[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc18.txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Cookies\jerry@ad.yieldmanager[2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc29.txt
00168069 Cookie/Bilbo.counted TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Cookies\jerry@bilbo.counted[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc54.txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc35.txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Jerrysch06\g71wh4yb.slt\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Jerrysch06\g71wh4yb.slt\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Jerrysch06\g71wh4yb.slt\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Jerrysch06\g71wh4yb.slt\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc25.txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Cookies\jerry@ads.pointroll[1].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Jerrysch06\g71wh4yb.slt\cookies.txt[ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Jerrysch06\g71wh4yb.slt\cookies.txt[ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Jerrysch06\g71wh4yb.slt\cookies.txt[ads.pointroll.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Cookies\jerry@overture[2].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Cookies\jerry@realmedia[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Cookies\jerry@questionmarket[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc50.txt
00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc34.txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Jerrysch06\g71wh4yb.slt\cookies.txt[.go.com/]
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc53.txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Jerrysch06\g71wh4yb.slt\cookies.txt[.atwola.com/]
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Cookies\jerry@atwola[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc33.txt
00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Jerrysch06\g71wh4yb.slt\cookies.txt[ehg-dig.hitbox.com/]
00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Jerrysch06\g71wh4yb.slt\cookies.txt[ehg-dig.hitbox.com/]
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc22.txt
00502546 Application/MyWay HackTools No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005057.dll
00517584 Application/SuperFast HackTools No 0 Yes No C:\Documents and Settings\Jerry\Desktop\SmitfraudFix\restart.exe
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP45\A0002964.EXE
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005270.exe
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Documents and Settings\Jerry\Desktop\SmitfraudFix\Reboot.exe
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP45\A0002959.sys
02887528 Cookie/AdvancedCleaner TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc24.txt
02887531 Cookie/UltimateCleaner TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-1489722723-519094362-1628391410-1006\Dc59.txt
02887531 Cookie/UltimateCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Cookies\jerry@ucleaner[2].txt
02887532 Cookie/XPAntivirusPro TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Cookies\jerry@www.safenavweb[1].txt
02902637 Rootkit/Nurech.BC HackTools No 1 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005593.sys
02902637 Rootkit/Nurech.BC HackTools No 1 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005827.sys
02902637 Rootkit/Nurech.BC HackTools No 1 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005828.SYS
02907634 Adware/PurityScan Adware No 0 Yes No C:\QooBox\Quarantine\C\Documents and Settings\Jerry\Application Data\ASKS~1\сhkntfs.exe.vir
02907934 Trj/Downloader.TAV Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0006240.dll
02907934 Trj/Downloader.TAV Virus/Trojan No 0 Yes No C:\Documents and Settings\Jerry\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.70315
02907934 Trj/Downloader.TAV Virus/Trojan No 0 Yes No C:\Documents and Settings\Jerry\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.28695
02907934 Trj/Downloader.TAV Virus/Trojan No 0 Yes No C:\Documents and Settings\Jerry\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.99668
02907934 Trj/Downloader.TAV Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0006239.dll
02907934 Trj/Downloader.TAV Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0006241.dll
02908018 Cookie/WinReanimator TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Cookies\jerry@winreanimator[2].txt
02908062 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP45\A0002942.dll
02908062 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\quivivfe.dll.vir
02908063 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hyxfnpkc.dll.vir
02908063 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP45\A0002939.dll
02908066 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP45\A0002938.dll
02908066 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP45\A0002944.dll
02908066 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hktvmhgm.dll.vir
02908066 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\sqleskec.dll.vir
02908213 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP45\A0002940.dll
02908213 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP45\A0002937.dll
02908213 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dbvxlgna.dll.vir
02908213 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lfrmqwnk.dll.vir
02908215 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP45\A0002941.dll
02908215 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qdikpbgm.dll.vir
02908461 Trj/Downloader.TCC Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005266.dll
02908461 Trj/Downloader.TCC Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005265.dll
02908461 Trj/Downloader.TCC Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005249.dll
02908461 Trj/Downloader.TCC Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005267.dll
02908461 Trj/Downloader.TCC Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0005264.dll
02909680 Adware/WinReanimator Adware No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005618.exe
02909680 Adware/WinReanimator Adware No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005635.exe
02909680 Adware/WinReanimator Adware No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005636.exe
02909680 Adware/WinReanimator Adware No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005658.exe
02909680 Adware/WinReanimator Adware No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005659.exe
02909680 Adware/WinReanimator Adware No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005724.exe
02909680 Adware/WinReanimator Adware No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005725.exe
02909680 Adware/WinReanimator Adware No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005733.exe
02909680 Adware/WinReanimator Adware No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005734.exe
02909680 Adware/WinReanimator Adware No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005608.exe
02909680 Adware/WinReanimator Adware No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005592.exe
02909680 Adware/WinReanimator Adware No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005619.exe
02909680 Adware/WinReanimator Adware No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0005607.exe
02909975 Cookie/CookingLuck TrackingCookie No 0 Yes No C:\Documents and Settings\Jerry\Cookies\jerry@cookingluck[2].txt
;===============================================================================
================================================================================
=
===================
SUSPECTS
Sent Location
;===============================================================================
================================================================================
=
===================
;===============================================================================
================================================================================
=
===================
VULNERABILITIES
Id Severity Description
;===============================================================================
================================================================================
=
===================
;===============================================================================
================================================================================
=
===================

JeanInMontana

Apr 7 2008, 03:52 PM

Hi Jerry. Few things here that are not good.

1. Never run tools like SmitFraud with out being asked and unless you know how they work and what to do with the results. Please post the log from that tool also . You will find it C:/ rapport.txt.

2. The purpose of the HJT log is to see if items were removed after the scans. We want it posted last always. When did you run HJT?

3. Panda and HJT show a root kit. This means your system has been totally compromised and any sensitive data is at risk or already in the hands of criminals. Bank, credit card info and any other. The only sure way to rid a system of a root kit is to reformat. Usually they can be removed but, there is always that chance it remains. Having said that you must decide your course of action. Reformat, or try to rid the system of the root kit.

Jerry

Apr 8 2008, 04:44 AM

rapport.txt:

SmitFraudFix v2.256

Scan done at 22:17:35.06, Fri 03/28/2008
Run from C:\Documents and Settings\Jerry\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{48D25D8F-BEBF-4A33-AA12-836E750671A0}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{48D25D8F-BEBF-4A33-AA12-836E750671A0}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{48D25D8F-BEBF-4A33-AA12-836E750671A0}: DhcpNameServer=192.168.1.254

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

Latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41:38 AM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis2\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: pmnljhg - pmnljhg.dll (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 4427 bytes

I don't want to reformat. I want to try and remove the root kit. Thank you so much for your help!!!

JeanInMontana

Apr 8 2008, 04:51 PM

OK Jerry I will give it my best shot to do that for you. If you have sensitive data be sure you notify the proper entities. Delete the SmitFraud tool and all files associated please.

You have a rogue malware program on your system. Please download RogueRemover update it and run a scan for both options, and immunize.

Run HJT again in scan only and put a check next to these items and click fix:

O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

O20 - AppInit_DLLs: cru629.dat

O20 - Winlogon Notify: pmnljhg - pmnljhg.dll (file missing)

Now please get this tool:
1. Download this file :
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe. It will be a red icon with a white X on your desktop.
Follow the prompts you will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit enter.

3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt.

Post that log and a HiJack log in your next reply

Note:
Do not mouseclick combofix's window while its running. That may cause it to stall.

Jerry

Apr 9 2008, 02:20 AM

Okay, SmitfraudFix is deleted. RogueRemover only had one scan option and it found nothing. Here's the ComboFix log:

ComboFix 08-04-08.7 - Jerry 2008-04-08 21:59:26.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.75 [GMT -4:00]
Running from: C:\Documents and Settings\Jerry\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Jerry\Desktopblackbird.jpg
C:\Documents and Settings\Jerry\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\Jerry\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\Jerry\Desktopfilemanagerclient.exe
C:\Documents and Settings\Jerry\Desktopfkwp1.5.exe
C:\Documents and Settings\Jerry\Desktopfkwp2.0.exe
C:\Documents and Settings\Jerry\Desktopfwebd.exe
C:\Documents and Settings\Jerry\DesktopFWebdEditor.exe
C:\Documents and Settings\Jerry\DesktopTrojan.Win32.BlackBird.exe
C:\WINDOWS\a.bat
C:\WINDOWS\base64.tmp
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\system32akttzn.exe
C:\WINDOWS\system32anticipator.dll
C:\WINDOWS\system32awtoolb.dll
C:\WINDOWS\system32bdn.com
C:\WINDOWS\system32bsva-egihsg52.exe
C:\WINDOWS\system32dpcproxy.exe
C:\WINDOWS\system32emesx.dll
C:\WINDOWS\system32h@tkeysh@@k.dll
C:\WINDOWS\system32hoproxy.dll
C:\WINDOWS\system32hxiwlgpm.dat
C:\WINDOWS\system32hxiwlgpm.exe
C:\WINDOWS\system32medup012.dll
C:\WINDOWS\system32medup020.dll
C:\WINDOWS\system32msgp.exe
C:\WINDOWS\system32msnbho.dll
C:\WINDOWS\system32mssecu.exe
C:\WINDOWS\system32msvchost.exe
C:\WINDOWS\system32mtr2.exe
C:\WINDOWS\system32mwin32.exe
C:\WINDOWS\system32netode.exe
C:\WINDOWS\system32newsd32.exe
C:\WINDOWS\system32ps1.exe
C:\WINDOWS\system32psof1.exe
C:\WINDOWS\system32psoft1.exe
C:\WINDOWS\system32regc64.dll
C:\WINDOWS\system32regm64.dll
C:\WINDOWS\system32Rundl1.exe
C:\WINDOWS\system32sncntr.exe
C:\WINDOWS\system32ssurf022.dll
C:\WINDOWS\system32ssvchost.com
C:\WINDOWS\system32ssvchost.exe
C:\WINDOWS\system32sysreq.exe
C:\WINDOWS\system32taack.dat
C:\WINDOWS\system32taack.exe
C:\WINDOWS\system32temp#01.exe
C:\WINDOWS\system32thun.dll
C:\WINDOWS\system32thun32.dll
C:\WINDOWS\system32VBIEWER.OCX
C:\WINDOWS\system32vbsys2.dll
C:\WINDOWS\system32vcatchpi.dll
C:\WINDOWS\system32winlogonpc.exe
C:\WINDOWS\system32winsystem.exe
C:\WINDOWS\system32WINWGPX.EXE
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\winsystem.exe
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp

.
((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-08 21:47 . 2008-04-08 21:47 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-04-08 21:25 . 2008-04-08 21:25 <DIR> d-------- C:\WINDOWS\LastGood
2008-04-05 22:51 . 2008-04-05 22:52 <DIR> d-------- C:\Program Files\Panda Security
2008-04-03 16:44 . 2008-04-05 22:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-03 16:44 . 2008-04-03 16:44 <DIR> d-------- C:\Documents and Settings\Jerry\Application Data\Malwarebytes
2008-04-03 16:44 . 2008-04-03 16:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-28 22:49 . 2008-03-28 22:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-03-28 22:49 . 2008-03-28 22:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-22 22:48 . 2008-04-03 17:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\wnulcbsb
2008-03-20 00:37 . 2008-03-20 00:37 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico
2008-03-19 22:06 . 2008-03-20 00:34 1,544,253 ---hs---- C:\WINDOWS\SYSTEM32\oqnkdamp.ini
2008-03-19 21:58 . 2008-04-03 17:20 <DIR> d-------- C:\WINDOWS\SYSTEM32\sn7
2008-03-19 21:58 . 2008-03-20 00:00 <DIR> d-------- C:\WINDOWS\SYSTEM32\rom5
2008-03-19 21:58 . 2008-04-03 17:20 <DIR> d-------- C:\WINDOWS\SYSTEM32\rls3
2008-03-19 21:58 . 2008-03-27 01:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\drv2
2008-03-19 21:39 . 2006-10-04 10:06 1,197,294 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\sysmain.sdb
2008-03-19 21:38 . 2008-03-19 21:38 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-03-19 21:35 . 2008-03-19 21:35 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2008-03-19 21:35 . 2008-03-19 21:37 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\UMDF
2008-03-17 23:50 . 2008-03-29 16:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-17 23:50 . 2008-03-17 23:50 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-10 20:30 . 2008-03-10 20:30 <DIR> d-------- C:\Program Files\CWGET
2008-03-10 20:30 . 2008-03-14 16:37 193 --a------ C:\WINDOWS\PCWGXDRV.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 01:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-30 00:55 --------- d-----w C:\Program Files\Enigma Software Group
2008-03-29 05:47 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-29 05:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-29 02:32 --------- d-----w C:\Program Files\Trend Micro
2008-03-25 04:10 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-20 05:06 --------- d-----w C:\Program Files\Java
2008-03-14 04:34 --------- d-----w C:\Documents and Settings\Jerry\Application Data\LimeWire
2008-03-14 04:32 --------- d-----w C:\Program Files\Soulseek
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
2008-01-05 04:15 10 ----a-w C:\Program Files\.autoreg
2007-10-16 02:56 1,664 ----a-w C:\Documents and Settings\Jerry\Application Data\ViewerApp.dat
2007-05-15 04:24 25,990,392 ----a-w C:\Program Files\FLV PlayerRCSetup.exe
.

((((((((((((((((((((((((((((( snapshot_2008-03-23_23.20.44.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-25 22:13:04 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
+ 2007-07-18 17:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
- 2000-08-31 12:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2000-08-31 12:00:00 73,728 ----a-w C:\WINDOWS\fdsv.exe
+ 2000-08-31 12:00:00 80,412 ----a-w C:\WINDOWS\grep.exe
+ 2000-08-31 12:00:00 98,816 ----a-w C:\WINDOWS\sed.exe
+ 2000-08-31 12:00:00 161,792 ----a-w C:\WINDOWS\swreg.exe
+ 2000-08-31 12:00:00 136,704 ----a-w C:\WINDOWS\swsc.exe
+ 2000-08-31 12:00:00 212,480 ----a-w C:\WINDOWS\swxcacls.exe
- 2005-05-27 23:49:35 16,384 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2008-03-27 02:41:16 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
- 2005-05-27 23:49:35 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-03-27 02:41:16 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-05-27 23:49:35 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-27 02:41:16 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-08-04 10:00:00 4,224 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\beep.sys
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2000-08-31 12:00:00 49,152 ----a-w C:\WINDOWS\VFind.exe
+ 2000-08-31 12:00:00 68,096 ----a-w C:\WINDOWS\zip.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 14:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CompuServe 2000 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CompuServe 2000 Tray Icon.lnk
backup=C:\WINDOWS\pss\CompuServe 2000 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dlbcserv.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dlbcserv.lnk
backup=C:\WINDOWS\pss\dlbcserv.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINDOWS\pss\Office Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\883b4cfe]
C:\WINDOWS\system32\qdikpbgm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 15:35 67112 C:\Program Files\AIM95\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiviirus]
C:\Program Files\antiviirus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM8b087f62]
C:\WINDOWS\system32\hyxfnpkc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Crmfqr]
C:\Documents and Settings\Jerry\Application Data\?asks\?hkntfs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2007-03-15 11:09 460784 C:\Program Files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-12-06 02:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDTray]
--------- 2004-09-03 04:58 65536 C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 09:32 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 09:36 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-09-20 09:35 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a------ 2003-09-03 21:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kernel]
C:\Program Files\kernel\kernel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2006-01-17 13:03 53248 C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2006-01-17 13:03 135168 C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ouwovetu]
C:\WINDOWS\system32\cdkrkxcj.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ozcorujz]
C:\WINDOWS\system32\tgrabupy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2005-10-28 14:08 335872 C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-05-19 03:37 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2007-03-30 22:26 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sen]
C:\DOCUME~1\Jerry\APPLIC~1\SSTEM~1\dllhost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w]
C:\Documents and Settings\Jerry\Application Data\Microsoft\Windows\rayiou.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 15:42 1404928 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2007-06-21 15:06 1318912 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2007-03-14 12:16 100048 C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2004-01-07 02:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winshow]
C:\WINDOWS\winshow.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]
C:\Documents and Settings\Jerry\Application Data\WinTouch\WinTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 18:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yby]
C:\Documents and Settings\Jerry\Application Data\?icrosoft\?ttrib.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
--a------ 2007-03-28 18:10 224248 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SPBBCSvc"=2 (0x2)
"SymWSC"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)
"ISSVC"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"SNDSrvc"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\AIM95\\aim.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=

R2 PackethSvc;Virtual NIC Service;C:\WINDOWS\system32\PackethSvc.exe [2001-08-09 16:46]
S3 imhidusb;Immersion's HID USB Driver;C:\WINDOWS\system32\DRIVERS\imhidusb.sys [2001-04-27 04:36]
S3 SNDP610;Dual Mode Camera;C:\WINDOWS\system32\DRIVERS\sndp610.sys [2005-10-11 15:19]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 23:41]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 06:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Autorun.exe

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-08 22:04:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-08 22:06:06
ComboFix-quarantined-files.txt 2008-04-09 02:05:46
ComboFix2.txt 2008-03-24 03:21:06
ComboFix3.txt 2008-03-22 03:33:35
ComboFix4.txt 2008-01-08 05:08:42
Pre-Run: 31,075,479,552 bytes free
Post-Run: 31,063,887,872 bytes free
.
2008-03-23 04:27:31 --- E O F ---

New HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:55 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis2\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 4546 bytes

Y'know it kills me how people like to use their supeiror intellect to do such horrible things to people! I'm just glad there's good people like you out there too! Thanks again!

JeanInMontana

Apr 9 2008, 03:39 PM

Hi Jerry. Yes, I agree if those working to fill the world with malware put that brain to work on something like AIDS or Cancer it would be nice. It's all about greed though.

OK, still work to do.
Please upload this file C:\WINDOWS\privacy_danger\index.htm to here . This will ensure it gets added to the data base for future removals.

Now run HJT again in scan only and put a check next to
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm then click fix.

Reboot and let's try SmitFraud again.

Print or Copy these instructions to notepad and save to your Desktoop as you will be offline with all browsers closed for this fix.

Download:

Use this URL to download the latest version (the file contains both English and French versions):
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

* Double-click SmitfraudFix.exe
* Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Clean:

* Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
* Double-click SmitfraudFix.exe
* Select 2 and hit Enter to delete infect files.
* You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
* The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
* A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

* Optional:
o To restore Trusted and Restricted site zone, select 3 and hit Enter.
o You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.

Note:

process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Post the log from SmitFraud and a new HJT please. Tell me how things are running also.

Jerry

Apr 10 2008, 02:15 AM

I did not find the "privacy danger" folder in the WINDOWS directory, but HJT found it and I cleaned it then rebooted. I downloaded & ran SmitfraudFix. I'm now rebooting into safe mode...

Jerry

Apr 10 2008, 02:45 AM

Okay, done. Here's HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:32 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis2\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 4039 bytes

...and rapport.txt Part 1:

SmitFraudFix v2.311

Scan done at 22:19:19.79, Wed 04/09/2008
Run from C:\Documents and Settings\Jerry\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

Jerry

Apr 10 2008, 03:01 AM

And finally.... rapport.txt Part 4:

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{48D25D8F-BEBF-4A33-AA12-836E750671A0}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{48D25D8F-BEBF-4A33-AA12-836E750671A0}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{48D25D8F-BEBF-4A33-AA12-836E750671A0}: DhcpNameServer=192.168.1.254

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

Whew! Long darn thing!!!

Things seem to be running well!

JeanInMontana

Apr 10 2008, 04:04 PM

Nothing in the HJT log. Did you scan with it before or after the SF? HJT log is always last.

Let's run one more tool just to be sure. I don't like leaving anything.

Please download this file:

SDFix.exe and save it to your desktop.

Double click SDFix.exe and choose Install to extract it to its
own folder on the Desktop. Please then reboot your computer in Safe
Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the
Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should
appear;
* Select the first option, to run Windows in Safe Mode, then press
Enter.
* Choose your usual account.

* Open the extracted SDFix folder and double click RunThis.bat to
start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services or Registry Entries found then prompt
you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal
process then display Finished, press any key to end the script and
load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and
also save into the SDFix folder as Report.txt.
* Finally copy and paste the contents of the results file
Report.txt with a new HijackThis log
Reboot your system in Normal Mode. Then post the SDFix log and a new HJT log please.

Jerry

Apr 12 2008, 02:12 AM

Okay here's Report.txt:

SDFix: Version 1.169
Run by Jerry on Fri 04/11/2008 at 09:57 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\PROGRA~1\MESSEN~1\LAWUG - Deleted
C:\PROGRA~1\MESSEN~1\LAWUG386 - Deleted
C:\Program Files\.autoreg - Deleted
C:\WINDOWS\server.dll - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-11 22:02:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\AIM95\\aim.exe"="C:\\Program Files\\AIM95\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Soulseek\\slsk.exe"="C:\\Program Files\\Soulseek\\slsk.exe:*:Enabled:SoulSeek"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 24 Aug 2004 155,648 A..H. --- "C:\DELL\PRIMOSDK.DLL"
Tue 24 Aug 2004 360,448 A..H. --- "C:\DELL\PX.DLL"
Wed 28 Jul 2004 56,832 A..H. --- "C:\DELL\PXCPYA64.EXE"
Wed 28 Jul 2004 108,544 A..H. --- "C:\DELL\PXCPYI64.EXE"
Wed 18 Aug 2004 389,120 A..H. --- "C:\DELL\PXDRV.DLL"
Mon 2 Aug 2004 20,576 A..H. --- "C:\DELL\PXHELP20.SYS"
Mon 2 Aug 2004 54,976 A..H. --- "C:\DELL\PXHELP64.SYS"
Mon 2 Aug 2004 32,272 A..H. --- "C:\DELL\PXHELPER.SYS"
Mon 2 Aug 2004 26,720 A..H. --- "C:\DELL\PXHLPA64.SYS"
Mon 2 Aug 2004 57,344 A..H. --- "C:\DELL\PXHPINST.EXE"
Mon 2 Aug 2004 53,760 A..H. --- "C:\DELL\PXINSA64.EXE"
Mon 2 Aug 2004 104,960 A..H. --- "C:\DELL\PXINSI64.EXE"
Tue 24 Aug 2004 159,744 A..H. --- "C:\DELL\PXMAS.DLL"
Wed 28 Jul 2004 57,344 A..H. --- "C:\DELL\PXSETUP.EXE"
Tue 24 Aug 2004 339,968 A..H. --- "C:\DELL\PXWAVE.DLL"
Thu 20 May 2004 28,672 A..H. --- "C:\DELL\VXBLOCK.DLL"
Tue 24 Aug 2004 155,648 A..H. --- "C:\DELL\MEDIAEXE\PRIMOSDK.DLL"
Tue 24 Aug 2004 360,448 A..H. --- "C:\DELL\MEDIAEXE\PX.DLL"
Wed 28 Jul 2004 56,832 A..H. --- "C:\DELL\MEDIAEXE\PXCPYA64.EXE"
Wed 28 Jul 2004 108,544 A..H. --- "C:\DELL\MEDIAEXE\PXCPYI64.EXE"
Wed 18 Aug 2004 389,120 A..H. --- "C:\DELL\MEDIAEXE\PXDRV.DLL"
Mon 2 Aug 2004 20,576 A..H. --- "C:\DELL\MEDIAEXE\PXHELP20.SYS"
Mon 2 Aug 2004 54,976 A..H. --- "C:\DELL\MEDIAEXE\PXHELP64.SYS"
Mon 2 Aug 2004 32,272 A..H. --- "C:\DELL\MEDIAEXE\PXHELPER.SYS"
Mon 2 Aug 2004 26,720 A..H. --- "C:\DELL\MEDIAEXE\PXHLPA64.SYS"
Mon 2 Aug 2004 57,344 A..H. --- "C:\DELL\MEDIAEXE\PXHPINST.EXE"
Mon 2 Aug 2004 53,760 A..H. --- "C:\DELL\MEDIAEXE\PXINSA64.EXE"
Mon 2 Aug 2004 104,960 A..H. --- "C:\DELL\MEDIAEXE\PXINSI64.EXE"
Tue 24 Aug 2004 159,744 A..H. --- "C:\DELL\MEDIAEXE\PXMAS.DLL"
Wed 28 Jul 2004 57,344 A..H. --- "C:\DELL\MEDIAEXE\PXSETUP.EXE"
Tue 24 Aug 2004 339,968 A..H. --- "C:\DELL\MEDIAEXE\PXWAVE.DLL"
Thu 20 May 2004 28,672 A..H. --- "C:\DELL\MEDIAEXE\VXBLOCK.DLL"
Mon 22 May 2006 26,624 ...H. --- "C:\Games\My Documents\~WRL0004.tmp"
Thu 9 Aug 2001 102,467 A..H. --- "C:\Program Files\CompuServe 2000\csphx.exe"
Thu 9 Aug 2001 36,935 A..H. --- "C:\Program Files\CompuServe 2000\cstray.exe"
Thu 9 Aug 2001 64,512 A..H. --- "C:\Program Files\CompuServe 2000\packethsvc.exe"
Thu 9 Aug 2001 40,960 A..H. --- "C:\Program Files\CompuServe 2000\RBM.exe"
Thu 9 Aug 2001 172,095 A..H. --- "C:\Program Files\CompuServe 2000\wcs2000.exe"
Thu 7 Nov 2002 49,232 A..H. --- "C:\Program Files\CompuServe 7.0\csphx.exe"
Mon 4 Mar 2002 32,840 A..H. --- "C:\Program Files\CompuServe 7.0\cstray.exe"
Mon 4 Mar 2002 40,960 A..H. --- "C:\Program Files\CompuServe 7.0\RBM.exe"
Mon 4 Mar 2002 180,288 A..H. --- "C:\Program Files\CompuServe 7.0\wcs2000.exe"
Wed 15 Jun 2005 141,312 ..SHR --- "C:\Program Files\PhoTags Express\Setup.exe"
Wed 9 Mar 2005 39,936 A.SHR --- "C:\Program Files\PhoTags Express\_Setupx.dll"
Fri 11 Nov 2005 4,126,240 ...H. --- "C:\Program Files\Picasa2\setup.exe"
Wed 22 Jun 2005 45,568 A.SHR --- "C:\Program Files\Replay Converter\cygz.dll"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Thu 9 Aug 2001 64,512 A..H. --- "C:\WINDOWS\SYSTEM32\PackethSvc.exe"
Tue 27 Nov 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 9 Aug 2001 172,032 A..H. --- "C:\Program Files\CompuServe 2000\COMIT\cswitch.exe"
Mon 4 Mar 2002 77,894 A..H. --- "C:\Program Files\CompuServe 7.0\COMIT\cswitch.exe"
Wed 19 Mar 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sun 10 Jul 2005 10,678 A..H. --- "C:\Program Files\Microsoft Office\Office\Shortcut Bar\OffD.tmp"
Wed 12 Dec 2001 102,400 A..H. --- "C:\Program Files\Common Files\csshare\shell\us\shellext.dll"

Finished!

...and HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:58 PM, on 4/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis2\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 4040 bytes

JeanInMontana

Apr 12 2008, 06:29 PM

Well, it looks like running SDFix was a good call. How are you running now? You look squeaky clean.

Your log looks clean. We need to now reset a clean System Restore point. If you don't and you need to use System Restore you will reinfect yourself. Go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK.

Now go to Start>Help and Support > Undo Changes to Your System or System Restore depending on the make of your PC. Click on what ever will open the System Restore box. You will see two options, Choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it.

Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenol. Keep Spybot Search & Destroy and always immunize when you update. You will also need at least one other scanning program AVG is good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use.

A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient.

Preform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.

SpywareBlaster from Javacool Software

WinPatrol by BillPStudios

SiteHound by FireTrust

RogueRemover

hpHosts

The windows firewall is not sufficient to protect. It doesn't monitor outgoing traffic and this is a must. I use and recommend Online Armor Free

Also the full protection of MBAM is offered at a very low price. Give it a trial using the link in my signature.

Jerry

Apr 13 2008, 02:29 AM

Thanks!!! You have no idea how much I appreciate this! I'm gonna install those scanners and that firewall right now!!!

JeanInMontana

Apr 13 2008, 09:48 AM

Good plan, and be sure to keep them updated along with your Windows, Java, Flash and Adobe programs . Since this issue is resolved I will close the topic to prevent others from posting into it.

The fixes and procedures in this topic are for this machine only. Do not apply them to your machine even if you thing you are having the same problem. Read the instructions at the top of this page and start your own topic. Someone will be happy to help you.

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.