
Would somebody, anybody please help me?


This topic is locked.

#1 wthess (Member, 10 posts)
I downloaded a program a few weeks ago that I thought was legit, but rather it installed multiple trojans, lots of spyware, popups like crazy, shut down my firewall (and I can't get it to work anymore), disabled system restore, and disabled virus protection. I've posted my log to multiple sites, but no one ever helps me. I am very adept with computers, but every time I delete all this crap, it comes back after I reboot. I've tried several anti-spyware programs with no results. Every time I reboot, it all comes back. I'm posting my hijack log. If you want to know where to go to get the program that caused this crap, I can point you to the link. I'm just tired of people telling me they can help, but it all comes back after a reboot.

Logfile of HijackThis v1.99.1
Scan saved at 6:16:18 PM, on 10/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ADTRAN\NetVanta VPN Client\IreIKE.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\ADTRAN\NetVanta VPN Client\IPSecMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Venta\VentaFax & Voice 5\vfdrv32.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\WINDOWS\system32\service4.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Atomic Clock Sync\Atomic.exe
C:\Program Files\Common Files\{1C97AB34-07D0-1033-0304-050312180001}\Update.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\WINDOWS\system32\atikvmag.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Linksys\LogViewer\LogViewer.exe
C:\Program Files\ADTRAN\NetVanta VPN Client\SafeCfg.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: Shell=
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3C97AB34-07D0-1033-0304-050312180001}\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BCWipeTM Startup] "d:\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
O4 - HKLM\..\Run: [_mzu_stonedrv2] c:\windows\system32\_mzu_stonedrv2.exe
O4 - HKLM\..\Run: [SvcManager] service4.exe
O4 - HKLM\..\RunServices: [_mzu_stonedrv2] c:\windows\system32\_mzu_stonedrv2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [DynDNS Updater] "C:\Program Files\DynDNS Updater\DynDNS.exe"
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] "C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe"
O4 - HKCU\..\Run: [userenv] C:\WINDOWS\system32\userenv.exe
O4 - HKCU\..\Run: [_mzu_stonedrv2] c:\windows\system32\_mzu_stonedrv2.exe
O4 - Startup: Catalyst Control Center.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Startup: Check for JIMCO Software POWERpack Updates.lnk = C:\Program Files\JIMCO Software POWERpack\WiseUpdt.EXE
O4 - Startup: Xfire.lnk = E:\Xfire\Xfire.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: LogViewer.lnk = C:\Program Files\Linksys\LogViewer\LogViewer.exe
O4 - Global Startup: NetVanta VPN Client.lnk = C:\Program Files\ADTRAN\NetVanta VPN Client\SafeCfg.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &3 - C:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fasta...oad/tgctlcm.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126536395265
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EF94275-9E5A-4E40-9687-C8FAFC85E1B8}: NameServer = 192.168.10.200
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\ADTRAN\NetVanta VPN Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\ADTRAN\NetVanta VPN Client\IreIKE.exe
O23 - Service: kbdinbe1.exe - Unknown owner - C:\WINDOWS\system32\kbdinbe1.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ntdsapi.exe - Unknown owner - C:\WINDOWS\system32\ntdsapi.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VentaFax Engine (VfDrv32) - Unknown owner - C:\Program Files\Venta\VentaFax & Voice 5\vfdrv32.exe
#2 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel; Retired Staff, 15,131 posts)
Hello wthess and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple-identity PCs (family PCs) present a different problem; please tell me if your PC has more than one individual's settings, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions! (Click the Options drop down near the upper right of the topic. Select Print this topic.)

You have quite a mixture of malware and Trojans. Let’s see what we can do.

Firstly could you please disable SpywareDetector as it may hinder our attempts at changing anything in your registry.

To start, please download the following programmes; we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

Killbox by Option^Explicit
CCleaner
AVG AntiSpyware
combofix.exe

Go to Start>Run and type Services.msc then hit OK
Scroll down and find these services:

kbdinbe1.exe
ntdsapi.exe


When you find them, double-click on each of them. In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then OK.

Run HiJackThis. Click on None of the above, just start the program. Now, click on the Config button (bottom right), then click on Misc Tools, then click on Delete an NT Service; a window will pop up. Enter these items into that field one at a time (copy and paste):

kbdinbe1.exe
ntdsapi.exe


Click OK.

It should pull up information about the service; when it asks if you want to reboot now, click YES.

There is a file in your log of which I am unsure. For that reason, I need you to submit it to Jotti's for analysis.

1. Click HERE to get to Jotti's site.

2. At the top of the Jotti window, use the Browse button to locate the following file on your system:

C:\WINDOWS\system32\service4.exe

3. Once you have located the file, click SUBMIT and the content of the file will be uploaded by the site and analysed.

4. Please provide me with the results of the analysis.

Please install, and update AVG Anti Spyware
  • Load AVGas and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Please select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports":
      • Select "Automatically generate report after every scan"
      • Deselect "Only if threats were found"
  • Close AVGas. Do not run it yet.
Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:

Safe Mode

  • In Safe Mode, load AVGas and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be patient.
  • AVGas will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVGas will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (I suggest the Desktop).
  • Please ensure you post that log in your reply.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3C97AB34-07D0-1033-0304-050312180001}\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [_mzu_stonedrv2] c:\windows\system32\_mzu_stonedrv2.exe
O4 - HKLM\..\RunServices: [_mzu_stonedrv2] c:\windows\system32\_mzu_stonedrv2.exe
O4 - HKCU\..\Run: [userenv] C:\WINDOWS\system32\userenv.exe
O4 - HKCU\..\Run: [_mzu_stonedrv2] c:\windows\system32\_mzu_stonedrv2.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O23 - Service: kbdinbe1.exe - Unknown owner - C:\WINDOWS\system32\kbdinbe1.exe
O23 - Service: ntdsapi.exe - Unknown owner - C:\WINDOWS\system32\ntdsapi.exe

Now close all windows other than HiJackThis, then click Fix Checked.

Please remove this entry from Add/Remove Programs in the Control Panel (if present): (click Start>Settings>Control Panel)

Viewpoint

Please notify me of any other programmes that you don't recognise in that list in your next response.

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete these folders (if present) using Windows Explorer:

C:\Program Files\Viewpoint\

Close Windows Explorer and reboot normally.

Please install Killbox by Option^Explicit.
  • Please double-click Killbox.exe to run it.
  • Select Delete on Reboot
  • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\{1C97AB34-07D0-1033-0304-050312180001}\Update.exe
C:\WINDOWS\system32\atikvmag.exe
C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
c:\windows\system32\_mzu_stonedrv2.exe
C:\WINDOWS\system32\userenv.exe
C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
C:\WINDOWS\system32\kbdinbe1.exe
C:\WINDOWS\system32\ntdsapi.exe
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Now we must hide the files we revealed earlier by reversing the process; this is an important safeguard to stop important system files being deleted by accident.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, check the default setting in the left-hand pane, ensure you uncheck old prefetch data found under the system tab, and under the heading of Applications uncheck AVGas Anti-malware log, then click Analyze > Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues, then Scan for issues, then Fix selected issues.

Double click combofix.exe & follow the prompts.

When it has finished, it will produce a log. Please post that log in your next reply.

Note: Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

Post back a fresh HijackThis log (from normal mode) and I will take another look. (I make that 3 logs in total, plus a Jotti answer).
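The entries singled out in the post above share a handful of tells that can be checked mechanically: an empty Shell= mapping, a toolbar whose DLL is missing, one binary registered under HKLM Run, the legacy RunServices key and HKCU Run at the same time, an autostart launched by bare file name (service4.exe), executables named after Windows system DLLs (userenv.exe, ntdsapi.exe), and services with no vendor whose display name is just their own file name. The script below is an added example, not tooling from the thread or from the HijackThis project: it parses a log in the v1.99 format and flags those patterns. The embedded sample log is constructed from a few lines copied from the log above, and the list of system-DLL names it compares against is a short assumption rather than a complete catalogue.

```python
"""Heuristic triage of a HijackThis v1.99 log.

Added example, not tooling from the thread or the HijackThis project: it flags
the kinds of entries the helper singles out by hand, so the reasoning behind
"check these lines and Fix Checked" is visible.
"""
import re
from collections import defaultdict

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# Drive-letter path ending in an executable extension; non-greedy so trailing
# switches such as "/autorun" or "-hide" are not swallowed into the path.
PATH_RE = re.compile(r'([A-Za-z]:\\.+?\.(?:exe|dll|ocx|cpl|scr))(?=\s|"|$)', re.IGNORECASE)
O4_REG_RE = re.compile(r"^(?P<loc>.+?):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")  # registry Run keys
O4_LNK_RE = re.compile(r"^(?P<loc>.+?):\s*(?P<name>.+?)\s*=\s*(?P<cmd>.*)$")      # Startup-folder .lnk
O23_RE = re.compile(r"^Service:\s*(?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Base names of well-known Windows DLLs. An .exe wearing one of these names is a
# decoy pattern; this short list is an assumption, not an exhaustive catalogue.
SYSTEM_DLL_NAMES = {"userenv", "ntdsapi", "kernel32", "advapi32", "shell32", "ntdll"}

# Constructed sample: a handful of lines copied from the log posted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

F2 - REG:system.ini: Shell=
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3C97AB34-07D0-1033-0304-050312180001}\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [_mzu_stonedrv2] c:\windows\system32\_mzu_stonedrv2.exe
O4 - HKLM\..\Run: [SvcManager] service4.exe
O4 - HKLM\..\RunServices: [_mzu_stonedrv2] c:\windows\system32\_mzu_stonedrv2.exe
O4 - HKCU\..\Run: [userenv] C:\WINDOWS\system32\userenv.exe
O4 - HKCU\..\Run: [_mzu_stonedrv2] c:\windows\system32\_mzu_stonedrv2.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: kbdinbe1.exe - Unknown owner - C:\WINDOWS\system32\kbdinbe1.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: ntdsapi.exe - Unknown owner - C:\WINDOWS\system32\ntdsapi.exe
"""


def basename(path):
    """Last component of a Windows path, lower-cased (os.path would not split on '\\' off Windows)."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def launched_binary(cmd):
    """Return (binary, has_directory) for an autostart command string."""
    m = PATH_RE.search(cmd)
    if m:
        return m.group(1), True
    first = cmd.strip().strip('"').split(" ", 1)[0] if cmd.strip() else ""
    return first, "\\" in first


def parse(log_text):
    """Yield (section, body) for every HijackThis entry line; other lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def triage(log_text):
    """Return (section, subject, reason) findings. A finding is a prompt to verify
    the file (for instance by submitting it to a multi-engine scanner), not a verdict."""
    findings = []
    autostart_locations = defaultdict(set)  # binary base name -> locations it is registered in
    for section, body in parse(log_text):
        low = body.lower()
        if section == "F2" and low.endswith("shell="):
            findings.append((section, body, "system.ini Shell= value is empty"))
        if "(file missing)" in low:
            findings.append((section, body, "registration points at a file that no longer exists"))
        if section == "O4":
            m = O4_REG_RE.match(body) or O4_LNK_RE.match(body)
            if not m:
                continue
            loc, cmd = m.group("loc"), m.group("cmd")
            binary, has_dir = launched_binary(cmd)
            base = basename(binary)
            if "runservices" in loc.lower():
                findings.append((section, body, "RunServices is a Windows 9x key that NT-based Windows ignores; legitimate installers rarely write to it"))
            if cmd.strip() == "?":
                findings.append((section, body, "shortcut target could not be resolved"))
            elif not has_dir:
                findings.append((section, body, "launched by bare file name, resolved through the search path"))
            if base.endswith(".exe") and base[:-4] in SYSTEM_DLL_NAMES:
                findings.append((section, body, "executable named after a Windows system DLL"))
            autostart_locations[base].add(loc)
        if section == "O23":
            m = O23_RE.match(body)
            if not m:
                continue
            base = basename(m.group("path"))
            if m.group("owner").lower() == "unknown owner":
                findings.append((section, body, "service binary carries no vendor information"))
            if m.group("name").lower() == base:
                findings.append((section, body, "service display name is just the binary's file name"))
            if base.endswith(".exe") and base[:-4] in SYSTEM_DLL_NAMES:
                findings.append((section, body, "executable named after a Windows system DLL"))
    for base, locs in autostart_locations.items():
        if len(locs) > 1:
            findings.append(("O4", base, f"registered in {len(locs)} autostart locations: {', '.join(sorted(locs))}"))
    return findings


if __name__ == "__main__":
    for section, subject, reason in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {subject}")
```

Every flag is a reason to look at the file, which is what the Jotti submission in the post does; it is not a verdict. The "no vendor information" check also fires on the ATI Smart service from the same log, a driver component that the helper leaves alone, and the bare-name check fires on rundll32.exe even though the loader itself is legitimate. Replace SAMPLE_LOG with the contents of a saved log to run it against a real scan.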

#3 wthess (Topic Starter; Member, 10 posts)
Hey,

Thanks, I do realize you aren't superhuman and the first try may not work. On other sites I have gone to, either no one answers, or they tell me to do things I've already tried that work until a reboot. Looking at your message, you've already given me more info than anyone else.

I only have one profile on the PC. I don't know if it will help you to send the original file that caused this or not, but I can if you need me to.

I will try the things you suggest and we'll see what happens. I had to kill a few processes and took a few things out of the registry in order to get hijack to run, so I'm sure there's more than just this.

I'll try this today and get back with you. Thanks.

#4 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel; Retired Staff, 15,131 posts)
OK, just bear in mind that I am 6 hours ahead of you when you post.

#5 wthess (Topic Starter; Member, 10 posts)
No problem. It's been going on for two weeks now, what's another day or two? :whistling:

Anyway, I performed your steps and a lot of it came back again. Here are some things I would like to note before posting the logs...

1) There is a program called drsmartload that keeps coming back and is caught by my anti-spyware software. I'm thinking this has a lot to do with it.

2) After I performed all these steps and rebooted, most of it came back. I now have a lot more files in my root dir, popups, virus sw catching viruses, anti-spyware sw catching trojans and malware. And this happens as soon as I reboot.

3) The service4 file you mentioned is definitely a piece of malware. Every time I've deleted it, it keeps coming back, sometimes as service2. I could not get the Jotti scan to work, the web page said something about the server being overloaded. I'll keep trying.

4) I skipped one step on purpose. I did not delete the references to "Free Download Manager" as that is a program I've had installed a while and I use it frequently, daily.

5) I'm posting the logs as you requested, in this order: AVG log; combofix log; hijack log (latest).

Here goes:

___________________________________________________
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:08:42 PM 10/15/2006

+ Scan result:



C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP7\A0001463.exe -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP7\A0001464.exe -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP7\A0001551.exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP7\A0001578.exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP2\A0000022.exe -> Adware.CommAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP34\A0009015.exe -> Adware.CommAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP10\A0006981.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP3\A0000061.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP3\A0000065.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP7\A0001476.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP10\A0006985.exe -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP7\A0001546.exe -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP7\A0001553.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP2\A0000042.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP7\A0001456.exe -> Adware.Mirar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP7\A0001544.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{1C97AB34-07D0-1033-0304-050312180001}\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{1C97AB34-07D0-1033-0304-050312180001}\services.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP17\A0007178.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP34\A0009018.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP35\A0010029.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP35\A0010030.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP10\A0006957.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP10\A0006958.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP10\A0006959.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP10\A0007036.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP17\A0007179.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP4\A0001094.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP4\A0001095.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP4\A0001096.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP7\A0001174.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP7\A0001557.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP17\A0007180.dll -> Adware.TopInstalls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP2\A0000003.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP2\A0000005.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP2\A0000006.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP2\A0000009.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP2\A0000001.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP2\A0000027.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP7\A0001527.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP15\A0007109.exe -> Backdoor.Small.ml : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP17\A0007164.exe -> Backdoor.Small.ml : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP17\A0007169.exe -> Backdoor.Small.ml : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP17\A0007170.exe -> Backdoor.Small.ml : Cleaned with backup (quarantined).
C:\WINDOWS\system32\atikvmag.exe -> Backdoor.Small.ml : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP17\A0007149.exe -> Downloader.Adload.de : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP10\A0006991.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP10\A0007007.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP17\A0007171.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP7\A0001459.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP7\A0001554.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drsmartload815a.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP10\A0006989.exe -> Downloader.Adload.fv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP7\A0001454.exe -> Downloader.Adload.fv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP10\A0006988.exe -> Downloader.Adload.fz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP10\A0006990.exe -> Downloader.Adload.fz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP7\A0001429.exe -> Downloader.Adload.fz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP7\A0001571.exe -> Downloader.Adload.fz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP7\A0001433.exe -> Downloader.Agent.aqx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP17\A0007174.exe -> Downloader.Delf.aeu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP10\A0006982.exe -> Downloader.Dyfuca.ey : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP2\A0000020.exe -> Downloader.Dyfuca.ey : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP2\A0000024.exe -> Downloader.Dyfuca.ey : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP7\A0001552.exe -> Downloader.Dyfuca.ey : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP7\A0001566.exe -> Downloader.Dyfuca.ey : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP7\A0001441.exe -> Downloader.Dyfuca.fb : Cleaned with backup (quarantined).
C:\WINDOWS\system32\loadadv559.exe -> Downloader.Harnig.cu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP17\A0007176.exe -> Downloader.Reqlook.i : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP10\A0006996.exe -> Downloader.Small.awa : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP9\A0003943.exe -> Downloader.Small.cib : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1004336348-1844237615-839522115-1003\Dc11.exe -> Downloader.Small.ctf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP10\A0006980.exe -> Downloader.Small.cyq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP7\A0001446.exe -> Downloader.Small.cyq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP10\A0006997.exe -> Downloader.Small.dkt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP10\A0007012.exe -> Downloader.VB.anl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP2\A0000035.exe -> Downloader.VB.anl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP2\A0000036.exe -> Downloader.VB.anl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP7\A0001541.exe -> Downloader.VB.anl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP7\A0001563.exe -> Downloader.VB.anl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP7\A0001567.exe -> Downloader.VB.anl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP7\A0001887.exe -> Downloader.VB.anl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP17\A0007177.exe -> Dropper.Agent.mu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP7\A0001569.exe -> Dropper.Agent.mu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP7\A0001468.exe -> Dropper.Mudrop.bq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP2\A0000025.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP2\A0000048.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP3\A0000059.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP3\A0000070.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP4\A0000081.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP7\A0001570.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP7\A0001466.exe -> Hijacker.Small.ja : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP17\A0007211.exe -> Logger.Goldun.kt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP10\A0006994.exe -> Not-A-Virus.Hoax.Win32.Renos.fc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP10\A0006995.exe -> Not-A-Virus.Hoax.Win32.Renos.fc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP10\A0007014.exe -> Not-A-Virus.Hoax.Win32.Renos.fc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP8\A0001901.exe -> Not-A-Virus.Hoax.Win32.Renos.fc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP9\A0003942.exe -> Not-A-Virus.Hoax.Win32.Renos.fc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP10\A0006961.exe -> Proxy.Lager.az : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP10\A0007002.exe -> Proxy.Lager.az : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP17\A0007175.exe -> Proxy.Lager.az : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP35\A0010033.sys -> Proxy.Small.bo : Cleaned with backup (quarantined).
C:\WINDOWS\system32\MZU_DRV.sys -> Proxy.Small.bo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP17\A0007210.exe -> Trojan.Agent.za : Cleaned with backup (quarantined).
C:\fudi.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP7\A0001538.exe -> Trojan.Sinowal.ay : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1004336348-1844237615-839522115-1003\Dc10.exe -> Trojan.Sinowal.az : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP7\A0001453.exe -> Trojan.Sinowal.az : Cleaned with backup (quarantined).
C:\eymdr.exe -> Trojan.Sinowal.az : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP17\A0007172.dll -> Trojan.Sinowal.ba : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP10\A0006976.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP10\A0006977.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP10\A0006978.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP17\A0007173.dll -> Worm.Banwarum.f : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP8\A0002896.dll -> Worm.Banwarum.f : Cleaned with backup (quarantined).


::Report end

________________________________________



Todd - 06-10-15 14:32:52.75 Service Pack 2
ComboFix 06.10.14.1 - Running from: "D:\Download"

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Todd\Application Data\Dxcdmns.dll
C:\Documents and Settings\Todd\Application Data\Dxcknwrd.dll
C:\Documents and Settings\Todd\Application Data\Dxcuknwrd.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Todd\Application Data\Install.dat
C:\Program Files\Common Files\{1C97AB34-07D0-1033-0304-050312180001}
C:\Program Files\Common Files\{3C97AB34-07D0-1033-0304-050312180001}


((((((((((((((((((((((((((((((( Files Created from 2006-09-15 to 2006-10-15 ))))))))))))))))))))))))))))))))))


2006-10-15 14:29 45,056 --a------ C:\Documents and Settings\Todd\SMGO.exe
2006-10-15 14:21 45,056 --a------ C:\Documents and Settings\Todd\MKRO.exe
2006-10-15 13:39 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-15 13:29 26,272 --a------ C:\tvtmonn.exe
2006-10-15 13:28 48,640 --a------ C:\Documents and Settings\Todd\7.exe
2006-10-15 13:28 45,056 --a------ C:\WINDOWS\system32\OBTG.exe
2006-10-15 13:28 45,056 --a------ C:\Documents and Settings\Todd\LGJK.exe
2006-10-14 18:01 45,056 --a------ C:\Documents and Settings\Todd\NFFS.exe
2006-10-14 11:24 45,056 --a------ C:\WINDOWS\system32\IRMC.exe
2006-10-14 11:24 45,056 --a------ C:\Documents and Settings\Todd\UOAL.exe
2006-10-14 11:24 35,590 --a------ C:\WINDOWS\system32\dx3j.exe
2006-10-14 11:24 115,947 --a------ C:\WINDOWS\system32\5.exe
2006-09-29 23:02 21,312 --a------ C:\WINDOWS\choice.exe
2006-09-29 20:46 40,960 --a------ C:\WINDOWS\system32\service4.exe
2006-09-29 20:45 7,680 --a------ C:\Documents and Settings\Todd\loadadv559.exe
2006-09-29 20:44 15,872 --a------ C:\Documents and Settings\Todd\CUTJ.exe
2006-09-28 23:05 970,752 --a------ C:\WINDOWS\system32\VchReg.dll
2006-09-28 23:05 50,904 --a------ C:\WINDOWS\system32\CloseAll.exe
2006-09-28 23:05 229,376 --a------ C:\WINDOWS\system32\CheckDll.dll
2006-09-28 21:35 218,112 --a------ C:\HijackThis.exe
2006-09-28 20:35 0 --a------ C:\WINDOWS\system32\aspi2809.exe
2006-09-28 20:28 11,648 --a------ C:\WINDOWS\system32\drivers\pxscrmbl.sys
2006-09-28 20:23 94,720 --a------ C:\WINDOWS\system32\tnmtrfl.dll
2006-09-28 20:16 1,010,000 -r-hs---- C:\WINDOWS\xvfamwmA.exe
2006-09-28 20:15 175,180 --a------ C:\WINDOWS\snaper.exe
2006-09-28 12:53 111,262 --a------ C:\WINDOWS\system32\justin.exe
2006-09-28 11:53 96,265 --a------ C:\WINDOWS\system32\ebo_1.0.3.9.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-15 14:35 -------- d-------- C:\Program Files\SpywareDetector
2006-10-15 14:33 -------- d-------- C:\Program Files\Common Files
2006-10-15 14:29 -------- d-------- C:\Program Files\Internet Explorer
2006-10-15 14:25 -------- d-------- C:\Documents and Settings\Todd\Application Data\Free Download Manager
2006-10-15 14:17 -------- d-------- C:\Program Files\Viewpoint
2006-10-15 13:39 -------- d-------- C:\Program Files\Grisoft
2006-09-29 11:01 -------- d-------- C:\Program Files\Trend Micro
2006-09-29 10:17 -------- d-------- C:\Program Files\Riva
2006-09-29 10:17 -------- d-------- C:\Program Files\Common Files\SWF Studio
2006-09-28 21:13 -------- d-------- C:\Program Files\Norton AntiVirus
2006-09-28 21:12 -------- d-------- C:\Program Files\Free Download Manager
2006-09-28 21:11 -------- d-------- C:\Program Files\CleanUp!
2006-09-28 17:49 -------- d-------- C:\Program Files\mediasnapinstall
2006-09-23 02:57 -------- d-------- C:\Program Files\Yahoo!
2006-09-16 15:29 -------- d-------- C:\Program Files\Simply Safe Backup 2005
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-09 01:37 -------- d-------- C:\Documents and Settings\Todd\Application Data\Xfire
2006-09-07 21:16 -------- d-------- C:\Documents and Settings\Todd\Application Data\Adobe
2006-09-07 21:14 -------- d-------- C:\Program Files\Common Files\Adobe
2006-09-07 21:13 -------- d-------- C:\Program Files\Adobe
2006-09-04 14:56 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-25 10:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-22 15:40 -------- d-------- C:\Program Files\MSI
2006-08-22 15:39 -------- d-------- C:\Program Files\Setup Files
2006-08-22 15:15 -------- d-------- C:\Program Files\Realtek AC97
2006-08-22 15:15 -------- d-------- C:\Program Files\AvRack
2006-08-21 07:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 04:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 04:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-20 19:15 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-08-20 18:02 -------- d-------- C:\Program Files\GameSpy Arcade
2006-08-20 01:05 -------- d-------- C:\Documents and Settings\Todd\Application Data\ATI MMC
2006-08-16 11:42 -------- dr------- C:\Documents and Settings\Todd\Application Data\Brother
2006-08-16 06:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-08-16 04:37 225664 --a------ C:\WINDOWS\system32\drivers\tcpip6.sys
2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-18 21:05 520192 --------- C:\WINDOWS\system32\ati2sgag.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Free Download Manager"="C:\\Program Files\\Free Download Manager\\fdm.exe -autorun"
"DynDNS Updater"="\"C:\\Program Files\\DynDNS Updater\\DynDNS.exe\""
"ATI Scheduler"="C:\\Program Files\\ATI Multimedia\\main\\ATISched.EXE"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"ATI Launchpad"="\"C:\\Program Files\\ATI Multimedia\\main\\launchpd.exe\""
"ATI DeviceDetect"="C:\\Program Files\\ATI Multimedia\\main\\ATIDtct.EXE"
"ATI Remote Control"="\"C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIRW.exe\""
"msratelc"="C:\\WINDOWS\\system32\\msratelc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SaiSmart"="C:\\Program Files\\Saitek\\Software\\SaiSmart.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"zBrowser Launcher"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe"
"Ptipbmf"="rundll32.exe ptipbmf.dll,SetWriteCacheMode"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"OpwareSE2"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"BCWipeTM Startup"="\"d:\\BCWipe\\BCWipeTM.exe\" startup"
"Samsung Common SM"="\"C:\\WINDOWS\\Samsung\\ComSMMgr\\ssmmgr.exe\" /autorun"
"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe -CheckReg"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"HydraVisionDesktopManager"="C:\\Program Files\\ATI Technologies\\ATI HYDRAVISION\\HydraDM.exe"
"SSBkgdUpdate"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"
"PaperPort PTD"="C:\\Program Files\\ScanSoft\\PaperPort\\pptd40nt.exe"
"IndexSearch"="C:\\Program Files\\ScanSoft\\PaperPort\\IndexSearch.exe"
"SetDefPrt"="C:\\Program Files\\Brother\\Brmfl04g\\BrStDvPt.exe"
"ControlCenter2.0"="C:\\Program Files\\Brother\\ControlCenter2\\brctrcen.exe /autorun"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\CLIStart.exe\""
"LiveMonitor"="C:\\Program Files\\MSI\\Live Update 3\\LMonitor.exe"
"RaidTool"="C:\\Program Files\\VIA\\RAID\\raid_tool.exe"
"SystemTraySD"="C:\\Program Files\\SpywareDetector\\SDSystemTray.exe"
"SDAutoLiveupdate"="C:\\Program Files\\SpywareDetector\\LiveUpdateSD.exe -AUTO"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"Atomic.exe"="C:\\Program Files\\Atomic Clock Sync\\Atomic.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
@=""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,22,02,00,00,00,00,00,00,be,02,00,00,00,04,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\20051201_122900_Daily Backup.job
C:\WINDOWS\tasks\Daily Backup.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Todd.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-10-15 14:36:15.32
C:\ComboFix.txt ... 06-10-15 14:36


______________________________________________


Logfile of HijackThis v1.99.1
Scan saved at 2:39:50 PM, on 10/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ADTRAN\NetVanta VPN Client\IreIKE.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\ADTRAN\NetVanta VPN Client\IPSecMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Venta\VentaFax & Voice 5\vfdrv32.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Atomic Clock Sync\Atomic.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Linksys\LogViewer\LogViewer.exe
C:\Program Files\ADTRAN\NetVanta VPN Client\SafeCfg.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\_mzu_stonedrv7.exe
C:\Program Files\Norton AntiVirus\navw32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HijackThis.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: Shell=
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3C97AB34-07D0-1033-0304-050312180001}\MyToolBar.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3C97AB34-07D0-1033-0304-050312180001}\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BCWipeTM Startup] "d:\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
O4 - HKLM\..\Run: [_mzu_stonedrv7] c:\windows\system32\_mzu_stonedrv7.exe
O4 - HKLM\..\RunServices: [_mzu_stonedrv7] c:\windows\system32\_mzu_stonedrv7.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [DynDNS Updater] "C:\Program Files\DynDNS Updater\DynDNS.exe"
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] "C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe"
O4 - HKCU\..\Run: [msratelc] C:\WINDOWS\system32\msratelc.exe
O4 - HKCU\..\Run: [mfc42enu] C:\WINDOWS\system32\mfc42enu.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
O4 - HKCU\..\Run: [_mzu_stonedrv7] c:\windows\system32\_mzu_stonedrv7.exe
O4 - Startup: Catalyst Control Center.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Startup: Check for JIMCO Software POWERpack Updates.lnk = C:\Program Files\JIMCO Software POWERpack\WiseUpdt.EXE
O4 - Startup: Xfire.lnk = E:\Xfire\Xfire.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: LogViewer.lnk = C:\Program Files\Linksys\LogViewer\LogViewer.exe
O4 - Global Startup: NetVanta VPN Client.lnk = C:\Program Files\ADTRAN\NetVanta VPN Client\SafeCfg.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &3 - C:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fasta...oad/tgctlcm.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126536395265
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EF94275-9E5A-4E40-9687-C8FAFC85E1B8}: NameServer = 192.168.10.200
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\ADTRAN\NetVanta VPN Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\ADTRAN\NetVanta VPN Client\IreIKE.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: vb40032.exe - Unknown owner - C:\WINDOWS\system32\vb40032.exe
O23 - Service: VentaFax Engine (VfDrv32) - Unknown owner - C:\Program Files\Venta\VentaFax & Voice 5\vfdrv32.exe
  • 0


#7
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again Todd

:whistling: Let's call it a senior moment. Originally, I did earmark FreeDownloadManager for deletion but then I checked it and nowadays, it is not loaded like it used to be, so I thought I had pulled it totally - looks like I left the HJT fix in situ which would have disabled it. My apologies.

Your log is a little better than before but I think you may have Puper lurking - it just "smells that way". Let's see. Run it all as is, if I'm right, you should notice a difference.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

A. Please open AVG Anti Spyware
  • Please install, and update AVG Anti-Spyware/Ewido
  • Load AVGas/Ewido and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Please select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"
  • Close AVGas/Ewido. Do not run it yet.
B. Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:

Safe Mode

C. Open the SmitfraudFix folder (right click and choose Extract All), then double-click the smitfraudfix.cmd file to start the tool. Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

D. Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

E. Close ALL open Windows / Programmes / Folders.
  • In Safe Mode, load AVGas/Ewido and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be patient.
  • AVGas/Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (I suggest the Desktop).
Close AVGas/Ewido and Reboot in Normal Mode.
______________________________

F. Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the Programme and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
______________________________

G. Please post:
  • c:\rapport.txt
  • AVGas/Ewido log
  • A new HijackThis log (from normal mode).
You may need more than one reply to post the requested logs, otherwise they might get cut off.
  • 0

#8
wthess

wthess

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Thanks,

I will perform these steps when I have the time. It will probably be late this evening before I can get to it, and you'll probably be in bed sleeping... Unless you want to wait up. :whistling:
  • 0

#9
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
I'll probably see the results tomorrow morning.
  • 0

#10
wthess

wthess

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Ok, I went ahead and took the time to do the steps. Once I rebooted back into normal mode, it all started coming back again. More files were added to the root directory, and AVG goes nuts on startup, catching one trojan after another. Once I quarantined those and started IE, AVG went nuts again with more trojans and malware. Oh, btw, that drsmartload.exe file is in the root folder again. Here are the logs and the latest Hijack log. Oh, and just to let you know, I still have a copy of the file that caused all these issues from the beginning. The minute I installed it, my system went crazy with virus alerts and spyware alerts.

I will put the rapport.txt file and the AVGas log in this post and the HiJack log in the next one.

SmitFraudFix v2.110

Scan done at 9:53:46.48, Mon 10/16/2006
Run from C:\smartfraudfix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\uniq Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

____________________________________________________


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:21:12 AM 10/16/2006

+ Scan result:



C:\Program Files\Common Files\{1C97AB34-07D0-1033-0304-050312180001}\services.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP35\A0010052.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP35\A0010053.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP35\A0010049.exe -> Backdoor.Small.ml : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP35\A0010048.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP35\A0010051.exe -> Downloader.Harnig.cu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP35\A0010047.exe -> Downloader.Small.ctf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP35\A0010050.sys -> Proxy.Small.bo : Cleaned with backup (quarantined).
C:\WINDOWS\system32\MZU_DRV.sys -> Proxy.Small.bo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP35\A0010046.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\crhicy.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\nkifcox.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\tykjgtqq.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\uqxp.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP35\A0010044.exe -> Trojan.Sinowal.az : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP35\A0010045.exe -> Trojan.Sinowal.az : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP35\A0010390.dll -> Trojan.Sinowal.be : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83FB9603-2EFC-45A0-AC13-E5B94A32B2DA}\RP36\A0010404.dll -> Trojan.Sinowal.be : Cleaned with backup (quarantined).


::Report end
  • 0


#11
wthess

wthess

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Here's the latest HiJack log. The rapport.txt file and the AVGas file are in the previous post.

Logfile of HijackThis v1.99.1
Scan saved at 10:29:42 AM, on 10/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ADTRAN\NetVanta VPN Client\IreIKE.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\ADTRAN\NetVanta VPN Client\IPSecMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\Venta\VentaFax & Voice 5\vfdrv32.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Atomic Clock Sync\Atomic.exe
C:\windows\system32\_mzu_stonedrv7.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Linksys\LogViewer\LogViewer.exe
C:\Program Files\ADTRAN\NetVanta VPN Client\SafeCfg.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: Shell=
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {73364D99-1240-4dff-B11A-67E448373048} - C:\WINDOWS\system32\ipv6monl.dll
O2 - BHO: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3C97AB34-07D0-1033-0304-050312180001}\MyToolBar.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3C97AB34-07D0-1033-0304-050312180001}\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BCWipeTM Startup] "d:\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [_mzu_stonedrv7] c:\windows\system32\_mzu_stonedrv7.exe
O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
O4 - HKLM\..\RunServices: [_mzu_stonedrv7] c:\windows\system32\_mzu_stonedrv7.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [DynDNS Updater] "C:\Program Files\DynDNS Updater\DynDNS.exe"
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] "C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe"
O4 - HKCU\..\Run: [msratelc] C:\WINDOWS\system32\msratelc.exe
O4 - HKCU\..\Run: [mfc42enu] C:\WINDOWS\system32\mfc42enu.exe
O4 - HKCU\..\Run: [_mzu_stonedrv7] c:\windows\system32\_mzu_stonedrv7.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00004.exe"
O4 - HKCU\..\Run: [exts] C:\WINDOWS\system32\exts.exe
O4 - Startup: Catalyst Control Center.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Startup: Check for JIMCO Software POWERpack Updates.lnk = C:\Program Files\JIMCO Software POWERpack\WiseUpdt.EXE
O4 - Startup: Xfire.lnk = E:\Xfire\Xfire.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: LogViewer.lnk = C:\Program Files\Linksys\LogViewer\LogViewer.exe
O4 - Global Startup: NetVanta VPN Client.lnk = C:\Program Files\ADTRAN\NetVanta VPN Client\SafeCfg.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &3 - C:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fasta...oad/tgctlcm.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126536395265
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EF94275-9E5A-4E40-9687-C8FAFC85E1B8}: NameServer = 192.168.10.200
O20 - AppInit_DLLs: C:\WINDOWS\system32\svchi.dll
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\ADTRAN\NetVanta VPN Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\ADTRAN\NetVanta VPN Client\IreIKE.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: vb40032.exe - Unknown owner - C:\WINDOWS\system32\vb40032.exe
O23 - Service: VentaFax Engine (VfDrv32) - Unknown owner - C:\Program Files\Venta\VentaFax & Voice 5\vfdrv32.exe
  • 0
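The HijackThis log above records each autostart location as a one-line entry, and the helper's next post picks out a handful of them by hand (the AppInit_DLLs entry, the RunServices key, the nameless BHO, the odd binaries under system32). As an added example that is not part of the thread and not HijackThis's own logic, the Python below parses lines of that format into structured records and applies a few triage rules of the same kind. The sample lines are copied from the log above; the known-good allow-list and the rules themselves are assumptions made for illustration, not a complete reference.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [_mzu_stonedrv7] c:\windows\system32\_mzu_stonedrv7.exe
O4 - HKLM\..\RunServices: [_mzu_stonedrv7] c:\windows\system32\_mzu_stonedrv7.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msratelc] C:\WINDOWS\system32\msratelc.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00004.exe"
O2 - BHO: (no name) - {73364D99-1240-4dff-B11A-67E448373048} - C:\WINDOWS\system32\ipv6monl.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\svchi.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# Assumed allow-list (for this example only) of autostart binaries under
# system32 that are standard Windows components; anything else there is flagged.
KNOWN_SYSTEM32 = {"ctfmon.exe", "wgalogon.dll", "rundll32.exe"}

_EXT_RE = re.compile(r"(.*?\.(?:exe|dll|sys))(?:\s|$)", re.IGNORECASE)
_ROOT_RE = re.compile(r"^[a-z]:\\[^\\]+$")


@dataclass
class Entry:
    section: str   # HijackThis section, e.g. "O4", "O20"
    subtype: str   # e.g. "HKLM\..\RunServices", "AppInit_DLLs", "BHO"
    name: str      # value name / display name, "" if none
    path: str      # file the entry points at, "" if none
    raw: str


@dataclass
class Finding:
    entry: Entry
    reasons: list = field(default_factory=list)


def extract_path(cmd: str) -> str:
    """Pull the executable/DLL path out of a command string, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = _EXT_RE.match(cmd)
    return m.group(1) if m else (cmd.split()[0] if cmd else "")


def parse_line(line: str):
    """Split one HijackThis line into an Entry; None for non-entry lines."""
    line = line.strip()
    m = re.match(r"^([A-Z]\d+) - (.*)$", line)
    if not m:
        return None
    section, rest = m.group(1), m.group(2)
    subtype, _, remainder = rest.partition(": ")
    if section == "O4":
        if remainder.startswith("["):            # registry Run key: [name] command
            name, _, cmd = remainder[1:].partition("] ")
        elif " = " in remainder:                 # Startup folder: file.lnk = target
            name, _, cmd = remainder.partition(" = ")
        else:
            name, cmd = "", remainder
        return Entry(section, subtype, name, extract_path(cmd), line)
    # O2/O3/O20/O23 use "name - [owner or CLSID -] path"
    parts = [p.strip() for p in remainder.split(" - ")]
    name = parts[0] if len(parts) > 1 else ""
    return Entry(section, subtype, name, extract_path(parts[-1]), line)


def triage(entry: Entry) -> list:
    """Heuristic rules (assumptions for this example); returns reasons to review."""
    reasons = []
    low = entry.path.lower()
    base = low.rsplit("\\", 1)[-1]
    if entry.section == "O20" and entry.subtype == "AppInit_DLLs":
        reasons.append("AppInit_DLLs loads the DLL into every process that uses user32.dll")
    if entry.section == "O4" and entry.subtype.endswith("RunServices"):
        reasons.append("RunServices is a Windows 9x key; XP-era software has no reason to use it")
    if entry.section == "O2" and entry.name == "(no name)":
        reasons.append("BHO registered without a display name")
    if _ROOT_RE.match(low):
        reasons.append("binary placed directly in the drive root")
    if "\\system32\\" in low and base not in KNOWN_SYSTEM32:
        reasons.append("autostart binary in system32 not on the known-good list")
    return reasons


def triage_log(text: str) -> list:
    """Parse every line and keep those that trip at least one rule."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            reasons = triage(entry)
            if reasons:
                findings.append(Finding(entry, reasons))
    return findings


def flagged_basenames(text: str) -> set:
    return {f.entry.path.lower().rsplit("\\", 1)[-1] for f in triage_log(text)}


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f.entry.raw)
        for r in f.reasons:
            print("   ->", r)
```

Run against the sample, the rules surface the same system32 binaries, the AppInit_DLLs entry and the nameless BHO that the helper lists for removal. Note what they miss: the `[shell]` value pointing at an executable under Web Folders is not caught by any rule here, which is why a log like this is still read by a person rather than filtered mechanically.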

#12
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again Todd

This sort of behaviour is often caused by an antimalware scanner reversing the changes you make, so that could be something we look at. Let's try it again this way, if it doesn't work, I will use an alternative which will work.

Please disable SpywareDetector (even uninstall if you have to) and also disable AVGas and Windows Defender.

To disable AVGas Guard from running, right click on the orange/multicoloured icon with an S, in the taskbar (near the clock) and uncheck Resident Shield. The icon will change to a grey colour.

To disable Windows Defender, open Windows Defender. Click Tools, and then click General Settings. Under Protection options, clear the "Use Windows Defender to help protect my computer" check box. Then click Save.

Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following:

O2 - BHO: (no name) - {73364D99-1240-4dff-B11A-67E448373048} - C:\WINDOWS\system32\ipv6monl.dll
O2 - BHO: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3C97AB34-07D0-1033-0304-050312180001}\MyToolBar.dll (file missing)
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3C97AB34-07D0-1033-0304-050312180001}\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [_mzu_stonedrv7] c:\windows\system32\_mzu_stonedrv7.exe
O4 - HKLM\..\RunServices: [_mzu_stonedrv7] c:\windows\system32\_mzu_stonedrv7.exe
O4 - HKCU\..\Run: [msratelc] C:\WINDOWS\system32\msratelc.exe
O4 - HKCU\..\Run: [mfc42enu] C:\WINDOWS\system32\mfc42enu.exe
O4 - HKCU\..\Run: [_mzu_stonedrv7] c:\windows\system32\_mzu_stonedrv7.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00004.exe"
O4 - HKCU\..\Run: [exts] C:\WINDOWS\system32\exts.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\svchi.dll
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
Click on Fix Checked when finished and exit HijackThis.

Please install Killbox by Option^Explicit.
  • Please double-click Killbox.exe to run it.
  • Select Delete on Reboot
  • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
Can I suggest that you do 10 at a time?

C:\WINDOWS\system32\ipv6monl.dll
c:\windows\system32\_mzu_stonedrv7.exe
C:\WINDOWS\system32\msratelc.exe
C:\WINDOWS\system32\mfc42enu.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00004.exe
C:\WINDOWS\system32\exts.exe
C:\WINDOWS\system32\svchi.dll
C:\Documents and Settings\Todd\SMGO.exe
C:\Documents and Settings\Todd\MKRO.exe
C:\tvtmonn.exe
C:\Documents and Settings\Todd\7.exe
C:\WINDOWS\system32\OBTG.exe
C:\Documents and Settings\Todd\LGJK.exe
C:\Documents and Settings\Todd\NFFS.exe
C:\WINDOWS\system32\IRMC.exe
C:\Documents and Settings\Todd\UOAL.exe
C:\WINDOWS\system32\dx3j.exe
C:\WINDOWS\system32\5.exe
C:\WINDOWS\system32\service4.exe
C:\Documents and Settings\Todd\loadadv559.exe
C:\Documents and Settings\Todd\CUTJ.exe
C:\WINDOWS\system32\tnmtrfl.dll
C:\WINDOWS\xvfamwmA.exe
C:\WINDOWS\snaper.exe
C:\WINDOWS\system32\justin.exe
C:\WINDOWS\system32\ebo_1.0.3.9.exe
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Post back a fresh HijackThis log, from normal mode, and I will take another look.
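A check a helper could run on the "post back a fresh HijackThis log" step above, written here as an added example (it is not code from the thread, from HijackThis or from Killbox): it parses a fresh log and reports which of the entries marked for fixing, and which of the files sent to Killbox, are referenced again by a persistence entry. The fixed-entry and Killbox lists are taken from the post; the two log excerpts are constructed.

```python
import re

# Added example: detect "it came back after reboot" by comparing a fresh
# HijackThis log against the entries fixed and the files deleted earlier.

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# A Windows path ending in a binary extension; a double quote ends the match.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]+?\.(?:exe|dll|ocx|sys))', re.IGNORECASE)
# HijackThis sections describing something loaded at boot or logon.
PERSISTENCE = {"O2", "O3", "O4", "O20", "O23"}

def parse_hjt(text):
    """Return [(section, body), ...] for every entry line; header and process lines are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group("section"), m.group("body")))
    return out

def referenced_paths(entries):
    """Lower-cased file paths that persistence entries point at."""
    return {p.lower() for s, b in entries if s in PERSISTENCE for p in PATH_RE.findall(b)}

def reappeared(fresh_log, fixed_entries, killbox_paths):
    """Return (entries_back, paths_back): fixed entries present verbatim in the
    fresh log, and deleted files that a fresh persistence entry still references."""
    fresh = parse_hjt(fresh_log)
    fresh_lines = {f"{s} - {b}" for s, b in fresh}
    entries_back = [e for e in fixed_entries if e.strip() in fresh_lines]
    refs = referenced_paths(fresh)
    paths_back = [p for p in killbox_paths if p.lower() in refs]
    return entries_back, paths_back

# Entries the helper asked to fix and files sent to Killbox (a subset of the post above).
FIXED_ENTRIES = [
    r"O4 - HKCU\..\Run: [exts] C:\WINDOWS\system32\exts.exe",
    r"O20 - AppInit_DLLs: C:\WINDOWS\system32\svchi.dll",
    r"O4 - HKLM\..\Run: [_mzu_stonedrv7] c:\windows\system32\_mzu_stonedrv7.exe",
]
KILLBOX_PATHS = [
    r"C:\WINDOWS\system32\exts.exe",
    r"C:\WINDOWS\system32\svchi.dll",
    r"c:\windows\system32\_mzu_stonedrv7.exe",
]
# Constructed excerpts of a fresh log: one clean, one where two entries returned.
CLEAN_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""
RELAPSED_LOG = CLEAN_LOG + r"""O4 - HKCU\..\Run: [exts] C:\WINDOWS\system32\exts.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\svchi.dll
"""

if __name__ == "__main__":
    print("clean log:", reappeared(CLEAN_LOG, FIXED_ENTRIES, KILLBOX_PATHS))
    print("relapsed log:", reappeared(RELAPSED_LOG, FIXED_ENTRIES, KILLBOX_PATHS))
```

A non-empty result means the fix or deletion did not stick, which is the cue in the post to look at whatever re-creates the entry (another scanner restoring it, or a loader still running) rather than fixing the same lines again.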

#13 wthess (Member; Topic Starter; 10 posts)

Hey,

A couple of notes here. Windows Defender has not run since I got these viruses/spyware. It was destroyed by one of them. Windows Firewall will no longer work either. Also, I purchased Spyware Detector a week or so after all other spyware detectors failed to work. Here are the ones I've tried: Spybot, Ad-Aware, several on-line scans, HiJack, and several others whose names I can't remember. I've tried so many. I had manually removed all the spyware and trojans from my system, and they kept coming back, so that's why I bought Spyware Detector. It cleans everything up, but every time I reboot, it keeps coming back.

Anyway, here is the HijackThis log. I checked the root directory and there are some more new files there. The HijackThis log looks a little better, but I have cleaned this stuff up in the past, and after a reboot or two it didn't look like it was going to come back; then all of a sudden, it all came back.

Logfile of HijackThis v1.99.1
Scan saved at 11:12:45 AM, on 10/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ADTRAN\NetVanta VPN Client\IreIKE.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\ADTRAN\NetVanta VPN Client\IPSecMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Venta\VentaFax & Voice 5\vfdrv32.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Atomic Clock Sync\Atomic.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Linksys\LogViewer\LogViewer.exe
C:\Program Files\ADTRAN\NetVanta VPN Client\SafeCfg.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
c:\hijackthis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: Shell=
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BCWipeTM Startup] "d:\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [DynDNS Updater] "C:\Program Files\DynDNS Updater\DynDNS.exe"
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] "C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe"
O4 - Startup: Catalyst Control Center.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Startup: Check for JIMCO Software POWERpack Updates.lnk = C:\Program Files\JIMCO Software POWERpack\WiseUpdt.EXE
O4 - Startup: Xfire.lnk = E:\Xfire\Xfire.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: LogViewer.lnk = C:\Program Files\Linksys\LogViewer\LogViewer.exe
O4 - Global Startup: NetVanta VPN Client.lnk = C:\Program Files\ADTRAN\NetVanta VPN Client\SafeCfg.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &3 - C:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fasta...oad/tgctlcm.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126536395265
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EF94275-9E5A-4E40-9687-C8FAFC85E1B8}: NameServer = 192.168.10.200
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\ADTRAN\NetVanta VPN Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\ADTRAN\NetVanta VPN Client\IreIKE.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: vb40032.exe - Unknown owner - C:\WINDOWS\system32\vb40032.exe
O23 - Service: VentaFax Engine (VfDrv32) - Unknown owner - C:\Program Files\Venta\VentaFax & Voice 5\vfdrv32.exe

#14 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel; Retired Staff; 15,131 posts)

Looks good to me. Please post a fresh log 24 hours after the one I just checked over.

#15 wthess (Member; Topic Starter; 10 posts)

Hi,

Sorry it's taken me so long to respond. I've been extraordinarily busy.

There are still some files in the root directory that came back after the last reboot. I will delete them and reboot again to see if they come back.

Additionally, Windows Firewall will not activate. I have a registry fix for it somewhere I'll have to locate. Additionally, I'll have to reinstall Windows Defender as it is completely destroyed and I'll also be reinstalling Spyware Detector, which I paid for before contacting you.

I'll post a HijackThis log ASAP.

Thanks for your help and patience so far.