Trojan Win32 Pakes cdw [RESOLVED]

#1 Curtis Mayfield (Member, 33 posts)

Hello, I have Embarq online security (F-secure) and it keeps detecting the "Trojan Win32 Pakes cdw" virus but it won't remove it. I've tried removing the file manually but I am not able to. The virus is being found in the file - c:\windows\system32\dmdlsgs.dll
I've tried everything; verbal threats, waving a sharp knife at it, giving it the finger, even bribery, but nothing works. Any help would be great!!
Here's my HJ log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:49:10 PM, on 2/19/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\FSGK32.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\DRIVERS\WtSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Virtual Assistant\bin\mpbtn.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fssm32.exe
C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
C:\Program Files\EMBARQ Online Security\Common\FSMB32.EXE
C:\Program Files\EMBARQ Online Security\Common\FCH32.EXE
C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE
C:\Program Files\EMBARQ Online Security\Common\FAMEH32.EXE
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsqh.exe
C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
C:\Program Files\EMBARQ Online Security\FSGUI\fsguidll.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsav32.exe
C:\Program Files\EMBARQ Online Security\FSAUA\program\fsus.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myembarq.com/index.php
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {F1E509D8-E961-47FE-B046-A19E672FE939} - C:\WINDOWS\System32\dmdlgsg.dll
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\EMBARQ Online Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Virtual Assistant.lnk = C:\Program Files\Virtual Assistant\bin\matcli.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\EMBARQ Online Security\Anti-Spyware\blockpopups.htm
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\Anti-Spyware\ieshield.dll (file missing)
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\Anti-Spyware\ieshield.dll (file missing)
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O23 - Service: EMBARQ Online Security (BackWeb Plug-in - 7211241) - Unknown owner - C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\DRIVERS\WtSrv.exe

--
End of file - 4860 bytes
#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)

Hello Curtis Mayfield

Welcome to G2Go. :)
=====================
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

#3 Curtis Mayfield (Topic Starter, Member, 33 posts)

1st, the Combofix log:

ComboFix 08-02-20.2 - brent 2008-02-20 1:05:12.9 - NTFSx86

Running from: C:\Documents and Settings\brent\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - explorer.exe: deleted 480 bytes in 2 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\Microsoft Security Adviser
C:\svchost.exe
C:\svchost2.exe

----- BITS: Possible infected sites -----

hxxp://supertds.com
hxxp://wc
.
((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.

2008-02-17 22:46 . 2008-02-17 22:47 <DIR> d-------- C:\Program Files\PokerStars
2008-02-10 05:53 . 2008-02-10 05:53 16,015 --a------ C:\WINDOWS\qda.0xe
2008-02-07 10:18 . 2008-02-07 10:18 <DIR> d-------- C:\Documents and Settings\B\Application Data\AdobeUM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 01:27 --------- d-----w C:\Program Files\EMBARQ Online Security
2008-02-18 03:40 --------- d-----w C:\Program Files\PokerStars.NET
2008-02-18 01:39 --------- d-----w C:\Program Files\Full Tilt Poker
2008-02-12 21:28 --------- d-----w C:\Program Files\Real
2008-02-02 23:02 --------- d-----w C:\Documents and Settings\B\Application Data\gtk-2.0
2008-01-11 11:43 --------- d-----w C:\Program Files\Unlocker
2007-12-31 22:09 --------- d-----w C:\Program Files\mIRC
2007-12-31 12:14 51,040 ----a-w C:\WINDOWS\system32\drivers\fsdfw.sys
2007-12-31 12:14 30,016 ----a-w C:\WINDOWS\system32\drivers\fsndis5.sys
2007-12-31 11:52 --------- d-----w C:\Documents and Settings\brent\Application Data\F-Secure
2007-12-31 11:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\F-Secure
2007-12-31 11:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\fssg
2007-12-31 01:57 --------- d-----w C:\Program Files\XoftSpySE
2007-12-30 02:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-30 02:45 --------- d-----w C:\Documents and Settings\Administrator.HOME-H9I3MI4FZ6\Application Data\Grisoft
2007-12-20 06:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-20 04:22 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2007-12-20 00:25 --------- d-----w C:\Program Files\Lavasoft
2007-12-19 12:14 16,896 ----a-w C:\WINDOWS\system32\du4pw24a8.exe
2007-02-11 10:24 26,344,024 ----a-w C:\Program Files\VSP_1_0_231_1_trial30OEM_Release.exe
2005-03-17 12:38 9,258 ----a-w C:\WINDOWS\Fonts\cenobyte.zip
2005-03-10 11:33 56,520 ----a-w C:\WINDOWS\Fonts\Horrorfind_Fonts.zip
2005-01-10 08:48 1,025,312 ----a-w C:\Program Files\AOEPATCH.exe
2004-10-13 17:17 40,662 ----a-w C:\Program Files\readermain.htm
2007-03-25 00:00 10,240 --sha-w C:\WINDOWS\rnapxs\rnapxs.dat
2006-05-22 18:16 11,592 --sh--w C:\WINDOWS\system32\ospcont.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1E509D8-E961-47FE-B046-A19E672FE939}]
2002-09-03 11:31 83968 --a------ C:\WINDOWS\System32\dmdlgsg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Motive SmartBridge"="C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe" [2006-04-21 15:41 438359]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2007-06-17 04:27 684032]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2002-09-03 11:44 145408]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-06 19:05 200704]
"F-Secure Manager"="C:\Program Files\EMBARQ Online Security\Common\FSM32.exe" [2007-04-26 06:43 176177]
"F-Secure TNB"="C:\Program Files\EMBARQ Online Security\FSGUI\TNBUtil.exe" [2007-04-26 06:41 733184]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 12:19 15872]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-17 02:31 282624]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Virtual Assistant.lnk - C:\Program Files\Virtual Assistant\bin\matcli.exe [2007-03-24 18:10:05 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="LogonUI.EXE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Update_0711_KB060653.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Update_0711_KB060653.exe
backup=C:\WINDOWS\pss\Update_0711_KB060653.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2004-06-15 10:36 61440 C:\Program Files\instant messenger\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aztgarlwpj]
c:\documents and settings\sheila\local settings\application data\aztgarlwpj.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
--a------ 2003-12-08 14:51 733184 C:\Program Files\EarthLink TotalAccess\TaskPanl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-05-13 23:20 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-01-17 02:31 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSLLR"=2 (0x2)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Windows System 32"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"MsaSvc"=2 (0x2)
"wlmsngr"=2 (0x2)
"SERVICE32"=2 (0x2)
"kq92"=2 (0x2)
"ipv7"=2 (0x2)
"sysmgr64"=2 (0x2)
"McSysmon"=2 (0x2)
"McShield"=2 (0x2)
"McRedirector"=2 (0x2)
"McAfee HackerWatch Service"=2 (0x2)
"Emproxy"=3 (0x3)
"Navastc"=2 (0x2)
"Client IP-IPX"=2 (0x2)
"wuauservuploadmgr"=2 (0x2)


.
Contents of the 'Scheduled Tasks' folder
"2008-01-18 13:59:31 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\PROGRA~1\EMBARQ~1\ANTI-V~1\fsav.exeZ /HARD /ARCHIVE /DISINF /SCHED /NOBREAK /REPORT=C:\PROGRA~1\EMBARQ~1\ANTI-V~1\report.txt
"2005-01-16 00:01:25 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
"2008-02-19 22:00:06 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-02-01 08:07:20 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 01:12:24
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-20 1:21:22
ComboFix-quarantined-files.txt 2008-02-20 06:21:13
ComboFix2.txt 2007-11-09 18:37:53

2nd, the HJThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:29:07 AM, on 2/20/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\FSGK32.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\DRIVERS\WtSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Virtual Assistant\bin\mpbtn.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fssm32.exe
C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
C:\Program Files\EMBARQ Online Security\Common\FSLAUNCH.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myembarq.com/index.php
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {F1E509D8-E961-47FE-B046-A19E672FE939} - C:\WINDOWS\System32\dmdlgsg.dll
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\EMBARQ Online Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Virtual Assistant.lnk = C:\Program Files\Virtual Assistant\bin\matcli.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\EMBARQ Online Security\Anti-Spyware\blockpopups.htm
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\Anti-Spyware\ieshield.dll (file missing)
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\Anti-Spyware\ieshield.dll (file missing)
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O23 - Service: EMBARQ Online Security (BackWeb Plug-in - 7211241) - Unknown owner - C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\DRIVERS\WtSrv.exe

--
End of file - 4341 bytes

#4 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)

1. Please open Notepad
  • Click Start, then Run
  • Type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\System32\dmdlgsg.dll
C:\WINDOWS\qda.0xe
C:\WINDOWS\system32\du4pw24a8.exe
c:\documents and settings\sheila\local settings\application data\aztgarlwpj.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1E509D8-E961-47FE-B046-A19E672FE939}]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aztgarlwpj]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Edited by kahdah, 20 February 2008 - 07:13 AM.

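As an added example (not a tool from this thread, and not ComboFix's or HijackThis's own code): a small Python triage script for the three kinds of log lines this thread turns on, the unnamed O2 BHO, the SecurityProviders value carrying an extra DLL, and ComboFix's "failed to delete" line, which then renders the fixable findings in the CFScript layout used in post #4. The sample lines are copied from the logs above; the suspicion heuristics and the function names are this example's own assumptions.

```python
"""Triage the HijackThis / ComboFix lines quoted in this thread.

Added example, not a tool from the thread. The sample lines are copied from the
logs above; the heuristics and function names are this example's own.
"""
import re

# XP default value, in the order the CFScript in post #4 restores it.
DEFAULT_SECURITY_PROVIDERS = ("msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll")

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")

# Constructed from the thread's logs: a legitimate BHO, the unnamed BHO, the
# SecurityProviders value with an extra DLL, and ComboFix's failed-delete line.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {F1E509D8-E961-47FE-B046-A19E672FE939} - C:\WINDOWS\System32\dmdlgsg.dll
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
C:\WINDOWS\System32\dmdlgsg.dll . . . . failed to delete
"""


def parse_bho(line):
    """Return {'name', 'clsid', 'path'} for an O2 line, else None."""
    m = BHO_RE.match(line.strip())
    if not m:
        return None
    return {"name": m.group("name").strip(),
            "clsid": m.group("clsid").upper(),
            "path": m.group("path").strip()}


def bho_is_suspicious(bho):
    """Heuristic (an assumption, not a verdict): legitimate BHOs usually carry a
    name and install under Program Files. An unnamed BHO, or one whose DLL sits
    in System32, matches the dmdlgsg.dll entry in this thread and deserves review."""
    in_system32 = "\\system32\\" in bho["path"].lower()
    return bho["name"].lower() == "(no name)" or in_system32


def parse_security_providers(line):
    """Accept ComboFix's 'SecurityProviders a.dll, b.dll' form and the REGEDIT4
    '"SecurityProviders"="a.dll, b.dll"' form; return the DLL list or None."""
    s = line.strip()
    if s.startswith('"SecurityProviders"='):
        value = s.split("=", 1)[1].strip().strip('"')
    elif s.startswith("SecurityProviders "):
        value = s[len("SecurityProviders "):]
    else:
        return None
    return [d.strip().lower() for d in value.split(",") if d.strip()]


def extra_security_providers(dlls):
    """DLLs outside the XP default set. Every DLL listed here is loaded into
    lsass.exe as a security package at boot, so an extra entry is a persistence point."""
    return [d for d in dlls if d not in DEFAULT_SECURITY_PROVIDERS]


def parse_failed_delete(line):
    """Path from a ComboFix 'X . . . . failed to delete' line, else None."""
    s = line.strip()
    if not s.endswith("failed to delete"):
        return None
    return s[: -len("failed to delete")].rstrip(" .")


def triage(log_text):
    """Scan log text; return (kind, value, detail) findings in log order."""
    findings = []
    for line in log_text.splitlines():
        bho = parse_bho(line)
        if bho is not None:
            if bho_is_suspicious(bho):
                findings.append(("bho", bho["clsid"], bho["path"]))
            continue
        dlls = parse_security_providers(line)
        if dlls is not None:
            for extra in extra_security_providers(dlls):
                findings.append(("securityproviders", extra, line.strip()))
            continue
        path = parse_failed_delete(line)
        if path:
            # ComboFix could not remove it with Windows running; in the thread the
            # next step was handling it offline (Recovery Console), not another script.
            findings.append(("failed_delete", path, line.strip()))
    return findings


def cfscript_for(findings):
    """Render the fixable findings in the CFScript layout of post #4: File::
    entries, then Registry:: key deletions ([-key]) and the restored default value."""
    files, registry = [], []
    for kind, value, detail in findings:
        if kind == "bho":
            files.append(detail)
            registry.append("[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{%s}]" % value)
        elif kind == "securityproviders":
            key = "[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\securityproviders]"
            if key not in registry:
                registry.append(key)
                registry.append('"SecurityProviders"="%s"' % ", ".join(DEFAULT_SECURITY_PROVIDERS))
    return "\n".join(["File::"] + files + ["Registry::"] + registry) + "\n"


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
    print(cfscript_for(triage(SAMPLE_LOG)))
```

Run it against a pasted HijackThis or ComboFix log to get the three finding kinds; "failed_delete" findings are reported but deliberately left out of the generated script, since the thread's own next step for that file was offline handling.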
#5 Curtis Mayfield (Topic Starter, Member, 33 posts)

ComboFix 08-02-20.2 - brent 2008-02-20 14:48:12.10 - NTFSx86

Running from: C:\Documents and Settings\brent\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\brent\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\documents and settings\sheila\local settings\application data\aztgarlwpj.exe
C:\WINDOWS\qda.0xe
C:\WINDOWS\System32\dmdlgsg.dll
C:\WINDOWS\system32\du4pw24a8.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\qda.0xe
C:\WINDOWS\System32\dmdlgsg.dll . . . . failed to delete
C:\WINDOWS\system32\du4pw24a8.exe
C:\WINDOWS\System32\dmdlgsg.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.

2008-02-17 22:46 . 2008-02-17 22:47 <DIR> d-------- C:\Program Files\PokerStars
2008-02-07 10:18 . 2008-02-07 10:18 <DIR> d-------- C:\Documents and Settings\B\Application Data\AdobeUM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 01:27 --------- d-----w C:\Program Files\EMBARQ Online Security
2008-02-18 03:40 --------- d-----w C:\Program Files\PokerStars.NET
2008-02-18 01:39 --------- d-----w C:\Program Files\Full Tilt Poker
2008-02-12 21:28 --------- d-----w C:\Program Files\Real
2008-02-02 23:02 --------- d-----w C:\Documents and Settings\B\Application Data\gtk-2.0
2008-01-11 11:43 --------- d-----w C:\Program Files\Unlocker
2007-12-31 22:09 --------- d-----w C:\Program Files\mIRC
2007-12-31 12:14 51,040 ----a-w C:\WINDOWS\system32\drivers\fsdfw.sys
2007-12-31 12:14 30,016 ----a-w C:\WINDOWS\system32\drivers\fsndis5.sys
2007-12-31 11:52 --------- d-----w C:\Documents and Settings\brent\Application Data\F-Secure
2007-12-31 11:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\F-Secure
2007-12-31 11:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\fssg
2007-12-31 01:57 --------- d-----w C:\Program Files\XoftSpySE
2007-12-30 02:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-30 02:45 --------- d-----w C:\Documents and Settings\Administrator.HOME-H9I3MI4FZ6\Application Data\Grisoft
2007-12-20 06:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-20 04:22 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2007-12-20 00:25 --------- d-----w C:\Program Files\Lavasoft
2007-02-11 10:24 26,344,024 ----a-w C:\Program Files\VSP_1_0_231_1_trial30OEM_Release.exe
2005-03-17 12:38 9,258 ----a-w C:\WINDOWS\Fonts\cenobyte.zip
2005-03-10 11:33 56,520 ----a-w C:\WINDOWS\Fonts\Horrorfind_Fonts.zip
2005-01-10 08:48 1,025,312 ----a-w C:\Program Files\AOEPATCH.exe
2004-10-13 17:17 40,662 ----a-w C:\Program Files\readermain.htm
2007-03-25 00:00 10,240 --sha-w C:\WINDOWS\rnapxs\rnapxs.dat
2006-05-22 18:16 11,592 --sh--w C:\WINDOWS\system32\ospcont.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1E509D8-E961-47FE-B046-A19E672FE939}]
2002-09-03 11:31 83968 --a------ C:\WINDOWS\System32\dmdlgsg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Motive SmartBridge"="C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe" [2006-04-21 15:41 438359]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2007-06-17 04:27 684032]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2002-09-03 11:44 145408]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-06 19:05 200704]
"F-Secure Manager"="C:\Program Files\EMBARQ Online Security\Common\FSM32.exe" [2007-04-26 06:43 176177]
"F-Secure TNB"="C:\Program Files\EMBARQ Online Security\FSGUI\TNBUtil.exe" [2007-04-26 06:41 733184]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 12:19 15872]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-17 02:31 282624]
"combofix"="C:\WINDOWS\system32\kmd.exe" [2002-09-03 11:29 375808]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Virtual Assistant.lnk - C:\Program Files\Virtual Assistant\bin\matcli.exe [2007-03-24 18:10:05 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="LogonUI.EXE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Update_0711_KB060653.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Update_0711_KB060653.exe
backup=C:\WINDOWS\pss\Update_0711_KB060653.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2004-06-15 10:36 61440 C:\Program Files\instant messenger\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aztgarlwpj]
c:\documents and settings\sheila\local settings\application data\aztgarlwpj.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
--a------ 2003-12-08 14:51 733184 C:\Program Files\EarthLink TotalAccess\TaskPanl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-05-13 23:20 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-01-17 02:31 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSLLR"=2 (0x2)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Windows System 32"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"MsaSvc"=2 (0x2)
"wlmsngr"=2 (0x2)
"SERVICE32"=2 (0x2)
"kq92"=2 (0x2)
"ipv7"=2 (0x2)
"sysmgr64"=2 (0x2)
"McSysmon"=2 (0x2)
"McShield"=2 (0x2)
"McRedirector"=2 (0x2)
"McAfee HackerWatch Service"=2 (0x2)
"Emproxy"=3 (0x3)
"Navastc"=2 (0x2)
"Client IP-IPX"=2 (0x2)
"wuauservuploadmgr"=2 (0x2)


.
Contents of the 'Scheduled Tasks' folder
"2008-01-18 13:59:31 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\PROGRA~1\EMBARQ~1\ANTI-V~1\fsav.exeZ /HARD /ARCHIVE /DISINF /SCHED /NOBREAK /REPORT=C:\PROGRA~1\EMBARQ~1\ANTI-V~1\report.txt
"2005-01-16 00:01:25 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
"2008-02-20 20:10:45 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-02-01 08:07:20 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 15:12:22
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\FSGK32.EXE
C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
C:\Program Files\EMBARQ Online Security\Common\FSMB32.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\EMBARQ Online Security\Common\FCH32.EXE
C:\WINDOWS\System32\DRIVERS\WtSrv.exe
C:\Program Files\EMBARQ Online Security\Common\FAMEH32.EXE
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsqh.exe
C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
C:\Program Files\EMBARQ Online Security\FSAUA\program\fsus.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fssm32.exe
C:\Program Files\Virtual Assistant\bin\mpbtn.exe
C:\Program Files\EMBARQ Online Security\FSGUI\fsguidll.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsav32.exe
.
**************************************************************************
.
Completion time: 2008-02-20 15:37:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-20 20:37:31
ComboFix2.txt 2008-02-20 06:21:24
ComboFix3.txt 2007-11-09 18:37:53

Here's the HJThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:38:10 PM, on 2/20/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\FSGK32.EXE
C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\EMBARQ Online Security\Common\FSMB32.EXE
C:\WINDOWS\System32\DRIVERS\WtSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\EMBARQ Online Security\Common\FCH32.EXE
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsqh.exe
C:\Program Files\EMBARQ Online Security\Common\FAMEH32.EXE
C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
C:\Program Files\EMBARQ Online Security\FSAUA\program\fsus.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fssm32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Virtual Assistant\bin\mpbtn.exe
C:\Program Files\EMBARQ Online Security\FSGUI\fsguidll.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsav32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myembarq.com/index.php
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {F1E509D8-E961-47FE-B046-A19E672FE939} - C:\WINDOWS\System32\dmdlgsg.dll
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\EMBARQ Online Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Virtual Assistant.lnk = C:\Program Files\Virtual Assistant\bin\matcli.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\EMBARQ Online Security\Anti-Spyware\blockpopups.htm
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\Anti-Spyware\ieshield.dll (file missing)
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\Anti-Spyware\ieshield.dll (file missing)
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O23 - Service: EMBARQ Online Security (BackWeb Plug-in - 7211241) - Unknown owner - C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\DRIVERS\WtSrv.exe

--
End of file - 4860 bytes
  • 0

#6
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
I will need you to show hidden files\folders so we can upload this file.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK
==============================================================
Please go to UploadMalware to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for this filename: C:\WINDOWS\System32\dmdlgsg.dll
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File

Please let me know when you have done this so we can continue.
======================

Also please do the following:
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.




Download the file & save it as it's originally named, next to ComboFix.exe.





Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
  • 0

#7
Curtis Mayfield

Curtis Mayfield

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
I sent the file in for analysis. Now I will attempt the next step, dragging the requested file into the combofix.
  • 0

#8
Curtis Mayfield

Curtis Mayfield

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
Here's the log file -

winxpsp1_en_hom_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
  • 0

#9
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\System32\dmdlgsg.dll
c:\documents and settings\sheila\local settings\application data\aztgarlwpj.exe

Folders to delete:
C:\WINDOWS\Fonts\cenobyte.zip
C:\WINDOWS\Fonts\Horrorfind_Fonts.zip

Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F1E509D8-E961-47FE-B046-A19E672FE939}


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
  • 0

#10
Curtis Mayfield

Curtis Mayfield

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\cscqvfht

*******************

Script file located at: \??\C:\WINDOWS\jxjyuqe^.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Could not open file C:\WINDOWS\System32\dmdlgsg.dll for deletion
Deletion of file C:\WINDOWS\System32\dmdlgsg.dll failed!

Could not process line:
C:\WINDOWS\System32\dmdlgsg.dll
Status: 0xc0000022

File c:\documents and settings\sheila\local settings\application data\aztgarlwpj.exe deleted successfully.


Error: C:\WINDOWS\Fonts\cenobyte.zip is not a folder! It may instead be a file.
Deletion of folder C:\WINDOWS\Fonts\cenobyte.zip failed!

Could not process line:
C:\WINDOWS\Fonts\cenobyte.zip
Status: 0xc0000103



Error: C:\WINDOWS\Fonts\Horrorfind_Fonts.zip is not a folder! It may instead be a file.
Deletion of folder C:\WINDOWS\Fonts\Horrorfind_Fonts.zip failed!

Could not process line:
C:\WINDOWS\Fonts\Horrorfind_Fonts.zip
Status: 0xc0000103



Could not open registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F1E509D8-E961-47FE-B046-A19E672FE939} for deletion
Deletion of registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F1E509D8-E961-47FE-B046-A19E672FE939} failed!
Status: 0xc0000022


Completed script processing.

*******************

Finished! Terminate.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:53:04 PM, on 2/21/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\FSGK32.EXE
C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
C:\Program Files\EMBARQ Online Security\Common\FSMB32.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\EMBARQ Online Security\Common\FCH32.EXE
C:\WINDOWS\System32\DRIVERS\WtSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\EMBARQ Online Security\Common\FAMEH32.EXE
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsqh.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\EMBARQ Online Security\FSGUI\fsguidll.exe
C:\Program Files\Virtual Assistant\bin\mpbtn.exe
C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fssm32.exe
C:\Program Files\EMBARQ Online Security\FSAUA\program\fsus.exe
C:\Program Files\EMBARQ Online Security\FSAUA\program\ih8.exe
C:\Program Files\EMBARQ Online Security\FSAUA\program\ih8run.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\EMBARQ Online Security\FSAUA\content\70Hotfix_PSC7MF3\5\bin\ih8run.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsav32.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\EMBARQ Online Security\FSAUA\content\70Hotfix_PSC7MF3\5\fshfcntl.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myembarq.com/index.php
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {F1E509D8-E961-47FE-B046-A19E672FE939} - C:\WINDOWS\System32\dmdlgsg.dll
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\EMBARQ Online Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Virtual Assistant.lnk = C:\Program Files\Virtual Assistant\bin\matcli.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\EMBARQ Online Security\Anti-Spyware\blockpopups.htm
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\Anti-Spyware\ieshield.dll (file missing)
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\Anti-Spyware\ieshield.dll (file missing)
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O23 - Service: EMBARQ Online Security (BackWeb Plug-in - 7211241) - Unknown owner - C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\DRIVERS\WtSrv.exe

--
End of file - 5199 bytes



I believe this virus is a serious pain in the butt. Just so you know, my computer is not in the best of shape anyway. I can't defrag or run disc cleaner, haven't been able to for years, but we'll save that problem for later.
  • 0
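A way to read the Avenger log above mechanically rather than by eye, as an added example (not from this thread and not part of The Avenger): it pairs each failed deletion with its NTSTATUS code, which is what tells you the DLL and the BHO key were access-denied (held open or protected, so a normal delete cannot touch them) while the two .zip entries simply sat under "Folders to delete" although they are files. The symbolic names for the status codes are assumed from the Windows ntstatus.h header, and the log excerpt is constructed from the one posted.

```python
"""Parse the C:\\avenger.txt log that The Avenger writes and explain each
failed action. Added example: not from this thread nor part of The Avenger.
The excerpt is constructed from the log posted above; NTSTATUS names are
assumed from the Windows ntstatus.h header."""
import re

NTSTATUS_NAMES = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000103: "STATUS_NOT_A_DIRECTORY",
}

# What each code means for the next cleanup step (this is how the thread
# proceeds: the locked DLL needed IceSword, the .zip lines were mis-sectioned).
ADVICE = {
    0xC0000022: "object is held open or protected; a normal delete cannot remove it",
    0xC0000103: "listed under 'Folders to delete' but it is a file",
}

SUCCESS_RE = re.compile(r"^(File|Folder|Registry key) (.+) deleted successfully\.$")
FAILED_RE = re.compile(r"^Deletion of (file|folder|registry key) (.+) failed!$")
STATUS_RE = re.compile(r"^Status: (0x[0-9A-Fa-f]{8})$")

# Constructed excerpt in the same layout as the log posted in this thread.
SAMPLE_LOG = r"""
Beginning to process script file:

Deletion of file C:\WINDOWS\System32\dmdlgsg.dll failed!

Could not process line:
C:\WINDOWS\System32\dmdlgsg.dll
Status: 0xc0000022

File c:\documents and settings\sheila\local settings\application data\aztgarlwpj.exe deleted successfully.

Deletion of folder C:\WINDOWS\Fonts\cenobyte.zip failed!
Status: 0xc0000103

Deletion of registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F1E509D8-E961-47FE-B046-A19E672FE939} failed!
Status: 0xc0000022

Completed script processing.
"""


def parse_avenger_log(text):
    """One dict per script action, in log order, with its NTSTATUS if it failed."""
    results, pending = [], None  # pending: failure awaiting its Status: line
    for line in text.splitlines():
        line = line.strip()
        if m := SUCCESS_RE.match(line):
            results.append({"kind": m.group(1).lower(), "path": m.group(2), "ok": True, "status": None})
        elif m := FAILED_RE.match(line):
            pending = {"kind": m.group(1), "path": m.group(2), "ok": False, "status": None}
            results.append(pending)
        elif (m := STATUS_RE.match(line)) and pending is not None:
            pending["status"] = int(m.group(1), 16)  # accepts the 0x prefix
            pending = None
    return results


def status_name(code):
    """Symbolic NTSTATUS name; hex value if unknown; text if none was logged."""
    return "none logged" if code is None else NTSTATUS_NAMES.get(code, f"0x{code:08X}")


def failures(text):
    """(path, status name, advice) for every action that did not succeed."""
    return [(r["path"], status_name(r["status"]), ADVICE.get(r["status"], "inspect by hand"))
            for r in parse_avenger_log(text) if not r["ok"]]


if __name__ == "__main__":
    for r in parse_avenger_log(SAMPLE_LOG):
        verdict = "OK    " if r["ok"] else "FAILED"
        print(f"{verdict} {r['kind']:<12} {r['path']}  {status_name(r['status'])}")
```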



#11
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts

I believe this virus is a serious pain in the butt. Just so you know, my computer is not in the best of shape anyway. I can't defrag or run disc cleaner, haven't been able to for years, but we'll save that problem for later.

That's alright, it won't be around for much longer.
And we will take care of the other issue when you are clean.
=======================================
Download IceSword to your Desktop:
http://www.majorgeek...word_d5199.html

1) Double-click on the downloaded file, then extract (move) the IceSword122_en folder to your Desktop.

2) Double-click on the folder, then on IceSword.exe to launch the tool.

3) Make the tool appear in full screen by clicking the little square (top right corner).

4) Click on the "File" button (lower left) ;

>> In order to have a better view of the left side section, you will need to widen it by clicking on the line dividing both sections and then dragging it towards the right a bit.

- From the left side section, navigate to this file :

C:\WINDOWS\System32\dmdlgsg.dll

- Right-click on it and choose Delete


5) Next, click on the Registry button (immediately below "Functions") ;

- From the left side section, navigate to this key :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F1E509D8-E961-47FE-B046-A19E672FE939}

- Still from the left side section, right-click on the little folder named {F1E509D8-E961-47FE-B046-A19E672FE939} and choose Delete

6) Close IceSword by clicking the X in the top right corner. Click Yes at the prompt.

=================================================================
Go ahead and reboot and post a new Hijackthis log please.
  • 0

#12
Curtis Mayfield

Curtis Mayfield

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
:) That IceSword doesn't play around. I wonder if it'll get rid of fleas, or door-to-door salesmen. Looks like it got it, according to the HJT log -


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:05:04 AM, on 2/22/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
C:\Program Files\EMBARQ Online Security\Anti-Virus\FSGK32.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\EMBARQ Online Security\Common\FSMB32.EXE
C:\Program Files\EMBARQ Online Security\Common\FCH32.EXE
C:\WINDOWS\System32\DRIVERS\WtSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsqh.exe
C:\Program Files\EMBARQ Online Security\Common\FAMEH32.EXE
C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\EMBARQ Online Security\FSGUI\fsguidll.exe
C:\Program Files\Virtual Assistant\bin\mpbtn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
C:\Program Files\EMBARQ Online Security\FSAUA\program\fsus.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fssm32.exe
C:\Program Files\EMBARQ Online Security\FSAUA\program\ih8.exe
C:\Program Files\EMBARQ Online Security\FSAUA\program\ih8run.exe
C:\Program Files\EMBARQ Online Security\FSAUA\content\70Hotfix_PSC7MF3\5\bin\ih8run.exe
C:\Program Files\EMBARQ Online Security\FSAUA\content\70Hotfix_PSC7MF3\5\fshfcntl.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myembarq.com/index.php
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\EMBARQ Online Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Virtual Assistant.lnk = C:\Program Files\Virtual Assistant\bin\matcli.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\EMBARQ Online Security\Anti-Spyware\blockpopups.htm
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\Anti-Spyware\ieshield.dll (file missing)
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\Anti-Spyware\ieshield.dll (file missing)
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O23 - Service: EMBARQ Online Security (BackWeb Plug-in - 7211241) - Unknown owner - C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\DRIVERS\WtSrv.exe

--
End of file - 4990 bytes
  • 0
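Confirming the change between the two HijackThis logs by diffing them instead of reading them by eye, as an added example that is not part of this thread or of HijackThis; the two excerpts are constructed from the O2/O9 lines of the logs posted above, and the "flag" heuristic simply encodes what the helper looked for (an unnamed BHO, and entries whose file is missing).

```python
"""Diff two HijackThis logs and flag O2 entries that deserve a second look.
Added example: not from this thread or from HijackThis. The two excerpts are
constructed from the O2/O9 lines of the logs posted above."""
import re

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Excerpt of the log posted before the IceSword step (constructed).
BEFORE = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {F1E509D8-E961-47FE-B046-A19E672FE939} - C:\WINDOWS\System32\dmdlgsg.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\Anti-Spyware\ieshield.dll (file missing)
"""
# Excerpt of the log posted after it (constructed).
AFTER = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\Anti-Spyware\ieshield.dll (file missing)
"""


def parse_hjt(text):
    """Map each HJT section code (e.g. 'O2') to the set of entries under it."""
    entries = {}
    for line in text.splitlines():
        if m := ENTRY_RE.match(line.strip()):
            entries.setdefault(m.group(1), set()).add(m.group(2))
    return entries


def diff_hjt(before_text, after_text):
    """Return (removed, added): sorted lists of (section, entry)."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    removed, added = [], []
    for section in sorted(set(before) | set(after)):
        b, a = before.get(section, set()), after.get(section, set())
        removed += [(section, e) for e in sorted(b - a)]
        added += [(section, e) for e in sorted(a - b)]
    return removed, added


def clsid_of(entry):
    """The {GUID} in an entry, upper-cased, or None if it has none."""
    m = CLSID_RE.search(entry)
    return m.group(0).upper() if m else None


def flag_entries(text):
    """(section, entry, reason) for lines a helper would query first: BHOs with
    no name (as dmdlgsg.dll appeared) and entries whose file no longer exists."""
    flagged = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, entry = m.group(1), m.group(2)
        if section == "O2" and "(no name)" in entry:
            flagged.append((section, entry, "unnamed BHO"))
        if entry.endswith("(file missing)"):
            flagged.append((section, entry, "file missing"))
    return flagged


if __name__ == "__main__":
    removed, added = diff_hjt(BEFORE, AFTER)
    for section, entry in removed:
        print(f"gone:  {section} {clsid_of(entry)} {entry}")
    for section, entry, reason in flag_entries(AFTER):
        print(f"check: {section} [{reason}] {entry}")
```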

#13
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Great, let's go ahead and delete IceSword please.

Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#14
Curtis Mayfield

Curtis Mayfield

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
Here's the Kasp scan. It's extremely long. My computer is used by several family members, and they hardly ever delete their temp files, even though I tell 'em to all the time. I went through the scan results, and copied only the malware that was found, to a separate document. I'm going to post that first, for your convenience, then I'll repost the entire scan results as you asked.


MY SHORT VERSION -



C:\WINDOWS\system32\colbact(3.1 Infected: Trojan.Win32.BHO.abm


C:\WINDOWS\pss\Update_0711_KB060653.exeCommon Startup Infected: Trojan-Downloader.Win32.Murlo.jb


C:\System Volume Information\_restore{2A95F795-34D6-4232-8797-2A2FE9EA7109}\RP2\A0001325.dll Infected: Trojan.Win32.Pakes.cdw


C:\System Volume Information\_restore{2A95F795-34D6-4232-8797-2A2FE9EA7109}\RP3\A0001389.exe/file14 Infected: Trojan-Clicker.Win32.Small.qo


C:\System Volume Information\_restore{2A95F795-34D6-4232-8797-2A2FE9EA7109}\RP3\A0001389.exe Inno: infected - 1



C:\QooBox\Quarantine\C\WINDOWS\qda.0xe.vir Infected: Trojan-Downloader.Win32.Agent.hmz


C:\QooBox\Quarantine\catchme2008-02-20_151048.64.zip/dmdlgsg.dll Infected: Trojan.Win32.Pakes.cdw


C:\QooBox\Quarantine\catchme2008-02-20_151048.64.zip ZIP: infected - 1


C:\New Folder\syspfpb.exe Infected: Trojan.Win32.Agent.drm


C:\Program Files\HijackThis\backups\backup-20071217-232641-969.0ll Infected: Trojan.Win32.Pakes.cdw

C:\Program Files\HijackThis\backups\backup-20071217-232728-527.0ll Infected: Trojan.Win32.Pakes.cdw

C:\Program Files\HijackThis\backups\backup-20071217-234716-710.0ll Infected: Trojan.Win32.Pakes.cdw

C:\Program Files\HijackThis\backups\backup-20071219-070405-444.0ll Infected: Trojan.Win32.Pakes.cdw

C:\Program Files\HijackThis\backups\backup-20071230-194341-780.0ll Infected: Trojan.Win32.Pakes.cdw

C:\Program Files\HijackThis\backups\backup-20071230-204424-141.0ll Infected: Trojan.Win32.Pakes.cdw

C:\Program Files\HijackThis\backups\backup-20080112-184011-282.dll Infected: Trojan.Win32.Pakes.cdw

C:\Program Files\HijackThis\backups\backup-20080113-030900-770.dll Infected: Trojan.Win32.Pakes.cdw

C:\Program Files\HijackThis\backups\backup-20080118-030803-166.dll Infected: Trojan.Win32.Pakes.cdw

C:\Program Files\HijackThis\backups\backup-20080121-042927-124.dll Infected: Trojan.Win32.Pakes.cdw

C:\Program Files\HijackThis\backups\backup-20080213-173517-783.dll Infected: Trojan.Win32.Pakes.cdw



NEXT POST WILL BE THE FULL SCAN RESULTS!!!
  • 0

#15
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
No need for the full scan results.
===================
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\Fonts\cenobyte.zip
    C:\WINDOWS\Fonts\Horrorfind_Fonts.zip
    C:\WINDOWS\system32\colbact.exe
    C:\WINDOWS\pss\Update_0711_KB060653.exe
    C:\New Folder\syspfpb.exe
    C:\Program Files\HijackThis\backups
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=====================================
Post that log and a new Hijackthis log please.

Do this for the Disk Cleanup.

Click Here and choose Save.
Save this file to your C:\Windows\System32\folder.
Then try to run Disk Cleanup.

Let me know if that works please.

I am working on the other part.

Edited by kahdah, 23 February 2008 - 03:20 PM.

  • 0





