
redirect v3.m-feed.com and http://protect.trustedantivirus.com zheltay


  • This topic is locked

#1
harpdiva_jflo

Hi there,

This is my first post to G2Go; many thanks in advance for your help. Will try to be as clear as I can.

On my system, Windows 2000 is infected with malware problems including:
1. IE6 browser redirects to Shopica.com via v3.m-feed.com and/or Jump
2. Google toolbar links to removed link
Please advise, thanks!

Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:40:05 PM, on 3/1/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\antiviirus.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Plaxo\3.8.0.64\PlaxoHelper_en.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\EnterNet.exe
C:\DOCUME~1\Jill\LOCALS~1\Temp\jiCQlLUb.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {421A6EDC-866D-F0CB-1267-8E8DBA23869B} - C:\WINNT\system32\vfphyjf.dll (file missing)
O2 - BHO: (no name) - {4611BDC0-0323-75DF-0266-5E00BDCFD89F} - C:\WINNT\system32\tsww.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {9D17928D-A62A-4029-83A7-78B265B8684E} - C:\WINNT\system32\ssqrs.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {C9ECD921-6D99-1A33-B928-3A76156851C3} - C:\WINNT\system32\dmlukqb.dll (file missing)
O2 - BHO: RDL Rolex - {F2D6DA3F-061A-42FB-83E8-80FBDE005898} - C:\WINNT\dgtxrdfnfq.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ekvgsnw - {27E82F45-2A53-4909-8462-206A43EC5359} - C:\DOCUME~1\Jill\LOCALS~1\Temp\ac8zt2\ekvgsnw.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\3.8.0.64\PlaxoHelper_en.exe -a
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O21 - SSODL: CheckComponent - {18278380-7a60-4561-9df9-1d41be8227e5} - C:\WINNT\Installer\{18278380-7a60-4561-9df9-1d41be8227e5}\CheckComponent.dll
O21 - SSODL: zip - {c1239b60-1cc0-4a35-85c7-f85e3539847f} - C:\WINNT\Installer\{c1239b60-1cc0-4a35-85c7-f85e3539847f}\zip.dll
O21 - SSODL: SetupService - {590a8a42-c535-4d85-ba65-e6dc2578dac7} - C:\WINNT\Installer\{590a8a42-c535-4d85-ba65-e6dc2578dac7}\SetupService.dll
O21 - SSODL: bxlrvps - {AA74E6F4-5630-4807-AEC8-57B9808F8B30} - C:\WINNT\bxlrvps.dll (file missing)
O21 - SSODL: alofkmn - {5C7C1EC0-D9FE-4E4F-961C-7668606E72CF} - C:\WINNT\alofkmn.dll
O21 - SSODL: WinAvp - {e14612ad-ac61-484e-aefa-018f16d07265} - C:\WINNT\Installer\{e14612ad-ac61-484e-aefa-018f16d07265}\WinAvp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O24 - Desktop Component 0: (no name) - http://images.kodakg...939403_0_SM.jpg

--
End of file - 7820 bytes

Edited by kahdah, 01 March 2008 - 07:44 PM.



#2
kahdah

Hello harpdiva_jflo

Welcome to G2Go. :)
=====================
Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.


#3
harpdiva_jflo

Thanks, kahdah. Please note that when I ran SDFix.exe, I got an error prompt: Cannot import assosfix.reg.

Should I rerun?

Here are the logs:

SDFix: Version 1.150

Run by Jill on Sat 03/01/2008 at 7:35p

Microsoft Windows 2000 [Version 5.00.2195]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting


Checking Files :

Trojan Files Found:

C:\WINNT\Installer\{18278380-7a60-4561-9df9-1d41be8227e5}\CheckComponent.dll - Deleted
C:\WINNT\Installer\{c1239b60-1cc0-4a35-85c7-f85e3539847f}\zip.dll - Deleted
C:\WINNT\Installer\{590a8a42-c535-4d85-ba65-e6dc2578dac7}\SetupService.dll - Deleted
C:\WINNT\Installer\{e14612ad-ac61-484e-aefa-018f16d07265}\WinAvp.dll - Deleted
C:\Program Files\tmp106609.exe - Deleted
C:\Program Files\tmp222031.exe - Deleted
C:\Program Files\tmp2553406.exe - Deleted
C:\Program Files\tmp259390.exe - Deleted
C:\Program Files\tmp35488359.exe - Deleted
C:\Program Files\tmp35586812.exe - Deleted
C:\Program Files\tmp385046.exe - Deleted
C:\Program Files\tmp79609.exe - Deleted
C:\Program Files\tmp82140.exe - Deleted
C:\Program Files\tmp86921.exe - Deleted
C:\Program Files\tmp87250.exe - Deleted
C:\WINNT\dgtxrdfnfq.dll - Deleted
C:\WINNT\dgtxrdfrnq.dll - Deleted
C:\WINNT\system32\TFTP1172 - Deleted
C:\DOCUME~1\Jill\LOCALS~1\Temp\ac8zt2.dat - Deleted
C:\WINNT\alofkmn.dll - Deleted
C:\WINNT\fkxvkns.exe - Deleted
C:\WINNT\rs.txt - Deleted



Folder C:\WINNT\Installer\{18278380-7a60-4561-9df9-1d41be8227e5} - Removed
Folder C:\WINNT\Installer\{c1239b60-1cc0-4a35-85c7-f85e3539847f} - Removed
Folder C:\WINNT\Installer\{590a8a42-c535-4d85-ba65-e6dc2578dac7} - Removed
Folder C:\WINNT\Installer\{e14612ad-ac61-484e-aefa-018f16d07265} - Removed
Folder C:\Program Files\WinPop - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-01 19:46:54
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Tue 18 Jul 2006 1,032,070 ..SH. --- "C:\WINNT\system32\srqss.bak2"
Tue 11 Jul 2006 1,015,789 ..SH. --- "C:\WINNT\system32\srqss.bak1"
Wed 27 Mar 2002 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 9 Sep 2003 400 A.SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.bla.bak"
Tue 9 Sep 2003 48 A.SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.sec.bak"
Sat 1 Mar 2008 22,614 ..SHR --- "C:\WINNT\Installer\{b46dcca4-fe73-42c9-a583-78373449c055}\zip.dll"
Fri 29 Feb 2008 22,646 ..SHR --- "C:\WINNT\Installer\{f8699d31-6aab-4be8-af8d-ffd1f2ed6c31}\zip.dll"
Mon 7 Jan 2002 36,352 ...H. --- "C:\Documents and Settings\Jill\Application Data\Microsoft\Word\~WRL0004.tmp"
Wed 30 Apr 2003 20,992 ...H. --- "C:\Documents and Settings\Jill\Application Data\Microsoft\Word\~WRL0570.tmp"

Finished!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:56:28 PM, on 3/1/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\DOCUME~1\Jill\LOCALS~1\Temp\XxKOfJAp.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Plaxo\3.8.0.64\PlaxoHelper_en.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\EnterNet.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Jill\LOCALS~1\Temp\qTnsOFgQ.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {421A6EDC-866D-F0CB-1267-8E8DBA23869B} - C:\WINNT\system32\vfphyjf.dll (file missing)
O2 - BHO: (no name) - {4611BDC0-0323-75DF-0266-5E00BDCFD89F} - C:\WINNT\system32\tsww.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {9D17928D-A62A-4029-83A7-78B265B8684E} - C:\WINNT\system32\ssqrs.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {C9ECD921-6D99-1A33-B928-3A76156851C3} - C:\WINNT\system32\dmlukqb.dll (file missing)
O2 - BHO: RDL Rolex - {F2D6DA3F-061A-42FB-83E8-80FBDE005898} - C:\WINNT\dgtxrdfnfq.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\3.8.0.64\PlaxoHelper_en.exe -a
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe

--
End of file - 6705 bytes
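One way to compare the two HijackThis logs posted so far, as an added example that is not part of the thread and is not HijackThis or SDFix code. The function names `parse_hjt` and `compare` are hypothetical, the sample lines are excerpted from the two logs above, and the "(file missing)" and Temp-directory checks are triage heuristics assumed here, not verdicts.

```python
import re

MISSING = " (file missing)"
# HijackThis entry lines start with a section code such as R0, O2, O4, O21, O23.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Heuristic (assumption): executables running out of a per-user Temp directory.
TEMP_RE = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)


def parse_hjt(log):
    """Return (processes, entries) from HijackThis log text.

    processes: paths listed under "Running processes:", in log order.
    entries:   dict mapping entry text (without the "(file missing)"
               suffix) to True when HijackThis reported the file missing.
    """
    processes, entries = [], {}
    in_procs = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        if ENTRY_RE.match(line):
            in_procs = False          # the process list ends at the first entry
            missing = line.endswith(MISSING)
            key = line[:-len(MISSING)] if missing else line
            entries[key] = missing
        elif in_procs and line:
            processes.append(line)
    return processes, entries


def compare(before, after):
    """Summarise what changed between two HijackThis logs of one machine."""
    bp, be = parse_hjt(before)
    ap, ae = parse_hjt(after)
    seen = {p.lower() for p in bp}
    return {
        # Registry entries the cleanup removed or that appeared afterwards.
        "entries_removed": sorted(k for k in be if k not in ae),
        "entries_added": sorted(k for k in ae if k not in be),
        # Entry still registered, but its file is gone since the first log.
        "now_file_missing": sorted(k for k in ae if ae[k] and k in be and not be[k]),
        # All entries in the later log that point at a missing file.
        "file_missing": sorted(k for k, gone in ae.items() if gone),
        # Processes in the later log that run from a Temp directory.
        "temp_processes": [p for p in ap if TEMP_RE.search(p)],
        # Processes that were not running when the first log was taken.
        "new_processes": [p for p in ap if p.lower() not in seen],
    }


# Sample input: a few lines excerpted from the first log in this thread.
BEFORE = r"""
Running processes:
C:\WINNT\system32\svchost.exe
C:\Program Files\antiviirus.exe
C:\DOCUME~1\Jill\LOCALS~1\Temp\jiCQlLUb.exe

O2 - BHO: (no name) - {421A6EDC-866D-F0CB-1267-8E8DBA23869B} - C:\WINNT\system32\vfphyjf.dll (file missing)
O2 - BHO: RDL Rolex - {F2D6DA3F-061A-42FB-83E8-80FBDE005898} - C:\WINNT\dgtxrdfnfq.dll
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O21 - SSODL: alofkmn - {5C7C1EC0-D9FE-4E4F-961C-7668606E72CF} - C:\WINNT\alofkmn.dll
"""

# Sample input: the matching lines from the log posted after the SDFix run.
AFTER = r"""
Running processes:
C:\WINNT\system32\svchost.exe
C:\DOCUME~1\Jill\LOCALS~1\Temp\XxKOfJAp.exe
C:\DOCUME~1\Jill\LOCALS~1\Temp\qTnsOFgQ.exe

O2 - BHO: (no name) - {421A6EDC-866D-F0CB-1267-8E8DBA23869B} - C:\WINNT\system32\vfphyjf.dll (file missing)
O2 - BHO: RDL Rolex - {F2D6DA3F-061A-42FB-83E8-80FBDE005898} - C:\WINNT\dgtxrdfnfq.dll (file missing)
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
"""

if __name__ == "__main__":
    for name, items in compare(BEFORE, AFTER).items():
        print(name)
        for item in items:
            print("   ", item)
```

Entries under `file_missing` are registrations left behind after their file was deleted; entries that appear in both logs unchanged, such as the `[antiviirus]` Run value, are not reported as differences and still need review.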

#4
kahdah

Ok that is fine :)

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

#5
harpdiva_jflo

OK, done! Please advise next steps, thanks very much.

Here's the Combo Fix log:

ComboFix 08-03-03.6 - Jill 03/03/2008 1:51:23.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.296 [GMT -8:00]
Running from: C:\Documents and Settings\Jill\Local Settings\Temporary Internet Files\Content.IE5\UDUTKZIH\ComboFix[1].exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\1.tmp
C:\3.tmp
C:\5.tmp
C:\WINNT\system32\mcrh.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\nm


((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 )))))))))))))))))))))))))))))))
.

2008-03-03 01:55 . 16,384 C:\WINNT\system32\Perflib_Perfdata_3d8.dat
2008-03-03 01:55 . 08-03-03 01:55 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_224.dat
2008-03-03 01:20 . 08-03-03 01:20 16,512 --a------ C:\Program Files\tmp131921.exe
2008-03-02 02:49 . 08-03-02 02:49 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-03-02 02:49 . 08-03-02 02:49 1,409 --a------ C:\WINNT\QTFont.for
2008-03-01 19:54 . 08-03-01 19:54 16,548 --a------ C:\Program Files\tmp458078.exe
2008-03-01 19:31 . 08-03-01 19:32 <DIR> d-------- C:\WINNT\ERUNT
2008-03-01 19:25 . 08-03-01 19:51 <DIR> d-------- C:\SDFix
2008-03-01 16:39 . 08-03-01 16:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-01 16:37 . 08-03-01 16:37 <DIR> d-------- C:\Documents and Settings\Jill\Application Data\TrojanHunter
2008-03-01 15:33 . 08-03-01 15:38 <DIR> d-------- C:\fixwareout
2008-03-01 14:50 . 08-03-01 14:51 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-03-01 02:50 . 08-03-01 02:49 691,545 --a------ C:\WINNT\unins000.exe
2008-03-01 02:50 . 08-03-01 02:50 2,542 --a------ C:\WINNT\unins000.dat
2008-03-01 01:33 . 08-03-01 01:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2008-03-01 01:32 . 08-03-01 01:32 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-29 18:56 . 08-03-01 00:52 35,592 --a------ C:\Program Files\instaler.exe
2008-02-29 18:56 . 08-02-29 18:57 11,992 --a------ C:\Program Files\antiviirus.exe
2008-02-18 21:27 . 08-02-18 21:27 <DIR> d-------- C:\Program Files\AOL Search
2008-02-18 21:27 . 08-02-18 21:27 <DIR> d-------- C:\Documents and Settings\Jill\Application Data\acccore
2008-02-18 21:26 . 08-02-18 21:26 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-02-18 21:26 . 08-02-18 21:26 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2008-02-18 21:26 . 08-02-18 21:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2008-02-13 13:09 . 07-12-10 13:12 587,776 --a------ C:\WINNT\system32\WININET.DLL
2008-02-12 11:56 . 08-02-28 16:29 <DIR> d-------- C:\Program Files\AIM6
2008-02-12 11:54 . 08-02-12 11:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2008-02-12 11:54 . 08-02-28 16:29 1,915 --ah----- C:\IPH.PH
2008-02-12 11:54 . 08-02-12 11:54 29 --a------ C:\WINNT\atid.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-03 09:56 --------- d-----w C:\Program Files\Plaxo
2008-03-01 10:52 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-01 10:51 --------- d---a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-03-01 09:34 --------- d-----w C:\Program Files\Lavasoft
2008-03-01 09:34 --------- d-----w C:\Documents and Settings\Jill\Application Data\Lavasoft
2008-03-01 03:41 --------- d---a-w C:\Program Files\ewido anti-spyware 4.0
2008-03-01 03:00 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2008-02-12 19:54 --------- d-----w C:\Program Files\AIM
2008-01-14 08:25 --------- d-----w C:\Program Files\Common Files\Cloudmark
2008-01-14 08:25 --------- d-----w C:\Documents and Settings\Jill\Application Data\Cloudmark
2001-10-18 09:02 271 -c-h--w C:\Program Files\desktop.ini
2001-10-18 09:02 21,952 -c-h--w C:\Program Files\folder.htt
2006-07-11 09:36 1,015,789 -csh--w C:\WINNT\system32\srqss.bak1
2006-07-19 00:46 1,032,070 -csh--w C:\WINNT\system32\srqss.bak2
.

------- Sigcheck -------

9e64ad53cfd9da2d22e8a924f8c6e62c C:\WINNT\system32\svchost.exe
----a-w 7,952 1999-12-07 12:00:00 C:\WINNT\system32\svchost.exe
-c--a-w 7,952 1999-12-07 12:00:00 C:\WINNT\system32\dllcache\svchost.exe

40023a7103796b1af6ca41a6dbc54775 C:\WINNT\system32\user32.dll
-c----w 402,192 2001-10-30 12:57:00 C:\WINNT\$NtServicePackUninstall$\user32.dll
-c----w 403,216 2003-06-19 19:05:04 C:\WINNT\$NtUninstallKB835732$\user32.dll
-c----w 380,688 2004-12-29 09:14:10 C:\WINNT\$NtUninstallKB890859$\user32.dll
-c----w 403,216 2004-03-24 02:17:00 C:\WINNT\$NtUninstallKB891711$\user32.dll
-c----w 419,600 2005-04-21 08:08:44 C:\WINNT\$NtUninstallKB925902$\user32.dll
-c----w 402,192 2001-05-04 19:05:02 C:\WINNT\$NtUninstallSP2SRP1$\user32.dll
-c----w 380,688 2005-03-12 07:54:53 C:\WINNT\$NtUpdateRollupPackUninstall$\user32.dll
-c----w 403,216 2003-06-19 19:05:04 C:\WINNT\ServicePackFiles\i386\user32.dll
----a-w 381,200 2007-03-06 11:17:48 C:\WINNT\system32\USER32.DLL
-c--a-w 381,200 2007-03-06 11:17:48 C:\WINNT\system32\dllcache\USER32.DLL

0190c62de42396d78db9be771cf2403e C:\WINNT\system32\ws2_32.dll
-c----w 69,392 2001-05-04 19:05:02 C:\WINNT\$NtServicePackUninstall$\ws2_32.dll
-c----w 69,904 2003-06-19 19:05:04 C:\WINNT\ServicePackFiles\i386\ws2_32.dll
----a-w 69,904 2003-06-19 19:05:04 C:\WINNT\system32\ws2_32.dll

bb1daf6a5737652646d52665251a0265 C:\WINNT\system32\winlogon.exe
-c----w 178,448 2001-10-30 12:57:00 C:\WINNT\$NtServicePackUninstall$\winlogon.exe
-c----w 181,008 2003-06-19 19:05:04 C:\WINNT\$NtUninstallKB835732$\winlogon.exe
-c----w 181,520 2004-03-11 02:37:53 C:\WINNT\$NtUninstallKB840987$\winlogon.exe
-c----w 182,544 2004-08-24 22:59:09 C:\WINNT\$NtUninstallKB841533$\winlogon.exe
-c----w 177,936 2001-05-04 19:05:02 C:\WINNT\$NtUninstallQ285851$\winlogon.exe
-c----w 178,960 2001-05-29 16:41:36 C:\WINNT\$NtUninstallSP2SRP1$\winlogon.exe
-c----w 182,544 2004-08-24 22:59:09 C:\WINNT\$NtUpdateRollupPackUninstall$\winlogon.exe
-c----w 181,008 2003-06-19 19:05:04 C:\WINNT\ServicePackFiles\i386\winlogon.exe
----a-w 186,640 2005-04-08 11:51:16 C:\WINNT\system32\WINLOGON.EXE
-c----w 186,640 2005-04-08 11:51:16 C:\WINNT\system32\dllcache\WINLOGON.EXE

fb4f2d0595bd3546a4dd915e4a9b4809 C:\WINNT\system32\drivers\ndis.sys
-c----w 163,120 2001-05-04 19:05:02 C:\WINNT\$NtServicePackUninstall$\ndis.sys
-c----w 170,928 2003-06-19 19:05:04 C:\WINNT\ServicePackFiles\i386\ndis.sys
-c--a-w 170,928 2003-06-19 19:05:04 C:\WINNT\system32\drivers\ndis.sys

d63ccca44ab92d8b819054e2af6202ae C:\WINNT\system32\ntkrnlpa.exe
-c----w 1,684,672 2001-05-04 19:05:02 C:\WINNT\$NtServicePackUninstall$\ntkrnlpa.exe
-c----w 1,694,080 2003-06-19 19:05:04 C:\WINNT\$NtUninstallKB835732$\ntkrnlpa.exe
-c----w 1,699,264 2004-02-25 23:55:48 C:\WINNT\$NtUninstallKB885835$\ntkrnlpa.exe
-c----w 1,704,320 2004-10-21 03:56:06 C:\WINNT\$NtUninstallKB890859$\ntkrnlpa.exe
-c----w 1,713,280 2005-05-06 11:45:34 C:\WINNT\$NtUninstallKB908523$\ntkrnlpa.exe
-c----w 1,713,600 2005-10-06 09:20:58 C:\WINNT\$NtUninstallKB920958$\ntkrnlpa.exe
-c----w 1,713,536 2006-09-12 11:48:34 C:\WINNT\$NtUninstallKB931784$\ntkrnlpa.exe
-c----w 1,713,280 2005-03-02 09:49:08 C:\WINNT\$NtUpdateRollupPackUninstall$\ntkrnlpa.exe
----a-w 1,713,536 2007-03-05 15:52:06 C:\WINNT\Driver Cache\i386\ntkrnlpa.exe
-c----w 1,694,080 2003-06-19 19:05:04 C:\WINNT\ServicePackFiles\i386\ntkrnlpa.exe
----a-w 1,713,536 2007-03-05 15:52:06 C:\WINNT\system32\NTKRNLPA.EXE
-c--a-w 1,713,536 2007-03-05 15:52:06 C:\WINNT\system32\dllcache\ntkrnlpa.exe

a9b95a62c4f298aadd3bec2fdf49fcbe C:\WINNT\system32\ntoskrnl.exe
-c----w 1,713,232 2001-05-04 19:05:02 C:\WINNT\$NtServicePackUninstall$\ntoskrnl.exe
-c----w 1,719,056 2003-06-19 19:05:04 C:\WINNT\$NtUninstallKB835732$\ntoskrnl.exe
-c----w 1,726,032 2004-03-11 02:37:30 C:\WINNT\$NtUninstallKB885835$\ntoskrnl.exe
-c----w 1,681,408 2004-10-21 03:55:47 C:\WINNT\$NtUninstallKB890859$\ntoskrnl.exe
-c----w 1,690,432 2005-05-06 11:45:12 C:\WINNT\$NtUninstallKB908523$\ntoskrnl.exe
-c----w 1,691,008 2005-10-06 09:20:35 C:\WINNT\$NtUninstallKB920958$\ntoskrnl.exe
-c----w 1,690,880 2006-09-12 11:48:11 C:\WINNT\$NtUninstallKB931784$\ntoskrnl.exe
-c----w 1,690,496 2005-03-02 09:48:19 C:\WINNT\$NtUpdateRollupPackUninstall$\ntoskrnl.exe
----a-w 1,690,880 2007-03-05 15:51:49 C:\WINNT\Driver Cache\i386\ntoskrnl.exe
-c----w 1,719,056 2003-06-19 19:05:04 C:\WINNT\ServicePackFiles\i386\ntoskrnl.exe
----a-w 1,690,880 2007-03-05 15:51:49 C:\WINNT\system32\NTOSKRNL.EXE
-c--a-w 1,690,880 2007-03-05 15:51:49 C:\WINNT\system32\dllcache\ntoskrnl.exe

59cf2b7dced9111f48f51b4b570e672d C:\WINNT\explorer.exe
----a-w 243,472 2003-06-19 19:05:04 C:\WINNT\explorer.exe
-c----w 242,960 2001-05-04 19:05:02 C:\WINNT\$NtServicePackUninstall$\explorer.exe
------w 243,472 2003-06-19 19:05:04 C:\WINNT\ServicePackFiles\i386\explorer.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{421A6EDC-866D-F0CB-1267-8E8DBA23869B}]
C:\WINNT\system32\vfphyjf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4611BDC0-0323-75DF-0266-5E00BDCFD89F}]
C:\WINNT\system32\tsww.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9D17928D-A62A-4029-83A7-78B265B8684E}]
C:\WINNT\system32\ssqrs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C9ECD921-6D99-1A33-B928-3A76156851C3}]
C:\WINNT\system32\dmlukqb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F2D6DA3F-061A-42FB-83E8-80FBDE005898}]
C:\WINNT\dgtxrdfnfq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\tapisevo]
@={82363210-4AE9-BB9F-A084-F617FCBD675D}

[HKEY_CLASSES_ROOT\CLSID\{82363210-4AE9-BB9F-A084-F617FCBD675D}]
C:\WINNT\system32\tapisevo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PlaxoUpdate"="C:\Program Files\Plaxo\3.8.0.64\PlaxoHelper_en.exe" [08-01-31 13:41 283719]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-10-17 00:39 68856]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [06-03-30 15:45 313472]
"Aim6"="" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 11:05 111376 C:\WINNT\system32\mobsync.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07-12-04 05:00 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [07-09-25 00:11 132496]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06-09-12 00:58 229952]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06-12-11 01:20 282624]
"NapsterShell"="C:\Program Files\Napster\napster.exe" [ ]
"antiviirus"="C:\Program Files\antiviirus.exe" [08-02-29 18:57 11992]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [08-02-08 11:22 1047712]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 11:05 186640]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL

R1 ATMhelpr;ATMhelpr;C:\WINNT\system32\drivers\ATMhelpr.sys [97-06-17 04:00 ]
R2 aswMon;avast! Standard Shield Support;C:\WINNT\system32\drivers\aswMon.sys [07-12-04 06:56 ]
R2 PPPoEService;PPPoE Service;C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe [00-07-11 09:48 ]
R3 l100;Linksys LNE100TX Fast Ethernet Adapter;C:\WINNT\system32\DRIVERS\Lne100tx.sys [00-02-05 14:36 ]
R3 NTSPPPOE;Efficient Networks Enternet P.P.P.o.E LAN Miniport Driver;C:\WINNT\system32\DRIVERS\ntspppoe.sys [00-11-27 09:56 ]
R3 nv3;nv3;C:\WINNT\system32\DRIVERS\nv3.sys [99-10-27 07:21 ]
S3 ENIMSR;ENIMSR;C:\PROGRA~1\EFFICI~1\ENTERN~1\app\ENIMSR.SYS [00-11-17 09:18 ]
S3 NTSTAP1;NTSTAP1;C:\PROGRA~1\EFFICI~1\ENTERN~1\app\NTSTAP1.SYS [01-02-15 16:12 ]
S3 RAWESR;RAWESR;C:\PROGRA~1\EFFICI~1\ENTERN~1\app\RAWESR.SYS [00-10-13 13:41 ]
S3 TAPBIND;TAPBIND;C:\PROGRA~1\EFFICI~1\ENTERN~1\app\TAPBIND1.SYS [01-02-15 16:13 ]

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-03 01:56:26
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-03-03 1:59:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-03 09:59:40
.
2008-02-14 04:09:17 --- E O F ---


Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:15:02 AM, on 3/3/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\antiviirus.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Plaxo\3.8.0.64\PlaxoHelper_en.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\explorer.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\EnterNet.exe
C:\Program Files\internet explorer\iexplore.exe
C:\DOCUME~1\Jill\LOCALS~1\Temp\XYG2iLec.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {421A6EDC-866D-F0CB-1267-8E8DBA23869B} - C:\WINNT\system32\vfphyjf.dll (file missing)
O2 - BHO: (no name) - {4611BDC0-0323-75DF-0266-5E00BDCFD89F} - C:\WINNT\system32\tsww.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {9D17928D-A62A-4029-83A7-78B265B8684E} - C:\WINNT\system32\ssqrs.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {C9ECD921-6D99-1A33-B928-3A76156851C3} - C:\WINNT\system32\dmlukqb.dll (file missing)
O2 - BHO: RDL Rolex - {F2D6DA3F-061A-42FB-83E8-80FBDE005898} - C:\WINNT\dgtxrdfnfq.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\3.8.0.64\PlaxoHelper_en.exe -a
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe

--
End of file - 6660 bytes
  • 0

#6
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Program Files\tmp131921.exe
C:\Program Files\tmp458078.exe
C:\Program Files\instaler.exe
C:\Program Files\antiviirus.exe
C:\WINNT\system32\srqss.bak1
C:\WINNT\system32\srqss.bak2
C:\WINNT\system32\vfphyjf.dll
C:\WINNT\system32\tsww.dll
C:\WINNT\system32\ssqrs.dll
C:\WINNT\system32\dmlukqb.dll
C:\WINNT\system32\tapisevo.dll
Folder::
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{421A6EDC-866D-F0CB-1267-8E8DBA23869B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4611BDC0-0323-75DF-0266-5E00BDCFD89F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9D17928D-A62A-4029-83A7-78B265B8684E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C9ECD921-6D99-1A33-B928-3A76156851C3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F2D6DA3F-061A-42FB-83E8-80FBDE005898}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\tapisevo]
[-HKEY_CLASSES_ROOT\CLSID\{82363210-4AE9-BB9F-A084-F617FCBD675D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"antiviirus"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#7
harpdiva_jflo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thanks again. OK, here are the new logs:

ComboFix 08-03-04.1 - Jill 03/03/2008 18:52:42.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.326 [GMT -8:00]
Running from: C:\Documents and Settings\Jill\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jill\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Program Files\antiviirus.exe
C:\Program Files\instaler.exe
C:\Program Files\tmp131921.exe
C:\Program Files\tmp458078.exe
C:\WINNT\system32\dmlukqb.dll
C:\WINNT\system32\srqss.bak1
C:\WINNT\system32\srqss.bak2
C:\WINNT\system32\ssqrs.dll
C:\WINNT\system32\tapisevo.dll
C:\WINNT\system32\tsww.dll
C:\WINNT\system32\vfphyjf.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
C:\Program Files\antiviirus.exe
C:\Program Files\instaler.exe
C:\Program Files\tmp131921.exe
C:\Program Files\tmp458078.exe
C:\WINNT\system32\srqss.bak1
C:\WINNT\system32\srqss.bak2

.
((((((((((((((((((((((((( Files Created from 2008-02-04 to 2008-03-04 )))))))))))))))))))))))))))))))
.

2008-03-03 18:52 . 03/03/08 06:52p 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_304.dat
2008-03-03 16:55 . 03/03/08 04:55p 16,556 --a------ C:\Program Files\tmp118437.exe
2008-03-03 16:50 . 03/03/08 04:50p 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_21c.dat
2008-03-03 02:01 . 03/03/08 02:01a 16,512 --a------ C:\Program Files\tmp111968.exe
2008-03-03 01:55 . 03/03/08 01:55a 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_224.dat
2008-03-01 19:31 . 03/01/08 07:32p <DIR> d-------- C:\WINNT\ERUNT
2008-03-01 19:25 . 03/01/08 07:51p <DIR> d-------- C:\SDFix
2008-03-01 16:39 . 03/01/08 04:39p <DIR> d-------- C:\Program Files\Trend Micro
2008-03-01 16:37 . 03/01/08 04:37p <DIR> d-------- C:\Documents and Settings\Jill\Application Data\TrojanHunter
2008-03-01 15:33 . 03/01/08 03:38p <DIR> d-------- C:\fixwareout
2008-03-01 14:50 . 03/01/08 02:51p <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-03-01 02:50 . 03/01/08 02:49a 691,545 --a------ C:\WINNT\unins000.exe
2008-03-01 02:50 . 03/01/08 02:50a 2,542 --a------ C:\WINNT\unins000.dat
2008-03-01 01:33 . 03/01/08 01:34a <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-01 01:32 . 03/01/08 01:32a <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-18 21:27 . 02/18/08 09:27p <DIR> d-------- C:\Program Files\AOL Search
2008-02-18 21:27 . 02/18/08 09:27p <DIR> d-------- C:\Documents and Settings\Jill\Application Data\acccore
2008-02-18 21:26 . 02/18/08 09:26p <DIR> d-------- C:\Program Files\Common Files\AOL
2008-02-18 21:26 . 02/18/08 09:26p <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-02-18 21:26 . 02/18/08 09:26p <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-02-13 13:09 . 12/10/07 01:12p 587,776 --a------ C:\WINNT\system32\WININET.DLL
2008-02-12 11:56 . 02/28/08 04:29p <DIR> d-------- C:\Program Files\AIM6
2008-02-12 11:54 . 02/12/08 11:56a <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-12 11:54 . 02/28/08 04:29p 1,915 --ah----- C:\IPH.PH
2008-02-12 11:54 . 02/12/08 11:54a 29 --a------ C:\WINNT\atid.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 00:52 --------- d-----w C:\Program Files\Plaxo
2008-03-01 10:52 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-01 10:51 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-01 09:34 --------- d-----w C:\Program Files\Lavasoft
2008-03-01 09:34 --------- d-----w C:\Documents and Settings\Jill\Application Data\Lavasoft
2008-03-01 03:41 --------- d---a-w C:\Program Files\ewido anti-spyware 4.0
2008-02-12 19:54 --------- d-----w C:\Program Files\AIM
2008-01-14 08:25 --------- d-----w C:\Program Files\Common Files\Cloudmark
2008-01-14 08:25 --------- d-----w C:\Documents and Settings\Jill\Application Data\Cloudmark
2007-12-14 19:32 12,632 ----a-w C:\WINNT\system32\lsdelete.exe
2007-12-05 10:40 631,056 ----a-w C:\WINNT\system32\OLEAUT32.DLL
2007-12-04 13:04 837,496 ----a-w C:\WINNT\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINNT\system32\AVASTSS.scr
2001-10-18 09:02 271 -c-h--w C:\Program Files\desktop.ini
2001-10-18 09:02 21,952 -c-h--w C:\Program Files\folder.htt
1999-12-07 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys
.

------- Sigcheck -------

9e64ad53cfd9da2d22e8a924f8c6e62c C:\WINNT\system32\svchost.exe
----a-w 7,952 1999-12-07 12:00:00 C:\WINNT\system32\svchost.exe
-c--a-w 7,952 1999-12-07 12:00:00 C:\WINNT\system32\dllcache\svchost.exe

40023a7103796b1af6ca41a6dbc54775 C:\WINNT\system32\user32.dll
-c----w 402,192 2001-10-30 12:57:00 C:\WINNT\$NtServicePackUninstall$\user32.dll
-c----w 403,216 2003-06-19 19:05:04 C:\WINNT\$NtUninstallKB835732$\user32.dll
-c----w 380,688 2004-12-29 09:14:10 C:\WINNT\$NtUninstallKB890859$\user32.dll
-c----w 403,216 2004-03-24 02:17:00 C:\WINNT\$NtUninstallKB891711$\user32.dll
-c----w 419,600 2005-04-21 08:08:44 C:\WINNT\$NtUninstallKB925902$\user32.dll
-c----w 402,192 2001-05-04 19:05:02 C:\WINNT\$NtUninstallSP2SRP1$\user32.dll
-c----w 380,688 2005-03-12 07:54:53 C:\WINNT\$NtUpdateRollupPackUninstall$\user32.dll
-c----w 403,216 2003-06-19 19:05:04 C:\WINNT\ServicePackFiles\i386\user32.dll
----a-w 381,200 2007-03-06 11:17:48 C:\WINNT\system32\USER32.DLL
-c--a-w 381,200 2007-03-06 11:17:48 C:\WINNT\system32\dllcache\USER32.DLL

0190c62de42396d78db9be771cf2403e C:\WINNT\system32\ws2_32.dll
-c----w 69,392 2001-05-04 19:05:02 C:\WINNT\$NtServicePackUninstall$\ws2_32.dll
-c----w 69,904 2003-06-19 19:05:04 C:\WINNT\ServicePackFiles\i386\ws2_32.dll
----a-w 69,904 2003-06-19 19:05:04 C:\WINNT\system32\ws2_32.dll

bb1daf6a5737652646d52665251a0265 C:\WINNT\system32\winlogon.exe
-c----w 178,448 2001-10-30 12:57:00 C:\WINNT\$NtServicePackUninstall$\winlogon.exe
-c----w 181,008 2003-06-19 19:05:04 C:\WINNT\$NtUninstallKB835732$\winlogon.exe
-c----w 181,520 2004-03-11 02:37:53 C:\WINNT\$NtUninstallKB840987$\winlogon.exe
-c----w 182,544 2004-08-24 22:59:09 C:\WINNT\$NtUninstallKB841533$\winlogon.exe
-c----w 177,936 2001-05-04 19:05:02 C:\WINNT\$NtUninstallQ285851$\winlogon.exe
-c----w 178,960 2001-05-29 16:41:36 C:\WINNT\$NtUninstallSP2SRP1$\winlogon.exe
-c----w 182,544 2004-08-24 22:59:09 C:\WINNT\$NtUpdateRollupPackUninstall$\winlogon.exe
-c----w 181,008 2003-06-19 19:05:04 C:\WINNT\ServicePackFiles\i386\winlogon.exe
----a-w 186,640 2005-04-08 11:51:16 C:\WINNT\system32\WINLOGON.EXE
-c----w 186,640 2005-04-08 11:51:16 C:\WINNT\system32\dllcache\WINLOGON.EXE

fb4f2d0595bd3546a4dd915e4a9b4809 C:\WINNT\system32\drivers\ndis.sys
-c----w 163,120 2001-05-04 19:05:02 C:\WINNT\$NtServicePackUninstall$\ndis.sys
-c----w 170,928 2003-06-19 19:05:04 C:\WINNT\ServicePackFiles\i386\ndis.sys
-c--a-w 170,928 2003-06-19 19:05:04 C:\WINNT\system32\drivers\ndis.sys

d63ccca44ab92d8b819054e2af6202ae C:\WINNT\system32\ntkrnlpa.exe
-c----w 1,684,672 2001-05-04 19:05:02 C:\WINNT\$NtServicePackUninstall$\ntkrnlpa.exe
-c----w 1,694,080 2003-06-19 19:05:04 C:\WINNT\$NtUninstallKB835732$\ntkrnlpa.exe
-c----w 1,699,264 2004-02-25 23:55:48 C:\WINNT\$NtUninstallKB885835$\ntkrnlpa.exe
-c----w 1,704,320 2004-10-21 03:56:06 C:\WINNT\$NtUninstallKB890859$\ntkrnlpa.exe
-c----w 1,713,280 2005-05-06 11:45:34 C:\WINNT\$NtUninstallKB908523$\ntkrnlpa.exe
-c----w 1,713,600 2005-10-06 09:20:58 C:\WINNT\$NtUninstallKB920958$\ntkrnlpa.exe
-c----w 1,713,536 2006-09-12 11:48:34 C:\WINNT\$NtUninstallKB931784$\ntkrnlpa.exe
-c----w 1,713,280 2005-03-02 09:49:08 C:\WINNT\$NtUpdateRollupPackUninstall$\ntkrnlpa.exe
----a-w 1,713,536 2007-03-05 15:52:06 C:\WINNT\Driver Cache\i386\ntkrnlpa.exe
-c----w 1,694,080 2003-06-19 19:05:04 C:\WINNT\ServicePackFiles\i386\ntkrnlpa.exe
----a-w 1,713,536 2007-03-05 15:52:06 C:\WINNT\system32\NTKRNLPA.EXE
-c--a-w 1,713,536 2007-03-05 15:52:06 C:\WINNT\system32\dllcache\ntkrnlpa.exe

a9b95a62c4f298aadd3bec2fdf49fcbe C:\WINNT\system32\ntoskrnl.exe
-c----w 1,713,232 2001-05-04 19:05:02 C:\WINNT\$NtServicePackUninstall$\ntoskrnl.exe
-c----w 1,719,056 2003-06-19 19:05:04 C:\WINNT\$NtUninstallKB835732$\ntoskrnl.exe
-c----w 1,726,032 2004-03-11 02:37:30 C:\WINNT\$NtUninstallKB885835$\ntoskrnl.exe
-c----w 1,681,408 2004-10-21 03:55:47 C:\WINNT\$NtUninstallKB890859$\ntoskrnl.exe
-c----w 1,690,432 2005-05-06 11:45:12 C:\WINNT\$NtUninstallKB908523$\ntoskrnl.exe
-c----w 1,691,008 2005-10-06 09:20:35 C:\WINNT\$NtUninstallKB920958$\ntoskrnl.exe
-c----w 1,690,880 2006-09-12 11:48:11 C:\WINNT\$NtUninstallKB931784$\ntoskrnl.exe
-c----w 1,690,496 2005-03-02 09:48:19 C:\WINNT\$NtUpdateRollupPackUninstall$\ntoskrnl.exe
----a-w 1,690,880 2007-03-05 15:51:49 C:\WINNT\Driver Cache\i386\ntoskrnl.exe
-c----w 1,719,056 2003-06-19 19:05:04 C:\WINNT\ServicePackFiles\i386\ntoskrnl.exe
----a-w 1,690,880 2007-03-05 15:51:49 C:\WINNT\system32\NTOSKRNL.EXE
-c--a-w 1,690,880 2007-03-05 15:51:49 C:\WINNT\system32\dllcache\ntoskrnl.exe

59cf2b7dced9111f48f51b4b570e672d C:\WINNT\explorer.exe
----a-w 243,472 2003-06-19 19:05:04 C:\WINNT\explorer.exe
-c----w 242,960 2001-05-04 19:05:02 C:\WINNT\$NtServicePackUninstall$\explorer.exe
------w 243,472 2003-06-19 19:05:04 C:\WINNT\ServicePackFiles\i386\explorer.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PlaxoUpdate"="C:\Program Files\Plaxo\3.8.0.64\PlaxoHelper_en.exe" [01/31/08 01:41p 283719]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [10/17/07 12:39a 68856]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/06 03:45p 313472]
"Aim6"="" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/08 11:43a 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 11:05a 111376 C:\WINNT\system32\mobsync.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/07 05:00a 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/07 12:11a 132496]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [09/12/06 12:58a 229952]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/11/06 01:20a 282624]
"NapsterShell"="C:\Program Files\Napster\napster.exe" [ ]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [02/08/08 11:22a 1047712]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [06/19/03 11:05a 186640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL

R1 ATMhelpr;ATMhelpr;C:\WINNT\system32\drivers\ATMhelpr.sys [06/17/97 04:00a]
R2 aswMon;avast! Standard Shield Support;C:\WINNT\system32\drivers\aswMon.sys [12/04/07 06:56a]
R2 PPPoEService;PPPoE Service;C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe [07/11/00 09:48a]
R3 l100;Linksys LNE100TX Fast Ethernet Adapter;C:\WINNT\system32\DRIVERS\Lne100tx.sys [02/05/00 02:36p]
R3 NTSPPPOE;Efficient Networks Enternet P.P.P.o.E LAN Miniport Driver;C:\WINNT\system32\DRIVERS\ntspppoe.sys [11/27/00 09:56a]
R3 NTSTAP1;NTSTAP1;C:\PROGRA~1\EFFICI~1\ENTERN~1\app\NTSTAP1.SYS [02/15/01 04:12p]
R3 nv3;nv3;C:\WINNT\system32\DRIVERS\nv3.sys [10/27/99 07:21a]
R3 TAPBIND;TAPBIND;C:\PROGRA~1\EFFICI~1\ENTERN~1\app\TAPBIND1.SYS [02/15/01 04:13p]
S3 ENIMSR;ENIMSR;C:\PROGRA~1\EFFICI~1\ENTERN~1\app\ENIMSR.SYS [11/17/00 09:18a]
S3 RAWESR;RAWESR;C:\PROGRA~1\EFFICI~1\ENTERN~1\app\RAWESR.SYS [10/13/00 01:41p]

.
Contents of the 'Scheduled Tasks' folder
"2006-09-15 09:58:36 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-03 18:54:11
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 03/03/2008 18:55:07
ComboFix-quarantined-files.txt 2008-03-04 02:54:52
ComboFix2.txt 2008-03-03 09:59:44
.
2008-02-14 04:09:17 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:47 PM, on 3/3/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Plaxo\3.8.0.64\PlaxoHelper_en.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\EnterNet.exe
C:\DOCUME~1\Jill\LOCALS~1\Temp\Vg9I0rFz.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\3.8.0.64\PlaxoHelper_en.exe -a
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe

--
End of file - 6317 bytes
  • 0
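The comparison a helper makes by eye after a CFScript run, as an added example that is not part of the original thread: it takes the deletion targets from the script in post #6 and reports which of them still show up in a HijackThis log. The log excerpts are trimmed from the posts above, and the function names are hypothetical.

```python
import re

# Trimmed excerpt of the CFScript from post #6 (values as posted in the thread).
CFSCRIPT = r"""File::
C:\Program Files\antiviirus.exe
C:\WINNT\system32\vfphyjf.dll
C:\WINNT\system32\tsww.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{421A6EDC-866D-F0CB-1267-8E8DBA23869B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4611BDC0-0323-75DF-0266-5E00BDCFD89F}]
[-HKEY_CLASSES_ROOT\CLSID\{82363210-4AE9-BB9F-A084-F617FCBD675D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"antiviirus"=-
"""

# Trimmed excerpt of the HijackThis log taken before the CFScript run.
HJT_BEFORE = r"""Running processes:
C:\WINNT\system32\svchost.exe
C:\Program Files\antiviirus.exe

O2 - BHO: (no name) - {421A6EDC-866D-F0CB-1267-8E8DBA23869B} - C:\WINNT\system32\vfphyjf.dll (file missing)
O2 - BHO: (no name) - {4611BDC0-0323-75DF-0266-5E00BDCFD89F} - C:\WINNT\system32\tsww.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
"""

# Trimmed excerpt of the HijackThis log taken after the CFScript run.
HJT_AFTER = r"""Running processes:
C:\WINNT\system32\svchost.exe
C:\Program Files\Plaxo\3.8.0.64\PlaxoHelper_en.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
"""

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
BHO_RE = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]{36}\}) - (.*?)( \(file missing\))?$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")


def parse_cfscript(text):
    """Collect the files, CLSID keys and Run values a CFScript asks to delete."""
    targets = {"files": [], "clsids": [], "values": []}
    section, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                      # File:: / Folder:: / Registry::
            section = line[:-2].lower()
        elif section in ("file", "folder"):
            targets["files"].append(line.lower())
        elif section == "registry":
            if line.startswith("[-"):                # "[-key]" deletes the whole key
                m = re.search(r"\{[0-9A-Fa-f-]{36}\}\]$", line)
                if m:
                    targets["clsids"].append(m.group(0)[:-1].upper())
                key = None
            elif line.startswith("["):               # plain header: values follow
                key = line.strip("[]")
            else:                                    # '"name"=-' deletes one value
                m = re.match(r'"([^"]+)"=-$', line)
                if m and key and key.lower().endswith(r"\currentversion\run"):
                    hive = HIVES.get(key.split("\\")[0].upper())
                    targets["values"].append((hive, m.group(1).lower()))
    return targets


def residual(cfscript, hjt_log):
    """Return the CFScript targets that are still visible in a HijackThis log."""
    t = parse_cfscript(cfscript)
    findings, in_procs = [], False
    for raw in hjt_log.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:                             # blank line ends the process list
                in_procs = False
            elif line.lower() in t["files"]:         # 8.3 short paths are not resolved
                findings.append(("process", line))
            continue
        m = BHO_RE.match(line)
        if m and m.group(1).upper() in t["clsids"]:
            findings.append(("bho", m.group(1).upper()))
            continue
        m = RUN_RE.match(line)
        if m and (m.group(1).upper(), m.group(2).lower()) in t["values"]:
            findings.append(("run", m.group(2)))
    return findings


if __name__ == "__main__":
    for label, log in (("before", HJT_BEFORE), ("after", HJT_AFTER)):
        print(label, residual(CFSCRIPT, log))
```

An empty result only means the listed targets are gone from the log; it says nothing about items the script never named.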

#8
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Program Files\tmp118437.exe
    C:\Program Files\tmp111968.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=====================
Then :
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#9
harpdiva_jflo

    New Member

  • Topic Starter
  • Member
  • 8 posts
Hi again, I followed your last instructions. Here are the logs.

OTMoveIt:

C:\Program Files\tmp118437.exe moved successfully.
C:\Program Files\tmp111968.exe moved successfully.

OTMoveIt2 v1.0.20 log created on 03032008_193514


Malwarebytes' Anti-Malware 1.05
Database version: 447

Scan type: Full Scan (A:\|C:\|)
Objects scanned: 61824
Time elapsed: 21 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\1.tmp.vir (Adware.Purityscan) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\5.tmp.vir (Adware.Purityscan) -> Quarantined and deleted successfully.

#10
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

#11
harpdiva_jflo

    New Member

  • Topic Starter
  • Member
  • 8 posts
Hi again. Activescan report:


Incident Status Location

Adware:adware/sidestep Not disinfected c:\winnt\downloaded program files\SbCIe01f.dll
Adware:adware/clickalchemy Not disinfected c:\winnt\inf\alchem.inf
Adware:adware/ncase Not disinfected c:\winnt\didduid.ini
Adware:adware/sidesearch Not disinfected C:\Documents and Settings\Jill\Application Data\Lycos
Potentially unwanted tool:application/sysprotect Not disinfected hkey_local_machine\software\classes\appid\CheckProduct2_1.DLL
Adware:adware/savenow Not disinfected Windows Registry
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\6.0\13\5cfa590d-48f1c5d0[VerifierBug.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\6.0\13\5cfa590d-48f1c5d0[Counter.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\6.0\13\5cfa590d-48f1c5d0[Gummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\6.0\13\5cfa590d-48f1c5d0[Beyond.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\6.0\13\5cfa590d-48f1c5d0[Worker.class]
Virus:Trj/Downloader.MDW Disinfected C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\6.0\13\5cfa590d-48f1c5d0[web.exe]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\6.0\7\43b56787-23c43cff[VerifierBug.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\6.0\7\43b56787-23c43cff[Counter.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\6.0\7\43b56787-23c43cff[Gummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\6.0\7\43b56787-23c43cff[Beyond.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\6.0\7\43b56787-23c43cff[Worker.class]
Virus:Trj/Downloader.MDW Disinfected C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\6.0\7\43b56787-23c43cff[web.exe]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-3e5608d0-5cfe6266.zip[VerifierBug.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-3e5608d0-5cfe6266.zip[Counter.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-3e5608d0-5cfe6266.zip[Gummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-3e5608d0-5cfe6266.zip[Beyond.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-3e5608d0-5cfe6266.zip[Worker.class]
Virus:Trj/Downloader.MDW Disinfected C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-3e5608d0-5cfe6266.zip[web.exe]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-56274691-63846f6b.zip[VerifierBug.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-56274691-63846f6b.zip[Counter.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-56274691-63846f6b.zip[Gummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-56274691-63846f6b.zip[Beyond.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-56274691-63846f6b.zip[Worker.class]
Virus:Trj/Downloader.MDW Disinfected C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-56274691-63846f6b.zip[web.exe]
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Jill\Cookies\jill@azjmp[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Jill\Cookies\jill@com[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Jill\Cookies\jill@com[2].txt
Spyware:Cookie/Pollstar Not disinfected C:\Documents and Settings\Jill\Cookies\jill@pollstar[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Jill\Cookies\jill@realmedia[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jill\Cookies\[email protected][1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Jill\Cookies\[email protected][1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jill\My Documents\Spyware Tools\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\fixwareout\FindT\nircmd.exe
Adware:Adware/Adband Not disinfected C:\QooBox\Quarantine\C\3.tmp.vir
Virus:Generic Malware Disinfected C:\RECYCLER\NPROTECT\00000037.EXE
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
Possible Virus. Not disinfected C:\WINNT\Installer\{b46dcca4-fe73-42c9-a583-78373449c055}\zip.dll
Possible Virus. Not disinfected C:\WINNT\Installer\{f8699d31-6aab-4be8-af8d-ffd1f2ed6c31}\zip.dll
Virus:W97M/Class.B Disinfected Personal Folders\Inbox\Opened Mail\FW: Proposal: "Hip Hop For Dummies"\ProposalGuide.doc
Hacktool:Exploit/iFrame Not disinfected Archive Folders\Sent Items\RE: Dont wait for long time !
Virus:W32/Gaobot.IH.worm Disinfected Archive Folders\Sent Items\soundman\soundman.exe

#12
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Make sure that you paste the following file paths under the yellow bar within the OTMoveit2 program or it will not work correctly.
===================================================
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    c:\winnt\downloaded program files\SbCIe01f.dll 
    c:\winnt\inf\alchem.inf 
    c:\winnt\didduid.ini 
    C:\Documents and Settings\Jill\Application Data\Lycos 
    hkey_local_machine\software\classes\appid\CheckProduct2_1.DLL 
    C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\6.0\13\5cfa590d-48f1c5d0
    C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\6.0\7\43b56787-23c43cff
    C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-3e5608d0-5cfe6266.zip
    C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-56274691-63846f6b.zip
    C:\Documents and Settings\Jill\My Documents\Spyware Tools\SDFix.exe
    C:\fixwareout
    C:\SDFix
    C:\WINNT\Installer\{b46dcca4-fe73-42c9-a583-78373449c055}
    C:\WINNT\Installer\{f8699d31-6aab-4be8-af8d-ffd1f2ed6c31}

  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
====================
Post that log and a new HijackThis log, and let me know how things are running.
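
Added example (not part of kahdah's post and not OTMoveIt2's own code): a Python sketch of how an ActiveScan report like the one in post #11 can be reduced to a deduplicated list of candidate paths for review. The function names are hypothetical, and skipping cookie rows is an assumption made here because the list in the post above contains no cookie entries.

```python
import re

# A subset of rows copied from the ActiveScan report in post #11.
SAMPLE_REPORT = r"""
Incident Status Location

Adware:adware/sidestep Not disinfected c:\winnt\downloaded program files\SbCIe01f.dll
Adware:adware/savenow Not disinfected Windows Registry
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\6.0\13\5cfa590d-48f1c5d0[VerifierBug.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\6.0\13\5cfa590d-48f1c5d0[Counter.class]
Virus:Trj/Downloader.MDW Disinfected C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\6.0\13\5cfa590d-48f1c5d0[web.exe]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Jill\Cookies\jill@com[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\fixwareout\FindT\nircmd.exe
Possible Virus. Not disinfected C:\WINNT\Installer\{b46dcca4-fe73-42c9-a583-78373449c055}\zip.dll
Hacktool:Exploit/iFrame Not disinfected Archive Folders\Sent Items\RE: Dont wait for long time !
"""

# The report has no column delimiters, so the status phrase is the separator.
ROW = re.compile(
    r"^(?P<incident>.+?) (?P<status>Not disinfected|Disinfected) (?P<location>.+)$"
)
# "container[member]" marks a file inside an archive or cache entry. Only a
# trailing [...] counts, so cookie names such as jill@com[1].txt are untouched.
MEMBER = re.compile(r"^(?P<container>.+)\[(?P<member>[^\[\]]+)\]$")
# Locations that can be acted on: drive-letter paths and registry keys.
ACTIONABLE = re.compile(r"^(?:[A-Za-z]:\\|hkey_)", re.IGNORECASE)


def parse_report(text):
    """Return (incident, status, location) for every detection row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # the header line and blank lines do not match
            rows.append((m["incident"], m["status"], m["location"]))
    return rows


def container_of(location):
    """Collapse 'archive[member]' to the archive path itself."""
    m = MEMBER.match(location)
    return m["container"] if m else location


def move_candidates(text):
    """Paths still flagged after the scan, one entry per container."""
    seen, out = set(), []
    for incident, status, location in parse_report(text):
        if status != "Not disinfected":
            continue  # already handled by the scanner
        if incident.startswith("Spyware:Cookie/"):
            continue  # assumption: cookies are left out, as in the post above
        if not ACTIONABLE.match(location):
            continue  # "Windows Registry" and mail-store items carry no path
        target = container_of(location)
        if target.lower() not in seen:  # Windows paths are case-insensitive
            seen.add(target.lower())
            out.append(target)
    return out


if __name__ == "__main__":
    for path in move_candidates(SAMPLE_REPORT):
        print(path)
```

The output is only a starting point for review: the list in the post above also reflects the helper's judgement, such as moving a whole parent folder rather than the single flagged file.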

#13
harpdiva_jflo

    New Member

  • Topic Starter
  • Member
  • 8 posts
Hi again,

Here are the latest logs. Things have been running much better, thank you!

OTMoveIt2:

[Custom Input]
< c:\winnt\downloaded program files\SbCIe01f.dll >
c:\winnt\downloaded program files\SbCIe01f.dll unregistered successfully.
c:\winnt\downloaded program files\SbCIe01f.dll moved successfully.
< c:\winnt\inf\alchem.inf >
c:\winnt\inf\alchem.inf moved successfully.
< c:\winnt\didduid.ini >
c:\winnt\didduid.ini moved successfully.
< C:\Documents and Settings\Jill\Application Data\Lycos >
C:\Documents and Settings\Jill\Application Data\Lycos moved successfully.
< hkey_local_machine\software\classes\appid\CheckProduct2_1.DLL >
Registry key hkey_local_machine\software\classes\appid\CheckProduct2_1.DLL\\ deleted successfully.
< C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\6.0\13\5cfa590d-48f1c5d0 >
C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\6.0\13\5cfa590d-48f1c5d0 moved successfully.
< C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\6.0\7\43b56787-23c43cff >
C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\6.0\7\43b56787-23c43cff moved successfully.
< C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-3e5608d0-5cfe6266.zip >
C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-3e5608d0-5cfe6266.zip moved successfully.
< C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-56274691-63846f6b.zip >
C:\Documents and Settings\Jill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-56274691-63846f6b.zip moved successfully.
< C:\Documents and Settings\Jill\My Documents\Spyware Tools\SDFix.exe >
C:\Documents and Settings\Jill\My Documents\Spyware Tools\SDFix.exe moved successfully.
< C:\fixwareout >
C:\fixwareout\FindT moved successfully.
C:\fixwareout moved successfully.
< C:\SDFix >
C:\SDFix\backups moved successfully.
C:\SDFix\apps\Replace\xp moved successfully.
C:\SDFix\apps\Replace\w2k moved successfully.
C:\SDFix\apps\Replace moved successfully.
C:\SDFix\apps moved successfully.
C:\SDFix moved successfully.
< C:\WINNT\Installer\{b46dcca4-fe73-42c9-a583-78373449c055} >
C:\WINNT\Installer\{b46dcca4-fe73-42c9-a583-78373449c055} moved successfully.
< C:\WINNT\Installer\{f8699d31-6aab-4be8-af8d-ffd1f2ed6c31} >
C:\WINNT\Installer\{f8699d31-6aab-4be8-af8d-ffd1f2ed6c31} moved successfully.

OTMoveIt2 v1.0.20 log created on 03052008_000516


Hijack This:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:31 AM, on 3/5/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Plaxo\3.8.0.64\PlaxoHelper_en.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\EnterNet.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\3.8.0.64\PlaxoHelper_en.exe -a
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe

--
End of file - 6355 bytes

#14
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the Run box and click OK

The above procedure will delete and do the following:

  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:\Deckard folder, if present
  • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Clean System Restore points.

Also delete/uninstall anything that we used that is left over.
============================================
After that, your log is clean. :)

To find out more information about how you got infected in the first place, and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein -> Here

#15
harpdiva_jflo

    New Member

  • Topic Starter
  • Member
  • 8 posts
Thanks very much for your help!