TheTechGuide Forum

General Category => Tech Clinic => Topic started by: Society_Sucker on July 30, 2007, 04:36:23 PM

Title: Infected Winlogon.exe and Svchost.exe
Post by: Society_Sucker on July 30, 2007, 04:36:23 PM
I once turned my firewall off for just a few moments, not more than 3 minutes, and immediately got some nasty infections from the LAN network (my ISP is horrible, but I don't have many choices where I live). I was able to get rid of most of them, but I couldn't clean the infections that used winlogon.exe and svchost.exe. I successfully stopped them from displaying IE pop-up windows and making new infected files, but my PC is still running slower than usual.
 
 So here is my HijackThis log:
 
 Logfile of Trend Micro HijackThis v2.0.2
 Scan saved at 23:29:19, on 30.7.2007
 Platform: Windows XP SP1 (WinNT 5.01.2600)
 MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
 Boot mode: Normal
 
 Running processes:
 C:\WINDOWS\System32\smss.exe
 C:\WINDOWS\system32\winlogon.exe
 C:\WINDOWS\system32\services.exe
 C:\WINDOWS\system32\lsass.exe
 C:\WINDOWS\system32\svchost.exe
 C:\WINDOWS\System32\svchost.exe
 C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 C:\WINDOWS\system32\spoolsv.exe
 D:\Eset\nod32krn.exe
 C:\WINDOWS\System32\svchost.exe
 C:\WINDOWS\Explorer.EXE
 D:\Eset\nod32kui.exe
 D:\ZoneAlarm\zlclient.exe
 C:\WINDOWS\System32\ctfmon.exe
 D:\FlashGet\flashget.exe
 D:\Winamp\winamp.exe
 C:\WINDOWS\system32\NOTEPAD.EXE
 D:\Mozilla\mozilla.exe
 D:\FlashFXP_v3.4.1.1173\FlashFXP v3.4.1.1173\FlashFXP.exe
 C:\WINDOWS\system32\NOTEPAD.EXE
 E:\HijackThis\HijackThis.exe
 
 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
 O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\FlashGet\jccatch.dll
 O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
 O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
 O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\FlashGet\getflash.dll
 O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
 O4 - HKLM\..\Run: [SpywareTerminator] "D:\SPYWAR~1\SpywareTerminatorShield.exe"
 O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
 O4 - HKLM\..\Run: [nod32kui] "D:\Eset\nod32kui.exe" /WAITSERVICE
 O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
 O4 - HKLM\..\Run: [HP Software Update] "E:\HP\HP Software Update\HPWuSchd2.exe"
 O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Acrobat Reader 8\Reader\Reader_sl.exe"
 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
 O4 - HKLM\..\Run: [SpySweeper] "D:\Spy Sweeper\SpySweeperUI.exe"  /startintray
 O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\AVG Anti-Spyware 7.5\avgas.exe" /minimized
 O4 - HKLM\..\Run: [!ewido] "D:\ewido anti-spyware 4.0\ewido.exe" /minimized
 O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\ZoneAlarm\zlclient.exe"
 O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
 O4 - HKCU\..\Run: [Steam] "E:\Steam\Steam.exe" -silent
 O4 - HKCU\..\Run: [BlazeServoTool] "D:\BlazeDVD 5 Professional\MediaDetector.exe"
 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
 O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe
 O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
 O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
 O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
 O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
 O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
 O4 - Global Startup: HP Digital Imaging Monitor.lnk = E:\HP\Digital Imaging\bin\hpqtra08.exe
 O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
 O4 - Global Startup: Rychlé spuštění aplikace HP Image Zone.lnk = E:\HP\Digital Imaging\bin\hpqthb08.exe
 O4 - Global Startup: Software Kodak EasyShare.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
 O8 - Extra context menu item: &Stáhnout FlashGetem - D:\FlashGet\jc_link.htm
 O8 - Extra context menu item: &Stáhnout všechno FlashGetem - D:\FlashGet\jc_all.htm
 O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
 O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
 O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
 O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
 O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FlashGet\FlashGet.exe
 O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FlashGet\FlashGet.exe
 O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
 O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
 O17 - HKLM\System\CCS\Services\Tcpip\..\{E409859C-E4EA-4B68-8854-EB64B5F6DA10}: NameServer = 217.75.208.10,217.75.208.11
 O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - E:\a-squared Free\a2service.exe
 O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Ad-Aware 2007\aawservice.exe
 O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
 O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
 O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
 O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\AVG Anti-Spyware 7.5\guard.exe
 O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\ewido anti-spyware 4.0\guard.exe
 O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - D:\Borland\InterBase\bin\ibguard.exe
 O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - D:\Borland\InterBase\bin\ibserver.exe
 O23 - Service: InterBase InterClient Server (InterServer) - InterBase - D:\Borland\InterBase\InterClient\bin\interserver.exe
 O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
 O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - D:\Eset\nod32krn.exe
 O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
 O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
 O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Unknown owner - C:\Program Files\WinClamAVShield\sp_clamsrv.exe (file missing)
 O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Spyware Terminator\sp_rsser.exe
 O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - D:\Spy Sweeper\SpySweeper.exe
 
 --
 End of file - 7295 bytes
 
 Thanks for your time helping me.
Title: Infected Winlogon.exe and Svchost.exe
Post by: guestolo on July 30, 2007, 07:05:13 PM
Can you do the following for me please

You have many spyware protections running
Any that you didn't pay for?
I'm looking at the following
Spybot-S&D
It's a great program, but if you got it for free, can you uninstall it for now

SpywareTerminator>>I don't recommend this program, I suggest that you uninstall it

Ad-Aware 2007>>If it's the free version, can you please uninstall it

AVG Anti-Spyware
ewido anti-spyware 4.0 guard
>>AVG Anti-Spyware is the updated Ewido
Can you remove Ewido 4.0

SpySweeper>>Is it the trial version? If it is and it has expired, can you uninstall it

Look over the above, I'm just trying to eliminate the possibility of conflicts and interference in the tools that we will be using
Reboot the computer after removing any of the above

If you don't uninstall one/any protections from the above
Can you disable their realtime protections for now please

Afterwards
Download this file - Combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it ONLY to your desktop, we will need it in a bit
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Post this log please >> C:\Combofix.txt

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Also include a fresh hijackthis log
Title: Infected Winlogon.exe and Svchost.exe
Post by: Society_Sucker on July 30, 2007, 07:32:47 PM
Thank you for your fast reply at this early hour (maybe it's not early where you live :)

I have uninstalled all those programs as you said; I haven't used any of them anyway except Spybot.

Here is my ComboFix log:

EDIT: oh, and I nearly forgot... I have already used ComboFix a few hours ago, and from another location than my desktop (E:\Combofix.exe). So, if you want to see the first log, I will post it in another reply.

ComboFix 07-07-30.2 - "q(o.O)P" 2007-07-31  2:26:31.3 [GMT 2:00] - NTFS
Systém Microsoft Windows XP Professional  5.1.2600.1.1250.1.1029.18.True


(((((((((((((((((((((((((   Files Created from 2007-06-28 to 2007-07-31  )))))))))))))))))))))))))))))))


2007-07-31 02:19   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DATAAP~1\Spyware Terminator
2007-07-31 02:12   <DIR>   d--------   C:\WINDOWS\system32\appmgmt
2007-07-30 23:41   51,200   --a------   C:\WINDOWS\nircmd.exe
2007-07-27 12:56   <DIR>   d--------   C:\Program Files\FOTOLAB Home Print Service
2007-07-27 12:51   <DIR>   d--------   C:\DOCUME~1\Janek\DATAAP~1\Leadertech
2007-07-27 12:51   <DIR>   d--------   C:\DOCUME~1\Janek\DATAAP~1\AdobeUM
2007-07-27 12:51   <DIR>   d--------   C:\DOCUME~1\Janek\DATAAP~1\AdobeAUM
2007-07-27 02:23   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DATAAP~1\TEMP
2007-07-27 02:18   76,288   --a------   C:\WINDOWS\system32\rlddi.dll
2007-07-27 02:18   76,288   --a------   C:\WINDOWS\system32\rlddf.dll
2007-07-27 02:18   <DIR>   d--------   C:\WINDOWS\system32\rl
2007-07-27 02:17   322,832   --a------   C:\WINDOWS\system32\Mfc30.dll
2007-07-27 02:17   289,280   --a------   C:\WINDOWS\uninst.exe
2007-07-27 02:17   15,872   --a------   C:\WINDOWS\system32\Mfcn30.dll
2007-07-25 02:52   <DIR>   d--------   C:\DOCUME~1\q(o.O)P\DATAAP~1\BSplayer Pro
2007-07-23 13:29   1,087,216   --a------   C:\WINDOWS\system32\zpeng24.dll
2007-07-23 13:29   <DIR>   d--------   C:\WINDOWS\system32\ZoneLabs
2007-07-23 02:28   4,212   ---h-----   C:\WINDOWS\system32\zllictbl.dat
2007-07-23 02:19   <DIR>   d--------   C:\WINDOWS\Internet Logs
2007-07-22 23:37   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DATAAP~1\Spybot - Search & Destroy
2007-07-19 13:25   10,872   --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-19 11:30   21,056   --a------   C:\WINDOWS\system32\drivers\sskbfd.sys
2007-07-15 08:52   <DIR>   d--------   C:\DOCUME~1\q(o.O)P\Incomplete
2007-07-15 08:48   <DIR>   d--------   C:\DOCUME~1\q(o.O)P\DATAAP~1\LimeWire
2007-07-15 05:33   <DIR>   d--------   C:\DOCUME~1\q(o.O)P\DATAAP~1\My Games
2007-07-11 17:07   <DIR>   d--------   C:\Program Files\QuickTime
2007-07-11 17:07   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DATAAP~1\Apple Computer
2007-07-11 17:06   5,632   --a------   C:\WINDOWS\system32\ptpusb.dll
2007-07-11 17:06   150,528   --a------   C:\WINDOWS\system32\ptpusd.dll
2007-07-11 17:06   <DIR>   d--------   C:\WINDOWS\system32\BWKDLogs
2007-07-11 17:05   <DIR>   d--------   C:\Program Files\Kodak
2007-07-11 17:05   <DIR>   d--------   C:\Program Files\Common Files\Kodak
2007-07-11 17:03   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DATAAP~1\Kodak
2007-07-07 23:41   <DIR>   d--------   C:\KBcertifikat
2007-07-07 23:27   <DIR>   d--------   C:\DOCUME~1\Janek\kbpki
2007-07-03 17:31   <DIR>   d--------   C:\DOCUME~1\Janek\DATAAP~1\ATI
2007-07-03 10:03   <DIR>   d--------   C:\DOCUME~1\q(o.O)P\DATAAP~1\ATI
2007-06-26 12:36   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DATAAP~1\InstallShield
2007-06-24 09:58   <DIR>   d--h-----   C:\WINDOWS\HUL
2007-06-24 09:34   4,682   --a------   C:\WINDOWS\system32\npptNT2.sys
2007-06-23 13:32   <DIR>   d--------   C:\DOCUME~1\q(o.O)P\WINDOWS
2007-06-17 10:41   <DIR>   d---s----   C:\DOCUME~1\q(o.O)P\UserData
2007-06-13 21:25   339,968   --a------   C:\WINDOWS\system32\ATIDEMGX.dll
2007-06-13 21:24   268,288   --a------   C:\WINDOWS\system32\ati2dvag.dll
2007-06-13 21:24   2,155,520   --a------   C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-06-13 21:23   307,200   --a------   C:\WINDOWS\system32\atiiiexx.dll
2007-06-13 21:17   42,496   --a------   C:\WINDOWS\system32\ati2edxx.dll
2007-06-13 21:17   26,112   --a------   C:\WINDOWS\system32\Ati2mdxx.exe
2007-06-13 21:17   139,264   --a------   C:\WINDOWS\system32\atipdlxx.dll
2007-06-13 21:17   118,784   --a------   C:\WINDOWS\system32\Oemdspif.dll
2007-06-13 21:16   118,784   --a------   C:\WINDOWS\system32\ati2evxx.dll
2007-06-13 21:15   483,328   --a------   C:\WINDOWS\system32\ati2evxx.exe
2007-06-13 21:14   53,248   --a------   C:\WINDOWS\system32\ATIDDC.DLL
2007-06-13 21:10   8,097,792   --a------   C:\WINDOWS\system32\atioglx2.dll
2007-06-13 21:07   2,922,208   --a------   C:\WINDOWS\system32\ati3duag.dll
2007-06-13 20:57   972,072   --a------   C:\WINDOWS\system32\ativva6x.dat
2007-06-13 20:57   3,107,788   --a------   C:\WINDOWS\system32\ativva5x.dat
2007-06-13 20:57   1,512,960   --a------   C:\WINDOWS\system32\ativvaxx.dll
2007-06-13 20:46   5,431,296   --a------   C:\WINDOWS\system32\atioglxx.dll
2007-06-13 20:43   262,144   --a------   C:\WINDOWS\system32\atikvmag.dll
2007-06-13 20:42   17,408   --a------   C:\WINDOWS\system32\atitvo32.dll
2007-06-13 20:41   50,176   --a------   C:\WINDOWS\system32\atiok3x2.dll
2007-06-13 20:41   49,152   --a------   C:\WINDOWS\system32\drivers\ati2erec.dll
2007-06-13 20:36   368,640   --a------   C:\WINDOWS\system32\ati2cqag.dll
2007-06-10 12:01   <DIR>   d--------   C:\Program Files\Autodesk
2007-06-08 15:24   <DIR>   d--------   C:\DOCUME~1\q(o.O)P\DATAAP~1\Autodesk
2007-06-07 16:29   <DIR>   d--------   C:\DOCUME~1\Jitka\DATAAP~1\Autodesk
2007-06-07 16:28   <DIR>   d--------   C:\Program Files\Common Files\Autodesk Shared
2007-06-07 16:28   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DATAAP~1\Autodesk
2007-06-07 14:44   512,096   --a------   C:\WINDOWS\system32\drivers\amon.sys
2007-06-07 14:44   298,104   --a------   C:\WINDOWS\system32\imon.dll
2007-06-07 14:44   15,424   --a------   C:\WINDOWS\system32\drivers\nod32drv.sys
2007-06-06 15:04   765,952   --a------   C:\WINDOWS\system32\xvidcore.dll
2007-06-06 15:04   180,224   --a------   C:\WINDOWS\system32\xvidvfw.dll
2007-06-06 15:04   <DIR>   d--------   C:\Program Files\Xvid
2007-06-03 20:53   <DIR>   d--------   C:\Program Files\Common Files\Adobe Systems Shared
2007-06-03 20:53   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DATAAP~1\Adobe Systems
2007-06-03 11:21   <DIR>   d--------   C:\CRANK


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-31 02:14   ---------   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2007-07-31 01:50   73416   --a------   C:\WINDOWS\system32\perfc005.dat
2007-07-31 01:50   398746   --a------   C:\WINDOWS\system32\perfh005.dat
2007-07-23 02:22   ---------   d--------   C:\Program Files\Common Files\Agnitum Shared
2007-07-14 23:20   ---------   d--h-----   C:\Program Files\InstallShield Installation Information
2007-07-02 13:33   ---------   d--------   C:\Program Files\ATI Technologies
2007-06-13 21:50   43152   --a------   C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-06-13 14:29   520192   --a------   C:\WINDOWS\system32\ati2sgag.exe
2007-05-30 22:12   69119   --a------   C:\WINDOWS\hpoins05.dat
2007-05-30 22:10   ---------   d--------   C:\Program Files\Common Files\HP
2007-05-30 22:09   ---------   d--------   C:\Program Files\Hewlett-Packard
2007-05-30 22:08   ---------   d--------   C:\Program Files\Common Files\Hewlett-Packard
2007-05-30 22:03   ---------   d--------   C:\Program Files\HP
2007-05-30 21:59   ---------   d--h-----   C:\Program Files\WindowsUpdate
2007-05-30 21:24   ---------   d--------   C:\Program Files\AGEIA Technologies
2007-05-28 12:24   71539   --a------   C:\WINDOWS\War3Unin.dat
2007-05-18 15:16   409600   --a------   C:\WINDOWS\system32\wrap_oal.dll
2007-05-18 15:16   114688   --a------   C:\WINDOWS\system32\OpenAL32.dll
2007-04-01 09:02   456   --a------   C:\Program Files\INSTALL.LOG


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="D:\Eset\nod32kui.exe" [2007-06-07 14:44]
"ZoneAlarm Client"="D:\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="E:\Steam\Steam.exe" []
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-20 18:05]

C:\Documents and Settings\q(o.O)P\Nabídka Start\Programy\Po spuštění\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 21:18:22]
HP Digital Imaging Monitor.lnk - E:\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"RunStartupScriptSync"=0 (0x0)
"SynchronousMachineGroupPolicy"=0 (0x0)
"SynchronousUserGroupPolicy"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRemoteRecursiveEvents"=1 (0x1)
"NoStrCmpLogical"=1 (0x1)
"NoClose"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"=1 (0x1)
"NoSaveSettings"=0 (0x0)
"NoRecentDocsHistory"=1 (0x1)
"NoLowDiskSpaceChecks"=1 (0x1)
"MemCheckBoxInRunDlg"=0 (0x0)
"NoClose"=0 (0x0)
"NoAutoTrayNotify"=0 (0x0)
"NoResolveTrack"=0 (0x0)
"NoResolveSearch"=1 (0x1)
"LinkResolveIgnoreLinkInfo"=1 (0x1)
"NoStartBanner"=01000000
"NoWelcomeScreen"=1 (0x1)
"NoRecentDocsNetHood"=1 (0x1)
"NoDesktopCleanupWizard"=1 (0x1)
"NoSharedDocuments"=1 (0x1)
"NoThemesTab"=0 (0x0)

R1 AmdK8;Ovladač procesoru AMD Athlon64;C:\WINDOWS\System32\DRIVERS\AmdK8.sys
R1 nod32drv;nod32drv;C:\WINDOWS\System32\drivers\nod32drv.sys
R2 InterBaseGuardian;InterBase Guardian;D:\Borland\InterBase\bin\ibguard.exe
R3 ALCXSENS;Service for WDM 3D Audio Driver;C:\WINDOWS\System32\drivers\ALCXSENS.SYS
R3 InterBaseServer;InterBase Server;D:\Borland\InterBase\bin\ibserver.exe
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINDOWS\System32\drivers\msmpu401.sys
R3 pcouffin;VSO Software pcouffin;C:\WINDOWS\System32\Drivers\pcouffin.sys
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\System32\DRIVERS\psched.sys
R3 SSKBFD;Webroot Spy Sweeper Keylogger Shield Keyboard Filter;C:\WINDOWS\System32\Drivers\sskbfd.sys
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB;C:\WINDOWS\System32\DRIVERS\usbohci.sys
S1 sp_rsdrv2;Spyware Terminator Driver 2;\??\C:\WINDOWS\System32\drivers\sp_rsdrv2.sys
S3 InterServer;InterBase InterClient Server;D:\Borland\InterBase\InterClient\bin\interserver.exe
S3 nm;Ovladač programu Sledování sítě;C:\WINDOWS\System32\DRIVERS\NMnt.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\System32\drivers\npf.sys
S3 usbccgp;Obecný nadřazený ovladač Microsoft USB;C:\WINDOWS\System32\DRIVERS\usbccgp.sys
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB;C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
Schedule


Contents of the 'Scheduled Tasks' folder
2007-07-11 15:08:37 C:\WINDOWS\Tasks\EasyShare Registration Task.job - C:\WINDOWS\System32\rundll32.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-31 02:26:54
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes]
"\f\1e?r?n?\xe9? ?u?k?a?z?a?t?e?l?e? ?"="C:\WINDOWS\cursors\arrow_r.cur,C:\WINDOWS\cursors\help_r.cur,C:\WINDOWS\cursors\wait_r.cur,C:\WINDOWS\cursors\busy_r.cur,C:\WINDOWS\cursors\cross_r.cur,C:\WINDOWS\cursors\beam_r.cur,C:\WINDOWS\cursors\pen_r.cur,C:\WINDOWS\cursors\no_r.cur,C:\WINDOWS\cursors\size4_r.cur,C:\WINDOWS\cursors\size3_r.cur,C:\WINDOWS\cursors\size2_r.cur,C:\WINDOWS\cursors\size1_r.cur,C:\WINDOWS\cursors\move_r.cur,C:\WINDOWS\cursors\up_r.cur"
"\f\1e?r?n?\xe9? ?u?k?a?z?a?t?e?l?e? ?(?v?e?l?k?\xe9?)?"="C:\WINDOWS\cursors\arrow_rm.cur,C:\WINDOWS\cursors\help_rm.cur,C:\WINDOWS\cursors\wait_rm.cur,C:\WINDOWS\cursors\busy_rm.cur,C:\WINDOWS\cursors\cross_rm.cur,C:\WINDOWS\cursors\beam_rm.cur,C:\WINDOWS\cursors\pen_rm.cur,C:\WINDOWS\cursors\no_rm.cur,C:\WINDOWS\cursors\size4_rm.cur,C:\WINDOWS\cursors\size3_rm.cur,C:\WINDOWS\cursors\size2_rm.cur,C:\WINDOWS\cursors\size1_rm.cur,C:\WINDOWS\cursors\move_rm.cur,C:\WINDOWS\cursors\up_rm.cur"
"\f\1e?r?n?\xe9? ?u?k?a?z?a?t?e?l?e? ?(?n?e?j?v?\e\1t?a\1\xed?)?"="C:\WINDOWS\cursors\arrow_rl.cur,C:\WINDOWS\cursors\help_rl.cur,C:\WINDOWS\cursors\wait_rl.cur,C:\WINDOWS\cursors\busy_rl.cur,C:\WINDOWS\cursors\cross_rl.cur,C:\WINDOWS\cursors\beam_rl.cur,C:\WINDOWS\cursors\pen_rl.cur,C:\WINDOWS\cursors\no_rl.cur,C:\WINDOWS\cursors\size4_rl.cur,C:\WINDOWS\cursors\size3_rl.cur,C:\WINDOWS\cursors\size2_rl.cur,C:\WINDOWS\cursors\size1_rl.cur,C:\WINDOWS\cursors\move_rl.cur,C:\WINDOWS\cursors\up_rl.cur"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9CB1D540-D31A-63AA-7167-402D681BE3DB}]

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-31  2:27:39
C:\ComboFix-quarantined-files.txt ... 2007-07-31 02:27
C:\ComboFix2.txt ... 2007-07-31 02:25
C:\ComboFix3.txt ... 2007-07-30 23:50

   --- E O F ---


And my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:25, on 31.7.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Eset\nod32kui.exe
E:\a-squared Free\a2service.exe
D:\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
D:\Borland\InterBase\bin\ibguard.exe
D:\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
D:\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\explorer.exe
D:\Mozilla\mozilla.exe
D:\FlashFXP_v3.4.1.1173\FlashFXP v3.4.1.1173\FlashFXP.exe
C:\WINDOWS\system32\NOTEPAD.EXE
E:\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\FlashGet\getflash.dll
O4 - HKLM\..\Run: [nod32kui] "D:\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Steam] "E:\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = E:\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Stáhnout FlashGetem - D:\FlashGet\jc_link.htm
O8 - Extra context menu item: &Stáhnout všechno FlashGetem - D:\FlashGet\jc_all.htm
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FlashGet\FlashGet.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E409859C-E4EA-4B68-8854-EB64B5F6DA10}: NameServer = 217.75.208.10,217.75.208.11
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - E:\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - D:\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - D:\Borland\InterBase\bin\ibserver.exe
O23 - Service: InterBase InterClient Server (InterServer) - InterBase - D:\Borland\InterBase\InterClient\bin\interserver.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - D:\Eset\nod32krn.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Unknown owner - C:\Program Files\WinClamAVShield\sp_clamsrv.exe (file missing)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Unknown owner - D:\Spyware Terminator\sp_rsser.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5143 bytes
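As an added example, not from this thread and not part of HijackThis or ComboFix themselves: a small Python triage script that reads log entries like the ones posted above (a few lines copied from the thread plus one constructed O4 line, both marked) and flags what a helper scans for first: O23 services whose binary is missing or has no recorded owner, O4 autoruns and ComboFix deletions pointing at eight-letter random-named binaries in system32, and clusters of same-stem support files such as lnnmp.ini/.bak1/.tmp. The known-good stem list is an illustrative placeholder, not a real catalogue.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample input: entries copied from the HijackThis and ComboFix logs
# posted in this thread, plus one constructed O4 line (marked) so the autorun
# check has a positive case to report.
SAMPLE_HIJACKTHIS = [
    r'O4 - HKLM\..\Run: [nod32kui] "D:\Eset\nod32kui.exe" /WAITSERVICE',
    r'O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe',
    r'O4 - HKLM\..\Run: [cdhhuxbm] C:\WINDOWS\system32\cdhhuxbm.exe',  # constructed, not from the thread
    r'O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - D:\Eset\nod32krn.exe',
    r'O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)',
    r'O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe',
]
SAMPLE_COMBOFIX = [
    r'C:\WINDOWS\system32\aelpustb.dll',
    r'C:\WINDOWS\system32\ahyqwinl.dll',
    r'C:\WINDOWS\system32\abafcwpf.exe',
    r'C:\WINDOWS\system32\lnnmp.ini',
    r'C:\WINDOWS\system32\lnnmp.bak1',
    r'C:\WINDOWS\system32\lnnmp.tmp',
    r'C:\WINDOWS\system32\Mfc30.dll',      # legitimate runtime library; must not be flagged
    r'C:\WINDOWS\system32\services.exe',   # core Windows binary: eight letters, but allow-listed
]

O4_RE = re.compile(r'^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O23_RE = re.compile(
    r'^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$')
# Eight lowercase letters and nothing else: the naming pattern of the files
# ComboFix removed in the log posted above.
RANDOM_STEM_RE = re.compile(r'^[a-z]{8}$')
# Directly inside system32, not in a subfolder such as drivers\.
SYSTEM32_RE = re.compile(r'^[A-Z]:\\WINDOWS\\system32\\[^\\]+$', re.IGNORECASE)
# Genuine Windows binaries that happen to match the pattern. Placeholder only:
# a real triage compares against a known-good file catalogue or hash set.
KNOWN_GOOD_STEMS = {'winlogon', 'services', 'ntoskrnl', 'explorer', 'userinit'}


def extract_binary(cmd):
    """Return the executable path from an O4 command line (quoted or bare)."""
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    m = re.match(r'(.+?\.(?:exe|dll|scr|com|bat))(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else None


def is_random_system32_binary(path):
    """True for an .exe/.dll directly under system32 with a random-looking 8-letter stem."""
    p = PureWindowsPath(path)
    return (bool(SYSTEM32_RE.match(path))
            and p.suffix.lower() in ('.exe', '.dll')
            and bool(RANDOM_STEM_RE.match(p.stem))
            and p.stem not in KNOWN_GOOD_STEMS)


def triage_hijackthis(lines):
    """Flag O4 autoruns that point at random-named system32 binaries and O23
    services whose binary is missing on disk or has no recorded owner."""
    findings = []
    for line in lines:
        m = O23_RE.match(line)
        if m:
            reasons = []
            if m.group('missing'):
                reasons.append('file missing')
            if m.group('owner').strip().lower() == 'unknown owner':
                reasons.append('unknown owner')
            if reasons:
                findings.append({'kind': 'O23', 'name': m.group('svc'),
                                 'path': m.group('path'), 'reasons': reasons})
            continue
        m = O4_RE.match(line)
        if m:
            path = extract_binary(m.group('cmd'))
            if path and is_random_system32_binary(path):
                findings.append({'kind': 'O4', 'name': m.group('name'),
                                 'path': path, 'reasons': ['random-named system32 binary']})
    return findings


def triage_combofix_files(paths):
    """Split a ComboFix file list into random-named system32 binaries and
    clusters of non-executable files sharing one stem (lnnmp.ini/.bak1/.tmp)."""
    random_named = [p for p in paths if is_random_system32_binary(p)]
    by_stem = defaultdict(set)
    for p in paths:
        wp = PureWindowsPath(p)
        if SYSTEM32_RE.match(p) and wp.suffix.lower() not in ('.exe', '.dll'):
            by_stem[wp.stem].add(wp.suffix.lower())
    clusters = {stem: sorted(exts) for stem, exts in by_stem.items() if len(exts) >= 2}
    return {'random_named': random_named, 'stem_clusters': clusters}


if __name__ == '__main__':
    for f in triage_hijackthis(SAMPLE_HIJACKTHIS):
        print(f"{f['kind']:<4}{f['name']}: {f['path']}  [{', '.join(f['reasons'])}]")
    print(triage_combofix_files(SAMPLE_COMBOFIX))
```

A "(file missing)" hit is a review item rather than a verdict: in the second HijackThis log above, sp_rssrv shows up as missing right after Spyware Terminator was uninstalled.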
Title: Infected Winlogon.exe and Svchost.exe
Post by: Society_Sucker on July 30, 2007, 07:37:28 PM
Here is the first ComboFix log:

ComboFix 07-07-30.2 - "q(o.O)P" 2007-07-30 23:42:47.1 [GMT 2:00] - NTFS
Systém Microsoft Windows XP Professional  5.1.2600.1.1250.1.1029.18.True
 * Created a new restore point


((((((((((((((((((((((((((((((((((((((((((((   V Log   )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\aelpustb.dll
C:\WINDOWS\system32\ahyqwinl.dll
C:\WINDOWS\system32\cdhhuxbm.dll
C:\WINDOWS\system32\cpfkatxk.dll
C:\WINDOWS\system32\cuyhjatt.dll
C:\WINDOWS\system32\cvnsqgyg.dll
C:\WINDOWS\system32\dcfbypda.dll
C:\WINDOWS\system32\dibavyys.dll
C:\WINDOWS\system32\euxqysrj.dll
C:\WINDOWS\system32\faprwdjs.dll
C:\WINDOWS\system32\gifgyxat.dll
C:\WINDOWS\system32\gpycjexc.dll
C:\WINDOWS\system32\hakpiwmh.dll
C:\WINDOWS\system32\jghspmkr.dll
C:\WINDOWS\system32\jujhbsjj.dll
C:\WINDOWS\system32\leyrqjur.dll
C:\WINDOWS\system32\lubnnpkp.dll
C:\WINDOWS\system32\lungesmg.dll
C:\WINDOWS\system32\njykrfhw.dll
C:\WINDOWS\system32\ojpsonqf.dll
C:\WINDOWS\system32\qavugfxr.dll
C:\WINDOWS\system32\rsfqvcle.dll
C:\WINDOWS\system32\snghnpul.dll
C:\WINDOWS\system32\tgchxgjh.dll
C:\WINDOWS\system32\tgncrijb.dll
C:\WINDOWS\system32\tjgsavvu.dll
C:\WINDOWS\system32\tunupheb.dll
C:\WINDOWS\system32\uaitmdin.dll
C:\WINDOWS\system32\vsowpfqv.dll
C:\WINDOWS\system32\wovfrsty.dll
C:\WINDOWS\system32\xaywpuvl.dll
C:\WINDOWS\system32\xwpvbxop.dll
C:\WINDOWS\system32\lnnmp.bak1
C:\WINDOWS\system32\lnnmp.bak2
C:\WINDOWS\system32\lnnmp.ini
C:\WINDOWS\system32\lnnmp.ini2
C:\WINDOWS\system32\lnnmp.tmp
C:\WINDOWS\system32\lnnmp.bak1
C:\WINDOWS\system32\lnnmp.bak2
C:\WINDOWS\system32\lnnmp.ini
C:\WINDOWS\system32\lnnmp.ini2
C:\WINDOWS\system32\lnnmp.tmp


* * *  POST RUN FILES/FOLDERS  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\abafcwpf.exe
C:\WINDOWS\system32\aogqtkgq.exe
C:\WINDOWS\system32\ashbdqpp.exe
C:\WINDOWS\system32\asllljpv.exe
C:\WINDOWS\system32\aubecfmd.exe
C:\WINDOWS\system32\bhlgovrv.exe
C:\WINDOWS\system32\bkjkycxn.exe
C:\WINDOWS\system32\Cfx32.lic
C:\WINDOWS\system32\cfx32.ocx
C:\WINDOWS\system32\fsiqjrdq.exe
C:\WINDOWS\system32\hbbakgdn.exe
C:\WINDOWS\system32\hwadnswc.exe
C:\WINDOWS\system32\isgvbofd.exe
C:\WINDOWS\system32\jnmbkdvd.exe
C:\WINDOWS\system32\kuiqvojh.exe
C:\WINDOWS\system32\lcamckwq.exe
C:\WINDOWS\system32\lqqpexgx.exe
C:\WINDOWS\system32\ludptpau.exe
C:\WINDOWS\system32\mbcbhdbd.exe
C:\WINDOWS\system32\mcujfprn.exe
C:\WINDOWS\system32\ngtycwca.exe
C:\WINDOWS\system32\njemljce.exe
C:\WINDOWS\system32\nmltdyhl.exe
C:\WINDOWS\system32\oevwvnyi.exe
C:\WINDOWS\system32\pkhikebt.exe
C:\WINDOWS\system32\qhhxjoli.exe
C:\WINDOWS\system32\qtmivdfd.exe
C:\WINDOWS\system32\tjhkvrih.exe
C:\WINDOWS\system32\tyyrhmtq.exe
C:\WINDOWS\system32\ugklfovi.exe
C:\WINDOWS\system32\usrvtmcd.exe
C:\WINDOWS\system32\veefypcr.exe
C:\WINDOWS\system32\vlfcgikk.exe
C:\WINDOWS\system32\vswnccjf.exe
C:\WINDOWS\system32\vybsoxss.exe
C:\WINDOWS\system32\xiexxlhb.exe
C:\WINDOWS\system32\xvamxwea.exe
C:\WINDOWS\system32\xypgalll.exe
C:\WINDOWS\system32\yrtmkgmc.exe
C:\WINDOWS\updater.exe


(((((((((((((((((((((((((   Files Created from 2007-06-28 to 2007-07-30  )))))))))))))))))))))))))))))))


2007-07-30 23:41   51,200   --a------   C:\WINDOWS\nircmd.exe
2007-07-27 12:56   <DIR>   d--------   C:\Program Files\FOTOLAB Home Print Service
2007-07-27 12:51   <DIR>   d--------   C:\DOCUME~1\Janek\DATAAP~1\Leadertech
2007-07-27 12:51   <DIR>   d--------   C:\DOCUME~1\Janek\DATAAP~1\AdobeUM
2007-07-27 12:51   <DIR>   d--------   C:\DOCUME~1\Janek\DATAAP~1\AdobeAUM
2007-07-27 02:23   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DATAAP~1\TEMP
2007-07-27 02:18   76,288   --a------   C:\WINDOWS\system32\rlddi.dll
2007-07-27 02:18   76,288   --a------   C:\WINDOWS\system32\rlddf.dll
2007-07-27 02:18   <DIR>   d--------   C:\WINDOWS\system32\rl
2007-07-27 02:17   322,832   --a------   C:\WINDOWS\system32\Mfc30.dll
2007-07-27 02:17   289,280   --a------   C:\WINDOWS\uninst.exe
2007-07-27 02:17   15,872   --a------   C:\WINDOWS\system32\Mfcn30.dll
2007-07-25 02:52   <DIR>   d--------   C:\DOCUME~1\q(o.O)P\DATAAP~1\BSplayer Pro
2007-07-23 13:29   1,087,216   --a------   C:\WINDOWS\system32\zpeng24.dll
2007-07-23 13:29   <DIR>   d--------   C:\WINDOWS\system32\ZoneLabs
2007-07-23 02:28   4,212   ---h-----   C:\WINDOWS\system32\zllictbl.dat
2007-07-23 02:19   <DIR>   d--------   C:\WINDOWS\Internet Logs
2007-07-22 23:37   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DATAAP~1\Spybot - Search & Destroy
2007-07-21 17:37   <DIR>   d--------   C:\DOCUME~1\Janek\DATAAP~1\Webroot
2007-07-21 10:45   <DIR>   d--------   C:\DOCUME~1\Jitka\DATAAP~1\Webroot
2007-07-19 13:25   10,872   --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-19 11:30   22,080   --a------   C:\WINDOWS\system32\drivers\sshrmd.sys
2007-07-19 11:30   21,056   --a------   C:\WINDOWS\system32\drivers\sskbfd.sys
2007-07-19 11:30   20,544   --a------   C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-07-19 11:30   144,960   --a------   C:\WINDOWS\system32\drivers\ssidrv.sys
2007-07-19 11:30   <DIR>   d--------   C:\DOCUME~1\LOCALS~1\DATAAP~1\Webroot
2007-07-19 11:29   <DIR>   d--------   C:\DOCUME~1\q(o.O)P\DATAAP~1\Webroot
2007-07-19 11:29   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DATAAP~1\Webroot
2007-07-15 08:52   <DIR>   d--------   C:\DOCUME~1\q(o.O)P\Incomplete
2007-07-15 08:48   <DIR>   d--------   C:\DOCUME~1\q(o.O)P\DATAAP~1\LimeWire
2007-07-15 05:33   <DIR>   d--------   C:\DOCUME~1\q(o.O)P\DATAAP~1\My Games
2007-07-11 17:07   <DIR>   d--------   C:\Program Files\QuickTime
2007-07-11 17:07   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DATAAP~1\Apple Computer
2007-07-11 17:06   5,632   --a------   C:\WINDOWS\system32\ptpusb.dll
2007-07-11 17:06   150,528   --a------   C:\WINDOWS\system32\ptpusd.dll
2007-07-11 17:06   <DIR>   d--------   C:\WINDOWS\system32\BWKDLogs
2007-07-11 17:05   <DIR>   d--------   C:\Program Files\Kodak
2007-07-11 17:05   <DIR>   d--------   C:\Program Files\Common Files\Kodak
2007-07-11 17:03   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DATAAP~1\Kodak
2007-07-10 12:35   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DATAAP~1\Lavasoft
2007-07-07 23:41   <DIR>   d--------   C:\KBcertifikat
2007-07-07 23:27   <DIR>   d--------   C:\DOCUME~1\Janek\kbpki
2007-07-03 17:31   <DIR>   d--------   C:\DOCUME~1\Janek\DATAAP~1\ATI
2007-07-03 10:03   <DIR>   d--------   C:\DOCUME~1\q(o.O)P\DATAAP~1\ATI
2007-06-26 12:36   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DATAAP~1\InstallShield
2007-06-24 09:58   <DIR>   d--h-----   C:\WINDOWS\HUL
2007-06-24 09:34   4,682   --a------   C:\WINDOWS\system32\npptNT2.sys
2007-06-23 13:32   <DIR>   d--------   C:\DOCUME~1\q(o.O)P\WINDOWS
2007-06-17 10:41   <DIR>   d---s----   C:\DOCUME~1\q(o.O)P\UserData
2007-06-13 21:25   339,968   --a------   C:\WINDOWS\system32\ATIDEMGX.dll
2007-06-13 21:24   268,288   --a------   C:\WINDOWS\system32\ati2dvag.dll
2007-06-13 21:24   2,155,520   --a------   C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-06-13 21:23   307,200   --a------   C:\WINDOWS\system32\atiiiexx.dll
2007-06-13 21:17   42,496   --a------   C:\WINDOWS\system32\ati2edxx.dll
2007-06-13 21:17   26,112   --a------   C:\WINDOWS\system32\Ati2mdxx.exe
2007-06-13 21:17   139,264   --a------   C:\WINDOWS\system32\atipdlxx.dll
2007-06-13 21:17   118,784   --a------   C:\WINDOWS\system32\Oemdspif.dll
2007-06-13 21:16   118,784   --a------   C:\WINDOWS\system32\ati2evxx.dll
2007-06-13 21:15   483,328   --a------   C:\WINDOWS\system32\ati2evxx.exe
2007-06-13 21:14   53,248   --a------   C:\WINDOWS\system32\ATIDDC.DLL
2007-06-13 21:10   8,097,792   --a------   C:\WINDOWS\system32\atioglx2.dll
2007-06-13 21:07   2,922,208   --a------   C:\WINDOWS\system32\ati3duag.dll
2007-06-13 20:57   972,072   --a------   C:\WINDOWS\system32\ativva6x.dat
2007-06-13 20:57   3,107,788   --a------   C:\WINDOWS\system32\ativva5x.dat
2007-06-13 20:57   1,512,960   --a------   C:\WINDOWS\system32\ativvaxx.dll
2007-06-13 20:46   5,431,296   --a------   C:\WINDOWS\system32\atioglxx.dll
2007-06-13 20:43   262,144   --a------   C:\WINDOWS\system32\atikvmag.dll
2007-06-13 20:42   17,408   --a------   C:\WINDOWS\system32\atitvo32.dll
2007-06-13 20:41   50,176   --a------   C:\WINDOWS\system32\atiok3x2.dll
2007-06-13 20:41   49,152   --a------   C:\WINDOWS\system32\drivers\ati2erec.dll
2007-06-13 20:36   368,640   --a------   C:\WINDOWS\system32\ati2cqag.dll
2007-06-10 12:01   <DIR>   d--------   C:\Program Files\Autodesk
2007-06-08 15:24   <DIR>   d--------   C:\DOCUME~1\q(o.O)P\DATAAP~1\Autodesk
2007-06-07 16:29   <DIR>   d--------   C:\DOCUME~1\Jitka\DATAAP~1\Autodesk
2007-06-07 16:28   <DIR>   d--------   C:\Program Files\Common Files\Autodesk Shared
2007-06-07 16:28   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DATAAP~1\Autodesk
2007-06-07 14:44   512,096   --a------   C:\WINDOWS\system32\drivers\amon.sys
2007-06-07 14:44   298,104   --a------   C:\WINDOWS\system32\imon.dll
2007-06-07 14:44   15,424   --a------   C:\WINDOWS\system32\drivers\nod32drv.sys
2007-06-06 15:04   765,952   --a------   C:\WINDOWS\system32\xvidcore.dll
2007-06-06 15:04   180,224   --a------   C:\WINDOWS\system32\xvidvfw.dll
2007-06-06 15:04   <DIR>   d--------   C:\Program Files\Xvid
2007-06-04 15:18   9,344   --a------   C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17   8,320   --a------   C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14   6,272   --a------   C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-03 20:53   <DIR>   d--------   C:\Program Files\Common Files\Adobe Systems Shared
2007-06-03 20:53   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DATAAP~1\Adobe Systems
2007-06-03 11:21   <DIR>   d--------   C:\CRANK


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-23 02:22   ---------   d--------   C:\Program Files\Common Files\Agnitum Shared
2007-07-22 23:44   ---------   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2007-07-14 23:20   ---------   d--h-----   C:\Program Files\InstallShield Installation Information
2007-07-02 13:33   ---------   d--------   C:\Program Files\ATI Technologies
2007-06-25 19:07   73416   --a------   C:\WINDOWS\system32\perfc005.dat
2007-06-25 19:07   398746   --a------   C:\WINDOWS\system32\perfh005.dat
2007-06-13 21:50   43152   --a------   C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-06-13 14:29   520192   --a------   C:\WINDOWS\system32\ati2sgag.exe
2007-05-30 22:12   69119   --a------   C:\WINDOWS\hpoins05.dat
2007-05-30 22:10   ---------   d--------   C:\Program Files\Common Files\HP
2007-05-30 22:09   ---------   d--------   C:\Program Files\Hewlett-Packard
2007-05-30 22:08   ---------   d--------   C:\Program Files\Common Files\Hewlett-Packard
2007-05-30 22:03   ---------   d--------   C:\Program Files\HP
2007-05-30 21:59   ---------   d--h-----   C:\Program Files\WindowsUpdate
2007-05-30 21:24   ---------   d--------   C:\Program Files\AGEIA Technologies
2007-05-28 12:24   71539   --a------   C:\WINDOWS\War3Unin.dat
2007-05-18 15:16   409600   --a------   C:\WINDOWS\system32\wrap_oal.dll
2007-05-18 15:16   114688   --a------   C:\WINDOWS\system32\OpenAL32.dll
2007-04-01 09:02   456   --a------   C:\Program Files\INSTALL.LOG


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 10:31 C:\WINDOWS\SOUNDMAN.EXE]
"SpywareTerminator"="D:\SPYWAR~1\SpywareTerminatorShield.exe" [2007-01-23 22:55]
"nod32kui"="D:\Eset\nod32kui.exe" [2007-06-07 14:44]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-27 20:12]
"HP Software Update"="E:\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49]
"Adobe Reader Speed Launcher"="D:\Acrobat Reader 8\Reader\Reader_sl.exe" [2007-05-11 03:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]
"SpySweeper"="D:\Spy Sweeper\SpySweeperUI.exe" [2007-03-01 19:55]
"!AVG Anti-Spyware"="D:\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25]
"!ewido"="D:\ewido anti-spyware 4.0\ewido.exe" [2007-07-22 22:46]
"ZoneAlarm Client"="D:\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"Adobe Photo Downloader"="D:\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="E:\Steam\Steam.exe" []
"BlazeServoTool"="D:\BlazeDVD 5 Professional\MediaDetector.exe" [2006-06-29 10:54]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-20 18:05]
"SpybotSD TeaTimer"="D:\Spybot - Search & Destroy\TeaTimer.exe" [2007-07-10 21:47]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"ICQ Lite"=C:\Program Files\ICQLite\ICQLite.exe -trayboot

C:\Documents and Settings\q(o.O)P\Nabídka Start\Programy\Po spuštění\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 21:18:22]
HP Digital Imaging Monitor.lnk - E:\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08]
Rychlé spuštění aplikace HP Image Zone.lnk - E:\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
Software Kodak EasyShare.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 05:10:26]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"RunStartupScriptSync"=0 (0x0)
"SynchronousMachineGroupPolicy"=0 (0x0)
"SynchronousUserGroupPolicy"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRemoteRecursiveEvents"=1 (0x1)
"NoStrCmpLogical"=1 (0x1)
"NoClose"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"=1 (0x1)
"NoSaveSettings"=0 (0x0)
"NoRecentDocsHistory"=1 (0x1)
"NoLowDiskSpaceChecks"=1 (0x1)
"MemCheckBoxInRunDlg"=0 (0x0)
"NoClose"=0 (0x0)
"NoAutoTrayNotify"=0 (0x0)
"NoResolveTrack"=0 (0x0)
"NoResolveSearch"=1 (0x1)
"LinkResolveIgnoreLinkInfo"=1 (0x1)
"NoStartBanner"=01000000
"NoWelcomeScreen"=1 (0x1)
"NoRecentDocsNetHood"=1 (0x1)
"NoDesktopCleanupWizard"=1 (0x1)
"NoSharedDocuments"=1 (0x1)
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

R0 SSFS0509;Spy Sweeper File System Filer Driver: 0509;C:\WINDOWS\System32\Drivers\SSFS0509.SYS
R0 SSHRMD;Spy Sweeper Hookrack MiniDriver;C:\WINDOWS\System32\Drivers\SSHRMD.SYS
R0 SSIDRV;Spy Sweeper Interdiction Driver;C:\WINDOWS\System32\Drivers\SSIDRV.SYS
R1 AmdK8;Ovladač procesoru AMD Athlon64;C:\WINDOWS\System32\DRIVERS\AmdK8.sys
R1 nod32drv;nod32drv;C:\WINDOWS\System32\drivers\nod32drv.sys
R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\C:\WINDOWS\System32\drivers\sp_rsdrv2.sys
R2 InterBaseGuardian;InterBase Guardian;D:\Borland\InterBase\bin\ibguard.exe
R3 ALCXSENS;Service for WDM 3D Audio Driver;C:\WINDOWS\System32\drivers\ALCXSENS.SYS
R3 InterBaseServer;InterBase Server;D:\Borland\InterBase\bin\ibserver.exe
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINDOWS\System32\drivers\msmpu401.sys
R3 pcouffin;VSO Software pcouffin;C:\WINDOWS\System32\Drivers\pcouffin.sys
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\System32\DRIVERS\psched.sys
R3 SSKBFD;Webroot Spy Sweeper Keylogger Shield Keyboard Filter;C:\WINDOWS\System32\Drivers\sskbfd.sys
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB;C:\WINDOWS\System32\DRIVERS\usbohci.sys
S3 InterServer;InterBase InterClient Server;D:\Borland\InterBase\InterClient\bin\interserver.exe
S3 nm;Ovladač programu Sledování sítě;C:\WINDOWS\System32\DRIVERS\NMnt.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\System32\drivers\npf.sys
S3 usbccgp;Obecný nadřazený ovladač Microsoft USB;C:\WINDOWS\System32\DRIVERS\usbccgp.sys
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB;C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
Schedule


Contents of the 'Scheduled Tasks' folder
2007-07-11 15:08:37 C:\WINDOWS\Tasks\EasyShare Registration Task.job - C:\WINDOWS\System32\rundll32.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-30 23:48:00
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes]
"\f\1e?r?n?\xe9? ?u?k?a?z?a?t?e?l?e? ?"="C:\WINDOWS\cursors\arrow_r.cur,C:\WINDOWS\cursors\help_r.cur,C:\WINDOWS\cursors\wait_r.cur,C:\WINDOWS\cursors\busy_r.cur,C:\WINDOWS\cursors\cross_r.cur,C:\WINDOWS\cursors\beam_r.cur,C:\WINDOWS\cursors\pen_r.cur,C:\WINDOWS\cursors\no_r.cur,C:\WINDOWS\cursors\size4_r.cur,C:\WINDOWS\cursors\size3_r.cur,C:\WINDOWS\cursors\size2_r.cur,C:\WINDOWS\cursors\size1_r.cur,C:\WINDOWS\cursors\move_r.cur,C:\WINDOWS\cursors\up_r.cur"
"\f\1e?r?n?\xe9? ?u?k?a?z?a?t?e?l?e? ?(?v?e?l?k?\xe9?)?"="C:\WINDOWS\cursors\arrow_rm.cur,C:\WINDOWS\cursors\help_rm.cur,C:\WINDOWS\cursors\wait_rm.cur,C:\WINDOWS\cursors\busy_rm.cur,C:\WINDOWS\cursors\cross_rm.cur,C:\WINDOWS\cursors\beam_rm.cur,C:\WINDOWS\cursors\pen_rm.cur,C:\WINDOWS\cursors\no_rm.cur,C:\WINDOWS\cursors\size4_rm.cur,C:\WINDOWS\cursors\size3_rm.cur,C:\WINDOWS\cursors\size2_rm.cur,C:\WINDOWS\cursors\size1_rm.cur,C:\WINDOWS\cursors\move_rm.cur,C:\WINDOWS\cursors\up_rm.cur"
"\f\1e?r?n?\xe9? ?u?k?a?z?a?t?e?l?e? ?(?n?e?j?v?\e\1t?a\1\xed?)?"="C:\WINDOWS\cursors\arrow_rl.cur,C:\WINDOWS\cursors\help_rl.cur,C:\WINDOWS\cursors\wait_rl.cur,C:\WINDOWS\cursors\busy_rl.cur,C:\WINDOWS\cursors\cross_rl.cur,C:\WINDOWS\cursors\beam_rl.cur,C:\WINDOWS\cursors\pen_rl.cur,C:\WINDOWS\cursors\no_rl.cur,C:\WINDOWS\cursors\size4_rl.cur,C:\WINDOWS\cursors\size3_rl.cur,C:\WINDOWS\cursors\size2_rl.cur,C:\WINDOWS\cursors\size1_rl.cur,C:\WINDOWS\cursors\move_rl.cur,C:\WINDOWS\cursors\up_rl.cur"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9CB1D540-D31A-63AA-7167-402D681BE3DB}]

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-30 23:50:05 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-30 23:49

   --- E O F ---



And the ComboFix quarantined files log from the first scan:

1995-12-22 12:16  432 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\CFX32.LIC.vir
1996-06-10 16:24  307200 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\CFX32.OCX.vir
2006-10-22 16:00  1167360 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Updater.exe.vir
2007-03-20 20:56  478436 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\lnnmp.tmp.vir
2007-03-20 22:39  479752 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\lnnmp.ini.vir
2007-07-11 17:16  66580 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\njykrfhw.dll.vir
2007-07-11 21:10  66580 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\jujhbsjj.dll.vir
2007-07-11 21:13  66580 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\uaitmdin.dll.vir
2007-07-12 11:37  66580 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\gpycjexc.dll.vir
2007-07-12 12:42  66580 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\xaywpuvl.dll.vir
2007-07-12 15:23  66580 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\hakpiwmh.dll.vir
2007-07-12 19:27  66580 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\aelpustb.dll.vir
2007-07-12 19:39  66580 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\lungesmg.dll.vir
2007-07-13 09:00  66580 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ahyqwinl.dll.vir
2007-07-13 16:08  66580 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\xwpvbxop.dll.vir
2007-07-13 20:38  66580 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\vsowpfqv.dll.vir
2007-07-13 21:08  66580 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\cuyhjatt.dll.vir
2007-07-14 21:08  66580 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\leyrqjur.dll.vir
2007-07-14 23:34  66580 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tgchxgjh.dll.vir
2007-07-15 15:17  66580 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tgncrijb.dll.vir
2007-07-16 10:32  66580 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tjgsavvu.dll.vir
2007-07-16 15:43  66580 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\dibavyys.dll.vir
2007-07-16 15:47  66580 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\qavugfxr.dll.vir
2007-07-16 16:26  66580 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\dcfbypda.dll.vir
2007-07-16 22:02  66580 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\jghspmkr.dll.vir
2007-07-16 23:36  1031310 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\lnnmp.bak1.vir
2007-07-16 23:37  66580 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\cdhhuxbm.dll.vir
2007-07-17 15:14  66580 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\euxqysrj.dll.vir
2007-07-17 15:37  66580 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\faprwdjs.dll.vir
2007-07-18 01:06  66580 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\snghnpul.dll.vir
2007-07-18 17:35  66580 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\cpfkatxk.dll.vir
2007-07-18 18:10  66580 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ojpsonqf.dll.vir
2007-07-19 10:17  66580 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tunupheb.dll.vir
2007-07-19 11:05  66580 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\lubnnpkp.dll.vir
2007-07-19 11:40  66580 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\gifgyxat.dll.vir
2007-07-19 13:06  66580 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\cvnsqgyg.dll.vir
2007-07-19 13:19  66580 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wovfrsty.dll.vir
2007-07-19 20:45  893353 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\lnnmp.bak2.vir
2007-07-19 20:46  66580 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\rsfqvcle.dll.vir
2007-07-19 20:48  892969 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\lnnmp.ini2.vir


Výpis CESTY složky
Sériové číslo svazku je 71F8E346 3C21:5D8A
C:\QOOBOX
\---Quarantine
+---C
|   \---WINDOWS
|   |   Updater.exe.vir
|   |  
|   \---system32
|   aelpustb.dll.vir
|   ahyqwinl.dll.vir
|   cdhhuxbm.dll.vir
|   CFX32.LIC.vir
|   CFX32.OCX.vir
|   cpfkatxk.dll.vir
|   cuyhjatt.dll.vir
|   cvnsqgyg.dll.vir
|   dcfbypda.dll.vir
|   dibavyys.dll.vir
|   euxqysrj.dll.vir
|   faprwdjs.dll.vir
|   gifgyxat.dll.vir
|   gpycjexc.dll.vir
|   hakpiwmh.dll.vir
|   jghspmkr.dll.vir
|   jujhbsjj.dll.vir
|   leyrqjur.dll.vir
|   lnnmp.bak1.vir
|   lnnmp.bak2.vir
|   lnnmp.ini.vir
|   lnnmp.ini2.vir
|   lnnmp.tmp.vir
|   lubnnpkp.dll.vir
|   lungesmg.dll.vir
|   njykrfhw.dll.vir
|   ojpsonqf.dll.vir
|   qavugfxr.dll.vir
|   rsfqvcle.dll.vir
|   snghnpul.dll.vir
|   tgchxgjh.dll.vir
|   tgncrijb.dll.vir
|   tjgsavvu.dll.vir
|   tunupheb.dll.vir
|   uaitmdin.dll.vir
|   vsowpfqv.dll.vir
|   wovfrsty.dll.vir
|   xaywpuvl.dll.vir
|   xwpvbxop.dll.vir
|  
\---Registry_backups
Title: Infected Winlogon.exe and Svchost.exe
Post by: guestolo on July 30, 2007, 11:06:33 PM
Click Start > Run > and type in:

services.msc

Click OK.

In the services window find this exact name

Spyware Terminator Clam Service

Right click on it and choose "Properties".
Beside "Startup Type" in the dropdown menu select "Disabled".
On the "General" tab under "Service Status", if selectable, click the "Stop" button to stop the service.
Click Apply then OK.
Do the same for this service name

Spyware Terminator Realtime Shield Service

then Exit

Post JUST a fresh hijackthis log please, I'm having a hard time reading all the logs
Let me know how things are running
Title: Infected Winlogon.exe and Svchost.exe
Post by: Society_Sucker on July 31, 2007, 06:28:21 AM
Sorry for my late reply, but I had fallen asleep. It was early morning, as I mentioned.

I have disabled those services as you told me.

And here is my Hijackthis log :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:26:51, on 31.7.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Eset\nod32kui.exe
E:\a-squared Free\a2service.exe
D:\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
D:\Borland\InterBase\bin\ibguard.exe
D:\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
D:\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\explorer.exe
D:\FlashFXP_v3.4.1.1173\FlashFXP v3.4.1.1173\FlashFXP.exe
D:\Winamp\winamp.exe
D:\Mozilla\mozilla.exe
E:\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\FlashGet\getflash.dll
O4 - HKLM\..\Run: [nod32kui] "D:\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [srePostpone] rundll32.exe c:\windows\system32\zonelabs\srescan.dll,DoSpecialAction
O4 - HKCU\..\Run: [Steam] "E:\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = E:\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Stáhnout FlashGetem - D:\FlashGet\jc_link.htm
O8 - Extra context menu item: &Stáhnout všechno FlashGetem - D:\FlashGet\jc_all.htm
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FlashGet\FlashGet.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E409859C-E4EA-4B68-8854-EB64B5F6DA10}: NameServer = 217.75.208.10,217.75.208.11
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - E:\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - D:\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - D:\Borland\InterBase\bin\ibserver.exe
O23 - Service: InterBase InterClient Server (InterServer) - InterBase - D:\Borland\InterBase\InterClient\bin\interserver.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - D:\Eset\nod32krn.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Unknown owner - C:\Program Files\WinClamAVShield\sp_clamsrv.exe (file missing)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Unknown owner - D:\Spyware Terminator\sp_rsser.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5240 bytes
Title: Infected Winlogon.exe and Svchost.exe
Post by: guestolo on July 31, 2007, 07:36:40 AM
Those 2 services related to SpywareTerminator are still running?
Did you stop and disable them?

Your Java Runtime Environment is out of date. Older versions have vulnerabilities that malware can use to infect your system. DON'T install it yet

Close all browser windows, including this one
# Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
# Check any item with Java Runtime Environment (JRE or J2SE) in the name
# Click the Remove or Change/Remove button.
# Repeat as many times as necessary to remove each Java versions.
Examples of older versions:
Java SE Runtime Environment 5 Update 6
Java SE Runtime Environment 5 Update 11

Do a "System scan only" with Hijackthis and put a check next to these entries:

O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Unknown owner - C:\Program Files\WinClamAVShield\sp_clamsrv.exe (file missing)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Unknown owner - D:\Spyware Terminator\sp_rsser.exe (file missing)


After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot the computer
Go ahead and install the latest version of Java from the installer on the desktop

I missed that you also had the free version of A-Squared installed
Can you update it and run a scan
Fix what it finds, post a log if you get one

In addition, can you do the following
go here:
http://www.billsway.com/vbspage/
Scroll down the page
and download the "Registry Search Tool"
Unzip RegSrch.zip to the desktop
Double click on RegSrch.vbs

**If you get a warning from your Anti Virus please ignore it and allow this to run.**
When it starts, you will be prompted to enter a search phrase.
Enter this:

9CB1D540-D31A-63AA-7167-402D681BE3DB

Click OK, it will disappear and won't look as if it's doing anything. When it's done searching, a prompt will come up saying how many instances it found. Click OK, and a notepad will open up. Please copy the contents of that notepad and paste it here.

Also post a fresh hijackthis log, let's see if those 2 services are still running

Recap, I need to see the following
1. If you get a log from A-squared, post the results
2. Post the results from Registry Search tool
3. Post a fresh hijackthis log
4. Keep me informed how things are running
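As an added example (not code from this thread and not part of HijackThis), here is a small Python parser for the O23 service lines of a HijackThis 2.0 log. It picks out the entries a helper looks at first: services whose binary is gone, like the two Spyware Terminator entries asked to be fixed above, and services HijackThis lists with an unknown owner. The sample lines are copied from the log posted in this thread; the line layout the regex assumes is the one visible in that log.

```python
"""Flag O23 (service) entries in a HijackThis 2.0 log worth a second look.

Added example, not part of the original thread or of HijackThis. It assumes
the O23 layout seen in the log above:
  O23 - Service: <display name> (<short name>) - <owner> - <path> [(file missing)]
"""
import re
from dataclasses import dataclass, field

# One O23 line. The trailing "(file missing)" means the service entry still
# exists in the registry but the binary it points at is gone.
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)

# HijackThis prints this when it cannot read a company name from the
# binary's version information (or when the binary is not there at all).
UNKNOWN_OWNER = "Unknown owner"


@dataclass
class ServiceEntry:
    name: str
    owner: str
    path: str
    file_missing: bool
    reasons: list = field(default_factory=list)


def parse_o23(line: str):
    """Return a ServiceEntry for an O23 line, or None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(
        name=m["name"].strip(),
        owner=m["owner"].strip(),
        path=m["path"].strip(),
        file_missing=m["missing"] is not None,
    )


def flag_services(log_text: str):
    """Parse every O23 line and return those with at least one reason attached.

    An orphaned entry (binary missing) does nothing by itself, but it keeps the
    service name registered, so a dropped file at that path would start again;
    that is why such entries are removed rather than left in place.
    """
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry is None:
            continue
        if entry.file_missing:
            entry.reasons.append("binary missing")
        if entry.owner == UNKNOWN_OWNER:
            entry.reasons.append("unknown owner")
        if entry.reasons:
            flagged.append(entry)
    return flagged


# Sample lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = """\
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - E:\\a-squared Free\\a2service.exe
O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\system32\\ati2sgag.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\\WINDOWS\\system32\\drivers\\KodakCCS.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - D:\\Eset\\nod32krn.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Unknown owner - C:\\Program Files\\WinClamAVShield\\sp_clamsrv.exe (file missing)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Unknown owner - D:\\Spyware Terminator\\sp_rsser.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe
"""

if __name__ == "__main__":
    for e in flag_services(SAMPLE_LOG):
        print(f"{e.name}: {', '.join(e.reasons)}  [{e.path}]")
```

On the sample above this lists ATI Smart (unknown owner only) and the three orphaned entries; the two Spyware Terminator lines are exactly the ones ticked in the "Fix checked" step.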
Title: Infected Winlogon.exe and Svchost.exe
Post by: Society_Sucker on July 31, 2007, 08:42:39 AM
I am sorry, English is not my first language and my Windows is also in Czech, so I wasn't sure what to do with those services. I didn't understand the phrase "dropdown menu", but now I know what it is and have disabled both services. Sorry for that, it was a stupid mistake.


1)
Here is the A-squared log :

a-squared Free - Version 3.0
Last update: 31.7.2007 15:12:32

Scan settings:

Objects: Memory, Traces, Cookies, C:\WINDOWS\, C:\Program Files
Scan archives: On
Heuristics: On
ADS Scan: On

Scan start:   31.7.2007 15:13:45

c:\documents and settings\q(o.o)p\data aplikací\bsplayer pro    detected: Trace.Directory.BSplayer
c:\documents and settings\q(o.o)p\data aplikací\bsplayer pro\bsplayer.xml    detected: Trace.File.BSplayer
Value: HKEY_USERS\S-1-5-21-1957994488-1390067357-725345543-1003\Software\BST\bsplayerv1 --> AppPath    detected: Trace.Registry.BSplayer
Value: HKEY_USERS\S-1-5-21-1957994488-1390067357-725345543-1003\Software\BST\bsplayerv1 --> AppVer    detected: Trace.Registry.BSplayer
C:\WINDOWS\nircmd.exe    detected: Heuristic.Dialer.RAS

Scanned

Files:    17908
Traces:    295489
Cookies:    24
Processes:    32

Found

Files:    1
Traces:    4
Cookies:    0
Processes:    0
Registry keys:    0

Scan end:   31.7.2007 15:27:09
Scan time:   0:13:24


2) I used the registry search but it didn't find any results, so I didn't get any log in Notepad.

3) And my Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:31:36, on 31.7.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Eset\nod32kui.exe
D:\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
D:\Borland\InterBase\bin\ibguard.exe
D:\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
D:\Borland\InterBase\bin\ibserver.exe
D:\Opera\Opera.exe
D:\Winamp\winamp.exe
D:\Trillian\trillian.exe
D:\FlashFXP_v3.4.1.1173\FlashFXP v3.4.1.1173\FlashFXP.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Mozilla\mozilla.exe
E:\a-squared Free\a2service.exe
C:\WINDOWS\system32\NOTEPAD.EXE
E:\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\FlashGet\getflash.dll
O4 - HKLM\..\Run: [nod32kui] "D:\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [Steam] "E:\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = E:\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Stáhnout FlashGetem - D:\FlashGet\jc_link.htm
O8 - Extra context menu item: &Stáhnout všechno FlashGetem - D:\FlashGet\jc_all.htm
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FlashGet\FlashGet.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E409859C-E4EA-4B68-8854-EB64B5F6DA10}: NameServer = 217.75.208.10,217.75.208.11
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - E:\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - D:\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - D:\Borland\InterBase\bin\ibserver.exe
O23 - Service: InterBase InterClient Server (InterServer) - InterBase - D:\Borland\InterBase\InterClient\bin\interserver.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - D:\Eset\nod32krn.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5017 bytes

4) I am not sure what you want to hear from me, but my PC is already running a lot smoother than yesterday.
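A small triage helper, added here as an example and not part of the thread, of HijackThis or of any tool named in it: it parses O4 (Run key) and O23 (service) lines in the HijackThis v2 format shown above and flags entries marked "(file missing)", entries with "Unknown owner", and executables sitting directly in the Windows folder. The sample lines are constructed (the "updater" entry and its path are placeholders, not values from the log).

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis v2 log format; shaped like the thread's log but not a copy of it.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nod32kui] "D:\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [Steam] "E:\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKLM\..\Run: [updater] C:\WINDOWS\example_dropped.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - D:\Eset\nod32krn.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$')
WINDOWS_ROOT_RE = re.compile(r'^[A-Za-z]:\\WINDOWS\\[^\\]+$', re.IGNORECASE)  # file directly in the Windows folder

@dataclass
class Entry:
    kind: str               # "O4" = Run key entry, "O23" = service
    name: str
    owner: str              # registry hive for O4, publisher string for O23
    path: str
    flags: list = field(default_factory=list)

def exe_from_command(cmd):
    """Pull the executable path out of a Run value: the quoted path, else the text up to the first .exe."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)', cmd, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else cmd

def parse_hjt(text):
    """Parse O4 and O23 lines into Entry objects and attach review flags."""
    entries = []
    for line in text.splitlines():
        if m := O4_RE.match(line):
            e = Entry("O4", m["name"], m["hive"], exe_from_command(m["cmd"]))
        elif m := O23_RE.match(line):
            e = Entry("O23", m["name"], m["owner"].strip(), m["path"])
            if m["missing"]:
                e.flags.append("file missing")       # orphaned service registration
            if e.owner.lower() == "unknown owner":
                e.flags.append("no publisher")       # no company name in the binary's version info
        else:
            continue
        if WINDOWS_ROOT_RE.match(e.path):
            e.flags.append("binary directly in Windows folder")
        entries.append(e)
    return entries

def flagged(entries):
    """Entries that deserve a closer look before deciding what to fix."""
    return [e for e in entries if e.flags]

if __name__ == "__main__":
    for e in flagged(parse_hjt(SAMPLE_LOG)):
        print(f"{e.kind} {e.name!r} {e.path} -> {', '.join(e.flags)}")
```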
Title: Infected Winlogon.exe and Svchost.exe
Post by: guestolo on August 01, 2007, 10:31:35 PM
Good work

If everything is running better
I suggest that you still do the following

Go to START>>All Programs>>Accessories>>System Tools>>System Restore
Select>>Create a New restore point
Give it a name and click Create
When that's done

Go to START>>RUN>>type the following
cleanmgr
Hit OK
Let it finish calculating

Select the More Options tab
and click Cleanup.. under 'System Restore'
This will clear all later restore points except for the one you just made

Ok the prompts, it may take a few seconds to remove old restore points
Ok again after it's ready and let it finish cleaning


I would add a bit more protection to this computer
Install
SpywareBlaster 3.5.1 by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html). After installation, check for updates
After updating, select "Protection" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"

REDownload and Install Spybot 1.4 from
HERE (http://fileforum.betanews.com/detail/Spybot_Search_and_Destroy/1043809773/1)

After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and then download all updates (Or right click the results pane and SELECT ALL)
Ensure all updates are successful, a GREEN check will indicate this
If you have an error updating, search for updates again and retry the download until all updates are successfully installed
After update is complete

Utilize the Immunization feature in Spybot 1.4
After every update
Click the "Immunize" button>>OK the prompt>>Immunize again at the top green cross

If there are other user profiles on the computer, have them login and enable all protections with Spywareblaster
and Immunize with Spybot after every update
You may want to run a scan also

Let's remove some files/folders that we used
Download this tool:
OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer: After reboot you can empty your recycle bin

If all is well, I'll lock this topic
Let me know please
Title: Infected Winlogon.exe and Svchost.exe
Post by: Society_Sucker on August 03, 2007, 12:25:00 PM
Ok, all done. My PC is now running nearly like after a fresh Windows installation :). Not so smooth, but it's much better than before my first post here.

Thanks for all your help. You are doing a really great job here, keep it up :)
Title: Infected Winlogon.exe and Svchost.exe
Post by: guestolo on August 03, 2007, 12:28:41 PM
Glad to help, I'll lock this topic as your problems are resolved
Take care Society_Sucker :)