Author Topic: HJT Log Help  (Read 969 times)

Offline sndement
HJT Log Help
« on: November 27, 2007, 10:52:39 PM »
Hi,

I have this horrid Outerinfo virus on my pc. It has completely taken over to the point where I can't even run IE on my pc anymore. When I remove all of the programs in the entire bundle in safe mode it still re-installs each time I reboot my machine. I have borrowed another pc tonight in order to install HJT from a USB disk to my pc. This is the log I have come up with... do I need to post the startup list as well?

PS: I have no other details except that my pc's active desktop has turned itself off and it has become a complete nightmare.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:30:22 PM, on 11/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Venturi2\Configurator\ventcfg.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ESDUSBMon.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\mgrs.exe
C:\Documents and Settings\Suzanne Dement\Application Data\?asks\s?rvices.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\MCROSO~1.NET\chkdsk.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\rlprtgtx.exe
C:\WINDOWS\system32\EpStsSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Venturi2\Client\ventc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Documents and Settings\Suzanne Dement\Application Data\pcpriv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\jctzxafg.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Venturi Configurator] C:\Program Files\Venturi2\Configurator\ventcfg.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ESDUSBMon.exe] C:\WINDOWS\system32\ESDUSBMon.exe
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [mnwtszmj] rundll32.exe "C:\Program Files\hinktspq\datepmty.dll",Init
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvnib.dll,startup
O4 - HKLM\..\Run: [lkpsdutc] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\lkpsdutc.dll"
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [f0ae5a35] rundll32.exe "C:\WINDOWS\system32\agrhoxkj.dll",b
O4 - HKCU\..\Run: [PestTrap] C:\Program Files\PestTrap\PestTrap.exe
O4 - HKCU\..\Run: [Nijpymvp] "C:\Documents and Settings\Suzanne Dement\Application Data\?asks\s?rvices.exe"
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sen] "C:\PROGRA~1\COMMON~1\MCROSO~1.NET\chkdsk.exe" -vt ndrv
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - Startup: findfast.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\append.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U3V6YW5uZSBEZW1lbnQ\command.exe (file missing)
O23 - Service: DomainService -   - C:\WINDOWS\system32\rlprtgtx.exe
O23 - Service: EPSON ESC/POS Status Service (EPSON ESCPOS Status Service) - SEIKO EPSON Corp. - C:\WINDOWS\SYSTEM32\EpStsSrv.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Venturi2 Client (Venturi2) - Venturi Wireless - C:\Program Files\Venturi2\Client\ventc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\progy.html

--
End of file - 8777 bytes
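A first triage pass over lines in this HijackThis log format, added here as an example that is not part of the thread and not HijackThis's own code: it parses the section code on each line and flags the entry classes a helper reads first (F2 shell hijack, O4 autoruns from odd locations or with look-alike or undisplayable names, O7 policy locks, O15 Trusted Zone additions, O20 AppInit_DLLs, O23 services with no vendor or a missing binary, O24 desktop components). The sample lines are constructed from entries like those in the log above with the user name genericised; the folder and file-name heuristics are my own assumptions, not HJT's rules.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2.0 line format, modelled on the log above
# (one entry per section of interest, plus legitimate Java and Intel entries as negatives).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [Nijpymvp] "C:\Documents and Settings\User\Application Data\?asks\s?rvices.exe"
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O15 - Trusted Zone: *.trustedantivirus.com
O20 - AppInit_DLLs: C:\WINDOWS\system32\append.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U3V6YW5uZSBEZW1lbnQ\command.exe (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\progy.html
"""

# Every HJT entry starts with a section code ("R0", "F2", "O4", ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# First Windows path ending in a binary or page; non-greedy so "x.exe <args>" stops at .exe.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|html?))", re.IGNORECASE)

# Genuine Windows binaries whose names get imitated by shuffling letters (spoolvs.exe).
SYSTEM_NAMES = {"spoolsv.exe", "svchost.exe", "services.exe", "lsass.exe",
                "winlogon.exe", "explorer.exe", "ctfmon.exe"}
SORTED_SYSTEM = {"".join(sorted(n)) for n in SYSTEM_NAMES}


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _autorun_finding(sec, body, line):
    """Heuristics for O4 (Run key / Startup folder) entries; assumptions, not HJT rules."""
    m = PATH_RE.search(body)
    if m is None:
        target = body.split("] ", 1)[-1]
        return Finding(sec, "bare file name, resolved via the search PATH: " + target, line)
    path = m.group(1)
    folder, _, name = path.rpartition("\\")
    folder, name = folder.lower(), name.lower()
    if "?" in name:
        # HJT prints a character it cannot display as '?'; compare ASKS~1 in the ComboFix log.
        return Finding(sec, "undisplayable character in file name: " + path, line)
    if name not in SYSTEM_NAMES and "".join(sorted(name)) in SORTED_SYSTEM:
        return Finding(sec, "look-alike of a Windows system binary: " + name, line)
    if folder == "c:\\windows" or "application data" in folder or "\\temp" in folder:
        return Finding(sec, "autorun from an unusual location: " + path, line)
    return None


def triage_line(line):
    """Return a Finding for one HJT log line, or None if the line looks benign."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec == "F2" and "Shell=" in body:
        shell = body.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return Finding(sec, "Winlogon shell launches an extra loader: " + shell, line)
    elif sec == "O4":
        return _autorun_finding(sec, body, line)
    elif sec == "O7":
        return Finding(sec, "policy restriction set: " + body.split(", ")[-1], line)
    elif sec == "O15":
        return Finding(sec, "domain added to the IE Trusted Zone: " + body.partition(": ")[2], line)
    elif sec == "O20" and body.startswith("AppInit_DLLs:"):
        return Finding(sec, "DLL loaded into every GUI process: " + body.partition(": ")[2], line)
    elif sec == "O23" and ("Unknown owner" in body or "(file missing)" in body):
        return Finding(sec, "service with no vendor or a missing binary", line)
    elif sec == "O24":
        return Finding(sec, "Active Desktop component (often a locked wallpaper/warning page)", line)
    return None


def triage_log(text):
    """Run triage_line over a whole log and keep the hits, in log order."""
    return [f for f in map(triage_line, text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}")
```

The heuristics are deliberately narrow; a hit marks a line for a human to look at, not a verdict.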

Offline guestolo
HJT Log Help
« Reply #1 on: November 28, 2007, 10:49:39 AM »
Can you do the following:
Download these 2 tools and transfer them to the infected computer's desktop.

DON'T run them from the USB stick.
Download VundoFix.exe and transfer it to the infected computer's desktop.

Download this file - Combofix.exe - and save it ONLY to the desktop of the infected computer.
We'll need it later.

Vundofix
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button."

I'll need to see this report from Vundofix later>>C:\Vundofix.txt

Combofix
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Its default location is C:\Combofix.txt

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Post back all the following, even if it takes more than one reply to do so

1. Post the log from Combofix
2. Post the log from Vundofix
3. Post a fresh hijackthis log

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline sndement
HJT Log Help
« Reply #2 on: November 28, 2007, 12:18:17 PM »
Thank you so much for your help. I did exactly what you said and here are the logs that you asked for!

ComboFix 07-11-28.2 - Suzanne Dement 2007-11-28 11:03:35.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.656 [GMT -6:00]
Running from: C:\Documents and Settings\Suzanne Dement\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\lkpsdutc.dll
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Documents and Settings\Chris Dement\Application Data\install.dat
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\Documents and Settings\Suzanne Dement\Application Data\ASKS~1
C:\Documents and Settings\Suzanne Dement\Application Data\ASKS~1\s?rvices.exe
C:\Documents and Settings\Suzanne Dement\Desktop\Find Spyware Remover.lnk
C:\Documents and Settings\Suzanne Dement\Desktop\Free Online Dating.lnk
C:\Documents and Settings\Suzanne Dement\Desktop\Go to Casino.lnk
C:\Documents and Settings\Suzanne Dement\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Suzanne Dement\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Suzanne Dement\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Suzanne Dement\Start Menu\Programs\Startup\findfast.exe
C:\Program Files\3269.exe
C:\Program Files\Common Files\lawu.dll
C:\Program Files\Common Files\lawu832.dll
C:\Program Files\Common Files\lawu862.dll
C:\Program Files\Common Files\mcroso~1.net
C:\Program Files\Common Files\mcroso~1.net\chkdsk.exe
C:\Program Files\Common Files\mcroso~1.net\M?crosoft.NET\
C:\Program Files\Common Files\progy.html
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1549OinAdmin.exe
C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
C:\Program Files\ucleaner_setup.exe
C:\Program Files\Ultimate Cleaner
C:\Program Files\xloader10181.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\avp.exe
C:\WINDOWS\Casino.ico
C:\WINDOWS\cookies.ini
C:\WINDOWS\Free Online Dating.ico
C:\WINDOWS\mgrs.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu77.exe
C:\WINDOWS\shell.exe
C:\WINDOWS\Spyware Remover.ico
C:\WINDOWS\system32\agrhoxkj.dll
C:\WINDOWS\system32\append.dll
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\b1
C:\WINDOWS\system32\b1\dnslook11.exe
C:\WINDOWS\system32\bjhtsokx.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\g2
C:\WINDOWS\system32\g2\bemwdll3.exe
C:\WINDOWS\system32\i2
C:\WINDOWS\system32\i2\mper83122.exe
C:\WINDOWS\system32\ibncxiq.dll
C:\WINDOWS\system32\jkxohrga.ini
C:\WINDOWS\system32\ldcore.dll
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\n8
C:\WINDOWS\system32\n8\ensts2dll.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\qyfufaql.dll
C:\WINDOWS\system32\rlprtgtx.exe
C:\WINDOWS\system32\rMa01yy
C:\WINDOWS\system32\rMa02yy
C:\WINDOWS\system32\spoolvs.exe
C:\WINDOWS\system32\tgsqljjt.dll
C:\WINDOWS\system32\tnrtmwuk
C:\WINDOWS\system32\tnrtmwuk\bg1.gif
C:\WINDOWS\system32\tnrtmwuk\bgtop.gif
C:\WINDOWS\system32\tnrtmwuk\bottom1.gif
C:\WINDOWS\system32\tnrtmwuk\essentials.gif
C:\WINDOWS\system32\tnrtmwuk\icon1.ico
C:\WINDOWS\system32\tnrtmwuk\install1.gif
C:\WINDOWS\system32\tnrtmwuk\left1.gif
C:\WINDOWS\system32\tnrtmwuk\li.gif
C:\WINDOWS\system32\tnrtmwuk\logo.gif
C:\WINDOWS\system32\tnrtmwuk\main.htm
C:\WINDOWS\system32\tnrtmwuk\mainframe.htm
C:\WINDOWS\system32\tnrtmwuk\reinstall1.gif
C:\WINDOWS\system32\tnrtmwuk\right1.gif
C:\WINDOWS\system32\tnrtmwuk\s1.htm
C:\WINDOWS\system32\tnrtmwuk\s2.htm
C:\WINDOWS\system32\tnrtmwuk\s3.htm
C:\WINDOWS\system32\tnrtmwuk\SMTop1.gif
C:\WINDOWS\system32\tnrtmwuk\SMTop2.gif
C:\WINDOWS\system32\tnrtmwuk\SMTop3.gif
C:\WINDOWS\system32\tnrtmwuk\SMTop4.gif
C:\WINDOWS\system32\tnrtmwuk\soft1_off.gif
C:\WINDOWS\system32\tnrtmwuk\soft1_off_ext.gif
C:\WINDOWS\system32\tnrtmwuk\soft1_on.gif
C:\WINDOWS\system32\tnrtmwuk\soft1_on_ext.gif
C:\WINDOWS\system32\tnrtmwuk\soft2_off.gif
C:\WINDOWS\system32\tnrtmwuk\soft2_off_ext.gif
C:\WINDOWS\system32\tnrtmwuk\soft2_on.gif
C:\WINDOWS\system32\tnrtmwuk\soft2_on_ext.gif
C:\WINDOWS\system32\tnrtmwuk\soft3_off.gif
C:\WINDOWS\system32\tnrtmwuk\soft3_off_ext.gif
C:\WINDOWS\system32\tnrtmwuk\soft3_on.gif
C:\WINDOWS\system32\tnrtmwuk\soft3_on_ext.gif
C:\WINDOWS\system32\tnrtmwuk\softbottom_off.gif
C:\WINDOWS\system32\tnrtmwuk\softbottom_on.gif
C:\WINDOWS\system32\tnrtmwuk\softleft_off.gif
C:\WINDOWS\system32\tnrtmwuk\softleft_on.gif
C:\WINDOWS\system32\tnrtmwuk\tnrtmwuk1.exe
C:\WINDOWS\system32\tnrtmwuk\tnrtmwuk2.exe
C:\WINDOWS\system32\tnrtmwuk\tnrtmwuk3.exe
C:\WINDOWS\system32\tnrtmwuk\top1.gif
C:\WINDOWS\system32\tnrtmwuk\top2.gif
C:\WINDOWS\system32\tnrtmwuk\turnoff1.gif
C:\WINDOWS\system32\tnrtmwuk\turnon1.gif
C:\WINDOWS\system32\vpbwnuce.exe
C:\WINDOWS\system32\winkvs32.dll
C:\WINDOWS\system32\xlibgfl254.dll
C:\WINDOWS\system32\ybdhdmdg.dll
C:\WINDOWS\U3V6YW5uZSBEZW1lbnQ\asappsrv.dll
C:\WINDOWS\uninstall_nmon.vbs

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\cmdService
-------\core
-------\DomainService


(((((((((((((((((((((((((   Files Created from 2007-10-28 to 2007-11-28  )))))))))))))))))))))))))))))))
.

2007-11-28 10:43 . 2007-11-28 10:43   24,576   --a------   C:\WINDOWS\system32\VundoFixSVC.exe
2007-11-28 10:33 . 2007-11-28 10:49   <DIR>   d--------   C:\VundoFix Backups
2007-11-27 21:30 . 2005-04-03 23:03   204,832   --a------   C:\Documents and Settings\Suzanne Dement\Application Data\pcpriv.exe
2007-11-27 21:18 . 2007-11-27 21:18   <DIR>   d--------   C:\Program Files\Trend Micro
2007-11-27 14:44 . 2007-11-28 11:08   18,432   --a------   C:\WINDOWS\system32\append.dll
2007-11-23 19:46 . 2007-11-27 20:52   784,311   ---hs----   C:\WINDOWS\system32\mvisdfcb.ini
2007-11-23 19:42 . 2007-11-23 19:42   <DIR>   d--------   C:\Documents and Settings\Suzanne Dement\Application Data\ultra
2007-11-23 19:41 . 2007-11-23 19:41   <DIR>   d--------   C:\Program Files\E404 Helper
2007-11-21 19:04 . 2007-11-23 19:40   775,892   ---hs----   C:\WINDOWS\system32\sgecreva.ini
2007-11-21 18:07 . 2005-03-20 23:54   9,728   --a------   C:\Documents and Settings\Suzanne Dement\Application Data\printer.exe
2007-11-21 18:05 . 2007-11-27 20:46   10,240   --a------   C:\Program Files\spoolsv.exe
2007-11-21 17:48 . 2005-05-10 12:10   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\Sonic
2007-11-21 17:48 . 2005-05-10 12:00   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2007-11-21 17:48 . 2005-05-10 11:45   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\Intel
2007-11-21 17:48 . 2007-02-06 12:01   <DIR>   d--h-----   C:\Documents and Settings\Administrator\Application Data\Gtek
2007-11-20 20:44 . 2007-11-20 20:45   <DIR>   d--------   C:\Program Files\Windows Live Safety Center
2007-11-20 20:32 . 2007-11-20 20:32   2,238   --a------   C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico
2007-11-20 20:23 . 2007-11-20 20:23   1,147,424   --a------   C:\Install
2007-11-20 20:23 . 2007-11-20 20:23   104,448   --a------   C:\WINDOWS\system32\drvnib.dll
2007-11-20 20:23 . 2007-11-20 20:23   37,376   --a------   C:\WINDOWS\system32\fcccawv.dll
2007-11-20 20:23 . 2007-11-20 20:23   36,864   --a------   C:\WINDOWS\system32\pmnnnkl.dll
2007-11-20 20:23 . 2007-11-20 20:23   123   --a------   C:\Documents and Settings\Suzanne Dement\mit.bat
2007-11-20 20:20 . 2007-11-28 11:05   <DIR>   d--hs----   C:\WINDOWS\U3V6YW5uZSBEZW1lbnQ
2007-11-20 20:20 . 2007-11-20 20:27   <DIR>   d--------   C:\WINDOWS\system32\cc1
2007-11-20 20:20 . 2007-11-20 20:20   <DIR>   d--------   C:\Temp\abW9
2007-11-20 20:20 . 2007-11-28 11:05   <DIR>   d--------   C:\Temp
2007-11-20 20:20 . 2007-11-20 20:20   36,352   ---------   C:\WINDOWS\system32\vtsqomk.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-21 02:51   ---------   d-----w   C:\Documents and Settings\Suzanne Dement\Application Data\Lavasoft
2007-11-21 02:17   ---------   d-----w   C:\Documents and Settings\Suzanne Dement\Application Data\Apple Computer
2006-12-03 01:05   2,522   ----a-w   C:\Program Files\func.js
2006-11-25 07:57   482   ----a-w   C:\Program Files\Del.js
2006-09-28 00:00   563,712   ----a-w   C:\Documents and Settings\Suzanne Dement\gotomypc_370.exe
2006-06-08 07:02   2,048   ----a-w   C:\Program Files\func.exe
2005-07-29 22:24   472   --sha-r   C:\WINDOWS\U3V6YW5uZSBEZW1lbnQ\oapdsqcRtm1HtqY5vBk.vbs
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{158A95B4-1F79-3B06-78BF-0424CDB17C2E}]
         C:\Program Files\Ykxlmrvc\xcbnbvcl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89E15DBE-E182-4BA8-A217-A9F85ABBCEF8}]
         C:\WINDOWS\system32\jkhhi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DEA227B4-DE6E-440E-BB55-9D073BA9B31F}]
2007-08-02 07:43   282624   --a------   C:\Program Files\Windows NT\holesudu83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF7EF472-C393-4A2A-A9E1-C18488545F3C}]
2007-08-02 07:43   282624   --a------   C:\Program Files\Windows NT\holesudu4444.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PestTrap"="C:\Program Files\PestTrap\PestTrap.exe" []
"Nijpymvp"="C:\Documents and Settings\Suzanne Dement\Application Data\?asks\s?rvices.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"Sen"="C:\PROGRA~1\COMMON~1\MCROSO~1.NET\chkdsk.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 16:48]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 15:33]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 13:59]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-03 20:00]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" []
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 15:54]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-05-10 12:04]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41]
"Venturi Configurator"="C:\Program Files\Venturi2\Configurator\ventcfg.exe" [2004-03-08 13:48]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 12:38]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 14:18]
"ESDUSBMon.exe"="C:\WINDOWS\system32\ESDUSBMon.exe" [2005-05-26 20:11]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 15:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\system32\append.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, append.dll, xlibgfl254.dll

S3 nwusbmdm;Novatel Wireless Merlin CDMA EV-DO Modem Driver;C:\WINDOWS\system32\DRIVERS\nwusbmdm.sys
S3 nwusbser;Novatel Wireless Merlin CDMA EV-DO Status Port;C:\WINDOWS\system32\DRIVERS\nwusbser.sys
S3 SMNDIS5;SMNDIS5 NDIS Protocol Driver;\??\C:\PROGRA~1\VERIZO~1\VZACCE~1\SMNDIS5.SYS

.
Contents of the 'Scheduled Tasks' folder
"2007-09-14 18:40:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-28 11:08:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-28 11:09:20 - machine was rebooted
.
   --- E O F ---


VundoFix V6.6.2

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 10:33:55 AM 11/28/2007

Listing files found while scanning....

C:\windows\system32\drvnibr.dll
C:\windows\system32\ihhkj.ini
C:\windows\system32\ihhkj.ini2
C:\WINDOWS\system32\jctzxafg.dll
C:\windows\system32\jctzxafg.dllbox
C:\windows\system32\jkhhi.dll
C:\windows\system32\npkmscxj.dll
C:\WINDOWS\system32\vtsqomk.dll

Beginning removal...

 Attempting to delete C:\windows\system32\drvnibr.dll
C:\windows\system32\drvnibr.dll Has been deleted!

 Attempting to delete C:\windows\system32\ihhkj.ini
C:\windows\system32\ihhkj.ini Has been deleted!

 Attempting to delete C:\windows\system32\ihhkj.ini2
C:\windows\system32\ihhkj.ini2 Has been deleted!

 Attempting to delete C:\WINDOWS\system32\jctzxafg.dll
C:\WINDOWS\system32\jctzxafg.dll Has been deleted!

 Attempting to delete C:\windows\system32\jctzxafg.dllbox
C:\windows\system32\jctzxafg.dllbox Has been deleted!

 Attempting to delete C:\windows\system32\jkhhi.dll
C:\windows\system32\jkhhi.dll Has been deleted!

 Attempting to delete C:\windows\system32\npkmscxj.dll
C:\windows\system32\npkmscxj.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\vtsqomk.dll
C:\WINDOWS\system32\vtsqomk.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 10:51:43 AM 11/28/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:06 AM, on 11/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\EpStsSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Venturi2\Client\ventc.exe
C:\WINDOWS\system32\ESDUSBMon.EXE
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Venturi2\Configurator\ventcfg.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {158A95B4-1F79-3B06-78BF-0424CDB17C2E} - C:\Program Files\Ykxlmrvc\xcbnbvcl.dll (file missing)
O2 - BHO: (no name) - {89E15DBE-E182-4BA8-A217-A9F85ABBCEF8} - C:\WINDOWS\system32\jkhhi.dll (file missing)
O2 - BHO: (no name) - {DEA227B4-DE6E-440E-BB55-9D073BA9B31F} - C:\Program Files\Windows NT\holesudu83122.dll
O2 - BHO: (no name) - {EF7EF472-C393-4A2A-A9E1-C18488545F3C} - C:\Program Files\Windows NT\holesudu4444.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Venturi Configurator] C:\Program Files\Venturi2\Configurator\ventcfg.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ESDUSBMon.exe] C:\WINDOWS\system32\ESDUSBMon.exe
O4 - HKCU\..\Run: [PestTrap] C:\Program Files\PestTrap\PestTrap.exe
O4 - HKCU\..\Run: [Nijpymvp] "C:\Documents and Settings\Suzanne Dement\Application Data\?asks\s?rvices.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sen] "C:\PROGRA~1\COMMON~1\MCROSO~1.NET\chkdsk.exe" -vt ndrv
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\append.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: EPSON ESC/POS Status Service (EPSON ESCPOS Status Service) - SEIKO EPSON Corp. - C:\WINDOWS\SYSTEM32\EpStsSrv.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Venturi2 Client (Venturi2) - Venturi Wireless - C:\Program Files\Venturi2\Client\ventc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7280 bytes

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
HJT Log Help
« Reply #3 on: November 28, 2007, 12:53:48 PM »
We have a bit more cleaning to do
But can you supply the next log first please

supply an uninstall list from Hijackthis
Open Hijackthis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop then copy>>Paste back here the Whole contents

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline sndement

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
HJT Log Help
« Reply #4 on: November 28, 2007, 01:46:53 PM »
Adobe Acrobat - Reader 6.0.2 Update
Adobe Flash Player ActiveX
Adobe Reader 6.0.1
Adobe Shockwave Player
ALPS Touch Pad Driver
Apple Mobile Device Support
Apple Software Update
ATI Control Panel
ATI Display Driver
Broadcom Management Programs 2
Conexant D110 MDC V.9x Modem
Digital Line Detect
EPSON Advanced Printer Driver 3
HijackThis 2.0.2
HP Image Zone 4.2
HP PSC & OfficeJet 4.2
HP Software Update
Intel® PROSet/Wireless Software
InterActual Player
Internal Network Card Power Management
Internet Explorer Default Page
Java 2 Runtime Environment, SE v1.4.2_03
Macromedia Contribute 3
Macromedia Flash Player
mCore
mDrWiFi
Merlin V620 CDMA EV-DO PC Card Device Driver
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Office Professional Edition 2003
mIWA
mIWCA
mLogView
mMHouse
Modem Helper
mPfMgr
mPfWiz
mProSafe
mSSO
mToolkit
mWlsSafe
mXML
mZConfig
Portfolio Browser
PowerDVD 5.3
QuickTime
RealPlayer Basic
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB943460)
Ultra soft
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Venturi Client 2.3
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
Windows Media Recorder
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
HJT Log Help
« Reply #5 on: November 28, 2007, 02:53:02 PM »
Let's do some more cleaning
You will need a few more tools; save them to the infected computer's desktop

==Download, save and unzip to its own folder
HostsXpert
Open the Extracted HostsXpert folder and double click on HostsXpert.exe
Click the Restore MS host file button
OK the prompt, then exit

==Download DelDomains.inf
Right click on the link and choose Save Target As or Save Link As,
depending on whether you use IE or Mozilla
http://www.mvps.org/winhelp2002/DelDomains.inf
Save this to the desktop

Afterwards:
Right click on DelDomains.inf and choose Install from the menu bar
Don't worry if it appears that nothing happened, this is normal

Download to your desktop "FixPolicies.exe", a self-extracting ZIP archive from HERE or
Direct Download

Double-click FixPolicies.exe.
Click the Install button on the bottom toolbar of the box that will open.
The program will create a new Folder called FixPolicies.
Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd
A black box will briefly appear and then close.

Reboot the computer
Back in Windows
Access your Add/remove programs and remove the following
Java 2 Runtime Environment, SE v1.4.2_03
Viewpoint Media Player


Don't reboot the computer yet, instead

==Open notepad and copy/paste the text in the quotebox below into it:
Don't use anything other than Notepad, or the script will not work

Quote
File::
C:\WINDOWS\system32\append.dll
C:\Program Files\func.js
C:\Program Files\Del.js
C:\Program Files\func.exe
C:\WINDOWS\system32\vtsqomk.dll
C:\WINDOWS\system32\drvnib.dll
C:\WINDOWS\system32\fcccawv.dll
C:\WINDOWS\system32\pmnnnkl.dll
C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico
C:\Program Files\spoolsv.exe
C:\WINDOWS\system32\sgecreva.ini
C:\WINDOWS\system32\mvisdfcb.ini
C:\Documents and Settings\Suzanne Dement\mit.bat
C:\WINDOWS\system32\VundoFixSVC.exe
C:\Program Files\Windows NT\holesudu83122.dll
C:\Program Files\Windows NT\holesudu4444.dll

Folder::
C:\Program Files\E404 Helper
C:\VundoFix Backups
C:\WINDOWS\U3V6YW5uZSBEZW1lbnQ
C:\WINDOWS\system32\cc1
C:\Temp\abW9
C:\Program Files\Ykxlmrvc
C:\Program Files\PestTrap

DirLook::
C:\Temp

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PestTrap"=-
"Nijpymvp"=-
"Sen"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{158A95B4-1F79-3B06-78BF-0424CDB17C2E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89E15DBE-E182-4BA8-A217-A9F85ABBCEF8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DEA227B4-DE6E-440E-BB55-9D073BA9B31F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF7EF472-C393-4A2A-A9E1-C18488545F3C}]

Save this as a text file on your desktop
CFScript

Drag CFScript.txt into ComboFix.exe
Combofix will start
Don't double-click on it; let it complete

When finished, it shall produce a log for you again, with the same name C:\ComboFix.txt.

Install the latest version of Sun Java from this link
http://www.java.com/en/download/manual.jsp
Save the OFFLINE installer to desktop then double click on it to install and follow the prompts

Download and install the latest version of CCleaner
From here
http://www.filehippo.com/download_ccleaner/

NOTE: During install, you will be prompted to Create Desktop icon, install yahoo toolbar etc...
UNCHECK ALL Options Except for Desktop shortcut icon
Open CCleaner from the desktop shortcut
Select the Options button
Then select Advanced
UNCheck "Only delete files in Windows Temp folders older than 48 hours"
Select the Cleaner button
Run Cleaner>>Ok the Prompt
Let this finish
When finished
Exit

Download Dr.Web CureIt to the desktop from this link
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Double-click to run Dr.Web-cureit.exe from the desktop
  • Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable, as you'll see in the next image:

    This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured.
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer

Afterwards, post back all of the following

1. Post a fresh hijackthis log
2. Post the new log from Combofix
3. Post the report from Dr.Web Cureit
« Last Edit: November 28, 2007, 02:53:59 PM by guestolo »


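The triage the helper does by eye on the log above, as an added example that is not part of this thread and not HijackThis or ComboFix code: it flags the O15 Trusted Zone domains that DelDomains.inf clears, the non-empty O20 AppInit_DLLs value that the CFScript's Registry:: block resets, and O4 Run entries that launch a Windows system binary name from outside system32 (the [Sen] chkdsk.exe entry). The sample lines are copied from the logs posted in this thread; SYSTEM_ROOT_BINARIES and the parsing heuristics are assumptions made for the example.

```python
"""Triage of a HijackThis log for the three things the reply above fixes.

Added example, not part of the thread and not HijackThis or ComboFix code.
The sample lines are copied from the logs posted in this thread;
SYSTEM_ROOT_BINARIES is an assumed list, not an exhaustive one.
"""
import re
from dataclasses import dataclass

# Binaries that belong only under %SystemRoot%\system32 on XP. A copy of
# one of these names anywhere else is the classic "looks legitimate in a
# process list" trick. Assumed list for this example.
SYSTEM_ROOT_BINARIES = {
    "chkdsk.exe", "spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "services.exe", "smss.exe", "ctfmon.exe",
}

# O15 lines carry a "(HKLM)" suffix for the machine-wide zone list.
TRUSTED_ZONE_RE = re.compile(
    r"^O15 - Trusted Zone: (?P<domain>\S+)(?: \((?P<hive>HKLM)\))?$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<command>.+)$")


@dataclass(frozen=True)
class Finding:
    section: str  # HJT section id: "O4", "O15" or "O20"
    detail: str   # why the line is suspect
    line: str     # the log line, verbatim


def exe_from_command(command):
    """Return the executable path from an O4 command string.

    Quoted paths end at the closing quote; unquoted ones (which may contain
    spaces, e.g. C:\\Program Files\\...) are cut after the first ".exe".
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.search(r"\.exe", command, re.IGNORECASE)
    return command[:m.end()] if m else command.split(" ", 1)[0]


def triage(lines):
    """Return a Finding for every suspect O4, O15 or O20 line, in log order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = TRUSTED_ZONE_RE.match(line)
        if m:
            scope = "machine-wide (HKLM)" if m["hive"] else "for this user"
            findings.append(Finding(
                "O15", f"{m['domain']} is in the IE Trusted Zone {scope}; "
                       "a clean XP install has no Trusted Zone entries", line))
            continue
        m = APPINIT_RE.match(line)
        if m and m["dlls"].strip():
            findings.append(Finding(
                "O20", f"AppInit_DLLs loads {m['dlls'].strip()} into every "
                       "user32 process; the value is empty on a clean system", line))
            continue
        m = RUN_RE.match(line)
        if m:
            path = exe_from_command(m["command"])
            name = path.rsplit("\\", 1)[-1].lower()
            if name in SYSTEM_ROOT_BINARIES and "\\system32\\" not in path.lower():
                findings.append(Finding(
                    "O4", f"[{m['name']}] runs {name}, a system binary name, "
                          f"from {path} instead of system32", line))
    return findings


# Constructed sample: lines copied from the HJT logs in this thread.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sen] "C:\PROGRA~1\COMMON~1\MCROSO~1.NET\chkdsk.exe" -vt ndrv
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O20 - AppInit_DLLs: C:\WINDOWS\system32\append.dll
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
""".strip().splitlines()


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.detail}\n    {f.line}")
```

Running it against the first log in this thread reports the eight O15 domains twice each (user and HKLM), the append.dll AppInit entry and the [Sen] chkdsk.exe entry, which is exactly the set the reply's DelDomains.inf and CFScript steps remove.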

Offline sndement

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
HJT Log Help
« Reply #6 on: November 28, 2007, 06:13:39 PM »
37521.exe;c:\documents and settings\suzanne dement\application data;Trojan.DownLoader.36835;Deleted.;
aolconnfix.exe;C:\;Trojan.PWS.Gamania.origin;Incurable.Moved.;
49181.exe;C:\Documents and Settings\Suzanne Dement\Application Data;Trojan.DownLoader.36835;Deleted.;
pcpriv.exe;C:\Documents and Settings\Suzanne Dement\Application Data;Trojan.DownLoader.36408;Deleted.;
printer.exe;C:\Documents and Settings\Suzanne Dement\Application Data;Trojan.Fakealert.378;Deleted.;
GTDownDE_87.ocx;C:\i386;Adware.Gdown;Moved.;
autorun.exe.vir;C:\qoobox\Quarantine\C\Documents and Settings\All Users\Start Menu\Programs\Startup;Trojan.Fakealert.378;Deleted.;
findfast.exe.vir;C:\qoobox\Quarantine\C\Documents and Settings\Suzanne Dement\Start Menu\Programs\Startup;Trojan.Fakealert.378;Deleted.;
3269.exe.vir;C:\qoobox\Quarantine\C\Program Files;Trojan.DownLoader.based;Deleted.;
func.exe.vir;C:\qoobox\Quarantine\C\Program Files;Trojan.Click.1237;Deleted.;
spoolsv.exe.vir;C:\qoobox\Quarantine\C\Program Files;Trojan.Click.origin;Incurable.Moved.;
xloader10181.exe.vir;C:\qoobox\Quarantine\C\Program Files;Trojan.Fakealert;Deleted.;
lawu.dll.vir;C:\qoobox\Quarantine\C\Program Files\Common Files;Trojan.StartPage.19992;Deleted.;
lawu832.dll.vir;C:\qoobox\Quarantine\C\Program Files\Common Files;Trojan.StartPage.19992;Deleted.;
lawu862.dll.vir;C:\qoobox\Quarantine\C\Program Files\Common Files;Trojan.StartPage.19992;Deleted.;
Yazzle1162OinAdmin.exe.vir;C:\qoobox\Quarantine\C\Program Files\Common Files;Adware.ClickSpring;Moved.;
Yazzle1549OinAdmin.exe.vir\data001;C:\qoobox\Quarantine\C\Program Files\Common Files\Yazzle1549OinAdmin.exe.vir;Adware.MediaTicket.origin;;
Yazzle1549OinAdmin.exe.vir\data002;C:\qoobox\Quarantine\C\Program Files\Common Files\Yazzle1549OinAdmin.exe.vir;Trojan.PurityAd.origin;;
Yazzle1549OinAdmin.exe.vir;C:\qoobox\Quarantine\C\Program Files\Common Files;Archive contains infected objects;Moved.;
chkdsk.exe.vir;C:\qoobox\Quarantine\C\Program Files\Common Files\MCROSO~1.NET;Trojan.DownLoader.22753;Deleted.;
holesudu4444.dll.vir;C:\qoobox\Quarantine\C\Program Files\Windows NT;Adware.Ttc;Moved.;
holesudu83122.dll.vir;C:\qoobox\Quarantine\C\Program Files\Windows NT;Adware.Ttc;Moved.;
jctzxafg.dll.bad.vir;C:\qoobox\Quarantine\C\VundoFix Backups;Trojan.Fakealert.372;Deleted.;
npkmscxj.dll.bad.vir;C:\qoobox\Quarantine\C\VundoFix Backups;Trojan.Fakealert.372;Deleted.;
avp.exe.vir;C:\qoobox\Quarantine\C\WINDOWS;Trojan.DownLoader.25873;Deleted.;
mgrs.exe.vir;C:\qoobox\Quarantine\C\WINDOWS;Trojan.DownLoader.25873;Deleted.;
mrofinu1000106.exe.vir;C:\qoobox\Quarantine\C\WINDOWS;Trojan.DownLoader.31817;Deleted.;
mrofinu77.exe.vir;C:\qoobox\Quarantine\C\WINDOWS;Trojan.DownLoader.31817;Deleted.;
shell.exe.vir;C:\qoobox\Quarantine\C\WINDOWS;Trojan.Fakealert.378;Deleted.;
agrhoxkj.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod.232;Deleted.;
bjhtsokx.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.EzulaAd;Deleted.;
fcccawv.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod.230;Deleted.;
ibncxiq.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Adware.ClickSpring.origin;Moved.;
ldcore.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.DownLoader.37335;Deleted.;
printer.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Fakealert.378;Deleted.;
qyfufaql.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Juan.25;Deleted.;
rlprtgtx.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.EzulaAd;Deleted.;
spoolvs.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Fakealert.378;Deleted.;
vpbwnuce.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.EzulaAd;Deleted.;
winkvs32.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Mezzia;Deleted.;
ybdhdmdg.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Juan.25;Deleted.;
dnslook11.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32\b1;Trojan.DownLoader.5013;Deleted.;
asappsrv.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\U3V6YW5uZSBEZW1lbnQ;Trojan.Proxy.493;Deleted.;
A0036553.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP393;Adware.Ttc;Moved.;
A0036554.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP393;Trojan.DownLoader.24715;Deleted.;
A0036555.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP393;Trojan.Proxy.493;Deleted.;
A0036556.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP393;Trojan.PurityAd.origin;Incurable.Moved.;
A0036561.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP393;Trojan.DownLoader.31817;Deleted.;
A0036566.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP393;Trojan.Fakealert;Deleted.;
MFEX-1.DAT;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP393\snapshot;Adware.Ttc;Moved.;
A0036806.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP398;Trojan.Click.4740;Deleted.;
A0036811.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP398;Adware.MyWay;Moved.;
A0037851.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP398;Trojan.DownLoader.based;Deleted.;
A0037853.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP398;Adware.Ttc;Moved.;
A0037857.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP398;Trojan.DnsChange;Deleted.;
A0037864.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP398;Trojan.DownLoader.22753;Deleted.;
A0038874.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP398;Trojan.DownLoader.25873;Deleted.;
A0038875.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP399;Trojan.Fakealert.378;Deleted.;
A0038876.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP399;Trojan.Fakealert.378;Deleted.;
A0038878.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP399;Trojan.Fakealert.378;Deleted.;
A0038879.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP399;Trojan.Fakealert.378;Deleted.;
A0038908.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP400;Trojan.Fakealert.378;Deleted.;
A0038909.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP400;Trojan.Fakealert.378;Deleted.;
A0038910.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP400;Trojan.Fakealert.378;Deleted.;
A0038911.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP400;Trojan.Fakealert.378;Deleted.;
A0039885.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401;Trojan.Fakealert.378;Deleted.;
A0039886.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401;Trojan.Fakealert.378;Deleted.;
A0039894.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401;Adware.ClickSpring;Moved.;
A0039896.exe\data001;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401\A0039896.exe;Adware.MediaTicket.origin;;
A0039896.exe\data002;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401\A0039896.exe;Trojan.PurityAd.origin;;
A0039896.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401;Archive contains infected objects;Moved.;
A0039901.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401;Trojan.DownLoader.31817;Deleted.;
A0039902.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401;Trojan.DownLoader.31817;Deleted.;
A0039903.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401;Trojan.EzulaAd;Deleted.;
A0039904.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401;Trojan.EzulaAd;Deleted.;
A0039905.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401;Trojan.EzulaAd;Deleted.;
A0039910.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401;Adware.ClickSpring.origin;Moved.;
A0039911.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401;Trojan.StartPage.19992;Deleted.;
A0039912.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401;Trojan.StartPage.19992;Deleted.;
A0039913.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401;Trojan.StartPage.19992;Deleted.;
A0039914.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401;Trojan.Mezzia;Deleted.;
A0039915.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401;Trojan.Virtumod.232;Deleted.;
A0039916.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401;Trojan.Juan.25;Deleted.;
A0039918.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401;Trojan.Juan.25;Deleted.;
A0039920.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401;Trojan.Proxy.493;Deleted.;
A0039921.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401;Trojan.DownLoader.22753;Deleted.;
A0039923.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401;Trojan.DownLoader.5013;Deleted.;
A0039931.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401;Trojan.DownLoader.37335;Deleted.;
A0039932.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401;Trojan.Fakealert.378;Deleted.;
A0039933.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401;Trojan.DownLoader.25873;Deleted.;
A0039937.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401;Trojan.DownLoader.25873;Deleted.;
A0039939.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401;Trojan.Fakealert.378;Deleted.;
A0039940.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401;Trojan.Fakealert.378;Deleted.;
A0039942.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401;Trojan.DownLoader.based;Deleted.;
A0039943.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401;Trojan.Fakealert;Deleted.;
A0040176.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP404;Trojan.Click.1237;Deleted.;
A0040177.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP404;Trojan.Click.origin;Incurable.Moved.;
A0040178.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP404;Adware.Ttc;Moved.;
A0040179.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP404;Adware.Ttc;Moved.;
A0040183.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP404;Trojan.Virtumod.230;Deleted.;
A0040342.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP406;Trojan.DownLoader.36835;Deleted.;
A0040344.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP406;Trojan.PWS.Gamania.origin;Incurable.Moved.;
A0040345.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP406;Trojan.DownLoader.36408;Deleted.;
A0040346.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP406;Trojan.Fakealert.378;Deleted.;

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:12:22 PM, on 11/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\ESDUSBMon.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Venturi2\Configurator\ventcfg.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\EpStsSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Venturi2\Client\ventc.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Venturi Configurator] C:\Program Files\Venturi2\Configurator\ventcfg.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ESDUSBMon.exe] C:\WINDOWS\system32\ESDUSBMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\append.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: EPSON ESC/POS Status Service (EPSON ESCPOS Status Service) - SEIKO EPSON Corp. - C:\WINDOWS\SYSTEM32\EpStsSrv.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Venturi2 Client (Venturi2) - Venturi Wireless - C:\Program Files\Venturi2\Client\ventc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 6207 bytes

ComboFix 07-11-28.2 - Suzanne Dement 2007-11-28 15:48:13.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.667 [GMT -6:00]
Running from: C:\Documents and Settings\Suzanne Dement\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Suzanne Dement\Desktop\CFScript.txt
 * Created a new restore point

FILE
C:\Documents and Settings\Suzanne Dement\mit.bat
C:\Program Files\Del.js
C:\Program Files\func.exe
C:\Program Files\func.js
C:\Program Files\spoolsv.exe
C:\Program Files\Windows NT\holesudu4444.dll
C:\Program Files\Windows NT\holesudu83122.dll
C:\WINDOWS\system32\append.dll
C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico
C:\WINDOWS\system32\drvnib.dll
C:\WINDOWS\system32\fcccawv.dll
C:\WINDOWS\system32\mvisdfcb.ini
C:\WINDOWS\system32\pmnnnkl.dll
C:\WINDOWS\system32\sgecreva.ini
C:\WINDOWS\system32\vtsqomk.dll
C:\WINDOWS\system32\VundoFixSVC.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Suzanne Dement\mit.bat
C:\Program Files\Del.js
C:\Program Files\E404 Helper
C:\Program Files\E404 Helper\e404.v6.dll
C:\Program Files\func.exe
C:\Program Files\func.js
C:\Program Files\spoolsv.exe
C:\Program Files\Windows NT\holesudu4444.dll
C:\Program Files\Windows NT\holesudu83122.dll
C:\Temp\abW9
C:\Temp\abW9\tPho.log
C:\VundoFix Backups
C:\VundoFix Backups\drvnibr.dll.bad
C:\VundoFix Backups\ihhkj.ini.bad
C:\VundoFix Backups\ihhkj.ini2.bad
C:\VundoFix Backups\jctzxafg.dll.bad
C:\VundoFix Backups\jctzxafg.dllbox.bad
C:\VundoFix Backups\jkhhi.dll.bad
C:\VundoFix Backups\npkmscxj.dll.bad
C:\VundoFix Backups\vtsqomk.dll.bad
C:\WINDOWS\system32\append.dll
C:\WINDOWS\system32\cc1
C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico
C:\WINDOWS\system32\drvnib.dll
C:\WINDOWS\system32\fcccawv.dll
C:\WINDOWS\system32\mvisdfcb.ini
C:\WINDOWS\system32\pmnnnkl.dll
C:\WINDOWS\system32\sgecreva.ini
C:\WINDOWS\system32\vtsqomk.dll
C:\WINDOWS\system32\VundoFixSVC.exe
C:\WINDOWS\U3V6YW5uZSBEZW1lbnQ
C:\WINDOWS\U3V6YW5uZSBEZW1lbnQ\oapdsqcRtm1HtqY5vBk.vbs

.
(((((((((((((((((((((((((   Files Created from 2007-10-28 to 2007-11-28  )))))))))))))))))))))))))))))))
.

2007-11-28 15:32 . 2007-11-28 15:32   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\WinZip
2007-11-27 21:30 . 2005-04-03 23:03   204,832   --a------   C:\Documents and Settings\Suzanne Dement\Application Data\pcpriv.exe
2007-11-27 21:18 . 2007-11-27 21:18   <DIR>   d--------   C:\Program Files\Trend Micro
2007-11-27 14:44 . 2007-11-28 15:51   18,432   --a------   C:\WINDOWS\system32\append.dll
2007-11-23 19:42 . 2007-11-23 19:42   <DIR>   d--------   C:\Documents and Settings\Suzanne Dement\Application Data\ultra
2007-11-21 18:07 . 2005-03-20 23:54   9,728   --a------   C:\Documents and Settings\Suzanne Dement\Application Data\printer.exe
2007-11-21 17:48 . 2005-05-10 12:10   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\Sonic
2007-11-21 17:48 . 2005-05-10 12:00   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2007-11-21 17:48 . 2005-05-10 11:45   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\Intel
2007-11-21 17:48 . 2007-02-06 12:01   <DIR>   d--h-----   C:\Documents and Settings\Administrator\Application Data\Gtek
2007-11-20 20:44 . 2007-11-20 20:45   <DIR>   d--------   C:\Program Files\Windows Live Safety Center
2007-11-20 20:23 . 2007-11-20 20:23   1,147,424   --a------   C:\Install
2007-11-20 20:20 . 2007-11-28 15:49   <DIR>   d--------   C:\Temp

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-28 21:42   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-21 02:51   ---------   d-----w   C:\Documents and Settings\Suzanne Dement\Application Data\Lavasoft
2007-11-21 02:17   ---------   d-----w   C:\Documents and Settings\Suzanne Dement\Application Data\Apple Computer
2006-09-28 00:00   563,712   ----a-w   C:\Documents and Settings\Suzanne Dement\gotomypc_370.exe
.

((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Temp ----

2007-11-20 20:20   1858   --a------   C:\Temp\abW9\tPho.log


(((((((((((((((((((((((((((((   snapshot@2007-11-28_11.08.51.10   )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-28 21:32:39   632,320   ----a-r   C:\WINDOWS\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}\IconCD95F66110.exe
+ 2007-11-28 21:32:39   29,184   ----a-r   C:\WINDOWS\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}\IconCD95F6617.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 15:33]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 13:59]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-03 20:00]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" []
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 15:54]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-05-10 12:04]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41]
"Venturi Configurator"="C:\Program Files\Venturi2\Configurator\ventcfg.exe" [2004-03-08 13:48]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 12:38]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 14:18]
"ESDUSBMon.exe"="C:\WINDOWS\system32\ESDUSBMon.exe" [2005-05-26 20:11]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 15:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\system32\append.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, append.dll

S3 nwusbmdm;Novatel Wireless Merlin CDMA EV-DO Modem Driver;C:\WINDOWS\system32\DRIVERS\nwusbmdm.sys
S3 nwusbser;Novatel Wireless Merlin CDMA EV-DO Status Port;C:\WINDOWS\system32\DRIVERS\nwusbser.sys
S3 SMNDIS5;SMNDIS5 NDIS Protocol Driver;\??\C:\PROGRA~1\VERIZO~1\VZACCE~1\SMNDIS5.SYS

.
Contents of the 'Scheduled Tasks' folder
"2007-09-14 18:40:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-28 15:51:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-28 15:53:14 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-28 11:09
.
   --- E O F ---

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
HJT Log Help
« Reply #7 on: November 28, 2007, 10:38:33 PM »
Let's try a couple more steps

Do a "System scan only" with Hijackthis and put a check next to these entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

O20 - AppInit_DLLs: C:\WINDOWS\system32\append.dll


After you have ticked the above entries, close all other open windows,
including this one.
Leave HijackThis open and click FIX CHECKED.
OK the prompt and exit HijackThis.

Delete cfscript.exe on the desktop; let's recreate it.

Open Notepad and copy/paste the text in the quote box below into it:
Don't use anything other than Notepad, or the script will not work.

Quote
File::
C:\WINDOWS\system32\append.dll
Folder::
C:\Temp
C:\Documents and Settings\All Users\Application Data\Viewpoint
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Save this as a text file on your desktop, named CFScript.

Drag CFScript.txt onto ComboFix.exe.
ComboFix will start.
Don't double-click on it; let it complete.

When finished, it shall produce a log for you again, with the same name, C:\ComboFix.txt.

If ComboFix doesn't require a reboot,
can you reboot now anyway?

Back in Windows
I don't see any Anti-Virus software installed on your computer
Dr.Web found a few extra files to remove, but it doesn't replace having your own real-time AV scanner installed.
I suggest that you install one of these free versions if you don't have your own
ONLY install one; more than one may, and probably will, cause conflicts.

AVG 7 by Grisoft
OR
Avast Home Edition by ALWIL
OR
Avira AntiVir Personal Edition Classic

Decide which of the above 3 you like the best
Install, ensure it is updated and do a complete system scan
Reboot the computer afterwards

Back in Windows

1. Post a fresh hijackthis log
2. Post the log again from Combofix

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
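The two registry entries the reply goes after, the AppInit_DLLs value and the append.dll tacked onto the end of the LSA SecurityProviders list in the ComboFix "Reg Loading Points" block above, are the load points a practitioner checks first when a bundle keeps coming back after a reboot, and the Registry:: section of the CFScript is what undoes them. The script below is an added example written for this page; it is not code from the thread, from HijackThis or from ComboFix. It parses the Reg Loading Points block of a ComboFix log, reports any AppInit_DLLs value and any provider DLL beyond the XP SP2 default list (assumed baseline: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, the value the reply's script restores), and emits a Registry:: section in the CFScript format the reply uses. It also decodes the base64-looking directory name C:\WINDOWS\U3V6YW5uZSBEZW1lbnQ from the log, which is the logged-in account name. The sample lines are copied from the log above; the function names, SAMPLE_LOG and the regexes are constructed for the example.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log for the two
persistence hooks in this thread (AppInit_DLLs and a DLL appended to the
LSA SecurityProviders list) and build the Registry:: section of a CFScript
that resets them.  Added example for this page, not code from the thread."""
import base64
import re

# Default SecurityProviders value on Windows XP SP2 (what the CFScript in
# the reply restores).  Assumption: the machine is XP SP2, as the log says.
XP_SP2_SECURITY_PROVIDERS = ("msapsspc.dll", "schannel.dll",
                             "digest.dll", "msnsspc.dll")
APPINIT_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
SECPROV_KEY = r"hkey_local_machine\system\currentcontrolset\control\securityproviders"

# Constructed sample: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\system32\append.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, append.dll
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"="data" [timestamp]  or  "Name"=data ; group 3 is the data
QUOTED_RE = re.compile(r'^"([^"]+)"=("?)(.*?)\2(?:\s+\[[^\]]*\])?$')
# Values ComboFix prints without quotes:  Name<2+ spaces>data
BARE_RE = re.compile(r"^(\S+)\s{2,}(.+)$")


def parse_reg_loading_points(text):
    """Return {key_path_lowercased: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = QUOTED_RE.match(line)
        if m:
            keys[current][m.group(1)] = m.group(3).strip()
            continue
        m = BARE_RE.match(line)
        if m:
            keys[current][m.group(1)] = m.group(2).strip()
    return keys


def security_provider_extras(value, baseline=XP_SP2_SECURITY_PROVIDERS):
    """DLLs listed in a SecurityProviders value that are not in baseline."""
    base = {b.lower() for b in baseline}
    names = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in names if p.lower() not in base]


def triage(log_text):
    """Return (mechanism, detail) findings.  Any AppInit_DLLs value is
    reported, since on a clean XP box the value is empty."""
    keys = parse_reg_loading_points(log_text)
    findings = []
    appinit = keys.get(APPINIT_KEY, {}).get("AppInit_DLLs", "")
    if appinit:
        findings.append(("AppInit_DLLs", appinit))
    providers = keys.get(SECPROV_KEY, {}).get("SecurityProviders", "")
    for dll in security_provider_extras(providers):
        findings.append(("SecurityProviders", dll))
    return findings


def cfscript_registry_section(findings):
    """Registry:: block in the CFScript format used in the reply above:
    restore the default provider list, then blank AppInit_DLLs."""
    lines = ["Registry::"]
    if any(kind == "SecurityProviders" for kind, _ in findings):
        lines.append(r"[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]")
        lines.append('"SecurityProviders"="%s"' % ", ".join(XP_SP2_SECURITY_PROVIDERS))
    if any(kind == "AppInit_DLLs" for kind, _ in findings):
        lines.append(r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]")
        lines.append('"AppInit_DLLs"=""')
    return "\n".join(lines) if len(lines) > 1 else ""


def decode_base64_name(name):
    r"""Decode a file or directory name that looks like unpadded base64;
    return the text if it is printable ASCII, else None.  The log lists
    C:\WINDOWS\U3V6YW5uZSBEZW1lbnQ, which decodes to the account name."""
    padded = name + "=" * (-len(name) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text.isprintable() else None
```

Running triage(SAMPLE_LOG) reports the AppInit_DLLs path and append.dll as the one provider outside the baseline, and cfscript_registry_section on those findings produces exactly the Registry:: block in the reply. The base64 check deliberately returns None for ordinary names such as mit.bat and for short names like abW9 that happen to be valid base64 but do not decode to printable ASCII.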