
Smitfraud_C, IE redirect, SecurityCenter pop-up

Discussion in 'Malware and Virus Removal Archive' started by alex23, 2008/03/01.

  1. 2008/03/01
    alex23 (Thread Starter)
    Hi. After visiting some websites I started to get redirected to: directnameservice.com/r.php?sid=0&aid=0&pn=&said=0.
    After running Spybot for the first time it found these viruses: zlob.downloader.vcd, smitfraud-c (4 times), double click, fast click, media plex, adrenolver (3 times), casalemedia. After fixing them, rebooting and starting IE it still redirected to some security center with offers for a free scan.
    Ran Spybot and AVG again (found nothing) and fixed.
    Restarted; now my desktop changed to a red color with warnings that my system is in danger. After running Spybot a few times the desktop background is white now (I still have my shortcuts visible). After running Spybot repeatedly with no activity between runs, it each time finds only Smitfraud_C in 3 locations.
    I would very much appreciate any help in fixing these problems.
    I am attaching Deckard's main file per your instructions. (I had to use ATF Cleaner as well.)
    Thanks in advance, Alex.

    Deckard's System Scanner v20071014.68
    Run by eee on 2008-03-01 19:11:01
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------



    -- Last 1 Restore Point(s) --
    1: 2008-03-01 23:58:53 UTC - RP113 - Deckard's System Scanner Restore Point


    Backed up registry hives.
    Performed disk cleanup.

    Total Physical Memory: 504 MiB (512 MiB recommended).


    -- HijackThis (run as eee.exe) -------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:11:57 PM, on 03/01/08
    Platform: Windows XP SP2, v.2055 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2055)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS.1\System32\smss.exe
    C:\WINDOWS.1\system32\winlogon.exe
    C:\WINDOWS.1\system32\services.exe
    C:\WINDOWS.1\system32\lsass.exe
    C:\WINDOWS.1\system32\svchost.exe
    C:\WINDOWS.1\System32\svchost.exe
    C:\WINDOWS.1\System32\svchost.exe
    C:\WINDOWS.1\System32\brsvc01a.exe
    C:\WINDOWS.1\system32\spoolsv.exe
    C:\WINDOWS.1\System32\brss01a.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS.1\System32\svchost.exe
    C:\WINDOWS.1\wanmpsvc.exe
    C:\WINDOWS.1\System32\MsPMSPSv.exe
    C:\WINDOWS.1\System32\wuauclt.exe
    C:\WINDOWS.1\Explorer.EXE
    C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS.1\SOUNDMAN.EXE
    C:\Program Files\Common Files\AOL\1187018570\ee\AOLSoftware.exe
    C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS.1\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\America Online 9.0a\aoltray.exe
    C:\WINDOWS.1\System32\svchost.exe
    C:\WINDOWS.1\System32\msiexec.exe
    C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\knlwrap.exe
    C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
    C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
    C:\Documents and Settings\eee\Desktop\dss.exe
    C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
    C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
    C:\PROGRA~1\HIJACK~1\eee.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AboutBlank Class - {489C5DDD-AB4C-48EC-B397-505BABF9B4BD} - C:\DOCUME~1\eee\LOCALS~1\Temp\ieobj.dll (file missing)
    O2 - BHO: (no name) - {4BECEDA6-487E-47E8-835E-4468F04445CC} - c:\windows.1\system32\xrtmrcif.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: SXG Advisor - {D5A6B004-5BF1-4FAC-AE21-4DF4BA75FC1C} - C:\WINDOWS.1\dgtxrdflko.dll
    O2 - BHO: (no name) - {F080BCE1-71CD-4DFA-9C09-609179BA25A4} - C:\WINDOWS.1\System32\camocxi.dll (file missing)
    O2 - BHO: (no name) - {F310ADC4-242C-4B67-8CDE-5DFC139B0D20} - c:\windows.1\system32\cddbwomanagerroxios.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.1\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1187018570\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [0437l7edsms6] C:\WINDOWS.1\system32\0437l7edsms6.exe
    O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS.1\System32\rpcc.exe
    O4 - HKLM\..\Run: [mmnext06] C:\WINDOWS.1\trjdwnl.dll
    O4 - HKLM\..\Run: [bantool] bantool.exe
    O4 - HKLM\..\Run: [winavx] C:\WINDOWS.1\system32\WinAvXX.exe
    O4 - HKLM\..\Run: [anti_troj] C:\WINDOWS.1\system32\anti_troj.exe
    O4 - HKLM\..\Run: [vmlib] vmlib.exe
    O4 - HKLM\..\Run: [cssrss.exe] cssrss.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.1\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [0437l7edsms6] C:\WINDOWS.1\system32\0437l7edsms6.exe
    O4 - HKCU\..\Run: [SpyKillerPro] C:\Program Files\SpyKillerPro\SpyKillerPro.exe
    O4 - HKCU\..\Run: [quartz] C:\WINDOWS.1\System32\quartz.exe
    O4 - HKCU\..\Run: [dmime] C:\WINDOWS.1\System32\dmime.exe
    O4 - HKCU\..\Run: [Outerinfo] C:\WINDOWS.1\Outerinfo.exe
    O4 - HKCU\..\Run: [winavx] C:\WINDOWS.1\system32\WinAvXX.exe
    O4 - HKCU\..\Run: [anti_troj] C:\WINDOWS.1\system32\anti_troj.exe
    O4 - HKCU\..\Run: [windows update loader] C:\WINDOWS.1\xpupdate.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: Reboot.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS.1\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS.1\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS.1\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
    O20 - Winlogon Notify: tcdtndow - cddbwomanagerroxios.dll (file missing)
    O21 - SSODL: SysRun - {D7FFD784-5276-42D1-887B-00267870A4C7} - C:\WINDOWS.1\System32\svshost.dll (file missing)
    O21 - SSODL: bxlrvps - {6F52A766-F049-44BB-8098-B82774DEC84F} - C:\WINDOWS.1\bxlrvps.dll (file missing)
    O21 - SSODL: alofkmn - {B61C0D68-3812-4015-9211-6042809CAEB0} - C:\WINDOWS.1\alofkmn.dll
    O21 - SSODL: DrvRom - {5f159d74-f397-410e-8ded-152607d8244c} - C:\WINDOWS.1\Installer\{5f159d74-f397-410e-8ded-152607d8244c}\DrvRom.dll (file missing)
    O22 - SharedTaskScheduler: Windows Installer Class - {24E31EA9-FCE2-404F-BD80-20543565D946} - C:\DOCUME~1\eee\LOCALS~1\Temp\~~install.dll (file missing)
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS.1\System32\brsvc01a.exe
    O23 - Service: CcEvtSvc - Unknown owner - C:\WINDOWS.1\System32\CcEvtSvc.exe
    O23 - Service: FCI - Unknown owner - C:\WINDOWS.1\System32\svchost.exe:ext.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS.1\system32\IcdSptSv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS.1\wanmpsvc.exe
    O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS.1\privacy_danger\index.htm

    --
    End of file - 10253 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R2 ASCTRM - c:\windows.1\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>

    S3 catchme - c:\docume~1\eee\locals~1\temp\catchme.sys (file missing)
    S3 FTDIBUS (USB Serial Converter Driver) - c:\windows.1\system32\drivers\ftdibus.sys <Not Verified; FTDI Ltd.; FTDIChip CDM Drivers>
    S3 SpyKillerProFilter (02/26/08 8:34:28 PM) - c:\program files\spykillerpro\sss.sys (file missing)
    S3 usbbus (LGE CDMA Composite USB Device) - c:\windows.1\system32\drivers\lgusbbus.sys <Not Verified; LG Electronics Inc.; LG CDMA USB Multi function Driver>
    S3 UsbDiag (LGE CDMA USB Serial Port) - c:\windows.1\system32\drivers\lgusbdiag.sys <Not Verified; LG Electronics Inc.; LG CDMA USB Diagnostics Driver>
    S3 USBModem (LGE CDMA USB Modem) - c:\windows.1\system32\drivers\lgusbmodem.sys <Not Verified; LG Electronics Inc.; LG CDMA USB Modem Driver>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    S2 CcEvtSvc - c:\windows.1\system32\ccevtsvc.exe -k netsvcs
    S2 FCI - c:\windows.1\system32\svchost.exe:ext.exe (file missing)
    S3 stllssvr - c:\program files\common files\surething shared\stllssvr.exe <Not Verified; MicroVision Development, Inc.; SureThing CD Labeler>


    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Video Controller (VGA Compatible)
    Device ID: PCI\VEN_8086&DEV_2572&SUBSYS_23151019&REV_02\3&13C0B0C5&0&10
    Manufacturer:
    Name: Video Controller (VGA Compatible)
    PNP Device ID: PCI\VEN_8086&DEV_2572&SUBSYS_23151019&REV_02\3&13C0B0C5&0&10
    Service:


    -- Files created between 2008-02-01 and 2008-03-01 -----------------------------

    2008-02-26 20:35:30 278528 --a------ C:\WINDOWS.1\dgtxrdflko.dll
    2008-02-26 20:35:30 258048 --a------ C:\WINDOWS.1\alofkmn.dll <Not Verified; ; alofkmn>
    2008-02-26 20:33:35 87552 --a------ C:\WINDOWS.1\System32\CcEvtSvc.exe
    2008-02-18 09:44:47 0 d-------- C:\atxWeb
    2008-02-18 09:32:02 0 d-------- C:\Program Files\TaxCut Business 2007
    2008-02-18 09:31:28 143360 --a------ C:\WINDOWS.1\System32\TAXPDF.DLL <Not Verified; Symbol Technologies, Inc.; TaxPDF API>
    2008-02-18 09:30:21 0 d--hs---- C:\WINDOWS.1\ftpcache
    2008-02-08 08:13:55 691545 --a------ C:\WINDOWS.1\unins000.exe
    2008-02-08 08:13:55 3460 --a------ C:\WINDOWS.1\unins000.dat


    -- Find3M Report ---------------------------------------------------------------

    2008-02-29 23:05:40 318369 --a------ C:\Program Files\HiJackThis.zip
    2008-02-29 07:32:06 0 d-------- C:\Documents and Settings\eee\Application Data\AVG7
    2008-02-18 09:31:23 0 d-------- C:\Program Files\Common Files\ATX
    2008-02-03 19:00:00 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
    2008-02-03 18:59:57 0 d--h----- C:\Program Files\InstallShield Installation Information
    2008-02-03 18:57:08 0 d-------- C:\Program Files\TurboTax
    2008-01-31 20:16:01 0 d-------- C:\Program Files\Common Files\Sonic Shared
    2008-01-31 20:15:58 0 d-------- C:\Program Files\InterActual
    2008-01-31 20:15:58 0 d-------- C:\Program Files\Common Files\SureThing Shared
    2008-01-31 20:13:56 0 d-------- C:\Documents and Settings\eee\Application Data\Roxio
    2008-01-31 20:13:54 0 d-------- C:\Program Files\Roxio
    2008-01-31 20:13:54 0 d-------- C:\Program Files\Common Files\Roxio Shared
    2008-01-31 20:11:58 0 d-------- C:\Program Files\America Online 9.0a
    2008-01-27 15:33:19 0 d-------- C:\Program Files\Common Files
    2008-01-24 19:01:28 0 d-------- C:\Documents and Settings\eee\Application Data\ICAClient
    2008-01-24 18:50:26 0 d-------- C:\Program Files\Citrix
    2008-01-17 22:52:47 664 --a------ C:\WINDOWS.1\System32\d3d9caps.dat
    2008-01-01 18:38:31 0 d-------- C:\Documents and Settings\eee\Application Data\Snapfish
    2007-12-25 00:13:04 41032 --a------ C:\Documents and Settings\eee\Application Data\GDIPFONTCACHEV1.DAT


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{489C5DDD-AB4C-48EC-B397-505BABF9B4BD}]
    C:\DOCUME~1\eee\LOCALS~1\Temp\ieobj.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4BECEDA6-487E-47E8-835E-4468F04445CC}]
    c:\windows.1\system32\xrtmrcif.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D5A6B004-5BF1-4FAC-AE21-4DF4BA75FC1C}]
    02/26/08 12:03 PM 278528 --a------ C:\WINDOWS.1\dgtxrdflko.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F080BCE1-71CD-4DFA-9C09-609179BA25A4}]
    C:\WINDOWS.1\System32\camocxi.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F310ADC4-242C-4B67-8CDE-5DFC139B0D20}]
    c:\windows.1\system32\cddbwomanagerroxios.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BluetoothAuthenticationAgent"="irprops.cpl" [12/16/03 03:31 PM C:\WINDOWS.1\system32\irprops.cpl]
    "RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [05/01/03 08:44 PM]
    "RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [02/12/07 11:05 AM]
    "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [04/15/07 12:55 PM]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/15/07 12:55 PM]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [12/21/07 07:45 PM]
    "Cmaudio"="cmicnfg.cpl" []
    "SoundMan"="SOUNDMAN.EXE" [07/22/05 02:00 AM C:\WINDOWS.1\SOUNDMAN.EXE]
    "HostManager"="C:\Program Files\Common Files\AOL\1187018570\ee\AOLSoftware.exe" [04/12/07 04:23 PM]
    "@"="" []
    "RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [01/11/07 01:40 PM]
    "DMXLauncher"="C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe" [01/17/07 05:23 AM]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/07 04:11 AM]
    "0437l7edsms6"="C:\WINDOWS.1\system32\0437l7edsms6.exe" []
    "WindowsHive"="C:\WINDOWS.1\System32\rpcc.exe" []
    "mmnext06"="C:\WINDOWS.1\trjdwnl.dll" []
    "bantool"="bantool.exe" []
    "winavx"="C:\WINDOWS.1\system32\WinAvXX.exe" []
    "anti_troj"="C:\WINDOWS.1\system32\anti_troj.exe" []
    "vmlib"="vmlib.exe" []
    "cssrss.exe"="cssrss.exe" []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS.1\System32\ctfmon.exe" [12/16/03 03:25 PM]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [12/16/03 10:31 PM]
    "Aim6"="" []
    "0437l7edsms6"="C:\WINDOWS.1\system32\0437l7edsms6.exe" []
    "Trackstick Manager.exe"="" []
    "SpyKillerPro"="C:\Program Files\SpyKillerPro\SpyKillerPro.exe" []
    "quartz"="C:\WINDOWS.1\System32\quartz.exe" []
    "dmime"="C:\WINDOWS.1\System32\dmime.exe" []
    "Outerinfo"="C:\WINDOWS.1\Outerinfo.exe" []
    "winavx"="C:\WINDOWS.1\system32\WinAvXX.exe" []
    "anti_troj"="C:\WINDOWS.1\system32\anti_troj.exe" []
    "windows update loader"="C:\WINDOWS.1\xpupdate.exe" []

    C:\Documents and Settings\eee\Start Menu\Programs\Startup\
    Reboot.exe [10/01/04 1:01:50 AM]

    C:\Documents and Settings\All Users.WINDOWS.1\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [05/15/03 4:19:50 AM]
    America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0a\aoltray.exe [04/15/07 12:54:36 PM]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [02/13/01 4:01:04 AM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"=1 (0x1)
    "NoActiveDesktopChanges"=1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"=1 (0x1)
    "NoActiveDesktopChanges"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source= file:///C:\WINDOWS.1\privacy_danger\index.htm
    FriendlyName= Privacy Protection

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{24E31EA9-FCE2-404F-BD80-20543565D946}"= C:\DOCUME~1\eee\LOCALS~1\Temp\~~install.dll [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "SysRun"= {D7FFD784-5276-42D1-887B-00267870A4C7} - C:\WINDOWS.1\System32\svshost.dll [ ]
    "bxlrvps"= {6F52A766-F049-44BB-8098-B82774DEC84F} - C:\WINDOWS.1\bxlrvps.dll [ ]
    "alofkmn"= {B61C0D68-3812-4015-9211-6042809CAEB0} - C:\WINDOWS.1\alofkmn.dll [02/26/08 12:03 PM 258048]
    "DrvRom"= {5f159d74-f397-410e-8ded-152607d8244c} - C:\WINDOWS.1\Installer\{5f159d74-f397-410e-8ded-152607d8244c}\DrvRom.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tcdtndow]
    cddbwomanagerroxios.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    DcomLaunch DcomLaunch
    xmlprov xmlprov

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    jdzwvdnx


    -- End of Deckard's System Scanner: finished at 2008-03-01 19:12:27 ------------
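    A HijackThis log like the one above gets read line by line for the same handful of signs. As an added example (it is not part of this thread and not code from HijackThis, DSS or any of the tools named here), the Python below applies those checks to lines copied from the log above: entries marked (file missing), loaders living in a Temp directory, generated-looking file names, a process name one edit away from a system binary (cssrss.exe beside csrss.exe), an O23 service whose path is an NTFS alternate data stream (svchost.exe:ext.exe), Winlogon Notify and SSODL names outside XP's defaults, and an Active Desktop component served from a local file. The scoring rules, the allowlist of default XP shell hooks and the list of imitated system names are this example's own assumptions, not anything HijackThis ships.

```python
"""HijackThis log triage. Added example; the rules and lists are assumptions, not HijackThis's."""
import re

# Constructed sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AboutBlank Class - {489C5DDD-AB4C-48EC-B397-505BABF9B4BD} - C:\DOCUME~1\eee\LOCALS~1\Temp\ieobj.dll (file missing)
O2 - BHO: SXG Advisor - {D5A6B004-5BF1-4FAC-AE21-4DF4BA75FC1C} - C:\WINDOWS.1\dgtxrdflko.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [0437l7edsms6] C:\WINDOWS.1\system32\0437l7edsms6.exe
O4 - HKLM\..\Run: [cssrss.exe] cssrss.exe
O4 - HKCU\..\Run: [windows update loader] C:\WINDOWS.1\xpupdate.exe
O20 - Winlogon Notify: tcdtndow - cddbwomanagerroxios.dll (file missing)
O21 - SSODL: alofkmn - {B61C0D68-3812-4015-9211-6042809CAEB0} - C:\WINDOWS.1\alofkmn.dll
O22 - SharedTaskScheduler: Windows Installer Class - {24E31EA9-FCE2-404F-BD80-20543565D946} - C:\DOCUME~1\eee\LOCALS~1\Temp\~~install.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: FCI - Unknown owner - C:\WINDOWS.1\System32\svchost.exe:ext.exe (file missing)
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS.1\privacy_danger\index.htm
"""

# Example's own lists (assumptions): process names malware likes to imitate, and the
# Winlogon Notify / SSODL names a default XP install carries.
SYSTEM_NAMES = {"csrss", "smss", "lsass", "svchost", "services", "winlogon",
                "explorer", "rpcss", "spoolsv", "wuauclt"}
KNOWN_SHELL_HOOKS = {"PostBootReminder", "CDBurn", "WebCheck", "SysTray",
                     "crypt32chain", "cryptnet", "cscdll", "ScCertProp",
                     "Schedule", "sclgntfy", "SensLogn", "termsrv", "wlballoon"}


def edit_distance(a, b):
    """Levenshtein distance; one edit from a system name is the look-alike test."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(stem):
    """Seven+ characters with a run of five non-vowels (digits count) reads as generated."""
    return len(stem) >= 7 and re.search(r"[^aeiou]{5,}", stem.lower()) is not None


def triage_line(line):
    """Return (kind, entry, reasons) for one HijackThis line, or None if nothing stands out."""
    m = re.match(r"^(O\d+|R\d) - (.*)$", line.strip())
    if not m:
        return None
    kind, body = m.groups()
    reasons = []
    if "(file missing)" in body:
        reasons.append("orphaned entry (file missing)")
    clean = body.replace(" (file missing)", "")
    if kind == "O4":                      # O4 - HKLM\..\Run: [name] command [/args]
        target = re.match(r".*?\[.*?\]\s*(.*)$", clean).group(1).split(" /")[0].strip('"')
    else:                                 # the last " - " field is the file that gets loaded
        target = clean.rsplit(" - ", 1)[-1]
    stem = target.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if kind == "O4" and "\\" not in target:
        reasons.append("bare filename, resolved through PATH")
    if re.search(r"\\(Temp|LOCALS~1)\\", target, re.I):
        reasons.append("loads from a temp directory")
    if kind in ("O2", "O4", "O20", "O21", "O22") and looks_random(stem):
        reasons.append(f"generated-looking name '{stem}'")
    if re.search(r"^[A-Za-z]:\\.*:[^\\]+$", target):       # drive:\...\file.exe:stream
        reasons.append("NTFS alternate data stream path")
    for name in sorted(SYSTEM_NAMES):
        if 0 < edit_distance(stem.lower(), name) <= 1:
            reasons.append(f"imitates system process {name}")
    if kind in ("O20", "O21") and clean.split(": ", 1)[1].split(" - ")[0] not in KNOWN_SHELL_HOOKS:
        reasons.append("shell hook not among XP defaults")
    if kind == "O23" and "Unknown owner" in body:
        reasons.append("service with no vendor")
    if kind == "O24" and target.lower().startswith("file:///"):
        reasons.append("Active Desktop component from a local file")
    return (kind, body, reasons) if reasons else None


def triage(log_text):
    """All lines worth a second look, in log order."""
    return [hit for hit in map(triage_line, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for kind, entry, reasons in triage(SAMPLE_LOG):
        print(f"{kind}: {entry}\n    -> {'; '.join(reasons)}")
```

    Run against the sample it flags nine of the fourteen lines and leaves the Acrobat, AVG and about:blank lines alone. It is a first pass, not a verdict: an entry such as [windows update loader] C:\WINDOWS.1\xpupdate.exe passes every rule here, and only the DSS registry dump above gives it away, where it prints empty brackets for that file while the files it could find carry a date and size.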
     
  2. 2008/03/01
    noahdfear
    Hi Alex :)

    Download SmitfraudFix by S!Ri, saving it to the desktop.

    • Restart the computer in Safe Mode by tapping the F8 key upon startup and selecting Safe Mode from the Advanced Startup Menu. Log on to your account.
    • Double-click SmitfraudFix.exe to start the tool and press 2, then hit Enter.
    • You will be prompted 'Do you want to clean the registry?' answer Y (yes) and hit Enter.
    • If prompted to replace the infected wininet.dll file (if found), answer Y (yes) and hit Enter to restore a clean file.
    • Reboot to normal mode when the tool completes.

    Post the contents of C:\rapport.txt


    Then, download ComboFix by sUBs from here, saving the file to your desktop.

    It's best to disable real-time protection applications, as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
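    Both tools print the registry loading points they leave behind, and the useful step after a run is to set that list beside the one from before the fix. As an added example (not part of this thread and not code from DSS, SmitfraudFix or ComboFix), the Python below compares a DSS "Registry Dump" with the "Reg Loading Points" section ComboFix prints after a fix, using constructed excerpts of the two dumps in this thread trimmed to the Run and SSODL keys. It reports which entries disappeared, which survived, and which survivors point at a file the tool could not find; in these dumps that is what the empty brackets mean, since the files the tools do find carry a date and size in the same place. Treating empty brackets that way is this example's own reading of the logs.

```python
"""Compare registry loading points before and after a fix. Added example; not DSS or ComboFix code."""

# Constructed excerpts of the DSS "Registry Dump" (before) and the ComboFix
# "Reg Loading Points" (after) posted in this thread, trimmed to Run and SSODL.
BEFORE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [12/21/07 07:45 PM]
"0437l7edsms6"="C:\WINDOWS.1\system32\0437l7edsms6.exe" []
"WindowsHive"="C:\WINDOWS.1\System32\rpcc.exe" []
"mmnext06"="C:\WINDOWS.1\trjdwnl.dll" []
"cssrss.exe"="cssrss.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS.1\System32\ctfmon.exe" [12/16/03 03:25 PM]
"0437l7edsms6"="C:\WINDOWS.1\system32\0437l7edsms6.exe" []
"windows update loader"="C:\WINDOWS.1\xpupdate.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bxlrvps"= {6F52A766-F049-44BB-8098-B82774DEC84F} - C:\WINDOWS.1\bxlrvps.dll [ ]
"""

AFTER = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS.1\System32\ctfmon.exe" [2003-12-16 15:25 13824]
"0437l7edsms6"="C:\WINDOWS.1\system32\0437l7edsms6.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 19:45 579072]
"0437l7edsms6"="C:\WINDOWS.1\system32\0437l7edsms6.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bxlrvps"= {6F52A766-F049-44BB-8098-B82774DEC84F} - C:\WINDOWS.1\bxlrvps.dll [ ]
"""


def parse_dump(text):
    """Map (registry key, value name) -> (target, file info).
    Empty file info means the tool found no file at the target; found files carry a date and size."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):       # [HKEY_...] section header
            key = line[1:-1].lower()
        elif line.startswith('"') and key:                     # "name"="target" [info]
            name, _, rest = line[1:].partition('"')
            rest = rest.lstrip("= ")
            info = None
            if rest.endswith("]"):                              # trailing [date size] block
                rest, _, info = rest[:-1].rpartition("[")
                info = info.strip()
            entries[(key, name.lower())] = (rest.strip().strip('"'), info)
    return entries


def compare(before_text, after_text):
    """What the fix removed, what it left in place, and which leftovers point at no file."""
    before, after = parse_dump(before_text), parse_dump(after_text)
    removed = sorted(k for k in before if k not in after)
    survived = sorted(k for k in after if k in before)
    orphans = sorted(k for k, (_, info) in after.items() if info == "")
    return removed, survived, orphans


if __name__ == "__main__":
    labels = ("removed by the fix", "still present", "still present, no file found")
    for label, keys in zip(labels, compare(BEFORE, AFTER)):
        print(label)
        for key, name in keys:
            short = key.rsplit("\\", 1)[-1]
            print(f"  {name}  ({short})")
```

    On these excerpts the Run entries WindowsHive, mmnext06, cssrss.exe and windows update loader are gone, while 0437l7edsms6 survives in both Run keys and bxlrvps survives in SSODL, all three with no file behind them: dangling loading points that still want removing even though nothing runs from them. The after-dump stops where the ComboFix log in the next post is cut off, so it covers the Run keys and the first SSODL entry only.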
     

  4. 2008/03/01
    alex23 (Thread Starter)
    Thanks for a very fast reply!!
    I followed your instructions and attached all logs.
    Thanks again, the desktop background is already blue (OK) and IE goes directly to msn site (OK).

    SmitFraudFix v2.299

    Scan done at 21:03:29.42, 03/01/08
    Run from C:\Documents and Settings\eee\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{24E31EA9-FCE2-404F-BD80-20543565D946}"="Windows Installer Class"

    [HKEY_CLASSES_ROOT\CLSID\{24E31EA9-FCE2-404F-BD80-20543565D946}\InProcServer32]
    @="C:\DOCUME~1\eee\LOCALS~1\Temp\~~install.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{24E31EA9-FCE2-404F-BD80-20543565D946}\InProcServer32]
    @="C:\DOCUME~1\eee\LOCALS~1\Temp\~~install.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» VACFix

    VACFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri
    C:\WINDOWS.1\dgtxrdflko.dll deleted.
    C:\WINDOWS.1\alofkmn.dll deleted.


    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix

    IEDFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{7FBFC38B-8BDC-47E7-8DFC-7613D8D0EFB1}: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{7FBFC38B-8BDC-47E7-8DFC-7613D8D0EFB1}: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{7FBFC38B-8BDC-47E7-8DFC-7613D8D0EFB1}: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{24E31EA9-FCE2-404F-BD80-20543565D946}"="Windows Installer Class"

    [HKEY_CLASSES_ROOT\CLSID\{24E31EA9-FCE2-404F-BD80-20543565D946}\InProcServer32]
    @="C:\DOCUME~1\eee\LOCALS~1\Temp\~~install.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{24E31EA9-FCE2-404F-BD80-20543565D946}\InProcServer32]
    @="C:\DOCUME~1\eee\LOCALS~1\Temp\~~install.dll"



    »»»»»»»»»»»»»»»»»»»»»»»» End


    ComboFix 08-03-01.3 - eee 2008-03-01 21:20:02.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.234 [GMT -5:00]
    Running from: C:\Documents and Settings\eee\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS.1\Downloaded Program Files\Temp
    C:\WINDOWS.1\rs.txt
    C:\WINDOWS.1\system32\CcEvtSvc.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_CCEVTSVC
    -------\LEGACY_FCI
    -------\CcEvtSvc
    -------\FCI
    -------\SpyKillerProFilter


    ((((((((((((((((((((((((( Files Created from 2008-02-02 to 2008-03-02 )))))))))))))))))))))))))))))))
    .

    2008-03-01 21:03 . 2008-03-01 21:03 3,570 --a------ C:\WINDOWS.1\system32\tmp.reg
    2008-03-01 18:58 . 2008-03-01 18:58 <DIR> d-------- C:\Deckard
    2008-03-01 17:31 . 2008-03-01 18:13 <DIR> d-------- C:\SDFix
    2008-03-01 17:23 . 2008-02-29 23:05 318,369 --a------ C:\Program Files\HiJackThis.zip
    2008-02-26 20:33 . 2008-02-26 20:33 87,552 --a------ C:\241.tmp
    2008-02-26 20:33 . 2008-02-26 20:33 0 --a------ C:\243.tmp
    2008-02-18 09:44 . 2008-02-18 09:44 <DIR> d-------- C:\atxWeb
    2008-02-18 09:32 . 2008-02-24 15:25 <DIR> d-------- C:\Program Files\TaxCut Business 2007
    2008-02-18 09:31 . 2006-09-12 11:13 143,360 --a------ C:\WINDOWS.1\system32\TAXPDF.DLL
    2008-02-18 09:30 . 2008-02-18 09:30 <DIR> d--hs---- C:\WINDOWS.1\ftpcache
    2008-02-08 08:13 . 2008-02-08 08:13 691,545 --a------ C:\WINDOWS.1\unins000.exe
    2008-02-08 08:13 . 2008-02-08 08:13 3,460 --a------ C:\WINDOWS.1\unins000.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-29 12:32 --------- d-----w C:\Documents and Settings\eee\Application Data\AVG7
    2008-02-18 14:31 --------- d-----w C:\Program Files\Common Files\ATX
    2008-02-08 13:18 --------- d-----w C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Spybot - Search & Destroy
    2008-02-08 13:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-02-05 04:09 --------- d-----w C:\Documents and Settings\All Users.WINDOWS.1\Application Data\avg7
    2008-02-04 00:00 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
    2008-02-03 23:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-02-03 23:57 --------- d-----w C:\Program Files\TurboTax
    2008-02-01 01:16 --------- d-----w C:\Program Files\Common Files\Sonic Shared
    2008-02-01 01:16 --------- d-----w C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Roxio
    2008-02-01 01:15 --------- d-----w C:\Program Files\InterActual
    2008-02-01 01:15 --------- d-----w C:\Program Files\Common Files\SureThing Shared
    2008-02-01 01:13 --------- d-----w C:\Program Files\Roxio
    2008-02-01 01:13 --------- d-----w C:\Program Files\Common Files\Roxio Shared
    2008-02-01 01:13 --------- d-----w C:\Documents and Settings\eee\Application Data\Roxio
    2008-02-01 01:11 --------- d-----w C:\Program Files\America Online 9.0a
    2008-01-25 00:01 --------- d-----w C:\Documents and Settings\eee\Application Data\ICAClient
    2008-01-24 23:50 --------- d-----w C:\Program Files\Citrix
    2007-12-25 05:13 41,032 ----a-w C:\Documents and Settings\eee\Application Data\GDIPFONTCACHEV1.DAT
    2007-02-13 04:35 23,104 ----a-w C:\Documents and Settings\tt\Application Data\GDIPFONTCACHEV1.DAT
    2004-09-24 15:45 76,463 ----a-w C:\Documents and Settings\Eug\hotsyncstrobe.zip
    2001-11-23 04:08 712,704 ----a-w C:\WINDOWS.1\inf\OTHER\AUDIO3D.DLL
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{489C5DDD-AB4C-48EC-B397-505BABF9B4BD}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4BECEDA6-487E-47E8-835E-4468F04445CC}]
    c:\windows.1\system32\xrtmrcif.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F080BCE1-71CD-4DFA-9C09-609179BA25A4}]
    C:\WINDOWS.1\System32\camocxi.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F310ADC4-242C-4B67-8CDE-5DFC139B0D20}]
    c:\windows.1\system32\cddbwomanagerroxios.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS.1\System32\ctfmon.exe" [2003-12-16 15:25 13824]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2003-12-16 22:31 1598464]
    "Aim6"="" []
    "0437l7edsms6"="C:\WINDOWS.1\system32\0437l7edsms6.exe" [ ]
    "Trackstick Manager.exe"="" []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BluetoothAuthenticationAgent"="irprops.cpl" [2003-12-16 15:31 441344 C:\WINDOWS.1\system32\irprops.cpl]
    "RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 20:44 65536]
    "RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2007-02-12 11:05 1121016]
    "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-04-15 12:55 26112]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-15 12:55 77824]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 19:45 579072]
    "Cmaudio"="cmicnfg.cpl" []
    "SoundMan"="SOUNDMAN.EXE" [2005-07-22 02:00 81920 C:\WINDOWS.1\SOUNDMAN.EXE]
    "HostManager"="C:\Program Files\Common Files\AOL\1187018570\ee\AOLSoftware.exe" [2007-04-12 16:23 42032]
    "RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-01-11 13:40 232184]
    "DMXLauncher"="C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe" [2007-01-17 05:23 109304]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 04:11 132496]
    "0437l7edsms6"="C:\WINDOWS.1\system32\0437l7edsms6.exe" [ ]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-22 21:06 219136]

    C:\Documents and Settings\eee\Start Menu\Programs\Startup\
    Reboot.exe [2004-10-01 01:01:50 334336]

    C:\Documents and Settings\All Users.WINDOWS.1\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 04:19:50 217193]
    America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0a\aoltray.exe [2007-04-15 12:54:36 36953]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 04:01:04 83360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "bxlrvps"= {6F52A766-F049-44BB-8098-B82774DEC84F} - C:\WINDOWS.1\bxlrvps.dll [ ]
    "DrvRom"= {5f159d74-f397-410e-8ded-152607d8244c} - C:\WINDOWS.1\Installer\{5f159d74-f397-410e-8ded-152607d8244c}\DrvRom.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tcdtndow]
    cddbwomanagerroxios.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    R1 DLARTL_M;DLARTL_M;C:\WINDOWS.1\System32\Drivers\DLARTL_M.SYS [2007-02-08 22:05]
    S2 jdzwvdnx;USB Mass Storage Controller;C:\WINDOWS.1\System32\svchost.exe [2008-02-26 20:33]
    S3 ICDUSB2;Sony IC Recorder (P);C:\WINDOWS.1\System32\Drivers\ICDUSB2.sys [2002-11-28 23:23]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    DcomLaunch REG_MULTI_SZ DcomLaunch
    xmlprov REG_MULTI_SZ xmlprov

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    jdzwvdnx

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-01 21:25:55
    Windows 5.1.2600 Service Pack 2, v.2055 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS.1\System32\brss01a.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS.1\System32\wdfmgr.exe
    C:\WINDOWS.1\wanmpsvc.exe
    C:\WINDOWS.1\System32\MsPMSPSv.exe
    C:\WINDOWS.1\System32\rundll32.exe
    .
    **************************************************************************
    .
    Completion time: 2008-03-01 21:29:11 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-03-02 02:29:08


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:31:26 PM, on 03/01/08
    Platform: Windows XP SP2, v.2055 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2055)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS.1\System32\smss.exe
    C:\WINDOWS.1\system32\winlogon.exe
    C:\WINDOWS.1\system32\services.exe
    C:\WINDOWS.1\system32\lsass.exe
    C:\WINDOWS.1\system32\svchost.exe
    C:\WINDOWS.1\System32\svchost.exe
    C:\WINDOWS.1\System32\svchost.exe
    C:\WINDOWS.1\system32\spoolsv.exe
    C:\WINDOWS.1\System32\brss01a.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS.1\System32\svchost.exe
    C:\WINDOWS.1\wanmpsvc.exe
    C:\WINDOWS.1\System32\MsPMSPSv.exe
    C:\WINDOWS.1\System32\wuauclt.exe
    C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS.1\SOUNDMAN.EXE
    C:\Program Files\Common Files\AOL\1187018570\ee\AOLSoftware.exe
    C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS.1\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\America Online 9.0a\aoltray.exe
    C:\WINDOWS.1\System32\svchost.exe
    C:\WINDOWS.1\explorer.exe
    C:\WINDOWS.1\system32\notepad.exe
    C:\Program Files\HiJackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {489C5DDD-AB4C-48EC-B397-505BABF9B4BD} - (no file)
    O2 - BHO: (no name) - {4BECEDA6-487E-47E8-835E-4468F04445CC} - c:\windows.1\system32\xrtmrcif.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: (no name) - {F080BCE1-71CD-4DFA-9C09-609179BA25A4} - C:\WINDOWS.1\System32\camocxi.dll (file missing)
    O2 - BHO: (no name) - {F310ADC4-242C-4B67-8CDE-5DFC139B0D20} - c:\windows.1\system32\cddbwomanagerroxios.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.1\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1187018570\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [0437l7edsms6] C:\WINDOWS.1\system32\0437l7edsms6.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.1\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [0437l7edsms6] C:\WINDOWS.1\system32\0437l7edsms6.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: Reboot.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS.1\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS.1\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS.1\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
    O20 - Winlogon Notify: tcdtndow - cddbwomanagerroxios.dll (file missing)
    O21 - SSODL: bxlrvps - {6F52A766-F049-44BB-8098-B82774DEC84F} - C:\WINDOWS.1\bxlrvps.dll (file missing)
    O21 - SSODL: DrvRom - {5f159d74-f397-410e-8ded-152607d8244c} - C:\WINDOWS.1\Installer\{5f159d74-f397-410e-8ded-152607d8244c}\DrvRom.dll (file missing)
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS.1\System32\brsvc01a.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS.1\system32\IcdSptSv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS.1\wanmpsvc.exe

    --
    End of file - 8744 bytes
     
  5. 2008/03/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\241.tmp
    C:\243.tmp
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{489C5DDD-AB4C-48EC-B397-505BABF9B4BD}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4BECEDA6-487E-47E8-835E-4468F04445CC}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F080BCE1-71CD-4DFA-9C09-609179BA25A4}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F310ADC4-242C-4B67-8CDE-5DFC139B0D20}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "0437l7edsms6"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "0437l7edsms6"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "bxlrvps"=-
    "DrvRom"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tcdtndow]
    NetSvc::
    jdzwvdnx
    Driver::
    jdzwvdnx
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a new HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
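The CFScript above was written by hand from the HijackThis log: delete the BHO keys whose DLLs are missing or unset, the two random-named Run values, the two SSODL values and the Winlogon Notify key. As an added example, not code from this thread, HijackThis or ComboFix, the Python below does that triage over a constructed subset of the log posted earlier: it flags O2/O20/O21 entries that HijackThis marked "(file missing)" or "(no file)", accepts a list of load-point names the analyst has already chosen (the O4 Run values here, since O4 lines carry no file-missing annotation), and drafts the matching Registry:: lines in the same [-key] / "name"=- syntax. It writes the full Browser Helper Objects key path where ComboFix's log uses the HKEY_LOCAL_MACHINE\~ abbreviation; that ComboFix accepts the full path is an assumption. The File::, NetSvc:: and Driver:: sections are left to the analyst.

```python
"""Triage a HijackThis log and draft ComboFix CFScript Registry:: lines.

Added example for this thread, not a tool from the forum, HijackThis or
ComboFix. Sample lines are lifted from the HijackThis log posted above.
"""
import re

# Constructed subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {489C5DDD-AB4C-48EC-B397-505BABF9B4BD} - (no file)
O2 - BHO: (no name) - {4BECEDA6-487E-47E8-835E-4468F04445CC} - c:\windows.1\system32\xrtmrcif.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [0437l7edsms6] C:\WINDOWS.1\system32\0437l7edsms6.exe
O4 - HKCU\..\Run: [0437l7edsms6] C:\WINDOWS.1\system32\0437l7edsms6.exe
O20 - Winlogon Notify: tcdtndow - cddbwomanagerroxios.dll (file missing)
O21 - SSODL: bxlrvps - {6F52A766-F049-44BB-8098-B82774DEC84F} - C:\WINDOWS.1\bxlrvps.dll (file missing)
"""

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
# Full key paths; ComboFix's own log abbreviates the Explorer key as HKEY_LOCAL_MACHINE\~
# (assumption: ComboFix's Registry:: section accepts the full regedit-style path).
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"
SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

GUID = r"\{[0-9A-Fa-f-]{36}\}"
RE_O2 = re.compile(rf"^O2 - BHO: .* - ({GUID}) - (.*)$")
RE_O4 = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
RE_O21 = re.compile(rf"^O21 - SSODL: (\S+) - {GUID} - (.*)$")


def reason(name, target, suspects):
    """Why an entry should go, or None to keep it."""
    target = target.strip()
    if target.endswith("(file missing)") or target == "(no file)":
        return "file missing"
    if name.lower() in suspects:
        return "named by analyst"
    return None


def triage(log_text, suspects=()):
    """Return (findings, cfscript_lines).

    findings are (log line, reason) pairs. An entry is flagged when HijackThis
    marked its file missing, or when its load-point name (or BHO CLSID) is in
    `suspects`, the names the analyst has already decided to remove.
    """
    suspects = {s.lower() for s in suspects}
    findings, delete_keys, delete_values = [], [], {}

    def consider(line, kind, name, target):
        why = reason(name, target, suspects)
        if why:
            findings.append((line, f"{kind}: {why}"))
        return why

    for line in log_text.splitlines():
        if m := RE_O2.match(line):
            clsid, target = m.groups()
            if consider(line, "BHO", clsid, target):
                delete_keys.append(f"{BHO_KEY}\\{clsid}")
        elif m := RE_O4.match(line):
            hive, name, target = m.groups()
            if consider(line, "Run value", name, target):
                delete_values.setdefault(f"{HIVES[hive]}\\{RUN_KEY}", []).append(name)
        elif m := RE_O20.match(line):
            name, target = m.groups()
            if consider(line, "Winlogon Notify", name, target):
                delete_keys.append(f"{NOTIFY_KEY}\\{name}")
        elif m := RE_O21.match(line):
            name, target = m.groups()
            if consider(line, "SSODL", name, target):
                delete_values.setdefault(SSODL_KEY, []).append(name)

    # CFScript syntax as used in the thread: [-key] deletes a key, "name"=- deletes a value.
    script = ["Registry::"] + [f"[-{key}]" for key in delete_keys]
    for key, names in delete_values.items():
        script.append(f"[{key}]")
        script.extend(f'"{name}"=-' for name in names)
    return findings, script


if __name__ == "__main__":
    found, lines = triage(SAMPLE_LOG, suspects=["0437l7edsms6"])
    for entry, why in found:
        print(f"{why}: {entry}")
    print("\n".join(lines))
```

Run as-is it reports six findings and prints ten Registry:: lines for the sample; feed it a real log and your own suspects list otherwise. It only drafts the Registry:: section, and the analyst still decides what goes in, as noahdfear did above.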
     
  6. 2008/03/01
    alex23

    alex23 Inactive Thread Starter

    Joined:
    2008/01/04
    Messages:
    12
    Likes Received:
    0
    Hi, Thanks again.
    I followed the latest instructions and logs are attached.

    ComboFix 08-03-01.3 - eee 2008-03-01 22:38:02.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.224 [GMT -5:00]
    Running from: C:\Documents and Settings\eee\Desktop\ComboFix.exe
    Command switches used :: C:\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\241.tmp
    C:\243.tmp
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\241.tmp
    C:\243.tmp

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_JDZWVDNX
    -------\jdzwvdnx


    ((((((((((((((((((((((((( Files Created from 2008-02-02 to 2008-03-02 )))))))))))))))))))))))))))))))
    .

    2008-03-01 21:03 . 2008-03-01 21:03 3,570 --a------ C:\WINDOWS.1\system32\tmp.reg
    2008-03-01 18:58 . 2008-03-01 18:58 <DIR> d-------- C:\Deckard
    2008-03-01 17:31 . 2008-03-01 18:13 <DIR> d-------- C:\SDFix
    2008-03-01 17:23 . 2008-02-29 23:05 318,369 --a------ C:\Program Files\HiJackThis.zip
    2008-02-18 09:44 . 2008-02-18 09:44 <DIR> d-------- C:\atxWeb
    2008-02-18 09:32 . 2008-02-24 15:25 <DIR> d-------- C:\Program Files\TaxCut Business 2007
    2008-02-18 09:31 . 2006-09-12 11:13 143,360 --a------ C:\WINDOWS.1\system32\TAXPDF.DLL
    2008-02-18 09:30 . 2008-02-18 09:30 <DIR> d--hs---- C:\WINDOWS.1\ftpcache
    2008-02-08 08:13 . 2008-02-08 08:13 691,545 --a------ C:\WINDOWS.1\unins000.exe
    2008-02-08 08:13 . 2008-02-08 08:13 3,460 --a------ C:\WINDOWS.1\unins000.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-29 12:32 --------- d-----w C:\Documents and Settings\eee\Application Data\AVG7
    2008-02-27 01:33 13,824 ----a-w C:\WINDOWS.1\system32\svchost.exe
    2008-02-18 14:31 --------- d-----w C:\Program Files\Common Files\ATX
    2008-02-08 13:18 --------- d-----w C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Spybot - Search & Destroy
    2008-02-08 13:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-02-05 04:09 --------- d-----w C:\Documents and Settings\All Users.WINDOWS.1\Application Data\avg7
    2008-02-04 00:00 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
    2008-02-03 23:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-02-03 23:57 --------- d-----w C:\Program Files\TurboTax
    2008-02-01 01:16 --------- d-----w C:\Program Files\Common Files\Sonic Shared
    2008-02-01 01:16 --------- d-----w C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Roxio
    2008-02-01 01:15 --------- d-----w C:\Program Files\InterActual
    2008-02-01 01:15 --------- d-----w C:\Program Files\Common Files\SureThing Shared
    2008-02-01 01:13 --------- d-----w C:\Program Files\Roxio
    2008-02-01 01:13 --------- d-----w C:\Program Files\Common Files\Roxio Shared
    2008-02-01 01:13 --------- d-----w C:\Documents and Settings\eee\Application Data\Roxio
    2008-02-01 01:11 --------- d-----w C:\Program Files\America Online 9.0a
    2008-01-25 00:01 --------- d-----w C:\Documents and Settings\eee\Application Data\ICAClient
    2008-01-24 23:50 --------- d-----w C:\Program Files\Citrix
    2007-12-25 05:13 41,032 ----a-w C:\Documents and Settings\eee\Application Data\GDIPFONTCACHEV1.DAT
    2007-02-13 04:35 23,104 ----a-w C:\Documents and Settings\tt\Application Data\GDIPFONTCACHEV1.DAT
    2004-09-24 15:45 76,463 ----a-w C:\Documents and Settings\Eug\hotsyncstrobe.zip
    2001-11-23 04:08 712,704 ----a-w C:\WINDOWS.1\inf\OTHER\AUDIO3D.DLL
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS.1\System32\ctfmon.exe" [2003-12-16 15:25 13824]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2003-12-16 22:31 1598464]
    "Aim6"="" []
    "Trackstick Manager.exe"="" []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BluetoothAuthenticationAgent"="irprops.cpl" [2003-12-16 15:31 441344 C:\WINDOWS.1\system32\irprops.cpl]
    "RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 20:44 65536]
    "RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2007-02-12 11:05 1121016]
    "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-04-15 12:55 26112]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-15 12:55 77824]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 19:45 579072]
    "Cmaudio"="cmicnfg.cpl" []
    "SoundMan"="SOUNDMAN.EXE" [2005-07-22 02:00 81920 C:\WINDOWS.1\SOUNDMAN.EXE]
    "HostManager"="C:\Program Files\Common Files\AOL\1187018570\ee\AOLSoftware.exe" [2007-04-12 16:23 42032]
    "RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-01-11 13:40 232184]
    "DMXLauncher"="C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe" [2007-01-17 05:23 109304]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 04:11 132496]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-22 21:06 219136]

    C:\Documents and Settings\eee\Start Menu\Programs\Startup\
    Reboot.exe [2004-10-01 01:01:50 334336]

    C:\Documents and Settings\All Users.WINDOWS.1\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 04:19:50 217193]
    America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0a\aoltray.exe [2007-04-15 12:54:36 36953]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 04:01:04 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    R1 DLARTL_M;DLARTL_M;C:\WINDOWS.1\System32\Drivers\DLARTL_M.SYS [2007-02-08 22:05]
    S3 ICDUSB2;Sony IC Recorder (P);C:\WINDOWS.1\System32\Drivers\ICDUSB2.sys [2002-11-28 23:23]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    DcomLaunch REG_MULTI_SZ DcomLaunch
    xmlprov REG_MULTI_SZ xmlprov

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-01 22:41:41
    Windows 5.1.2600 Service Pack 2, v.2055 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS.1\System32\brss01a.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS.1\System32\rundll32.exe
    C:\WINDOWS.1\System32\wdfmgr.exe
    C:\WINDOWS.1\wanmpsvc.exe
    C:\WINDOWS.1\System32\MsPMSPSv.exe
    .
    **************************************************************************
    .
    Completion time: 2008-03-01 22:44:53 - machine was rebooted [eee]
    ComboFix-quarantined-files.txt 2008-03-02 03:44:50
    ComboFix2.txt 2008-03-02 02:29:12


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:51:50 PM, on 03/01/08
    Platform: Windows XP SP2, v.2055 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2055)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS.1\System32\smss.exe
    C:\WINDOWS.1\system32\winlogon.exe
    C:\WINDOWS.1\system32\services.exe
    C:\WINDOWS.1\system32\lsass.exe
    C:\WINDOWS.1\system32\svchost.exe
    C:\WINDOWS.1\System32\svchost.exe
    C:\WINDOWS.1\System32\svchost.exe
    C:\WINDOWS.1\system32\spoolsv.exe
    C:\WINDOWS.1\System32\brss01a.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS.1\SOUNDMAN.EXE
    C:\Program Files\Common Files\AOL\1187018570\ee\AOLSoftware.exe
    C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS.1\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\America Online 9.0a\aoltray.exe
    C:\WINDOWS.1\System32\svchost.exe
    C:\WINDOWS.1\wanmpsvc.exe
    C:\WINDOWS.1\System32\MsPMSPSv.exe
    C:\WINDOWS.1\System32\wuauclt.exe
    C:\WINDOWS.1\System32\svchost.exe
    C:\WINDOWS.1\explorer.exe
    C:\WINDOWS.1\system32\notepad.exe
    C:\Program Files\HiJackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.1\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1187018570\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.1\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: Reboot.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS.1\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS.1\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS.1\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS.1\System32\brsvc01a.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS.1\system32\IcdSptSv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS.1\wanmpsvc.exe

    --
    End of file - 7842 bytes
     
  7. 2008/03/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks good, but I want to check a system file. Please go to jotti and upload C:\WINDOWS.1\system32\svchost.exe for analysis. Copy the results and post them here please.

    We also need to have a look at a registry key. Please copy the bolded text below, then click Start>Run and right click>paste the command, then hit enter.

    regedit /e "%userprofile%\desktop\svchost.txt" "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost "

    This will create svchost.txt on the desktop. Open the text file and copy it's contents, then paste it into a reply here.
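The command above exports the SvcHost key, whose values are REG_MULTI_SZ lists of the service names each svchost.exe group may host; the rogue jdzwvdnx service was running as a member of NetSvcs before ComboFix removed it. regedit /e writes those lists as hex(7) values: comma-separated UTF-16LE bytes, each string NUL-terminated and the whole list closed by an extra NUL, wrapped onto continuation lines with a trailing backslash. As an added example, not a tool from this thread, the Python below decodes such an export back into string lists and reports netsvcs members that are not on a baseline. The export text is constructed: the HTTPFilter value is the one posted later in this thread, the netsvcs value is generated by the block's own encoder and deliberately includes jdzwvdnx, and the baseline is a partial, illustrative list of stock XP SP2 netsvcs members, not an authoritative one.

```python
"""Decode a `regedit /e` export of the SvcHost key and flag unexpected group members.

Added example for this thread, not a tool from the forum. regedit writes
REG_MULTI_SZ values as hex(7): comma-separated UTF-16LE bytes, each string
NUL-terminated and the list closed by an extra NUL, wrapped with trailing
backslashes onto continuation lines.
"""
import re

KEY_LINE = re.compile(r"^\[(.+)\]$")
HEX7_LINE = re.compile(r'^"([^"]+)"=hex\(7\):(.*)$')


def format_hex7(name, strings, width=78):
    """Render "name"=hex(7):... the way regedit does (wrap width is approximate)."""
    raw = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"
    tokens = [f"{b:02x}" for b in raw]
    out, line = [], f'"{name}"=hex(7):'
    for i, tok in enumerate(tokens):
        piece = tok if i == len(tokens) - 1 else tok + ","
        if len(line) + len(piece) + 1 > width:  # +1 leaves room for the backslash
            out.append(line + "\\")
            line = "  "
        line += piece
    out.append(line)
    return "\n".join(out)


def decode_multi_sz(raw):
    """Split a REG_MULTI_SZ byte blob into its strings, dropping the terminators."""
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def parse_export(text):
    """Return {key_path: {value_name: [strings]}} for the hex(7) values in an export."""
    logical, pending = [], ""
    for line in text.splitlines():
        if pending:                      # continuation of a wrapped value
            line = pending + line.strip()
            pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        logical.append(line)
    result, key = {}, None
    for line in logical:
        if m := KEY_LINE.match(line):
            key = m.group(1)
            result[key] = {}
        elif (m := HEX7_LINE.match(line)) and key is not None:
            name, hexdata = m.groups()
            raw = bytes(int(t, 16) for t in hexdata.split(",") if t)
            result[key][name] = decode_multi_sz(raw)
    return result


# Partial list of netsvcs members on a stock XP SP2 install, for illustration
# only; a real comparison needs the full list from a known-clean machine at
# the same service-pack level.
XP_SP2_NETSVCS_BASELINE = {
    "6to4", "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer", "EventSystem",
    "helpsvc", "Ias", "Iprip", "Irmon", "LanmanServer", "LanmanWorkstation", "Netman",
    "Nla", "Ntmssvc", "Schedule", "Seclogon", "SENS", "Sharedaccess", "Tapisrv",
    "Themes", "TrkWks", "W32Time", "WZCSVC", "Wmi", "wuauserv", "xmlprov",
}


def unexpected_members(groups, group="netsvcs", baseline=XP_SP2_NETSVCS_BASELINE):
    """Names in an svchost group that are not in the baseline (case-insensitive)."""
    known = {n.lower() for n in baseline}
    return [n for n in groups.get(group, []) if n.lower() not in known]


SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"

# Constructed export: the HTTPFilter value is the one posted in this thread;
# the netsvcs value is made up and seeded with jdzwvdnx, the name ComboFix
# removed from NetSvcs earlier in the thread.
SAMPLE_EXPORT = (
    "Windows Registry Editor Version 5.00\n\n"
    f"[{SVCHOST_KEY}]\n"
    '"HTTPFilter"=hex(7):48,00,54,00,54,00,50,00,46,00,69,00,6c,00,74,00,65,00,72,\\\n'
    "  00,00,00,00,00\n"
    + format_hex7("netsvcs", ["6to4", "Ias", "Iprip", "jdzwvdnx", "xmlprov"]) + "\n"
)

if __name__ == "__main__":
    groups = parse_export(SAMPLE_EXPORT)[SVCHOST_KEY]
    for name, members in groups.items():
        print(f"{name}: {members}")
    print("not in baseline:", unexpected_members(groups))
```

regedit saves the export as UTF-16 with a byte-order mark, so read a real svchost.txt with open(path, encoding="utf-16") before passing its text to parse_export. A name that sits in netsvcs but is not a service of the installed Windows version, as jdzwvdnx was here, tells you which svchost.exe group it loads into; that is the entry the NetSvc:: section of the CFScript above removed.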
     
  8. 2008/03/01
    alex23

    alex23 Inactive Thread Starter

    Joined:
    2008/01/04
    Messages:
    12
    Likes Received:
    0
    Hi,
    The first time I ran it, it hung for >10 min at the Fortinet check.

    Scanner results
    Scan taken on 02 Mar 2008 04:35:46 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Scanning, please wait...
    Ikarus Scanning, please wait...
    Kaspersky Anti-Virus Scanning, please wait...
    NOD32 Scanning, please wait...
    Norman Virus Control Scanning, please wait...
    Panda Antivirus Scanning, please wait...
    Rising Antivirus Scanning, please wait...
    Sophos Antivirus Scanning, please wait...
    VirusBuster Scanning, please wait...
    VBA32 Scanning, please wait...


    The second time was better:

    Scanner results
    Scan taken on 02 Mar 2008 04:48:41 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Ikarus Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing



    Results of svchost.txt file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
    "HTTPFilter "=hex(7):48,00,54,00,54,00,50,00,46,00,69,00,6c,00,74,00,65,00,72,\
    00,00,00,00,00
    "LocalService "=hex(7):41,00,6c,00,65,00,72,00,74,00,65,00,72,00,00,00,57,00,65,\
    00,62,00,43,00,6c,00,69,00,65,00,6e,00,74,00,00,00,4c,00,6d,00,48,00,6f,00,\
    73,00,74,00,73,00,00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,52,00,65,00,67,\
    00,69,00,73,00,74,00,72,00,79,00,00,00,75,00,70,00,6e,00,70,00,68,00,6f,00,\
    73,00,74,00,00,00,53,00,53,00,44,00,50,00,53,00,52,00,56,00,00,00,00,00
    "NetworkService "=hex(7):44,00,6e,00,73,00,43,00,61,00,63,00,68,00,65,00,00,00,\
    00,00
    "netsvcs "=hex(7):36,00,74,00,6f,00,34,00,00,00,41,00,70,00,70,00,4d,00,67,00,\
    6d,00,74,00,00,00,41,00,75,00,64,00,69,00,6f,00,53,00,72,00,76,00,00,00,42,\
    00,72,00,6f,00,77,00,73,00,65,00,72,00,00,00,43,00,72,00,79,00,70,00,74,00,\
    53,00,76,00,63,00,00,00,44,00,4d,00,53,00,65,00,72,00,76,00,65,00,72,00,00,\
    00,44,00,48,00,43,00,50,00,00,00,45,00,52,00,53,00,76,00,63,00,00,00,45,00,\
    76,00,65,00,6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,46,00,61,\
    00,73,00,74,00,55,00,73,00,65,00,72,00,53,00,77,00,69,00,74,00,63,00,68,00,\
    69,00,6e,00,67,00,43,00,6f,00,6d,00,70,00,61,00,74,00,69,00,62,00,69,00,6c,\
    00,69,00,74,00,79,00,00,00,48,00,69,00,64,00,53,00,65,00,72,00,76,00,00,00,\
    49,00,61,00,73,00,00,00,49,00,70,00,72,00,69,00,70,00,00,00,49,00,72,00,6d,\
    00,6f,00,6e,00,00,00,4c,00,61,00,6e,00,6d,00,61,00,6e,00,53,00,65,00,72,00,\
    76,00,65,00,72,00,00,00,4c,00,61,00,6e,00,6d,00,61,00,6e,00,57,00,6f,00,72,\
    00,6b,00,73,00,74,00,61,00,74,00,69,00,6f,00,6e,00,00,00,4d,00,65,00,73,00,\
    73,00,65,00,6e,00,67,00,65,00,72,00,00,00,4e,00,65,00,74,00,6d,00,61,00,6e,\
    00,00,00,4e,00,6c,00,61,00,00,00,4e,00,74,00,6d,00,73,00,73,00,76,00,63,00,\
    00,00,4e,00,57,00,43,00,57,00,6f,00,72,00,6b,00,73,00,74,00,61,00,74,00,69,\
    00,6f,00,6e,00,00,00,4e,00,77,00,73,00,61,00,70,00,61,00,67,00,65,00,6e,00,\
    74,00,00,00,52,00,61,00,73,00,61,00,75,00,74,00,6f,00,00,00,52,00,61,00,73,\
    00,6d,00,61,00,6e,00,00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,61,00,63,00,\
    63,00,65,00,73,00,73,00,00,00,53,00,63,00,68,00,65,00,64,00,75,00,6c,00,65,\
    00,00,00,53,00,65,00,63,00,6c,00,6f,00,67,00,6f,00,6e,00,00,00,53,00,45,00,\
    4e,00,53,00,00,00,53,00,68,00,61,00,72,00,65,00,64,00,61,00,63,00,63,00,65,\
    00,73,00,73,00,00,00,53,00,52,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,\
    00,00,54,00,61,00,70,00,69,00,73,00,72,00,76,00,00,00,54,00,68,00,65,00,6d,\
    00,65,00,73,00,00,00,54,00,72,00,6b,00,57,00,6b,00,73,00,00,00,57,00,33,00,\
    32,00,54,00,69,00,6d,00,65,00,00,00,57,00,5a,00,43,00,53,00,56,00,43,00,00,\
    00,57,00,6d,00,69,00,00,00,57,00,6d,00,64,00,6d,00,50,00,6d,00,53,00,70,00,\
    00,00,77,00,69,00,6e,00,6d,00,67,00,6d,00,74,00,00,00,54,00,65,00,72,00,6d,\
    00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,00,00,77,00,75,00,61,00,75,00,\
    73,00,65,00,72,00,76,00,00,00,42,00,49,00,54,00,53,00,00,00,53,00,68,00,65,\
    00,6c,00,6c,00,48,00,57,00,44,00,65,00,74,00,65,00,63,00,74,00,69,00,6f,00,\
    6e,00,00,00,68,00,65,00,6c,00,70,00,73,00,76,00,63,00,00,00,75,00,70,00,6c,\
    00,6f,00,61,00,64,00,6d,00,67,00,72,00,00,00,57,00,6d,00,64,00,6d,00,50,00,\
    6d,00,53,00,4e,00,00,00,00,00
    "DcomLaunch "=hex(7):44,00,63,00,6f,00,6d,00,4c,00,61,00,75,00,6e,00,63,00,68,\
    00,00,00,00,00
    "rpcss "=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
    "xmlprov "=hex(7):78,00,6d,00,6c,00,70,00,72,00,6f,00,76,00,00,00,00,00
    "imgsvc "=hex(7):53,00,74,00,69,00,53,00,76,00,63,00,00,00,00,00
    "termsvcs "=hex(7):54,00,65,00,72,00,6d,00,53,00,65,00,72,00,76,00,69,00,63,00,\
    65,00,00,00,00,00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\HTTPFilter]
    "CoInitializeSecurityParam "=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\LocalService]
    "CoInitializeSecurityParam "=dword:00000001
    "AuthenticationCapabilities "=dword:00002000

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs]
    "CoInitializeSecurityParam "=dword:00000001
    "AuthenticationCapabilities "=dword:00003020

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\PCHealth]
    "CoInitializeSecurityParam "=dword:00000002
    "AuthenticationCapabilities "=dword:00000040

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\termsvcs]
    "CoInitializeSecurityParam "=dword:00000001
    "DefaultRpcStackSize "=dword:00000008

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\xmlprov]
    "AuthenticationCapabilities "=dword:00003020
    "CoInitializeSecurityParam "=dword:00000001


    Thanks for your continuing support.
    Alex
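An added example, not code from either poster: a small Python decoder for the REG_MULTI_SZ (`hex(7)`) values in a `regedit /e` export like the svchost.txt above, so each SvcHost group can be read as a list of service names and compared against a known-good export instead of eyeballing hex. The sample input is copied from four of the values posted above; the "suspect" export and the name `ExampleRogueSvc` are constructed placeholders.

```python
import re

# Four of the values from the svchost.txt export posted above (the long
# netsvcs list is omitted to keep the sample short). Constructed sample input.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"HTTPFilter"=hex(7):48,00,54,00,54,00,50,00,46,00,69,00,6c,00,74,00,65,00,72,\
  00,00,00,00,00
"NetworkService"=hex(7):44,00,6e,00,73,00,43,00,61,00,63,00,68,00,65,00,00,00,\
  00,00
"rpcss"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"DcomLaunch"=hex(7):44,00,63,00,6f,00,6d,00,4c,00,61,00,75,00,6e,00,63,00,68,\
  00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\HTTPFilter]
"CoInitializeSecurityParam"=dword:00000001
'''


def parse_svchost_groups(reg_text):
    """Map every hex(7) value name in the export to its list of service names.

    regedit wraps long values with a trailing backslash; those continuation
    lines are joined first. REG_MULTI_SZ is UTF-16LE with a NUL after each
    string and a second NUL closing the list.
    """
    joined = re.sub(r',\\\r?\n\s*', ',', reg_text)
    groups = {}
    for m in re.finditer(r'^"([^"]+)"=hex\(7\):([0-9a-fA-F,]+)\s*$', joined, re.M):
        name = m.group(1).strip()
        raw = bytes(int(b, 16) for b in m.group(2).split(',') if b)
        groups[name] = [s for s in raw.decode('utf-16-le').split('\x00') if s]
    return groups


def encode_multi_sz(names):
    """Inverse of the decoder: render names as regedit's hex(7) value body."""
    raw = ('\x00'.join(names) + '\x00\x00').encode('utf-16-le')
    return ','.join(f'{b:02x}' for b in raw)


def unexpected_members(current, baseline):
    """Service names present in `current` that the known-good export lacks.

    Groups that only exist in `current` are reported in full. An extra name
    in a group such as netsvcs is the thing to look for: every service listed
    there runs inside the svchost.exe instance that hosts the group.
    """
    findings = {}
    for group, members in current.items():
        known = set(baseline.get(group, []))
        extra = [m for m in members if m not in known]
        if extra:
            findings[group] = extra
    return findings


# Constructed "suspect" export: rpcss has gained a member (placeholder name)
# that the clean export above does not list.
SUSPECT_REG = (
    '[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost]\n'
    '"rpcss"=hex(7):' + encode_multi_sz(['RpcSs', 'ExampleRogueSvc']) + '\n'
)

if __name__ == '__main__':
    clean = parse_svchost_groups(SAMPLE_REG)
    for group, members in clean.items():
        print(f'{group}: {members}')
    print('unexpected:', unexpected_members(parse_svchost_groups(SUSPECT_REG), clean))
```

Run it against the full svchost.txt and a matching export taken from a clean machine of the same Windows version; anything `unexpected_members` reports is the group member to look up next.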
     
  9. 2008/03/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks fine. Let's get an online scan now. Please do an online scan with Kaspersky WebScanner

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
        Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • This program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Post the Kaspersky log and one more fresh HijackThis log.
     
  10. 2008/03/02
    alex23

    alex23 Inactive Thread Starter

    Joined:
    2008/01/04
    Messages:
    12
    Likes Received:
    0
    I finished the Kaspersky scan and a new HijackThis scan.
    It looks like I still have some viruses, and when I open IE it is not acting normally: it has a double heading at start, waits, and then opens normally.
    Thanks a lot for your time looking at my problem.
    Alex

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    03/02/2008 2:38:21 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2, v.2055 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 2/03/2008
    Kaspersky Anti-Virus database records: 593624
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 223645
    Number of viruses found: 14
    Number of infected objects: 26
    Number of suspicious objects: 0
    Duration of the scan process: 02:47:39

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\94f6c0fc929c14778a9744a7e8af2774_b8b33864-433f-4b27-a7e9-11a78a981374 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS.1\Application Data\avg7\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\eee\Application Data\Sun\Java\Deployment\cache\6.0\52\7e615cf4-3074590d/BnnnnBaa.class Infected: Trojan.Java.ClassLoader.as skipped
    C:\Documents and Settings\eee\Application Data\Sun\Java\Deployment\cache\6.0\52\7e615cf4-3074590d/VaannnaaBaa.class Infected: Trojan.Java.ClassLoader.as skipped
    C:\Documents and Settings\eee\Application Data\Sun\Java\Deployment\cache\6.0\52\7e615cf4-3074590d/Bnnnnn.class Infected: Trojan.Java.ClassLoader.as skipped
    C:\Documents and Settings\eee\Application Data\Sun\Java\Deployment\cache\6.0\52\7e615cf4-3074590d ZIP: infected - 3 skipped
    C:\Documents and Settings\eee\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\eee\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\Documents and Settings\eee\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\Documents and Settings\eee\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\Documents and Settings\eee\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
    C:\Documents and Settings\eee\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
    C:\Documents and Settings\eee\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\eee\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\eee\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\eee\Local Settings\Temp\~DFEA89.tmp Object is locked skipped
    C:\Documents and Settings\eee\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\eee\ntuser.dat Object is locked skipped
    C:\Documents and Settings\eee\NTUSER.DAT.LOG Object is locked skipped
    C:\Documents and Settings\eee\Start Menu\Programs\Startup\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.e skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
    C:\QooBox\Quarantine\C\241.tmp.vir Infected: Trojan-Spy.Win32.Agent.bjh skipped
    C:\QooBox\Quarantine\C\WINDOWS.1\system32\CcEvtSvc.exe.vir Infected: Trojan-Spy.Win32.Agent.bjh skipped
    C:\WINDOWS.1\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS.1\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS.1\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
    C:\WINDOWS.1\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
    C:\WINDOWS.1\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
    C:\WINDOWS.1\SoftwareDistribution\EventCache\{773D4824-A25E-4082-BC29-DD2C8E5518D7}.bin Object is locked skipped
    C:\WINDOWS.1\SoftwareDistribution\EventCache\{9946414D-BE31-474F-A6EF-1E6F9B5B589A}.bin Object is locked skipped
    C:\WINDOWS.1\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS.1\SoftwareDistribution\trace.log Object is locked skipped
    C:\WINDOWS.1\Sti_Trace.log Object is locked skipped
    C:\WINDOWS.1\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS.1\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS.1\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS.1\system32\config\default Object is locked skipped
    C:\WINDOWS.1\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS.1\system32\config\SAM Object is locked skipped
    C:\WINDOWS.1\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS.1\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS.1\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS.1\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS.1\system32\config\software Object is locked skipped
    C:\WINDOWS.1\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS.1\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS.1\system32\config\system Object is locked skipped
    C:\WINDOWS.1\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS.1\system32\h323log.txt Object is locked skipped
    C:\WINDOWS.1\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS.1\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS.1\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS.1\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS.1\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS.1\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS.1\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS.1\wiadebug.log Object is locked skipped
    C:\WINDOWS.1\wiaservc.log Object is locked skipped
    E:\Documents and Settings\All Users.WINDOWS.0\Application Data\Microsoft\Crypto\RSA\MachineKeys\bc1e3d22edfaf149f044392a6795a080_388cbd74-4a20-4b5f-aeaf-0d83186ece1d Object is locked skipped
    E:\Documents and Settings\All Users.WINDOWS.0\Application Data\Microsoft\Crypto\RSA\MachineKeys\bdded9a1123eecfb752a591f085f6c76_388cbd74-4a20-4b5f-aeaf-0d83186ece1d Object is locked skipped
    E:\Documents and Settings\All Users.WINDOWS.0\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
    E:\Documents and Settings\All UsersOLDnotUsed\Application Data\Microsoft\Crypto\RSA\MachineKeys\2e0a0646588451b1ad46dae9fc02b484_e690c9dc-2315-4dbd-94f1-567be182cd0b Object is locked skipped
    E:\Documents and Settings\All UsersOLDnotUsed\Application Data\Microsoft\Crypto\RSA\MachineKeys\8289520b5c1eb4d185d1e48dbfe190dc_e690c9dc-2315-4dbd-94f1-567be182cd0b Object is locked skipped
    E:\Documents and Settings\All UsersOLDnotUsed\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
    E:\Documents and Settings\gg\Local Settings\Temp\Del248.tmp Infected: not-a-virus:AdWare.Win32.180Solutions.x skipped
    E:\Program Files\Norton AntiVirus\Quarantine\0FF84677 Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
    E:\Program Files\Norton AntiVirus\Quarantine\216B1BE9 Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
    E:\Program Files\Norton AntiVirus\Quarantine\217F466A.class Infected: Trojan.Java.ClassLoader.h skipped
    E:\Program Files\Norton AntiVirus\Quarantine\2C995E26 Infected: not-a-virus:AdWare.Win32.Altnet.i skipped
    E:\Program Files\Norton AntiVirus\Quarantine\413E0B2F.class Infected: Trojan.Java.ClassLoader.h skipped
    E:\Program Files\Norton AntiVirus\Quarantine\46063A8B.class Infected: Trojan.Java.ClassLoader.d skipped
    E:\Program Files\Norton AntiVirus\Quarantine\4A2F6877 Infected: not-a-virus:AdWare.Win32.Altnet.j skipped
    E:\Program Files\Norton AntiVirus\Quarantine\4AB97ECA.htm Infected: Exploit.HTML.Mht skipped
    E:\Program Files\Norton AntiVirus\Quarantine\746C7EF4.class Infected: Trojan.Java.ClassLoader.d skipped
    E:\Program Files\Norton AntiVirus\Quarantine\79200C92 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3039 skipped
    E:\WINDOWS\Temp\Altnet\dmfiles.cab/AltnetUninstall.exe Infected: not-a-virus:AdWare.Win32.Altnet.b skipped
    E:\WINDOWS\Temp\Altnet\dmfiles.cab CAB: infected - 1 skipped
    E:\WINDOWS\Temp\Altnet\mysearch.cab/mySetp.exe Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
    E:\WINDOWS\Temp\Altnet\mysearch.cab CAB: infected - 1 skipped

    Scan process completed.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:43:27 PM, on 03/02/08
    Platform: Windows XP SP2, v.2055 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2055)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS.1\System32\smss.exe
    C:\WINDOWS.1\system32\winlogon.exe
    C:\WINDOWS.1\system32\services.exe
    C:\WINDOWS.1\system32\lsass.exe
    C:\WINDOWS.1\system32\svchost.exe
    C:\WINDOWS.1\System32\svchost.exe
    C:\WINDOWS.1\System32\svchost.exe
    C:\WINDOWS.1\System32\brsvc01a.exe
    C:\WINDOWS.1\system32\spoolsv.exe
    C:\WINDOWS.1\System32\brss01a.exe
    C:\WINDOWS.1\Explorer.EXE
    C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS.1\SOUNDMAN.EXE
    C:\Program Files\Common Files\AOL\1187018570\ee\AOLSoftware.exe
    C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS.1\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\America Online 9.0a\aoltray.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS.1\System32\svchost.exe
    C:\WINDOWS.1\wanmpsvc.exe
    C:\WINDOWS.1\System32\MsPMSPSv.exe
    C:\WINDOWS.1\System32\wuauclt.exe
    C:\WINDOWS.1\System32\svchost.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS.1\system32\notepad.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\HiJackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.1\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe "
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe "
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1187018570\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe "
    O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.1\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: Reboot.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS.1\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS.1\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS.1\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
    O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS.1\System32\brsvc01a.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS.1\system32\IcdSptSv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS.1\wanmpsvc.exe

    --
    End of file - 8116 bytes
     
  11. 2008/03/03
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Alex,

    Let's do a bit of cleanup now. Delete the following.

    C:\Documents and Settings\eee\Desktop\SmitfraudFix.exe
    C:\Documents and Settings\eee\Desktop\SmitfraudFix <<folder
    C:\Documents and Settings\eee\Start Menu\Programs\Startup\Reboot.exe

    Open the Norton Antivirus control panel and remove all quarantined items.

    Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing the infected files there as well. The C:\Deckard's folder will also be removed. You can delete any logs that were created/saved too.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.
    Reboot


    Let me know if any issues persist.
     
  12. 2008/03/03
    alex23

    alex23 Inactive Thread Starter

    Joined:
    2008/01/04
    Messages:
    12
    Likes Received:
    0
    Hi Noahdfear,

    Thanks for the response. I only wanted to clarify one thing: I have AVG and it quarantined some files. Do you want me to wipe them off?
    I do not have Norton.

    These are the files in AVG log.

    Trojan horse Generic9.BEAP C:\WINDOWS.1\system32\svchost.exe:ext.exe 02/27/08 0:14 svchost.exe:ext.exe 27.5 KB
    Trojan horse BackDoor.Agent.IZP C:\WINDOWS.1\system32\DefLib.sys 02/27/08 0:14 DefLib.sys 7.74 KB
    Trojan horse BackDoor.Agent.IZP C:\WINDOWS.1\system32\DefLib.sys 02/26/08 20:33 DefLib.sys 7.74 KB
    Virus found PSW.Generic C:\WINDOWS.1\system32\camocxi.1 12/12/07 21:43 camocxi.1 86.5 KB
    Virus identified Packed.Morphine.c C:\WINDOWS.1\system32\0437l7edsms6.exe 02/26/08 20:43 0437l7edsms6.exe 16 KB
    Trojan horse Generic9.BERX C:\WINDOWS.1\Installer\{5f159d74-f397-410e-8ded-152607d8244c}\DrvRom.dll 02/27/08 0:14 DrvRom.dll 17.54 KB
    Trojan horse Downloader.Zlob.AAX C:\WINDOWS.1\bxlrvps.dll 02/26/08 20:59 bxlrvps.dll 272 KB
    Trojan horse Agent.3.I C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\RABU0EKG\8020zh[1].exe 02/27/08 0:14 8020zh[1].exe 88.5 KB
    Trojan horse Generic9.BEAP C:\Documents and Settings\eee\Local Settings\Temporary Internet Files\Content.IE5\KLUFSXIJ\dd[1].exe 02/27/08 0:14 dd[1].exe 27.5 KB
    Trojan horse SHeur.AVGR C:\Documents and Settings\eee\Local Settings\Temporary Internet Files\Content.IE5\KLUFSXIJ\201[1].exe 02/27/08 0:14 201[1].exe 38.5 KB
    Trojan horse Downloader.Zlob.UTP C:\Documents and Settings\eee\Local Settings\Temporary Internet Files\Content.IE5\KLUFSXIJ\1[4].exe 02/27/08 0:14 1[4].exe 84 KB
    Trojan horse Downloader.Agent.ABVA C:\Documents and Settings\eee\Local Settings\Temporary Internet Files\Content.IE5\KLUFSXIJ\1[2].exe 02/27/08 0:14 1[2].exe 14 KB
    Trojan horse Small.2.BC C:\Documents and Settings\eee\Local Settings\Temporary Internet Files\Content.IE5\7TSLVPB4\loadadv464[1].exe 02/10/08 15:13 loadadv464[1].exe 8 KB
    Trojan horse Generic_c.EQ C:\Documents and Settings\eee\Local Settings\Temporary Internet Files\Content.IE5\7QKNBHWL\movie[1].qtl 02/10/08 15:13 movie[1].qtl 10.74 KB
    Trojan horse Agent.OQY C:\Documents and Settings\eee\Local Settings\Temp\~~install.dll 02/27/08 0:14 ~~install.dll 14 KB
    Trojan horse Small.2.BC C:\Documents and Settings\eee\Desktop\syswdgk.exe 02/08/08 8:16 syswdgk.exe 8 KB
    Virus identified Java/ByteVerify C:\Documents and Settings\eee\Application Data\Sun\Java\Deployment\cache\6.0\54\5b3b23b6-4079b012 02/10/08 15:13 5b3b23b6-4079b012 29.3 KB
    Virus identified Java/ByteVerify C:\Documents and Settings\eee\Application Data\Sun\Java\Deployment\cache\6.0\35\663965a3-14bcb5f0 02/10/08 15:13 663965a3-14bcb5f0 15.19 KB
    Virus found SpySheriff C:\Documents and Settings\eee\Application Data\~tmp.html 02/26/08 20:36 ~tmp.html 3.32 KB
    Trojan horse SHeur.AVGR C:\DOCUME~1\eee\LOCALS~1\Temp\winlogon.exe 02/26/08 20:42 winlogon.exe 38.5 KB
    Trojan horse Downloader.Banload.LZK C:\DOCUME~1\eee\LOCALS~1\Temp\4531.exe 02/26/08 20:33 4531.exe 73 KB
    Trojan horse Downloader.Generic6.AATL C:\autobnkl.exe 12/25/07 13:36 autobnkl.exe 6.5 KB
     
  13. 2008/03/03
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Alex,

    Yes, remove all quarantined items.

    I see now what I failed to notice previously. There is (or was) what appears to be another operating system on the E: drive, and that's where the quarantined Norton items are. You will likely need to remove those manually from the Quarantine folder. There is also a Temp folder on that drive that will need to be emptied manually.

    E:\Program Files\Norton AntiVirus\Quarantine
    E:\WINDOWS\Temp

    Empty the recycle bin again when done.
     
