BleepingComputer.com: Trojan-spy.win32@mx Message And Ad Popups

In the task tray two icons are animated. One is an icon that alernates to and from a (?) and (/). The other is a yellow triangle with an exclamation point. A message pops up describing that the Trojan-Spy.Win32@mx was found. The other message is inside a red rectangle describing a virus alert. When clicking on the IE icon, shdocld.dll\navcncl.htm appears in the address bar, then a web-page alerting that a virus was found suggests that a program should be downloaded to resolve the issue.

Advertisements constantly pop up once I try to launch IE and once in a while, a popup would occur if doing nothing.

I have read other threads on this forum about this issue, but I was not sure of the solution. I have run Adaware SE Personal, SpyBot and Norton, all updated and such.

Any help would be greatly appreciated.

Here is my hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 4:52:20 PM, on 9/21/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Adaptec\SMBE\afaagent.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
C:\Program Files\Adaptec\SMBE\iomgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Expertcity\GoToMyPC\g2comm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Expertcity\GoToMyPC\g2pre.exe
C:\Program Files\Expertcity\GoToMyPC\g2tray.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Adaptec\SMBE\arcpd.exe
C:\Program Files\Adaptec\SMBE\notify.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ishost.exe
C:\WINNT\system32\issearch.exe
C:\WINNT\system32\isnotify.exe
C:\WINNT\system32\ismini.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\oofq\oofqm.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\COMMON~1\oofq\oofqa.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINNT\System32\locator.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\WINNT\System32\mnmsrvc.exe
C:\WINNT\system32\wisptis.exe
C:\Utils\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/sp.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINNT\system32\ixt0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Expertcity\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [oofq] C:\PROGRA~1\COMMON~1\oofq\oofqm.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\Notify.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: ArmorIE - {0565CF3E-6070-4272-8EEF-51E5083BE3D9} - C:\WINNT\System32\shdocvw.dll (HKCU)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B6D74F9-FCC2-48A4-89EB-622E3F2D7511}: NameServer = 64.65.64.65,64.65.64.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2B6D74F9-FCC2-48A4-89EB-622E3F2D7511}: NameServer = 64.65.64.65,64.65.64.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{2B6D74F9-FCC2-48A4-89EB-622E3F2D7511}: NameServer = 64.65.64.65,64.65.64.1
O20 - Winlogon Notify: WebCheck - C:\WINNT\system32\lv8q09l5e.dll (file missing)
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINNT\system32\urroxtl.dll
O23 - Service: Adaptec RAID Remote Services Agent (AAC_AGENT) - Adaptec, Inc. - C:\Program Files\Adaptec\SMBE\afaagent.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Adaptec Web Server (ARCPD) - Unknown owner - C:\Program Files\Adaptec\SMBE\arcpd.exe
O23 - Service: Adaptec Storage Manager Notifier (ASMBENotify) - Unknown owner - C:\Program Files\Adaptec\SMBE\notify.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Expertcity\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Adaptec I/O Manager Server (IOManager) - Unknown owner - C:\Program Files\Adaptec\SMBE\iomgr.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't yet lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

° Download AboutBuster.
Unzip AboutBuster.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Don't run it yet.

Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

* Start Aboutbuster and let it scan.
The log will be saved in the aboutbuster-folder
If you get any error using aboutbuster, it's important you let me know afterwards in your next reply.
So skip this step in case of error and proceed with the next step of this fix.

Reboot back to safe mode now.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1, and press Enter.
A text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Please download Combofix to your desktop.
Doubleclick combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
Also post the Smitfraudfix log.

David

David,

This is the first time I posted anything on this forum. I appreciate your effort.

The instructions you supplied me seemed to have worked. Before I continue on, let me explain what I did prior to following your suggestions.

My boss was able to find a work around for the IE behaviors. Disabling the "Enable Third-Party Browser Extensions" in the Advanced tab of Internet Options got rid of the virus utility ads. However, uncertain of any side affects this would cause, I decided to follow your instructions.

AboutBuster
Nothing found, so I won't post any logs.

SmitfraudFix
Files were detected. The full log is at the bottom.

Combofix
Fixed the infected files found via SmitfraudFix. Again, full log below.

Both icons in the task tray were gone before running AboutBuster, SmitfraudFix, and Combofix, however, the Trojan-Win32@mx popup happened once in a while and when starting Adobe Acrobat, pop ups started to happen. Again, this is before running the programs above. During this whole time the "Enable Third Party Browser Extensions" was disabled, but after running the fixes you suggested and a reboot, the popups went away. The real test was when I re-enabled the "Enable Third Party Browser Extensions" and restarted. Upon a reboot, everything looked good.

If you don't mind, could you please take a look at the Hijackthis.log anyway to be sure there are no more traces. Hope you don't mind my dividers. Thought they would help.

Thanks again, David.

(Hijackthis Log Posted Below)
====================HIJACKTHIS START=====================================
Logfile of HijackThis v1.99.1
Scan saved at 8:47:17 AM, on 9/22/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Adaptec\SMBE\afaagent.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
C:\Program Files\Adaptec\SMBE\iomgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\mnmsrvc.exe
C:\Program Files\Expertcity\GoToMyPC\g2comm.exe
C:\Program Files\Expertcity\GoToMyPC\g2pre.exe
C:\Program Files\Expertcity\GoToMyPC\g2tray.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Adaptec\SMBE\arcpd.exe
C:\Program Files\Adaptec\SMBE\notify.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cscript.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\oofq\oofqm.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\PROGRA~1\COMMON~1\oofq\oofqa.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\locator.exe
C:\Novell\GroupWise\Grpwise.exe
C:\Utils\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://10.98.19.201/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/sp.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINNT\system32\ixt0.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Expertcity\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [oofq] C:\PROGRA~1\COMMON~1\oofq\oofqm.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\Notify.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: ArmorIE - {0565CF3E-6070-4272-8EEF-51E5083BE3D9} - C:\WINNT\System32\shdocvw.dll (HKCU)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B6D74F9-FCC2-48A4-89EB-622E3F2D7511}: NameServer = 64.65.64.65,64.65.64.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2B6D74F9-FCC2-48A4-89EB-622E3F2D7511}: NameServer = 64.65.64.65,64.65.64.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{2B6D74F9-FCC2-48A4-89EB-622E3F2D7511}: NameServer = 64.65.64.65,64.65.64.1
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINNT\system32\urroxtl.dll (file missing)
O23 - Service: Adaptec RAID Remote Services Agent (AAC_AGENT) - Adaptec, Inc. - C:\Program Files\Adaptec\SMBE\afaagent.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Adaptec Web Server (ARCPD) - Unknown owner - C:\Program Files\Adaptec\SMBE\arcpd.exe
O23 - Service: Adaptec Storage Manager Notifier (ASMBENotify) - Unknown owner - C:\Program Files\Adaptec\SMBE\notify.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Expertcity\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Adaptec I/O Manager Server (IOManager) - Unknown owner - C:\Program Files\Adaptec\SMBE\iomgr.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
=====================HIJACKTHIS DONE====================================

===================SmitFraudFix Start=======================================
SmitFraudFix v2.98

Scan done at 8:33:49.67, Fri 09/22/2006
Run from C:\Utils\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32

C:\WINNT\system32\ismini.exe FOUND !
C:\WINNT\system32\isnotify.exe FOUND !
C:\WINNT\system32\issearch.exe FOUND !
C:\WINNT\system32\ixt?.dll FOUND !
C:\WINNT\system32\ixt??.dll FOUND !
C:\WINNT\system32\ot.ico FOUND !
C:\WINNT\system32\ts.ico FOUND !
C:\WINNT\system32\components\flx?.dll FOUND !
C:\WINNT\system32\components\flx??.dll FOUND !
C:\WINNT\system32\components\flx???.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\Safety Bar\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINNT\\system32\\sqlo.dll"


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
========================SmitFraudFix END================================

========================ComboFix START================================
Administrator - Fri 09/22/2006 8:35:36.26 Service Pack 4
ComboFix 06.09.23 - Running from: "C:\Utils"
Command switches used ::

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{C937E5E7-B3E0-4EAA-840F-81B675B2B6BD}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C937E5E7-B3E0-4EAA-840F-81B675B2B6BD}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C937E5E7-B3E0-4EAA-840F-81B675B2B6BD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C937E5E7-B3E0-4EAA-840F-81B675B2B6BD}\InprocServer32]
"ThreadingModel"="Apartment"
@="C:\\WINNT\\system32\\guard.tmp"

[HKEY_CLASSES_ROOT\CLSID\{0EFB25D4-A4AF-4897-8DC6-F7AC7D951A6A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0EFB25D4-A4AF-4897-8DC6-F7AC7D951A6A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0EFB25D4-A4AF-4897-8DC6-F7AC7D951A6A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0EFB25D4-A4AF-4897-8DC6-F7AC7D951A6A}\InprocServer32]
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{1294975B-69B5-4093-9E76-70BFE168BEB5}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1294975B-69B5-4093-9E76-70BFE168BEB5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1294975B-69B5-4093-9E76-70BFE168BEB5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1294975B-69B5-4093-9E76-70BFE168BEB5}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Granting sedebugprivilege to Administrators ... successful


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\ismini.exe
C:\WINNT\system32\isnotify.exe
C:\WINNT\system32\issearch.exe
C:\WINNT\system32\tsuninst.exe
C:\WINNT\system32\ixt0.dll
C:\Documents and Settings\Default User\Application Data\NetMon
C:\Program Files\Inetget2
C:\Program Files\Safety Bar
C:\WINNT\system32\components


((((((((((((((((((((((((((((((( Files Created from 2006-08-22 to 2006-09-22 ))))))))))))))))))))))))))))))))))


2006-09-21 12:01 173,536 --a------ C:\WINNT\system32\wuweb.dll
2006-09-20 14:45 94,208 --a------ C:\WINNT\system32\uhvjsul.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-21 16:49 -------- d-------- C:\Program Files\Common Files\oofq
2006-09-21 16:12 -------- d-------- C:\Program Files\NetMeeting
2006-09-21 16:05 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-21 15:31 -------- d-------- C:\Program Files\Google
2006-09-21 15:31 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Google
2006-09-21 14:36 -------- d-------- C:\Program Files\Lavasoft
2006-09-21 14:36 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2006-09-21 11:55 -------- d-a------ C:\Program Files\Common Files
2006-09-20 17:01 -------- d-------- C:\Program Files\Microsoft AntiSpyware
2006-09-20 14:52 -------- d-------- C:\Program Files\Symantec
2006-09-15 22:52 91904 --a------ C:\WINNT\system32\S32EVNT1.DLL
2006-09-15 22:52 124016 --a------ C:\WINNT\system32\drivers\SYMEVENT.SYS
2006-09-06 16:14 -------- d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2006-08-01 07:32 -------- d-------- C:\Program Files\Norton AntiVirus
2006-07-16 21:20 116776 --a------ C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe"
"oofq"="C:\\PROGRA~1\\COMMON~1\\oofq\\oofqm.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"NWTRAY"="NWTRAY.EXE"
"GoToMyPC"="C:\\Program Files\\Expertcity\\GoToMyPC\\g2svc.exe -logon"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c4,01,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"^SetupICWDesktop"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="Eudora's Shell Extension"
"{0cab0400-7395-11d0-a5e5-0020afe2fdd9}"=""
"{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="Microsoft AntiSpyware Service Hook"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"CompatibleRUPSecurity"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINNT\\system32\\NVMCTRAY.DLL,NvTaskbarInit"
"ctfmon.exe"="ctfmon.exe"
"Cahh"="C:\\Documents and Settings\\Administrator\\Application Data\\rsth.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"Synchronization Manager"="mobsync.exe /logon"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"SoundMan"="SOUNDMAN.EXE"
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"NeroCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"VVSN"="C:\\Program Files\\VVSN\\VVSN.exe"
"ist service uninstall"="C:\\WINNT\\system32\\services\\coolers.exe /u"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20060921-165136-718
O20 - Winlogon Notify: winmyy32 - winmyy32.dll (file missing)

Completion time: Fri 2006-09-22 8:39:52.95
ComboFix.txt
=======================ComboFix END=====================================

Hey there, and you are welcome for the help thus far.

I've seen the logs and we still have quite a bit to do, you still have malware on your system. My plan is to remove the larger infections first with the specific tools that we can use, then rescan afterwards for leftover infected files on your computer.

Let's continue...

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't yet lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Once in Safe Mode, open the SmitfraudFix folder again.
Double-click smitfraudfix.cmd.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning : running option #2 on a non infected computer will remove your Desktop background.
Also post a new Hijackthis log.

David

This reply is late. My apologies. I was surprised to see such a fast response earlier today. Looks like there are other features of the tools that I needed to use. Apparently you saw other clues of malware. Unfortunately, I do not currently have access to the computer. Therefore, I will have to run those programs again on another day.

I am not sure what your protocol is, however, I would like to either keep this topic open, or have it closed and then reopened again, unless you suspect a high threat level.

I will let you decide. It is the availibility of the computer in question.

Again, thanks for helping out.

I will make a note to keep this thread open a while longer, don't worry.
If I does end up being closed you may PM me, and I will open it for you.