Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Having Problems Removing Nasty Malware


  • This topic is locked This topic is locked
9 replies to this topic

#1 Peter79

Peter79

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:24 AM

Posted 01 December 2007 - 07:21 PM

Hello

My PC has become infected with some nasty malware. The symptoms are exactly the same as described by a post in October: http://www.bleepingcomputer.com/forums/ind...ct.com&st=0

"This malware continuously pops up a fake Windows Security Alert that says: "Windows has detected an Internet attack attempt...Somebody's trying to infect your PC with spyware or harmful viruses. run full system scan now to protect your PC from Internet attacks, hijacking attempts, and spyware! Click here to download spyware remover for total protection."

The virus adds three shortcut windows to my desktop which reappear the instant I reboot. They are labeled Error Cleaner, Privacy Protector, and Spyware &...Protection. All three are shortcuts to http://viruswebprotect.com/shandler.php

The last symptom so far is that the virus will cause the task explorer.exe to take up 100% of my CPU Usage. In order to work, I terminate explorer.exe and do everything from the Task Manager."

I have done almost everything as recommended in the "Preparation Guide for use before posting a HijackThis Log"

Please note that I posted a message about 5 days ago, but didn't get any replies, so I am restarting the process.

Thanks




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:14:43 AM, on 2/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iriver\HSeries\iHPDetect.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\PikaOne Software\FlyCASE\PikaBackup.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\iPass\iPassConnect - OzEmail\iPCAgent.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\iPass\iPassConnect - OzEmail\downloader\ipccheck.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -

C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} -

C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: MSVPS System - {6A78E352-B1FA-4C18-9C48-96DD03979770} -

C:\WINDOWS\popnetmtq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program

files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -

C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} -

C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} -

C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program

files\google\googletoolbar2.dll
O3 - Toolbar: The jokwmp - {6BA27973-068D-4F85-BE84-1251E0B20FD3} -

C:\WINDOWS\jokwmp.dll (file missing)
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows

Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming

Utility\SmoothView.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop

Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iriver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0

\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"

-osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search &

Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User

'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1

\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User

'Default user')
O4 - Startup: Pika Backup.lnk = C:\Program Files\PikaOne Software\FlyCASE\PikaBackup.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google

Updater\GoogleUpdater.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80

\Tools\Binn\sqlmangr.exe
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar

Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar

Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32

\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2

\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar

Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/229?933c32e21664f3083e89a1a88c0e072
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar

Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/230?933c32e21664f3083e89a1a88c0e072
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} -

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1

\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1

\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-

A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}

(MsnMessengerSetupDownloadControl Class) -

http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D83D116-1D0A-4BD6-A601-2F16636ADE00}:

NameServer = 203.0.178.191
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O21 - SSODL: rmvgor - {8009845C-68E6-4D75-B1A0-D92813BF1D4A} -

C:\WINDOWS\rmvgor.dll
O21 - SSODL: sapnet - {CF78F49B-D776-4446-94AD-CAAC8F456597} - C:\WINDOWS\sapnet.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad

-Aware 2007\aawservice.exe
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1

\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program

Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky

Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program

Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program

Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. -

C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: ERMLicSrv_ATL64 - Unknown owner - C:\WINDOWS\system32\ERM\6.4

\ERMLicSrv_ATL64.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google

Updater\GoogleUpdaterService.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect -

OzEmail\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect -

OzEmail\iPCAgent.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor

Backup\MaxBackServiceInt.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program

Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program

Files\Sygate\SPF\smc.exe

--
End of file - 11931 bytes

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:03:24 PM

Posted 03 December 2007 - 08:39 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum Peter79
My name is Richie and i'll be helping you to fix your problems.

The current formatting of your log makes it difficult to read/evaluate.
Open 'Notepad',click on 'Format' at the top,then uncheck 'Word Wrap' if it's checked.

If you have previously downloaded ComboFix,please delete that version now.

Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert,not for private use.
Using this tool incorrectly could lead to your system becoming unusable.

Now download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Disconnect from the Internet.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix,please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.
Posted Image
Posted Image

#3 Peter79

Peter79
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:24 AM

Posted 04 December 2007 - 12:08 PM

Hi Richie

Many thanks for your reply. Can I tell you that since posting the request for help, I ran Smitfraudfix a couple of times in safe mode, and beefed up my security big time. The first attempts with Smitfraudfix seemed to work, but the malware came back. The third attempt seemed to do the trick, but I still have a nervous suspicion that it is lurking in my system somewhere. So your help to either get rid of it permanently - or else reassure me I am worrying unnecessarily -would still be much appreciated

Here is the Combofix.exe log. Note that I did have some trouble running it with all the security systems I now have. But after I disabled everything, it did seem to work OK


ComboFix 07-12-02.7 - PDurr 2007-12-04 23:17:26.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.53 [GMT 11:00]
Running from: C:\Documents and Settings\PDurr\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 )))))))))))))))))))))))))))))))
.

2007-12-02 15:15 . 2007-12-02 15:32 <DIR> d-------- C:\Documents and Settings\PDurr\Application Data\Prevx
2007-12-02 15:12 . 2007-12-04 22:21 <DIR> d-------- C:\Program Files\Prevx2
2007-12-02 14:15 . 2007-12-02 15:27 <DIR> d-------- C:\Program Files\PrevxCSI
2007-12-02 13:48 . 2007-12-02 15:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-02 12:41 . 2007-12-02 14:16 <DIR> d-------- C:\Documents and Settings\PDurr\Application Data\PrevxCSI
2007-12-01 21:17 . 2007-12-03 06:02 <DIR> d-------- C:\Documents and Settings\PDurr\dwhelper
2007-12-01 13:32 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-12-01 13:32 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-12-01 13:32 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-12-01 13:32 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-12-01 13:32 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-12-01 13:32 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-12-01 13:32 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-12-01 13:31 . 2007-12-01 13:31 <DIR> d-------- C:\Program Files\Sygate
2007-11-30 22:46 . 2007-12-01 06:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-26 04:00 . 2007-11-26 04:00 <DIR> d-------- C:\Program Files\FreeFixer
2007-11-25 19:31 . 2007-11-25 23:00 <DIR> d-------- C:\Documents and Settings\PDurr\SmitfraudFix
2007-11-25 18:59 . 2007-12-02 12:13 4,222 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-23 19:08 . 2007-12-01 19:45 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-11-21 20:39 . 2007-11-22 19:50 82,061 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-11-21 20:39 . 2007-11-22 19:50 81,549 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-11-21 20:35 . 2007-11-21 20:35 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-11-21 20:35 . 2007-12-04 23:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-21 20:34 . 2007-12-04 23:25 8,187,680 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-21 20:34 . 2007-12-04 22:17 1,012,256 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-21 20:34 . 2007-12-04 22:17 110,372 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-21 20:34 . 2007-12-04 22:17 95,972 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-11-21 20:17 . 2007-11-21 20:17 <DIR> d-------- C:\Program Files\Kapersky
2007-11-21 20:14 . 2007-11-21 20:15 <DIR> d-------- C:\Program Files\Kaspersky
2007-11-18 19:00 . 2007-11-18 03:32 115,200 --a------ C:\WINDOWS\nethop.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-04 09:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-03 09:06 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-02 08:51 --------- d-----w C:\Program Files\Lavasoft
2007-12-02 07:10 --------- d-----w C:\Documents and Settings\PDurr\Application Data\BitTorrent
2007-11-21 09:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-17 10:29 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-01 10:13 --------- d-----w C:\Program Files\Microsoft SQL Server
2007-10-31 17:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-26 12:50 --------- d-----w C:\Program Files\MSXML 6.0
2007-10-26 09:04 --------- d-----w C:\Program Files\Microsoft.NET
2007-10-26 08:56 --------- d-----w C:\Program Files\Microsoft Device Emulator
2007-10-26 08:21 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-10-26 08:20 --------- d-----w C:\Program Files\MSBuild
2007-10-26 08:17 --------- d-----w C:\Program Files\Common Files\Merge Modules
2007-10-26 08:05 --------- d-----w C:\Program Files\Common Files\Business Objects
2007-10-26 08:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\PreEmptive Solutions
2007-10-26 08:00 --------- d-----w C:\Program Files\CE Remote Tools
2007-10-21 07:21 --------- d-----w C:\Program Files\Picasa2
2007-10-14 13:02 --------- d-----w C:\Program Files\Apple Software Update
2007-10-08 09:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-08 09:10 --------- d-----w C:\Program Files\Nodtronics
2007-10-07 13:27 --------- d-----w C:\Program Files\QuickTime
2007-10-07 09:23 --------- d-----w C:\Documents and Settings\PDurr\Application Data\albumart
.

((((((((((((((((((((((((((((( snapshot@2007-12-04_21.54.35.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-01 02:39:26 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-12-04 11:20:46 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-12-01 02:39:26 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-12-04 11:20:46 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-12-01 02:39:26 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-04 11:20:46 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-12-04 10:28:13 223,873 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-12-04 11:21:32 223,877 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-02 20:51]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Toshiba Hotkey Utility"="C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" [2005-08-02 08:25]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-09 08:44]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-09 08:43]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 20:31]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-06-09 05:03]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-11-17 20:56]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-09 05:02]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-09 04:59]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 15:33]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-02 21:45]
"iHP-100"="C:\Program Files\iriver\HSeries\iHPDetect.exe" [2004-05-11 02:24]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-15 09:22]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51]
"MaxtorOneTouch"="C:\Program Files\Maxtor\ManagerApp\Onetouch.exe" [2006-08-11 09:45]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2006-08-11 12:15]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-21 23:45]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 07:24]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" []
"PrevxOne"="C:\Program Files\Prevx2\PXConsole.exe" [2007-10-09 14:53]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 23:00]
"DWQueuedReporting"="c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 14:45]

C:\Documents and Settings\PDurr\Start Menu\Programs\Startup\
Pika Backup.lnk - C:\Program Files\PikaOne Software\FlyCASE\PikaBackup.exe [2006-01-28 09:38:13]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-10-23 08:05:30]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-10-01 21:37:29]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2006-02-09 22:30:43]
VPN Client.lnk - C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2006-10-07 16:28:50]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-05-06 19:59:25]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

R2 iPCAgent;iPCAgent;C:\Program Files\iPass\iPassConnect - OzEmail\iPCAgent.exe
R2 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;C:\WINDOWS\system32\DRIVERS\mdc80211.sys
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
R3 BoiHwsetup;Access 32bits INT15 routine;C:\WINDOWS\system32\drivers\BoiHwSetup.sys
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys
R3 qkbfiltr;Quanta HotKey Keyboard Filter Driver;C:\WINDOWS\system32\drivers\qkbfiltr.sys
R3 qmofiltr;Quanta HotKey Mouse Filter Driver;C:\WINDOWS\system32\drivers\qmofiltr.sys
S2 ArcGIS License Manager;ArcGIS License Manager;C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
S3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\wg11tnd5.sys
S3 ATHFMWDL;NETGEAR WG111T bootloader driver;C:\WINDOWS\system32\Drivers\ATHFMWDL.sys
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\DNINDIS5.SYS
S3 ERMLicSrv_ATL64;ERMLicSrv_ATL64;C:\WINDOWS\system32\ERM\6.4\ERMLicSrv_ATL64.exe
S3 MSSQL$MSQLSERVER;MSSQL$MSQLSERVER;C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe -sMSQLSERVER
S3 SQLAgent$MSQLSERVER;SQLAgent$MSQLSERVER;C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlagent.exe -i MSQLSERVER
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80

.
Contents of the 'Scheduled Tasks' folder
"2007-12-02 11:09:14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2006-01-23 10:10:09 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 23:27:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-04 23:28:59
C:\ComboFix2.txt ... 2007-12-04 21:57
.
--- E O F ---



And here is the HiJackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:22:29 AM, on 5/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\iPass\iPassConnect - OzEmail\iPCAgent.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iriver\HSeries\iHPDetect.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\iPass\iPassConnect - OzEmail\downloader\ipccheck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\PikaOne Software\FlyCASE\PikaBackup.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iriver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" -boot
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Pika Backup.lnk = C:\Program Files\PikaOne Software\FlyCASE\PikaBackup.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: ERMLicSrv_ATL64 - Unknown owner - C:\WINDOWS\system32\ERM\6.4\ERMLicSrv_ATL64.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect - OzEmail\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect - OzEmail\iPCAgent.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 10255 bytes

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:03:24 PM

Posted 04 December 2007 - 04:50 PM

Please disable Spybot S&D’s protection,or it will interfere.
You can enable it after you're clean.

Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
Reboot the computer.
If you find you're experiencing problems disabling Spybot's Tea-Timer,follow the info in the link below:
http://www.russelltexas.com/malware/teatimer.htm

Please download OTMoveIt by OldTimer,save it to your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):
C:\WINDOWS\nethop.exe
Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button Posted Image
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java,and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed,exit SuperAntiSpyware.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it,then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log,let me know how your pc is running now.

Posted Image
Posted Image

#5 Peter79

Peter79
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:24 AM

Posted 06 December 2007 - 05:35 AM

Hi Richie

I have now done all that you suggested.

1. Spybot S&D was disabled. I am glad you showed me how to disable the Teatimer. I had it on my list of things to do, but hadn't been able to work out to do it.

2. Here are the results of the OTMoveIt program run:

C:\WINDOWS\nethop.exe moved successfully.
Created on 12/05/2007 20:07:23

3. Java Runtime has been updated to 6.3, and all the previous verison have been removed. Thanks for this - I didn't realise that these were not deleted when I updated - I had almost of 0.7G of old previous versions on my hard drive.

4. Here is the SuperAntiSpyware log.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/06/2007 at 08:46 PM

Application Version : 3.9.1008

Core Rules Database Version : 3355
Trace Rules Database Version: 1354

Scan type : Complete Scan
Total Scan Time : 01:35:06

Memory items scanned : 524
Memory threats detected : 0
Registry items scanned : 15731
Registry threats detected : 1
File items scanned : 53952
File threats detected : 1

Browser Hijacker.Internet Explorer Settings Hijack
HKU\S-1-5-21-2977011246-1674277240-2992833227-1006\Software\Microsoft\Internet Explorer\Main#Start Page [ http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2 ]

Unclassified.SpywareBot (Not A Threat)
C:\TEMP\DOWNLOADS\SPYBOT\SETUP.EXE

5. And here is the Hijack this log file


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:23:59 PM, on 6/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iriver\HSeries\iHPDetect.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Prevx2\PXConsole.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\PikaOne Software\FlyCASE\PikaBackup.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\iPass\iPassConnect - OzEmail\iPCAgent.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\Program Files\Prevx2\PXAgent.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\iPass\iPassConnect - OzEmail\downloader\ipccheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iriver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" -boot
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Pika Backup.lnk = C:\Program Files\PikaOne Software\FlyCASE\PikaBackup.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D83D116-1D0A-4BD6-A601-2F16636ADE00}: NameServer = 203.0.178.191
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: ERMLicSrv_ATL64 - Unknown owner - C:\WINDOWS\system32\ERM\6.4\ERMLicSrv_ATL64.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect - OzEmail\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect - OzEmail\iPCAgent.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 10286 bytes

6. The PC is running OK. The only thing I am worried about is that the Sygate firewall is intermittently detecting that windows Explorer.exe is trying to communcate outwards. As this is the program that went mad with the malware - using 100% of memory - I am concered I still have the trojan lurking somewhere on my hard-drive.

Thanks for your help with this - I really appreciate it.

Peter


#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:03:24 PM

Posted 06 December 2007 - 09:25 AM

Click on Start>Run and type Services.msc then hit Ok.
Scroll down and find the service called:
Automatic LiveUpdate Scheduler
When you find it, double-click on it.
In the next window that opens, click the 'Stop' button.
Then change the 'Startup Type:' to 'Disabled'.
Now press Apply and then Ok and close any open windows.

Click Start>Run and type regedit then click OK.
Navigate to HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services
Scroll down the left pane,locate the service name:
Automatic LiveUpdate Scheduler
Right click on it 'Delete'.
Then reboot.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)


Find and delete if present:
C:\Program Files\Symantec
C:\Documents and Settings\All Users\Application Data\Symantec

The only thing I am worried about is that the Sygate firewall is intermittently detecting that windows Explorer.exe is trying to communcate outwards. As this is the program that went mad with the malware - using 100% of memory - I am concered I still have the trojan lurking somewhere on my hard-drive.

The above 100% cpu could quite possibly being caused by SafeNet Sentinel,try uninstalling/removing it via Start/Control Panel/Add or Remove Programs,then restart your pc.

Please run F-Secure Online Virus Scanner using Internet Explorer:
http://support.f-secure.com/enu/home/ols.shtml
In the opening page read:
1.General
2.System requirements
3.Start your scan,then click on 'Start scanning'.
The 'Internet Explorer-Security Warning' box will pop up,click on 'Install'
Read the Licence Agreement,then click on 'Accept'.
In the next window that opens click on 'Custom Scan'.
Under 'Virus Scan Options',make sure 'Scan whole system' is selected.
Under 'Other Scan Options',make sure the following are selected:
'Scan programs and documents'
'Scan all files'
'Scan whole system for rootkits'
'Scan whole system for spyware'
'Scan inside archives'
'Use advanced heuristics'
Then click on 'Start'.
The 'scanner components and databases' will then be downloaded,this will take some time.
The virus scan will then start automatically.
The scan will take some time to finish,so please be patient.
When the scan completes, click the ‘I want to decide item by item’ button.
For each item found,Select ‘Disinfect’ and click ‘Next’.
Click the ‘Show Report’ button,then copy and paste the entire report into your next reply.

Also post a new Hijackthis log,let me know how your pc is running now.
Posted Image
Posted Image

#7 Peter79

Peter79
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:24 AM

Posted 12 December 2007 - 02:13 PM

Hi Richie

Apologizes for taking so long to reply. I had a lot of problems running F-secure, as I am on dial-up at home and the program kept cutting out after a couple of hours. As well I had to download an update of IE, which took forever. But anyway, everything is now done.

Here is the F-secure logfile:


Scanning Report Wednesday, December 12, 2007 12:56:13 - 20:33:06 Computer name: PETER Scanning type: Scan system for viruses, rootkits, spyware Target: C:\ ------------------------------------------------------------------------ Result: 17 malware found Possibly infected with an unknown virus (virus) * C:\Inetpub\wwwroot\PathMan\Output\TissueCollection.asp * C:\Inetpub\wwwroot\PathMan\Boxworth\BoxSamples.asp * C:\Inetpub\wwwroot\PathMan\AHOSupply\CowDetail.asp * C:\Inetpub\wwwroot\PathMan\AHOSupply\ICBlood.asp * C:\Inetpub\wwwroot\PathMan\AHOSupply\InContactDetail.asp * C:\Inetpub\wwwroot\PathMan\AHOSupply\Sample.asp Tracking Cookie (spyware) * System (Disinfected) * System * System * System * System * System * System * System * System * System * System ------------------------------------------------------------------------ Statistics Scanned: * Files: 681518 * System: 7295 * Not scanned: 90 Actions: * Disinfected: 1 * Renamed: 0 * Deleted: 0 * None: 16 * Submitted: 0 Files not scanned: * x���?IBERFIL.SYS C:\PAGEFILE.SYS * C:\WINDOWS\TEMP\CCH~BDC0373BA.HTP * C:\WINDOWS\TEMP\PERFLIB_PERFDATA_D00.DAT * C:\WINDOWS\TEMP\SPNSERV.DAT * C:\WINDOWS\TEMP\SPSERV.DAT * C:\WINDOWS\SYSTEM32\BIOS1.ROM * C:\WINDOWS\SYSTEM32\DRIVERS\FIDBOX.DAT * C:\WINDOWS\SYSTEM32\DLA\TFSMRMSG.ISO * C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT * C:\WINDOWS\SYSTEM32\CONFIG\SAM * C:\WINDOWS\SYSTEM32\CONFIG\SECURITY * C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM * C:\WINDOWS\SYSTEM32\CATROOT2\EDB.LOG * C:\WINDOWS\SYSTEM32\CATROOT2\EDBTMP.LOG * C:\WINDOWS\SYSTEM32\CATROOT2\TMP.EDB * C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{553FF48B-C3D8-40CE-8D29-D994D3E977F3}.BIN * FILE0025.D0FFFB8D_996E_43B1_8C32_FF42F494CE70 * C:\PROGRAM FILES\SONIC\DLA\INSTALL\TFSMRMSG.ISO * C:\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL.1\MSSQL\DATA\MASTER.MDF * C:\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL.1\MSSQL\DATA\TEMPDB.MDF * C:\MY DOCUMENTS_VLA_COMBINED (COPY)\GISVET BOOK\CHAPTER 1 - INTRO GIS\PHILADELPHIA\PHILADELPHIA ROADS.RST * C:\MY DOCUMENTS_VLA_COMBINED (COPY)\GISVET BOOK\BOOK COMPLETE\FINAL VERSION (28_7)\FIGURES\CHPT5 FIGURES\PPT7.TMP * C:\MY DOCUMENTS_VLA_COMBINED (COPY)\GISVET BOOK\BOOK COMPLETE\FINAL VERSION (28_7)\FIGURES\CHPT5 FIGURES\PPT9.TMP * C:\MY DOCUMENTS_VLA_COMBINED (COPY)\GISVET BOOK\BOOK COMPLETE\FINAL VERSION (28_7)\FIGURES\CHPT5 FIGURES\PPTB.TMP * C:\MY DOCUMENTS_VLA_COMBINED (COPY)\GISVET BOOK\BOOK COMPLETE\FINAL VERSION (28_7)\FIGURES\CHPT5 FIGURES\PPTD.TMP * C:\My Documents_VLA_Combined (copy)\Example Datasets\H&L_Survival\pkfixed.zip\recur.dat * C:\INETPUB\WWWROOT\PATHMAN\HISTOPATHOLOGY\HSF.DOT * C:\INETPUB\CATALOG.WCI\CIFLFFFD.001 * C:\INETPUB\CATALOG.WCI\CIFLFFFD.002 * C:\INETPUB\CATALOG.WCI\CISL0001.001 * C:\INETPUB\CATALOG.WCI\CISL0001.002 * bios1.rom * C:\GIS_DATA\GTOPO30\E100S10.SRC * E100S10.SRC * C:\ERMAPPER64\EXAMPLES\SHARED_DATA\AUSTRALIA_DTM * C:\ERMAPPER64\EXAMPLES\SHARED_DATA\NEWCASTLE_MAGNETICS * C:\ERMAPPER64\EXAMPLES\FUNCTIONS_AND_FEATURES\RADAR\JPL_DEATH_VALLEY_IMG_CEOS_IMAGE * C:\ERMAPPER64\EXAMPLES\APPLICATIONS\AIRPHOTO\3_BALANCING\ADAR_DEL_MAR_1 * C:\ERMAPPER64\EXAMPLES\APPLICATIONS\AIRPHOTO\3_BALANCING\ADAR_DEL_MAR_2 * C:\ERMAPPER64\EXAMPLES\APPLICATIONS\AIRPHOTO\3_BALANCING\ADAR_DEL_MAR_3 * C:\DOCUMENTS AND SETTINGS\PDURR\NTUSER.DAT * C:\DOCUMENTS AND SETTINGS\PDURR\LOCAL SETTINGS\TEMP\BIT276.TMP * C:\DOCUMENTS AND SETTINGS\PDURR\LOCAL SETTINGS\TEMP\BIT2D5.TMP * C:\DOCUMENTS AND SETTINGS\PDURR\LOCAL SETTINGS\TEMP\~DF6A9B.TMP * C:\DOCUMENTS AND SETTINGS\PDURR\LOCAL SETTINGS\TEMP\~DFAE65.TMP * C:\DOCUMENTS AND SETTINGS\PDURR\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT * C:\DOCUMENTS AND SETTINGS\PDURR\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE DESKTOP\DEDF4334FCB9-BACKUP\DBDAM * C:\DOCUMENTS AND SETTINGS\PDURR\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE DESKTOP\DEDF4334FCB9-BACKUP\DBEAM * C:\DOCUMENTS AND SETTINGS\PDURR\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE DESKTOP\DEDF4334FCB9\DBC2E.HT1 * C:\DOCUMENTS AND SETTINGS\PDURR\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE DESKTOP\DEDF4334FCB9\FIIH.HT1 * C:\DOCUMENTS AND SETTINGS\PDURR\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE DESKTOP\DEDF4334FCB9\HP * C:\DOCUMENTS AND SETTINGS\PDURR\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE DESKTOP\DEDF4334FCB9\RPM.CF1 * C:\DOCUMENTS AND SETTINGS\PDURR\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE DESKTOP\DEDF4334FCB9\SAFEWEB\GOOG-BLACK-ENCHASHM.CF1 * C:\Documents and Settings\PDurr\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 12-12-2007 - 08-52-53.SBU\{08F779EE-AAD7-48C1-8A35-90C7F1380144} * C:\DOCUMENTS AND SETTINGS\PDURR\APPLICATION2��� * C:\HIBERFIL.SYS * C:\PAGEFILE.SYS * C:\WINDOWS\TEMP\CCH~BDC0373BA.HTP * C:\WINDOWS\TEMP\PERFLIB_PERFDATA_D00.DAT * C:\WINDOWS\TEMP\SPNSERV.DAT * C:\WINDOWS\TEMP\SPSERV.DAT * C:\WINDOWS\SYSTEM32\BIOS1.ROM * C:\WINDOWS\SYSTEM32\DRIVERS\FIDBOX.DAT * C:\WINDOWS\SYSTEM32\DLA\TFSMRMSG.ISO * C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT * C:\WINDOWS\SYSTEM32\CONFIG\� ------------------------------------------------------------------------ Options Scanning engines: * F-Secure AVP: 7.0.171, 2007-12-11 * F-Secure Blacklight: 1.0.64 * F-Secure Draco: 1.0.35, 0598-150-72 * F-Secure Libra: 2.4.2, 2007-11-28 * F-Secure Orion: 1.2.37, 2007-12-12 * F-Secure Pegasus: 1.19.0, 2007-11-03 Scanning options: * Scan all files * Scan inside archives * Use Advanced heuristics ------------------------------------------------------------------------

And here is the HijackThis logfile:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:40:20 AM, on 13/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iriver\HSeries\iHPDetect.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Prevx2\PXConsole.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\PikaOne Software\FlyCASE\PikaBackup.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\iPass\iPassConnect - OzEmail\iPCAgent.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\Program Files\Prevx2\PXAgent.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\iPass\iPassConnect - OzEmail\downloader\ipccheck.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iriver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" -boot
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Pika Backup.lnk = C:\Program Files\PikaOne Software\FlyCASE\PikaBackup.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1197068331796
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: ERMLicSrv_ATL64 - Unknown owner - C:\WINDOWS\system32\ERM\6.4\ERMLicSrv_ATL64.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect - OzEmail\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect - OzEmail\iPCAgent.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 10509 bytes

The PC is running fine, indeed even better than before I became infected. However, explorer.exe is still occasionally trying to communicate out through the firewall, though only once every couple of days. Might this indicate that I still have a trojan lurking somewhere? Though if it is I can probably live with it, as the firewall is keeping it in check.

Thanks again for all your help with this.

Peter


#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:03:24 PM

Posted 12 December 2007 - 02:52 PM

Your log is clean :thumbsup: ,please do the following:

Click on Start/Run,copy and paste ComboFix /u into the 'Open:' space,then press Ok.

Posted Image

Please double-click OTMoveIt.exe to run it.
Click on the 'Cleanup' button Posted Image
When you do this a text file named cleanup.txt will be downloaded from the internet.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.
When the 'Confirm' box appears click 'Yes'.
Restart your pc when prompted.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window,click on the 'Create a Restore Point' button,then click 'Next'.
In the window that appears,enter a description\name for the Restore Point,then click on 'Create',wait,then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear,click on Ok.
The 'Disk Cleanup for [C:]' box will appear,click on the 'More Options' tab.
At the bottom in the 'System Restore' window,click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?',click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

You should take the time to read and follow the information found in the links below,to help you prevent any possible future infections and stay safe and secure while online:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

So how did I get infected in the first place:
http://forums.spybot.info/showthread.php?t=279

Malware Cleanup Programs and Preventative Procedures:
http://russelltexas.com/malware/allclear.htm
Posted Image
Posted Image

#9 Peter79

Peter79
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:24 AM

Posted 13 December 2007 - 06:54 AM

Hi Richie

Mission complete - thanks very much or all your help. You did a very good job. :blink:

Regards

Peter

PS. In appreciation I have done the right thing and made a donation - hope some of it winds your way! :thumbsup:

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:03:24 PM

Posted 13 December 2007 - 07:09 AM

You're most welcome Peter,and many thanks for the donation,much appreciated :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users