Smitfraud, Among Other Things - Updated Hjt Log


16 replies to this topic

#1 SilentBob152

SilentBob152

  • Members
  • 9 posts
  • Local time:04:13 AM

Posted 28 May 2007 - 04:31 PM

Hi everyone!

This is my first post to these forums, but I read the preparations bit and did all the steps.

Ran AdAware and restarted after each run until it came up clean (4 restarts)
Ran Spybot
Ran Housecall
Installed Sygate Personal Firewall
Ran Stinger
Have Automatic Updates on for Windows

The firewall seems to be catching TONS of instances of randomly named .exe's all trying to access "b.bestmanage.org".

The symptoms I've been having are numerous: popups (especially when using IE, I switched to Opera until I can get this sorted out), a "clicking" noise about every 10 seconds that sounds like a webpage opening up, but nothing comes up on screen, a SERIOUS slowing of system performance, and this morning I could not launch a single program at all.

I'll include my HijackThis log here. Many many thanks to anyone that might be able to help. Every time I've had problems in the past I've always just reformatted my drive and reinstalled everything, but XP has that crazy rule now where your key only works once or twice, and I have SO MUCH stuff on my machine these days that reinstalling everything would not be any fun at all :thumbsup:

Thanks again, here's my HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 5:24:22 PM, on 5/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\avp.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\smgr.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Quicken\bagent.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Hijack This\HijackThis.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\dlqgedao.dll",realset
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aeir] "C:\WINDOWS\system32\DOBE~1\explorer.exe" -vt yazb
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_5.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
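The helper in the next reply spots the Vundo infection by eye; the same triage can be written down as code. The following script is an added example and not part of the thread or of HijackThis: it parses O2/O4/O20 lines in the HijackThis v1.99.1 format shown above and flags the patterns that stand out in this log: files reported "(file missing)", unnamed BHOs, executables dropped directly in C:\WINDOWS, bare filenames that Windows resolves at logon, rundll32 loading a DLL, system binary names living in the wrong directory, and random-looking file names (a consonant-run heuristic, which is an assumption of this example rather than a documented rule). The sample lines are constructed from the log in this post.

```python
import re

# Constructed sample input: lines in HijackThis v1.99.1 format copied from the
# log posted above, with a few clearly benign entries kept for contrast.
SAMPLE_HJT_LINES = [
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx",
    r"O2 - BHO: (no name) - {25F79E4D-FBD9-AC85-AB74-040805A9C156} - C:\WINDOWS\system32\lnkbqod.dll",
    r"O2 - BHO: (no name) - {5CF08297-BD15-47A1-9FB8-5695202F98CA} - C:\WINDOWS\system32\ssqro.dll (file missing)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll",
    r"O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe",
    r"O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe",
    r'O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\dlqgedao.dll",realset',
    r"O4 - HKLM\..\Run: [smgr] smgr.exe",
    r'O4 - HKCU\..\Run: [Aeir] "C:\WINDOWS\system32\DOBE~1\explorer.exe" -vt yazb',
    r"O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll",
    r"O20 - Winlogon Notify: winjvd32 - C:\WINDOWS\SYSTEM32\winjvd32.dll",
]

# A drive-letter path ending in an executable module (may contain spaces).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx)\b', re.IGNORECASE)
# A module sitting directly in the Windows directory rather than a subfolder.
WINDOWS_ROOT = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+$", re.IGNORECASE)
# Where these well-known Windows XP binaries are expected to live.
EXPECTED_DIR = {
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
}
VOWELS = set("aeiou")


def longest_consonant_run(text):
    """Length of the longest run of consonant letters (y counts as a consonant)."""
    best = run = 0
    for ch in text.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(basename):
    """Heuristic (assumption of this example): 4+ consonants in a row in a 4+ letter stem."""
    stem = basename.rsplit(".", 1)[0]
    letters = "".join(ch for ch in stem if ch.isalpha())
    return len(letters) >= 4 and longest_consonant_run(letters) >= 4


def triage_line(line):
    """Return the reasons this HJT line merits a look; an empty list means nothing tripped."""
    m = re.match(r"^(O\d+)\s+-\s+(.*)$", line)
    if not m:
        return []
    section, body = m.group(1), m.group(2)
    reasons = []
    if "(file missing)" in body:
        reasons.append("references a file that no longer exists")
    if section == "O2" and "(no name)" in body:
        reasons.append("BHO registered without a name")
    if section == "O4":
        cmd = re.sub(r"^.*?\]\s*", "", body)  # command after the [label]
        tokens = cmd.split()
        first = tokens[0].strip('"') if tokens else ""
        if first.lower() == "rundll32.exe":
            reasons.append("rundll32 used to load a DLL at logon")
        elif first and ":\\" not in first:
            reasons.append("bare filename, resolved via PATH at logon")
            if looks_random(first):
                reasons.append("random-looking name")
    for path in PATH_RE.findall(body):
        directory, _, basename = path.rpartition("\\")
        if WINDOWS_ROOT.match(path):
            reasons.append("executable dropped directly in the Windows directory")
        if looks_random(basename):
            reasons.append("random-looking name")
        expected = EXPECTED_DIR.get(basename.lower())
        if expected and directory.lower() != expected:
            reasons.append("system binary name in an unexpected directory")
    return reasons


def triage(lines):
    """Map each flagged line to its reasons; clean lines are left out."""
    result = {}
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            result[line] = reasons
    return result


if __name__ == "__main__":
    for flagged_line, why in triage(SAMPLE_HJT_LINES).items():
        print(flagged_line)
        for reason in why:
            print("   ->", reason)
```

Every hit is a prompt for a human to check the file, not a verdict: the consonant-run heuristic would also trip on legitimate names such as `sttray.exe` from this same log, and a bare filename in a Run key is normal for some vendor tray applications. Its value is that it reproduces, line by line, the reading of the log that the response team member does by eye.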


#2 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male
  • Local time:09:13 AM

Posted 28 May 2007 - 05:12 PM

Nice collection of malware you have there :thumbsup:

Rename hijackthis.exe to random.exe

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

#3 SilentBob152

SilentBob152
  • Topic Starter

  • Members
  • 9 posts
  • Local time:04:13 AM

Posted 28 May 2007 - 05:36 PM

OK, renamed the HJT executable and ran the fixer; the logs follow:

VundoFix V6.4.1

Checking Java version...

Java version is 1.4.2.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 6:16:35 PM 5/28/2007

Listing files found while scanning....

C:\WINDOWS\system32\bbdqnkdi.ini
C:\WINDOWS\system32\cbxuvts.dll
C:\WINDOWS\system32\dlqgedao.dll
C:\WINDOWS\system32\efcayyy.dll
C:\WINDOWS\system32\efccaaa.dll
C:\WINDOWS\system32\idknqdbb.dll
C:\WINDOWS\system32\jkkiggg.dll
C:\WINDOWS\system32\kfyyjwla.dll
C:\WINDOWS\system32\kndtihdy.dll
C:\WINDOWS\system32\ljjgded.dll
C:\WINDOWS\system32\mljiife.dll
C:\WINDOWS\system32\oadegqld.ini
C:\WINDOWS\system32\ssqro.dll
C:\WINDOWS\system32\urqopqr.dll
C:\WINDOWS\system32\vturspq.dll
C:\WINDOWS\system32\wbrjquoo.dll
C:\WINDOWS\system32\wvuvsqp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\bbdqnkdi.ini
C:\WINDOWS\system32\bbdqnkdi.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbxuvts.dll
C:\WINDOWS\system32\cbxuvts.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dlqgedao.dll
C:\WINDOWS\system32\dlqgedao.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\efcayyy.dll
C:\WINDOWS\system32\efcayyy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\efccaaa.dll
C:\WINDOWS\system32\efccaaa.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\idknqdbb.dll
C:\WINDOWS\system32\idknqdbb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkkiggg.dll
C:\WINDOWS\system32\jkkiggg.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\kfyyjwla.dll
C:\WINDOWS\system32\kfyyjwla.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljjgded.dll
C:\WINDOWS\system32\ljjgded.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mljiife.dll
C:\WINDOWS\system32\mljiife.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\oadegqld.ini
C:\WINDOWS\system32\oadegqld.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqro.dll
C:\WINDOWS\system32\ssqro.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\urqopqr.dll
C:\WINDOWS\system32\urqopqr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vturspq.dll
C:\WINDOWS\system32\vturspq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wbrjquoo.dll
C:\WINDOWS\system32\wbrjquoo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvuvsqp.dll
C:\WINDOWS\system32\wvuvsqp.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jkkiggg.dll
C:\WINDOWS\system32\jkkiggg.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.4.1

Checking Java version...

Java version is 1.4.2.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 6:23:55 PM 5/28/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...




HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 6:31:57 PM, on 5/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\smgr.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Quicken\bagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Opera\Opera.exe
C:\Hijack This\random.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {25F79E4D-FBD9-AC85-AB74-040805A9C156} - C:\WINDOWS\system32\lnkbqod.dll
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\abhngrsw.dll
O2 - BHO: (no name) - {4F53699F-A72C-0C32-04B3-0815AE03CAD5} - C:\WINDOWS\system32\ectjhdc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CF08297-BD15-47A1-9FB8-5695202F98CA} - C:\WINDOWS\system32\ssqro.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {D8A0D70E-DCB9-45DA-BE7E-A6966D5548Bb} - C:\WINDOWS\system32\fygwsyga.dll (file missing)
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aeir] "C:\WINDOWS\system32\DOBE~1\explorer.exe" -vt yazb
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_5.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjvd32 - C:\WINDOWS\SYSTEM32\winjvd32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Thanks in advance for the help!

#4 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male
  • Local time:09:13 AM

Posted 28 May 2007 - 05:59 PM

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#5 SilentBob152

SilentBob152
  • Topic Starter

  • Members
  • 9 posts
  • Local time:04:13 AM

Posted 28 May 2007 - 06:17 PM

CHECK!

Here are the logs, and thanks so far for your help!


ComboFix Log:

"Administrator" - 2007-05-28 19:05:49 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\Administrator\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\abhngrsw.dll
C:\WINDOWS\system32\cchwxgcp.dll
C:\WINDOWS\system32\ticystqr.dll
C:\WINDOWS\system32\winjvd32.dll
C:\WINDOWS\system32\orqss.bak1
C:\WINDOWS\system32\orqss.bak2
C:\WINDOWS\system32\orqss.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe"
"C:\WINDOWS\system32\wnscpisv32.exe"
"C:\Program Files\outerinfo\Terms.rtf"
"C:\WINDOWS\svchost.exe"
"C:\WINDOWS\avp.exe"
"C:\WINDOWS\system32\klikalka.exe"
"C:\Program Files\oin search"
"C:\Program Files\outerinfo"

Purity Folders:

C:\WINDOWS\system32\SCURIT~1
C:\WINDOWS\YSTEM3~1
C:\Program Files\Common Files\YSTEM~1
C:\Program Files\Common Files\MBOLS~1
C:\DOCUME~1\ADMINI~1\APPLIC~1\SCURIT~1
C:\DOCUME~1\ADMINI~1\APPLIC~1\YMANTE~1
C:\DOCUME~1\ADMINI~1\MYDOCU~1\SMANTE~1



((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\nm


((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-28 ))))))))))))))))))))))))))))))))))


2007-05-28 18:16 <DIR> d-------- C:\VundoFix Backups
2007-05-28 17:18 <DIR> d-------- C:\Hijack This
2007-05-28 12:01 11,776 --a------ C:\WINDOWS\smgr.exe
2007-05-28 11:37 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-05-28 11:37 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-05-28 11:37 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-05-28 11:37 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-05-28 11:37 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-05-28 11:37 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-05-28 11:37 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-05-28 11:36 <DIR> d-------- C:\Program Files\Sygate
2007-05-28 11:16 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-05-28 09:49 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-05-27 21:34 28,160 --a------ C:\WINDOWS\system32\sysmon32.exe
2007-05-27 12:53 <DIR> d-------- C:\WINDOWS\system32\Ódobe
2007-05-24 19:47 <DIR> d-------- C:\Program Files\CCP
2007-05-21 19:58 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-05-20 13:54 <DIR> d-------- C:\CG Cache
2007-05-13 10:05 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Quark
2007-05-13 10:04 <DIR> d-------- C:\Arquivos de programas
2007-05-12 11:23 <DIR> d-------- C:\Program Files\eMule
2007-05-04 08:55 33,280 --a------ C:\WINDOWS\system32\rundll32.exe
2007-05-03 21:30 <DIR> d-------- C:\Program Files\Opera
2007-05-03 21:30 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Opera
2007-05-02 13:49 <DIR> d-------- C:\Program Files\QuickTime
2007-05-02 11:12 <DIR> d-------- C:\WINDOWS\kriu
2007-05-02 11:12 <DIR> d-------- C:\Program Files\Common Files\kriu
2007-05-02 10:52 <DIR> d--hs---- C:\WINDOWS\UGF1bCBIYXJyaXM
2007-04-30 17:50 86,528 --a------ C:\WINDOWS\system32\jzhfbag.dll
2007-04-30 17:50 64,000 --a------ C:\WINDOWS\system32\lnkbqod.dll
2007-04-30 15:58 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-04-30 15:58 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-04-30 15:58 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-04-30 15:52 3,706 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-30 14:16 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-04-30 12:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-30 12:22 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-30 12:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-04-30 12:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-29 22:05 86,528 --a------ C:\WINDOWS\system32\jpyuyzd.dll
2007-04-29 22:05 63,488 --a------ C:\WINDOWS\system32\ectjhdc.dll
2007-04-29 21:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Roxio
2007-04-29 19:05 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Leadertech
2007-04-29 18:32 <DIR> d-------- C:\Program Files\WinAce


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-28 23:00:25 1,880 ----a-w C:\WINDOWS\AUTOLNCH.REG
2007-05-28 22:23:46 -------- d-----w C:\Program Files\lg_fwupdate
2007-05-28 21:23:06 -------- d-----w C:\Program Files\BitComet
2007-05-28 21:14:14 -------- d-----w C:\Program Files\Mozilla Thunderbird
2007-05-10 15:40:52 664 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2007-05-01 13:17:34 4,097 ----a-w C:\WINDOWS\mozver.dat
2007-05-01 12:47:32 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-30 13:46:07 -------- d-----w C:\Program Files\Microsoft Games
2007-04-27 00:07:17 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Help
2007-04-22 21:08:41 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer
2007-04-18 21:28:38 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Google
2007-04-18 21:26:31 -------- d-----w C:\Program Files\Google
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-15 20:47:21 -------- d-----w C:\Program Files\Hewlett-Packard
2007-04-15 20:46:30 -------- d-----w C:\Program Files\HP
2007-04-11 21:56:55 -------- d-----w C:\Program Files\Data Caching
2007-04-11 21:56:49 -------- d-----w C:\Program Files\SanDisk
2007-04-09 01:48:28 -------- d-----w C:\Program Files\Vstep
2007-04-01 15:44:43 -------- d-----w C:\Program Files\Auran
2007-03-18 23:26:53 4,608 ----a-w C:\WINDOWS\system32\w95inf32.dll
2007-03-18 23:26:53 2,272 ----a-w C:\WINDOWS\system32\w95inf16.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2005-07-29 20:24:26 472 --sha-r C:\WINDOWS\UGF1bCBIYXJyaXM\o3IYvF1KsrLVurg.vbs


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 17:39]
{25F79E4D-FBD9-AC85-AB74-040805A9C156}=C:\WINDOWS\system32\lnkbqod.dll [2007-04-30 17:50]
{4F53699F-A72C-0C32-04B3-0815AE03CAD5}=C:\WINDOWS\system32\ectjhdc.dll [2007-04-29 22:05]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5CF08297-BD15-47A1-9FB8-5695202F98CA}=C:\WINDOWS\system32\ssqro.dll []
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{D8A0D70E-DCB9-45DA-BE7E-A6966D5548Bb}=C:\WINDOWS\system32\fygwsyga.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 21:24]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-03-16 04:00]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-04-18 16:38]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 15:43]
"SigmatelSysTrayApp"="sttray.exe" []
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2006-08-02 18:17]
"hpppta"="C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe" [2001-12-13 02:00]
"Profiler"="C:\Program Files\Saitek\Software\ProfilerU.exe" [2005-10-18 15:34]
"SaiMfd"="C:\Program Files\Saitek\Software\SaiMfd.exe" [2005-11-03 12:09]
"DataCaching"="C:\PROGRA~1\DATACA~1\FLashKsk.exe" [2001-11-28 23:55]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-07-22 23:25]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"smgr"="smgr.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 17:22]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 19:25]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00]
"Aeir"="C:\WINDOWS\system32\DOBE~1\explorer.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"


********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-28 19:09:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-28 19:10:32 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-28 19:10

--- E O F ---



HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 7:13:15 PM, on 5/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\smgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Quicken\bagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Opera\Opera.exe
C:\Hijack This\random.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {25F79E4D-FBD9-AC85-AB74-040805A9C156} - C:\WINDOWS\system32\lnkbqod.dll
O2 - BHO: (no name) - {4F53699F-A72C-0C32-04B3-0815AE03CAD5} - C:\WINDOWS\system32\ectjhdc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CF08297-BD15-47A1-9FB8-5695202F98CA} - C:\WINDOWS\system32\ssqro.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {D8A0D70E-DCB9-45DA-BE7E-A6966D5548Bb} - C:\WINDOWS\system32\fygwsyga.dll (file missing)
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aeir] "C:\WINDOWS\system32\DOBE~1\explorer.exe" -vt yazb
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_5.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

#6 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male
  • Local time:09:13 AM

Posted 29 May 2007 - 05:49 AM

  • Some of our experts would like to examine the files you are infected with
  • Go to the upload page here
  • Click Browse
  • Find this file:
    • C:\WINDOWS\smgr.exe
  • Select the file, then click Open
  • Click Send File
Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Post back with the smitfraudfix log and a new HijackThis log

#7 SilentBob152

SilentBob152
  • Topic Starter

  • Members
  • 9 posts
  • Local time:04:13 AM

Posted 29 May 2007 - 06:01 AM

smgr.exe submitted, running smitfraud fix right now.

THANKS!

#8 SilentBob152

SilentBob152
  • Topic Starter

  • Members
  • 9 posts
  • Local time:04:13 AM

Posted 29 May 2007 - 06:05 AM

Smitfraud fix generated this report almost instantly:

SmitFraudFix v2.188

Scan done at 6:57:56.51, Tue 05/29/2007
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\smgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Quicken\bagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\QUICKEN\QW.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32-xpdt



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® 82566DC Gigabit Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{038B1C6B-D04F-4273-936F-A3D042576798}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{038B1C6B-D04F-4273-936F-A3D042576798}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{038B1C6B-D04F-4273-936F-A3D042576798}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



Here is the most current HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 7:00:28 AM, on 5/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\smgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Quicken\bagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\QUICKEN\QW.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\Program Files\Opera\Opera.exe
C:\Hijack This\random.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {25F79E4D-FBD9-AC85-AB74-040805A9C156} - C:\WINDOWS\system32\lnkbqod.dll
O2 - BHO: (no name) - {4F53699F-A72C-0C32-04B3-0815AE03CAD5} - C:\WINDOWS\system32\ectjhdc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CF08297-BD15-47A1-9FB8-5695202F98CA} - C:\WINDOWS\system32\ssqro.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {D8A0D70E-DCB9-45DA-BE7E-A6966D5548Bb} - C:\WINDOWS\system32\fygwsyga.dll (file missing)
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aeir] "C:\WINDOWS\system32\DOBE~1\explorer.exe" -vt yazb
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_5.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Thanks again for all your help. I will be anxiously awaiting a reply! :thumbsup:

#9 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male
  • Local time:09:13 AM

Posted 29 May 2007 - 06:41 AM

Then please upload this file:

C:\WINDOWS\system32\rundll32.exe

To either jotti or virustotal

Copy/paste the following quote box into a new notepad (not wordpad) document. Make sure that wordwrap is turned off.

If exist "%windir%\search.txt" del /q "%windir%\search.txt"
FOR %%D IN (
"C:\WINDOWS\kriu"
"C:\Program Files\Common Files\kriu"
"C:\WINDOWS\UGF1bCBIYXJyaXM"
) DO (
attrib -r -s -h %%D
dir /a /s %%D >> "%windir%\search.txt"
)
notepad.exe "%windir%\search.txt"
del /q "%windir%\search.txt"


Save it to your Desktop as search.bat. Save it as:
File Type: All Files (not as a text document or it won't work).
Name: search.bat

Locate search.bat on your Desktop and double-click it. A notepad window will open; please post the contents of that window along with the jotti/virustotal results

#10 SilentBob152

SilentBob152
  • Topic Starter

  • Members
  • 9 posts
  • Local time:04:13 AM

Posted 29 May 2007 - 08:36 AM

Man, you folks are so awesome for helping me so much with this.

Here is the search.bat log that was generated:

Volume in drive C has no label.
Volume Serial Number is 60AC-76A0

Directory of C:\WINDOWS\kriu

05/02/2007 11:13 AM <DIR> .
05/02/2007 11:13 AM <DIR> ..
05/02/2007 11:16 AM 4,391 kriu.dat
07/26/2002 05:02 PM 153,088 wu
2 File(s) 157,479 bytes

Total Files Listed:
2 File(s) 157,479 bytes
2 Dir(s) 138,600,411,136 bytes free
Volume in drive C has no label.
Volume Serial Number is 60AC-76A0

Directory of C:\Program Files\Common Files\kriu

05/04/2007 08:35 AM <DIR> .
05/04/2007 08:35 AM <DIR> ..
05/02/2007 11:13 AM 0 kriua.lck
05/04/2007 08:35 AM <DIR> kriud
05/03/2007 09:58 PM 1,536 kriuh
05/02/2007 11:14 AM 0 kriul.lck
05/02/2007 11:13 AM 0 krium.lck
05/03/2007 04:24 PM 0 kriup.lck
5 File(s) 1,536 bytes

Directory of C:\Program Files\Common Files\kriu\kriud

05/04/2007 08:35 AM <DIR> .
05/04/2007 08:35 AM <DIR> ..
04/19/2004 09:26 PM 4,933,375 class-barrel
04/19/2004 09:26 PM 1,234,193 vocabulary
2 File(s) 6,167,568 bytes

Total Files Listed:
7 File(s) 6,169,104 bytes
5 Dir(s) 138,600,394,752 bytes free
Volume in drive C has no label.
Volume Serial Number is 60AC-76A0

Directory of C:\WINDOWS\UGF1bCBIYXJyaXM

05/04/2007 08:35 AM <DIR> .
05/04/2007 08:35 AM <DIR> ..
07/29/2005 04:24 PM 472 o3IYvF1KsrLVurg.vbs
1 File(s) 472 bytes

Total Files Listed:
1 File(s) 472 bytes
2 Dir(s) 138,600,394,752 bytes free


and here are the virustotal results:


Complete scanning result of "rundll32.exe", received in VirusTotal at 05.29.2007, 15:21:02 (CET).
Antivirus Version Update Result
AhnLab-V3 2007.5.30.0 05.29.2007 no virus found
AntiVir 7.4.0.27 05.29.2007 no virus found
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 05.29.2007 no virus found
AVG 7.5.0.467 05.28.2007 no virus found
BitDefender 7.2 05.29.2007 no virus found
CAT-QuickHeal 9.00 05.29.2007 no virus found
ClamAV devel-20070416 05.29.2007 no virus found
DrWeb 4.33 05.29.2007 no virus found
eSafe 7.0.15.0 05.28.2007 no virus found
eTrust-Vet 30.7.3672 05.29.2007 no virus found
Ewido 4.0 05.29.2007 no virus found
FileAdvisor 1 05.29.2007 No threat detected
Fortinet 2.85.0.0 05.29.2007 no virus found
F-Prot 4.3.2.48 05.25.2007 no virus found
F-Secure 6.70.13030.0 05.29.2007 no virus found
Ikarus T3.1.1.8 05.29.2007 no virus found
Kaspersky 4.0.2.24 05.29.2007 no virus found
McAfee 5040 05.28.2007 no virus found
Microsoft 1.2503 05.29.2007 no virus found
NOD32v2 2295 05.29.2007 no virus found
Norman 5.80.02 05.29.2007 no virus found
Panda 9.0.0.4 05.28.2007 no virus found
Prevx1 V2 05.29.2007 no virus found
Sophos 4.18.0 05.28.2007 no virus found
Sunbelt 2.2.907.0 05.26.2007 no virus found
Symantec 10 05.29.2007 no virus found
TheHacker 6.1.6.124 05.28.2007 no virus found
VBA32 3.12.0 05.28.2007 no virus found
VirusBuster 4.3.23:9 05.28.2007 no virus found
Webwasher-Gateway 6.0.1 05.29.2007 no virus found

Aditional Information
File size: 33280 bytes
MD5: da285490bbd8a1d0ce6623577d5ba1ff
SHA1: c466b4f4c2600fd62fbe943d8049afd0f6606f48
Bit9 info: http://fileadvisor.bit9.com/services/extin...e6623577d5ba1ff

That didn't paste very well, so I took a screenshot of my results and have attached them to this post.

Just in case you need it, here is a current HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 9:32:03 AM, on 5/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\smgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Quicken\bagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\QUICKEN\QW.EXE
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\notepad.exe
C:\Hijack This\random.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {25F79E4D-FBD9-AC85-AB74-040805A9C156} - C:\WINDOWS\system32\lnkbqod.dll
O2 - BHO: (no name) - {4F53699F-A72C-0C32-04B3-0815AE03CAD5} - C:\WINDOWS\system32\ectjhdc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CF08297-BD15-47A1-9FB8-5695202F98CA} - C:\WINDOWS\system32\ssqro.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {D8A0D70E-DCB9-45DA-BE7E-A6966D5548Bb} - C:\WINDOWS\system32\fygwsyga.dll (file missing)
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aeir] "C:\WINDOWS\system32\DOBE~1\explorer.exe" -vt yazb
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_5.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

THANKS!!!



#11 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male
  • Local time:09:13 AM

Posted 29 May 2007 - 08:58 AM

Copy/paste the following quote box into a new notepad (not wordpad) document. Make sure that wordwrap is turned off.

del /q C:\WINDOWS\smgr.exe
del /q C:\WINDOWS\system32\sysmon32.exe
del /q C:\WINDOWS\system32\jzhfbag.dll
del /q C:\WINDOWS\system32\lnkbqod.dll
del /q C:\WINDOWS\system32\jpyuyzd.dll
del /q C:\WINDOWS\system32\ectjhdc.dll
rmdir /q /s C:\WINDOWS\kriu
rmdir /q /s "C:\Program Files\Common Files\kriu"
rmdir /q /s "C:\WINDOWS\UGF1bCBIYXJyaXM"


Save it to your Desktop as cleanup.bat. Save it as:
File Type: All Files (not as a text document or it won't work).
Name: cleanup.bat

Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines (if still present)

O2 - BHO: (no name) - {25F79E4D-FBD9-AC85-AB74-040805A9C156} - C:\WINDOWS\system32\lnkbqod.dll
O2 - BHO: (no name) - {4F53699F-A72C-0C32-04B3-0815AE03CAD5} - C:\WINDOWS\system32\ectjhdc.dll
O2 - BHO: (no name) - {5CF08297-BD15-47A1-9FB8-5695202F98CA} - C:\WINDOWS\system32\ssqro.dll (file missing)
O2 - BHO: (no name) - {D8A0D70E-DCB9-45DA-BE7E-A6966D5548Bb} - C:\WINDOWS\system32\fygwsyga.dll (file missing)
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKCU\..\Run: [Aeir] "C:\WINDOWS\system32\DOBE~1\explorer.exe" -vt yazb

Then close all windows except HijackThis and click Fix Checked

Restart

Locate cleanup.bat on your Desktop and double-click it. A DOS window will open briefly and then close; this is normal

Go here to run an online scanner from Kaspersky.
  • Click on "Kaspersky Online Scanner"
  • A new smaller window will pop up. After reading the contents, press "Accept".
  • Now Kaspersky will update the anti-virus database. Let it run.
  • Click on "Next" > "Scan Settings", make sure the database is set to "extended", and check both scan options. Then click OK.
  • Then click on "My Computer", and the scan will start.
  • Once finished, save the log as "KAV.txt" to the desktop.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Post back with the Kaspersky log and a new HijackThis log

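As an added example (not code from the thread, from HijackThis or from BleepingComputer), the Python script below encodes the triage heuristics behind the lines random/random picked out above and runs them over a constructed subset of the O2 and O4 lines from this thread. The sample lines are copied from the logs posted here; the severity labels and reasons are this example's own.

```python
"""Triage helper for HijackThis v1.99 O2 (BHO) and O4 (Run) lines.

Added example: this is not code from the thread, from HijackThis or from BleepingComputer.
It encodes the heuristics applied in the thread when picking lines to fix:
  * a "(no name)" BHO whose DLL is loaded straight from system32        -> high
  * an executable in an 8.3 short-name subfolder of system32 (DOBE~1)    -> high
  * a Run value that is a bare filename resolved through the PATH        -> medium
  * a BHO marked "(file missing)", a leftover entry that is safe to fix  -> low
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the lines posted in this thread, plus benign lines
# of each type so the heuristics have something to pass.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {25F79E4D-FBD9-AC85-AB74-040805A9C156} - C:\WINDOWS\system32\lnkbqod.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CF08297-BD15-47A1-9FB8-5695202F98CA} - C:\WINDOWS\system32\ssqro.dll (file missing)
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKCU\..\Run: [Aeir] "C:\WINDOWS\system32\DOBE~1\explorer.exe" -vt yazb
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

O2_RE = re.compile(
    r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*?)'
    r'(?P<missing> \(file missing\))?$')
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$')
# A file sitting directly in system32 (no subfolder).
SYSTEM32_FILE = re.compile(r'^[A-Za-z]:\\WINDOWS\\system32\\[^\\]+$', re.IGNORECASE)
# An 8.3 short-name directory directly under system32, e.g. system32\DOBE~1\
SHORT_SUBDIR = re.compile(r'\\WINDOWS\\system32\\[^\\]*~\d+\\', re.IGNORECASE)
# Program part of an unquoted Run value: everything up to the first ".exe" token,
# so unquoted paths containing spaces ("C:\Program Files\...") stay intact.
EXE_TOKEN = re.compile(r'(.*?\.exe)(?=\s|$)', re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    line: str
    reason: str


def executable_of(cmd: str) -> str:
    """Return the program part of a Run value without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_TOKEN.match(cmd)
    return m.group(1) if m else cmd.split(' ', 1)[0]


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HijackThis line; None means nothing to flag."""
    m = O2_RE.match(line)
    if m:
        if m.group('missing'):
            return Finding('low', line, 'BHO whose DLL is already gone; leftover entry')
        # "(no name)" alone is not conclusive: Spybot's SDHelper.dll also reports no
        # name in this thread's logs, so the DLL location decides.
        if m.group('name') == '(no name)' and SYSTEM32_FILE.match(m.group('path')):
            return Finding('high', line, 'unnamed BHO loading a DLL straight from system32')
        return None
    m = O4_RE.match(line)
    if m:
        exe = executable_of(m.group('cmd'))
        if SHORT_SUBDIR.search(exe):
            return Finding('high', line, 'program hidden in a short-name subfolder of system32')
        if '\\' not in exe:
            return Finding('medium', line, 'bare filename resolved via PATH; check where it lives')
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line of a log and keep the hits, in log order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.severity:6}] {f.reason}')
        print(f'         {f.line}')
```

The medium bucket is deliberately a review list, not a removal list: the same bare-filename pattern covers the legitimate SigmatelSysTrayApp entry (sttray.exe) in these logs, which is why the thread only fixed smgr.exe.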
#12 SilentBob152

SilentBob152
  • Topic Starter

  • Members
  • 9 posts
  • Local time:04:13 AM

Posted 29 May 2007 - 10:33 AM

Thanks!

Here is the Kaspersky log:


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 29, 2007 11:27:18 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 29/05/2007
Kaspersky Anti-Virus database records: 333822
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 122511
Number of viruses found: 43
Number of infected objects: 186 / 0
Number of suspicious objects: 1
Duration of the scan process: 00:57:04

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\1177900864477[1].gif.bac_a00372 Infected: Trojan-Downloader.Win32.Agent.bnc skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\1177938988809[1].gif.bac_a00372 Infected: Trojan-Downloader.Win32.Agent.bnc skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\2[1].jpg.bac_a00372 Suspicious: Exploit.Win32.IMG-ANI.gen skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\45aTq2V13X[1].exe.bac_a00372 Infected: Trojan.Win32.Obfuscated.ev skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\45aTq2V13X[1].exe.bac_a03628 Infected: Trojan.Win32.Obfuscated.ev skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\5ac853d5-2f1726b3.bac_a03808/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\5ac853d5-2f1726b3.bac_a03808 ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\5ac853d5-2f1726b3.bac_a03808 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\687af3ea-5b9f6ad7.bac_a03808/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\687af3ea-5b9f6ad7.bac_a03808/Counter.class Infected: Trojan.Java.ClassLoader.h skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\687af3ea-5b9f6ad7.bac_a03808/Parser.class Infected: Trojan.Java.ClassLoader.d skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\687af3ea-5b9f6ad7.bac_a03808 ZIP: infected - 3 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\687af3ea-5b9f6ad7.bac_a03808 CryptFF.b: infected - 3 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a03628/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a03628/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a03628 NSIS: infected - 2 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\b122.exe.bac_a03628 CryptFF.b: infected - 2 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\drvzal.dll.bac_a03628 Infected: Trojan.Win32.Agent.qt skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\mst376.tmp.bac_a03628 Infected: Trojan.Win32.Agent.qt skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\retadpu1000272.exe.bac_a03628 Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\v7.exe.bac_a00372 Infected: Trojan-Clicker.Win32.Agent.jc skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\v7.exe.bac_a03628 Infected: Trojan-Clicker.Win32.Agent.jc skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\vwsrv.exe.bac_a00372 Infected: Trojan-Downloader.Win32.Agent.bnc skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win174.tmp.exe.bac_a03628 Infected: Trojan-Clicker.Win32.Agent.jc skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win176.tmp.exe.bac_a03628 Infected: Trojan.Win32.Obfuscated.ev skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win30.tmp.exe.bac_a00372 Infected: Trojan-Clicker.Win32.Agent.jc skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win32.tmp.exe.bac_a00372 Infected: Trojan.Win32.Obfuscated.ev skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win375.tmp.exe.bac_a03628 Infected: Trojan-Spy.Win32.Agent.or skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win37A.tmp.exe.bac_a03628/data0002 Infected: Trojan-Downloader.Win32.PurityScan.dc skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win37A.tmp.exe.bac_a03628 NSIS: infected - 1 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win37A.tmp.exe.bac_a03628 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\xc23[1].exe.bac_a00372 Infected: Trojan-Clicker.Win32.Agent.jc skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\xc23[1].exe.bac_a03628 Infected: Trojan-Clicker.Win32.Agent.jc skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\xc29[1].exe.bac_a03628 Infected: Trojan.Win32.Agent.qt skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\xc36[1].exe.bac_a03628 Infected: Trojan-Spy.Win32.Agent.or skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\xc42[1].exe.bac_a03628/data0002 Infected: Trojan-Downloader.Win32.PurityScan.dc skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\xc42[1].exe.bac_a03628 NSIS: infected - 1 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\xc42[1].exe.bac_a03628 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\xtv.dll.bac_a03628 Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\16\4e807890-2878562d/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\16\4e807890-2878562d/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\16\4e807890-2878562d/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\16\4e807890-2878562d ZIP: infected - 3 skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\18\69391a12-5182b7ae/BaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\18\69391a12-5182b7ae/VaaaaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\18\69391a12-5182b7ae/Baaaaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\18\69391a12-5182b7ae ZIP: infected - 3 skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\21\2bf1fe15-26ef3d8f/BaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\21\2bf1fe15-26ef3d8f/VaaaaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\21\2bf1fe15-26ef3d8f/Baaaaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\21\2bf1fe15-26ef3d8f ZIP: infected - 3 skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\38\458ac9a6-761d72a0/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\38\458ac9a6-761d72a0/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\38\458ac9a6-761d72a0/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\38\458ac9a6-761d72a0 ZIP: infected - 3 skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\42\687af3ea-5b9f6ad7/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\42\687af3ea-5b9f6ad7 ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\51\487f7e33-4f589bd8/BaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\51\487f7e33-4f589bd8/VaaaaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\51\487f7e33-4f589bd8/Baaaaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\51\487f7e33-4f589bd8 ZIP: infected - 3 skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\60\3bd7e57c-11b4991b/GetAccess.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\60\3bd7e57c-11b4991b/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\60\3bd7e57c-11b4991b ZIP: infected - 2 skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\61\53a8e43d-5191bdac/BaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\61\53a8e43d-5191bdac/VaaaaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\61\53a8e43d-5191bdac/Baaaaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\61\53a8e43d-5191bdac ZIP: infected - 3 skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_808.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_c98.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Hijack This\backups\backup-20070529-100653-605.dll Infected: Trojan.Win32.Obfuscated.ev skipped
C:\Hijack This\backups\backup-20070529-100654-981.dll Infected: Trojan.Win32.Obfuscated.ev skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\Program Files\Sygate\SPF\debug.log Object is locked skipped
C:\Program Files\Sygate\SPF\rawlog.log Object is locked skipped
C:\Program Files\Sygate\SPF\seclog.log Object is locked skipped
C:\Program Files\Sygate\SPF\syslog.log Object is locked skipped
C:\Program Files\Sygate\SPF\tralog.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\avp.exe.vir Infected: Trojan-Downloader.Win32.Alphabet.b skipped
C:\QooBox\Quarantine\C\WINDOWS\svchost.exe.vir Infected: Trojan-Spy.Win32.Agent.or skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\abhngrsw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kb skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cchwxgcp.dll.vir Infected: Packed.Win32.Klone.j skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\klikalka.exe.vir Infected: Trojan-Clicker.Win32.Small.mv skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ticystqr.dll.vir Infected: Packed.Win32.Klone.j skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\winjvd32.dll.vir Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP185\A0013163.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP185\A0013439.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP188\A0013553.exe Infected: Trojan-Downloader.Win32.PurityScan.dt skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP189\A0013720.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP189\A0013721.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP189\A0013721.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP189\A0013721.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP189\snapshot\MFEX-1.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP189\snapshot\MFEX-2.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP189\snapshot\MFEX-3.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP190\snapshot\MFEX-1.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP190\snapshot\MFEX-2.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP190\snapshot\MFEX-3.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP191\A0013737.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP191\A0013741.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP191\A0013743.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP191\A0013744.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP191\A0013744.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP191\A0013744.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP191\A0013744.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP191\A0013744.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP191\A0013744.exe RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP191\A0013750.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP191\A0013757.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP191\A0013817.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP191\A0013817.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP191\A0013817.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP191\A0013829.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP191\snapshot\MFEX-1.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP191\snapshot\MFEX-2.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP191\snapshot\MFEX-3.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP192\A0013934.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP198\A0014210.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP200\A0014265.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP203\A0014411.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP203\A0014412.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP203\A0014466.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP204\A0014664.exe Infected: Trojan-Downloader.Win32.PurityScan.ej skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP204\A0014665.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP209\A0014901.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP210\A0014963.exe Infected: not-virus:Hoax.Win32.Renos.gk skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP210\A0014964.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP210\A0015018.exe Infected: Trojan-Downloader.Win32.PurityScan.ej skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP210\A0015023.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP210\A0015023.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP210\A0015023.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP212\A0015058.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP212\A0017154.exe Infected: Trojan-Clicker.Win32.Small.mv skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP212\A0017155.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP212\A0017156.dll Infected: Packed.Win32.Klone.j skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP212\A0017157.exe Infected: Trojan-Downloader.Win32.PurityScan.ej skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP212\A0018058.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP212\A0018059.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP212\A0018061.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP216\A0018152.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP216\A0018155.exe Infected: Trojan-Clicker.Win32.Small.mv skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP216\A0018184.exe Infected: Trojan-Downloader.Win32.PurityScan.ej skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP216\A0018199.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP219\A0018586.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP219\A0018587.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP219\A0018588.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP219\A0018589.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.io skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP219\A0018590.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP219\A0018591.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP219\A0018592.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP219\A0018593.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP219\A0018594.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.iy skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP219\A0018595.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP219\A0018596.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jh skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP219\A0018597.dll Infected: Trojan.Win32.BHO.o skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP219\A0018598.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP219\A0018602.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP219\A0018631.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP219\A0018632.exe Infected: Trojan-Downloader.Win32.Alphabet.b skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP219\A0018633.exe Infected: Trojan-Clicker.Win32.Small.mv skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP219\A0018634.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kb skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP219\A0018635.dll Infected: Packed.Win32.Klone.j skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP219\A0018636.dll Infected: Packed.Win32.Klone.j skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP219\A0018637.dll Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP219\A0018725.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP219\A0018727.dll Infected: Trojan.Win32.Obfuscated.ev skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP219\A0018728.dll Infected: Trojan.Win32.Obfuscated.ev skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP219\A0018729.dll Infected: Trojan.Win32.Obfuscated.ev skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP219\A0018730.dll Infected: Trojan.Win32.Obfuscated.ev skipped
C:\System Volume Information\_restore{6F43099A-6293-4113-8B1A-13B52668772C}\RP219\change.log Object is locked skipped
C:\VundoFix Backups\cbxuvts.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\dlqgedao.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\VundoFix Backups\efcayyy.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\efccaaa.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.io skipped
C:\VundoFix Backups\idknqdbb.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\VundoFix Backups\jkkiggg.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\kfyyjwla.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\VundoFix Backups\ljjgded.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\mljiife.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\ssqro.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.iy skipped
C:\VundoFix Backups\urqopqr.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\vturspq.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jh skipped
C:\VundoFix Backups\wbrjquoo.dll.bad Infected: Trojan.Win32.BHO.o skipped
C:\VundoFix Backups\wvuvsqp.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\b103.exe/stream/data0002 Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\WINDOWS\b103.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\WINDOWS\b103.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\WINDOWS\b103.exe NSIS: infected - 3 skipped
C:\WINDOWS\b104.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\WINDOWS\b104.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\WINDOWS\b104.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\WINDOWS\b104.exe NSIS: infected - 3 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{91286B8B-F4E5-46DD-ACCC-055DC1BE8AE6}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Updated HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:29:12 AM, on 5/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Quicken\bagent.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Opera\Opera.exe
C:\Hijack This\random.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_5.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

#13 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male
  • Local time:09:13 AM

Posted 29 May 2007 - 12:26 PM

How's it running now?

#14 SilentBob152

SilentBob152
  • Topic Starter

  • Members
  • 9 posts
  • Local time:04:13 AM

Posted 29 May 2007 - 12:47 PM

Much, much better than before!

Does it look clean? The Kaspersky scan found a bunch of stuff, but it looked like most of it was quarantined by Housecall.

Thank you a million times over for all your help. Is there anything else you'd recommend I do or does it look pretty clean?

Thank you again!

#15 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male
  • Local time:09:13 AM

Posted 29 May 2007 - 01:57 PM

  • Go to Start > My Computer
  • Go to Tools > Folder Options
  • Click on the View tab
  • Untick the following:
    • Hide extensions for known file types
    • Hide protected operating system files (Recommended)
  • You will get a message warning you about showing protected operating system files, click Yes
  • Make sure this option is selected:
    • Show hidden files and folders
  • Click Apply and then click OK
Use Windows Explorer to find and delete these files:

C:\WINDOWS\b104.exe
C:\WINDOWS\b103.exe
C:\Hijack This\backups\backup-20070529-100654-981.dll
C:\Hijack This\backups\backup-20070529-100653-605.dll

And these folders:

C:\VundoFix Backups\
C:\QooBox\

For these two folders, delete the contents of the folder, but not the folder itself:

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\

Post back with a final HijackThis log for review
