Computer infection - hijackthis log posted

I work for a non-profit agency w/no IT Dept so any help is greatly appreciated. Computer has a few bugs: Desktop has been replaced by a notice saying that the computer is "infected". Plus I'm getting the "you're infected" pop-ups, etc.

I've run Spy-bot several times and it got rid of some stuff but some items continue to return.

Here's the log from Hijackthis - would someone be kind enough to let me know how to proceed?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:17:49 PM, on 4/8/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\braviax.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=204.52.66.123:80;https=204.52.66.123:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intranet;mail;helpdesk;devhaht2000;devhaht2000bak;hahtnt;flweb;161.125.121.20;161.125.202.45;4.21.148.155;127.0.0.1;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunOnce: [SpybotDeletingA5754] command /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8304] cmd /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1205999457586
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: C:\WINDOWS\system32\cru629.dat
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe

--
End of file - 7611 bytes

 

Any help, please?

 

Hey catdrugn,

Please be patient while I review your log, and please do NOT download or fix anything until I give you instructions to. Thanks for your patience.

~Ltangel~

 

Hey catdrugn,

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

[*]Please, never rename Combofix unless instructed.
[*]Close any open browsers.
[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------

[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
[*]Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------


[*]Close any open browsers.
[*]WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
[*]Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
[*]If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------
[*]Double click on combofix.exe & follow the prompts.
[*]When finished, it will produce a report for you.
[*]Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Go!

~Ltangel~

 

Thanks ltangel, I'll get to work on this as soon as I get off shift!

 

Ltangel, thanks for your instructions and your patience.

Combo log and hijack log are as follows:

ComboFix 08-04-15.1 - Administrator 2008-04-15 20:29:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.257 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\4.tmp
C:\A.tmp
C:\D.tmp
C:\Documents and Settings\Administrator\Application Data\WinIFixer.com
C:\Documents and Settings\valor\Application Data\YSTEM~1
C:\Program Files\AntiVirusPro
C:\Program Files\Outlook Express\pywefene89104.dll
C:\Program Files\wnsxs~1
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\iee
C:\Temp\sanR24
C:\Temp\sanR24\lDii.log
C:\temp\tn3
C:\WINDOWS\BM5ff71d4c.xml
C:\WINDOWS\braviax.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\cru629.dat
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\000070.exe
C:\WINDOWS\SYSTEM32\000090.exe
C:\WINDOWS\SYSTEM32\48833.exe
C:\WINDOWS\SYSTEM32\almjwgpi.ini
C:\WINDOWS\system32\awttrrr.dll
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\bxsosaqj.dll
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\system32\d4
C:\WINDOWS\system32\d4\thudll5502.exe
C:\WINDOWS\system32\dfmtecst.dll
C:\WINDOWS\system32\drivers\Eim61.sys
C:\WINDOWS\system32\drivers\grande48.sys
C:\WINDOWS\system32\drivers\USB80233.sys
C:\WINDOWS\system32\drivers\VGY41.sys
C:\WINDOWS\system32\e5
C:\WINDOWS\system32\fccaxwx.dll
C:\WINDOWS\system32\ffynhckl.dll
C:\WINDOWS\system32\fotxkxyp.dll
C:\WINDOWS\system32\g7
C:\WINDOWS\system32\g7\nopz89104.exe
C:\WINDOWS\system32\hanhgqxk.dll
C:\WINDOWS\system32\hwtbafpe.dll
C:\WINDOWS\system32\icqmlib.exe
C:\WINDOWS\system32\iDlo01
C:\WINDOWS\system32\iDlo01\iDlo011065.exe
C:\WINDOWS\system32\iepref32.dll
C:\WINDOWS\system32\ierplc.dll
C:\WINDOWS\system32\ihpvnqgn.dll
C:\WINDOWS\system32\ipgwjmla.dll
C:\WINDOWS\system32\ips.dll
C:\WINDOWS\SYSTEM32\iunfprlr.ini
C:\WINDOWS\system32\jpsdasir.dll
C:\WINDOWS\SYSTEM32\jqasosxb.ini
C:\WINDOWS\system32\judyhlsn.dll
C:\WINDOWS\system32\lanmandrv.sys
C:\WINDOWS\system32\lanmanwrk.exe
C:\WINDOWS\system32\laprxy.dllexe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nohwuljr.dll
C:\WINDOWS\system32\ocxapi.dll
C:\WINDOWS\system32\ocxloader.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pmnmmmn.dll
C:\WINDOWS\SYSTEM32\pqtss.ini
C:\WINDOWS\SYSTEM32\pqtss.ini2
C:\WINDOWS\system32\qmopt.dll
C:\WINDOWS\system32\rlrpfnui.dll
C:\WINDOWS\system32\rqrspmk.dll
C:\WINDOWS\system32\sstqp.dll
C:\WINDOWS\SYSTEM32\tscetmfd.ini
C:\WINDOWS\system32\urqrpnm.dll
C:\WINDOWS\system32\users32.da_
C:\WINDOWS\system32\users32.dat
C:\WINDOWS\system32\vhaeqqcc.dll
C:\WINDOWS\system32\w8
C:\WINDOWS\system32\w8\jecolb14.exe
C:\WINDOWS\system32\winivstr.exe
C:\WINDOWS\system32\WLCtrl32.dl_
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\system32\xxyayyy.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_DHLP
-------\Legacy_EIM61
-------\Legacy_LANMANDRV
-------\Legacy_NETWORK_MONITOR
-------\Legacy_USB80233
-------\Legacy_VGY41
-------\Service_Eim61
-------\Service_lanmandrv
-------\Service_USB80233
-------\Service_Vgy41
-------\Service_VGY41


((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))
.

2008-04-15 20:21 . 2008-04-15 20:21 47,104 --a------ C:\20.tmp
2008-04-15 20:21 . 2008-04-15 20:21 47,104 --a------ C:\1F.tmp
2008-04-15 20:21 . 2008-04-15 20:21 0 --a------ C:\25.tmp
2008-04-15 20:21 . 2008-04-15 20:21 0 --a------ C:\24.tmp
2008-04-15 20:21 . 2008-04-15 20:21 0 --a------ C:\23.tmp
2008-04-15 20:21 . 2008-04-15 20:21 0 --a------ C:\22.tmp
2008-04-10 23:19 . 2008-04-10 23:19 167,545 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
2008-04-08 14:23 . 2008-04-08 14:24 48,640 --a------ C:\21.tmp
2008-04-08 14:23 . 2008-04-08 14:23 47,104 --a------ C:\13.tmp
2008-04-08 14:23 . 2008-04-08 14:23 2 --a------ C:\1E.tmp
2008-04-08 14:23 . 2008-04-08 14:23 0 --a------ C:\14.tmp
2008-04-08 13:56 . 2008-04-08 15:32 2,932 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-04-08 13:53 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-04-08 13:53 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-04-08 13:53 . 2008-03-22 15:49 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-04-08 13:53 . 2008-03-26 08:50 82,432 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-04-08 13:53 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-04-08 13:53 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-04-08 13:53 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-04-08 13:17 . 2008-04-08 13:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-08 12:05 . 2008-04-08 12:05 0 --a------ C:\1D.tmp
2008-04-08 12:04 . 2008-04-08 12:04 2 --a------ C:\12.tmp
2008-04-08 12:04 . 2008-04-08 12:04 0 --a------ C:\E.tmp
2008-04-08 12:04 . 2008-04-08 12:04 0 --a------ C:\1C.tmp
2008-04-08 12:04 . 2008-04-08 12:04 0 --a------ C:\1B.tmp
2008-04-08 11:22 . 2008-04-08 11:22 0 --a------ C:\F.tmp
2008-04-08 11:22 . 2008-04-08 11:22 0 --a------ C:\11.tmp
2008-04-08 11:22 . 2008-04-08 11:22 0 --a------ C:\10.tmp
2008-04-08 11:21 . 2008-04-08 11:21 2 --a------ C:\C.tmp
2008-04-08 11:21 . 2008-04-08 11:21 0 --a------ C:\B.tmp
2008-04-08 10:36 . 2008-04-08 10:36 0 --a------ C:\9.tmp
2008-04-08 10:36 . 2008-04-08 10:36 0 --a------ C:\8.tmp
2008-04-08 10:35 . 2008-04-08 10:35 2 --a------ C:\6.tmp
2008-04-08 10:35 . 2008-04-08 10:35 0 --a------ C:\7.tmp
2008-04-08 10:35 . 2008-04-08 10:35 0 --a------ C:\5.tmp
2008-04-08 10:30 . 2008-04-08 15:04 481 --a------ C:\WINDOWS\wininit.ini
2008-04-08 10:00 . 2008-04-08 10:00 3,648 --a------ C:\WINDOWS\SYSTEM32\mbreseti.dll
2008-04-08 09:49 . 2008-04-08 09:49 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-08 09:49 . 2008-04-08 10:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-08 09:46 . 2008-04-08 09:46 155,648 --a------ C:\WINDOWS\SYSTEM32\igfxtray.exe
2008-04-08 09:46 . 2008-04-08 09:46 114,688 --a------ C:\WINDOWS\SYSTEM32\hkcmd.exe
2008-04-08 09:46 . 2008-04-08 09:46 40,960 --a------ C:\WINDOWS\SYSTEM32\zentray.exe
2008-04-08 09:46 . 2008-04-08 09:46 28,672 --a------ C:\WINDOWS\SYSTEM32\dpmw32.exe
2008-04-08 09:45 . 2008-04-08 09:45 0 --a------ C:\1A.tmp
2008-04-08 09:44 . 2008-04-08 09:44 0 --a------ C:\19.tmp
2008-04-08 09:44 . 2008-04-08 09:44 0 --a------ C:\18.tmp
2008-04-08 09:43 . 2008-04-08 09:44 47,104 --a------ C:\15.tmp
2008-04-08 09:43 . 2008-04-08 09:44 2 --a------ C:\17.tmp
2008-04-08 09:43 . 2008-04-08 09:43 0 --a------ C:\16.tmp
2008-04-08 09:42 . 2008-04-08 09:42 269,334 --a------ C:\WINDOWS\SYSTEM32\cbihknidor.bmp
2008-04-08 09:05 . 2008-04-08 10:06 414 --ahs---- C:\WINDOWS\SYSTEM32\rwyjmmvu.ini
2008-04-08 08:54 . 2008-04-08 08:54 269,334 --a------ C:\WINDOWS\SYSTEM32\ofetsbqdojmtgf.bmp
2008-04-08 08:50 . 2008-04-08 08:50 269,334 --a------ C:\WINDOWS\SYSTEM32\ahobihsjipgf.bmp
2008-03-21 11:38 . 2008-03-21 11:38 269,334 --a------ C:\WINDOWS\SYSTEM32\kbahojmtkbql.bmp
2008-03-21 11:27 . 2008-03-21 11:36 <DIR> d-------- C:\Program Files\Spy-Rid
2008-03-21 11:27 . 2008-03-21 11:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\spy-rid.com
2008-03-21 11:24 . 2008-03-21 11:24 269,334 --a------ C:\WINDOWS\SYSTEM32\nqhsjmhobql.bmp
2008-03-21 04:27 . 2008-03-21 04:27 269,334 --a------ C:\WINDOWS\SYSTEM32\gbitknedkjih.bmp
2008-03-21 03:41 . 2008-03-21 03:41 31,355 ---hs---- C:\WINDOWS\SYSTEM32\DRIVERS\ctfmon.exe
2008-03-21 02:40 . 2008-03-21 02:40 269,334 --a------ C:\WINDOWS\SYSTEM32\ihcbatkbmhon.bmp
2008-03-21 02:35 . 2008-03-21 02:35 269,334 --a------ C:\WINDOWS\SYSTEM32\epsjmlsnml.bmp
2008-03-21 01:34 . 2008-03-21 01:34 269,334 --a------ C:\WINDOWS\SYSTEM32\ihcbalkbmh.bmp
2008-03-21 00:59 . 2008-03-21 00:59 <DIR> d-------- C:\Program Files\Alwil Software
2008-03-21 00:31 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2008-03-21 00:31 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2008-03-20 07:15 . 2008-03-20 07:15 269,334 --a------ C:\WINDOWS\SYSTEM32\ahonitkfqd.bmp
2008-03-20 06:01 . 2008-03-20 06:01 269,334 --a------ C:\WINDOWS\SYSTEM32\ehkjqhsral.bmp
2008-03-20 02:48 . 2008-03-20 02:48 <DIR> d--h----- C:\WINDOWS\PIF
2008-03-20 02:17 . 2008-03-20 02:17 <DIR> d-------- C:\Documents and Settings\valor\Application Data\EasySpywareCleaner.com
2008-03-20 02:16 . 2008-03-20 02:25 <DIR> d-------- C:\Program Files\EasySpywareCleaner
2008-03-19 23:13 . 2008-03-19 23:13 269,334 --a------ C:\WINDOWS\SYSTEM32\kjmhobehsnahcj.bmp
2008-03-19 06:29 . 2008-03-19 06:29 269,334 --a------ C:\WINDOWS\SYSTEM32\fihorqhcbel.bmp
2008-03-19 06:03 . 2008-03-19 06:03 47,104 --a------ C:\bCST.exe
2008-03-19 05:51 . 2008-03-19 05:51 269,334 --a------ C:\WINDOWS\SYSTEM32\mhofml.bmp
2008-03-19 05:49 . 2008-03-19 05:49 59,392 --a------ C:\qcojteuj.exe
2008-03-19 05:49 . 2008-03-19 05:49 58,368 --a------ C:\ihso.exe
2008-03-19 05:49 . 2008-03-19 05:49 14,336 --a------ C:\opgr.exe
2008-03-19 05:49 . 2008-03-19 05:49 13,824 --a------ C:\dgfus.exe
2008-03-19 05:49 . 2008-03-19 05:49 92 --a------ C:\delself.bat
2008-03-19 05:26 . 2008-03-19 05:26 269,334 --a------ C:\WINDOWS\SYSTEM32\gbmlgjelkreh.bmp
2008-03-19 04:22 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll.mui
2008-03-19 04:22 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuaucpl.cpl.mui
2008-03-19 04:22 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll.mui
2008-03-19 04:22 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll.mui
2008-03-19 04:18 . 2008-03-20 03:31 1,533,190 --ahs---- C:\WINDOWS\SYSTEM32\mmfpmjvk.ini
2008-03-19 03:17 . 2004-03-29 18:48 593,408 --a------ C:\WINDOWS\SYSTEM32\h323msp.dll
2008-03-19 03:17 . 2004-03-10 10:59 593,408 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\xpsp2res.dll
2008-03-19 03:17 . 2004-03-29 18:48 548,352 --a------ C:\WINDOWS\SYSTEM32\rtcdll.dll
2008-03-19 03:17 . 2004-03-29 18:48 439,808 --a------ C:\WINDOWS\SYSTEM32\ipnathlp.dll
2008-03-19 03:17 . 2004-03-29 18:48 253,440 --a------ C:\WINDOWS\SYSTEM32\h323.tsp
2008-03-19 03:17 . 2004-03-29 18:48 40,960 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\evtgprov.dll
2008-03-19 03:17 . 2004-03-29 18:48 36,864 --a------ C:\WINDOWS\SYSTEM32\mf3216.dll
2008-03-19 03:13 . 2005-10-20 15:33 991,232 --a------ C:\WINDOWS\SYSTEM32\esent.dll
2008-03-19 03:07 . 2008-03-19 03:07 269,334 --a------ C:\WINDOWS\SYSTEM32\itkfqtgrmh.bmp
2008-03-19 01:27 . 2008-03-19 01:27 269,334 --a------ C:\WINDOWS\SYSTEM32\mhcnipknmh.bmp
2008-03-18 23:08 . 2008-03-18 23:08 269,334 --a------ C:\WINDOWS\SYSTEM32\japgn.bmp
2008-03-18 02:10 . 2008-03-18 02:10 269,334 --a------ C:\WINDOWS\SYSTEM32\psfepcbmlkr.bmp
2008-03-18 01:53 . 2008-03-18 04:37 19,968 --a------ C:\DO NOT USE INTERNET UNTIL THE SYSTEM CAN BE CLEANED OF SPYWARE.doc
2008-03-18 01:49 . 2008-03-18 01:49 269,334 --a------ C:\WINDOWS\SYSTEM32\srqdgnepcrihgf.bmp
2008-03-18 01:12 . 2008-03-18 01:12 269,334 --a------ C:\WINDOWS\SYSTEM32\sralsfmlsbqpcr.bmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 20:07 --------- d-----w C:\Program Files\DivX
2008-04-08 17:35 --------- d-----w C:\Program Files\QuickTime
2008-03-15 17:30 --------- d-----w C:\Documents and Settings\valor\Application Data\TrustedAntivirus
2008-03-15 17:29 --------- d-----r C:\Documents and Settings\All Users\Application Data\SalesMon
2008-03-14 11:53 0 --sha-w C:\Documents and Settings\valor\Application Data\0047d937950af9f834e3b41c7ef846a5801957e94ae966ef01.dat
2008-03-13 12:17 844 ----a-w C:\Documents and Settings\valor\win.exe
2008-03-09 03:05 --------- d-----w C:\Program Files\Java
2008-02-12 20:46 3,113,024 ----a-w C:\Program Files\ica32t.exe
2007-07-16 17:31 18,164,640 ----a-w C:\Program Files\aaw2007.exe
2006-12-07 16:28 2,855,080 ----a-w C:\Program Files\aawsepersonal.exe
.
Files Infected - Win32.Agent.zb
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\dpmw32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\QuickTime\QTTask.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7DD62512-6C11-42C9-9BD8-846B13B3D524}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF421255-5C36-4B91-A162-E19F4813419F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9383002-FC55-4330-B9C9-67E03BC5C840}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-04-08 09:46 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-04-08 09:46 114688]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2008-04-08 09:46 135251]
"NDPS"="C:\WINDOWS\System32\dpmw32.exe" [2008-04-08 09:46 28672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-04-08 09:46 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-04-08 09:46 286720]
"braviax"="braviax.exe" []
"NWTRAY"="NWTRAY.EXE" [2001-12-18 10:24 28672 C:\WINDOWS\SYSTEM32\nwtray.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingA7581"="command /c del C:\WINDOWS\SYSTEM32\wsnpoem\video.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"Intellimenus"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B4870B70-F390-11d2-9FB9-F4ED725EA20D}"= C:\Program Files\Novell\ZENworks\NalExpEx.dll [2003-05-05 18:34 131072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrspmk]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Eim61.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe [2003-02-10 02:52]
R2 AsfAlrt;AsfAlrt;C:\WINDOWS\System32\drivers\AsfAlrt.sys [2002-12-18 02:31]
R2 BlankScr;HBDevice;C:\WINDOWS\System32\drivers\BlankScr.sys [2003-03-18 15:26]
R2 Kblock;Kblock;C:\WINDOWS\System32\drivers\Kblock.sys [2003-03-18 12:16]
R2 Mouslock;Mouslock;C:\WINDOWS\System32\drivers\Mouslock.sys [2003-03-18 12:16]
R2 Prometheus Wake-On-LAN Status Agent;Novell ZfD Wake on LAN Status Agent;C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe [2003-03-18 11:40]
R2 Remote Management Agent;Novell ZfD Remote Management;C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [2003-05-22 11:59]
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe [2002-08-29 03:00]
S3 NAL;Nal Service ;C:\WINDOWS\System32\Drivers\iqvw32.sys [2003-03-10 16:10]
S3 nscmnt;Novell Local Security Context Manager;C:\WINDOWS\System32\drivers\novell\nscmnt.sys [2002-07-12 07:36]
S3 xauthnt;Novell XTier Authentication Service;C:\WINDOWS\System32\drivers\novell\xauthnt.sys [2002-06-17 12:32]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-17 19:36:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-15 20:41:11
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\ntos.exe 516608 bytes executable
C:\WINDOWS\system32\wsnpoem

scan completed successfully
hidden files: 2

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\WINDOWS\SYSTEM32\cusrvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Novell\ZENworks\NALNTSRV.EXE
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\Program Files\Novell\ZENworks\WM.EXE
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
.
**************************************************************************
.
Completion time: 2008-04-15 20:45:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-16 03:45:31

Pre-Run: 30,814,105,600 bytes free
Post-Run: 30,768,300,032 bytes free
.
2008-03-21 10:10:53 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:01 PM, on 4/15/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\dpmw32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=204.52.66.123:80;https=204.52.66.123:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intranet;mail;helpdesk;devhaht2000;devhaht2000bak;hahtnt;flweb;161.125.121.20;161.125.202.45;4.21.148.155;127.0.0.1;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\RunOnce: [SpybotDeletingA7581] command /c del "C:\WINDOWS\SYSTEM32\wsnpoem\video.dll"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1205999457586
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe

--
End of file - 7507 bytes


I'll leave computer as is and await further instructions - thank you!

 

Hey,

Thanks for posting the logs requested, it'll take a while for me to look at it. Please be patient and don't download/fix anything meanwhile. If there are any furthur problems arising, please post on here.

~Ltangel~

 

Hey catdrugn,

Important!You have a trojan on your computer that can steal your private information such as passwords, account details etc. It is extremely crucial to notify your bank or any other relevant organisations to change your personal details if you have ever entered these information on the computer!

Please read through the entire instructions and make sure you understand them before proceeding to commence.

From your log, you are seriously infected with several malware, but we'll remove all of them.

Before we proceed with the fix, please disable all your resident protection on your computer. (In this case, please disable Spybot Teatimer)

1) Scan with SmitfraudFix

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


2) Scan with F-Secure Blacklight

Please download F-Secure Blacklight (fsbl.exe) and save to your C:\ drive.

[*]Open a command window by going to Start > Run and typing: cmd
[*]Copy/paste or type the following in the command window: C:\fsbl.exe /expert
[*]Hit "Enter" to start the program and then close the cmd box.
[*]Accept the user agreement and click "Next".
[*]Click "Scan".
[*]After the scan is complete, click "Next", then "Exit".
[*]BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
[*]The log will have a list of all items found. Do not choose to rename any yet!
I want to see the log first because legitimate items can also be present...like "wbemtest.exe" and "tcptest.exe.
[*]Exit Blacklight and post the contents of the log in your next reply.

In your next reply (please include):

F-Secure Blacklight scan log
SmitfraudFix report

Go!

~Ltangel~

 

Ltangel,

F-Secure Blacklight scan log and Smitfraudfix report are as follows:

04/16/08 08:18:58 [Info]: BlackLight Engine 1.0.70 initialized
04/16/08 08:18:58 [Info]: OS: 5.1 build 2600 (Service Pack 1)
04/16/08 08:18:58 [Note]: 7019 4
04/16/08 08:18:58 [Note]: 7005 0
04/16/08 08:19:06 [Note]: 7006 0
04/16/08 08:19:06 [Note]: 7022 0
04/16/08 08:19:06 [Note]: 7011 704
04/16/08 08:19:06 [Note]: 7035 0
04/16/08 08:19:06 [Note]: 7026 0
04/16/08 08:19:06 [Note]: 7026 0
04/16/08 08:19:08 [Note]: FSRAW library version 1.7.1024
04/16/08 08:23:24 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\ntos.exe
04/16/08 08:23:24 [Note]: 7002 0
04/16/08 08:23:24 [Note]: 7003 1
04/16/08 08:23:24 [Note]: 10002 1
04/16/08 08:23:28 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\wsnpoem\00014541.uf
04/16/08 08:23:28 [Note]: 10002 3
04/16/08 08:23:28 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\wsnpoem\audio.dll
04/16/08 08:23:28 [Note]: 7002 0
04/16/08 08:23:28 [Note]: 7003 1
04/16/08 08:23:28 [Note]: 10002 3
04/16/08 08:23:28 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\wsnpoem\video.dll
04/16/08 08:23:28 [Note]: 7002 0
04/16/08 08:23:28 [Note]: 7003 1
04/16/08 08:23:28 [Note]: 10002 3
04/16/08 08:25:01 [Note]: 2000 1012
04/16/08 08:25:01 [Note]: 2000 1012
04/16/08 08:28:18 [Note]: 7007 0


SmitFraudFix v2.314

Scan done at 8:13:04.93, Wed 04/16/2008
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\dpmw32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\CSCRIPT.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\System32\\ntos.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/1000 MT Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 68.105.28.12
DNS Server Search Order: 68.105.29.12
DNS Server Search Order: 68.105.28.11

HKLM\SYSTEM\CCS\Services\Tcpip\..\{CB91A349-31D2-4187-8317-D5017DD0E4A5}: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{CB91A349-31D2-4187-8317-D5017DD0E4A5}: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CS3\Services\Tcpip\..\{CB91A349-31D2-4187-8317-D5017DD0E4A5}: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Will await further instruction. Thanks!

 

04/16/08 08:18:58 [Info]: BlackLight Engine 1.0.70 initialized
04/16/08 08:18:58 [Info]: OS: 5.1 build 2600 (Service Pack 1)
04/16/08 08:18:58 [Note]: 7019 4
04/16/08 08:18:58 [Note]: 7005 0
04/16/08 08:19:06 [Note]: 7006 0
04/16/08 08:19:06 [Note]: 7022 0
04/16/08 08:19:06 [Note]: 7011 704
04/16/08 08:19:06 [Note]: 7035 0
04/16/08 08:19:06 [Note]: 7026 0
04/16/08 08:19:06 [Note]: 7026 0
04/16/08 08:19:08 [Note]: FSRAW library version 1.7.1024
04/16/08 08:23:24 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\ntos.exe
04/16/08 08:23:24 [Note]: 7002 0
04/16/08 08:23:24 [Note]: 7003 1
04/16/08 08:23:24 [Note]: 10002 1
04/16/08 08:23:28 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\wsnpoem\00014541.uf
04/16/08 08:23:28 [Note]: 10002 3
04/16/08 08:23:28 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\wsnpoem\audio.dll
04/16/08 08:23:28 [Note]: 7002 0
04/16/08 08:23:28 [Note]: 7003 1
04/16/08 08:23:28 [Note]: 10002 3
04/16/08 08:23:28 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\wsnpoem\video.dll
04/16/08 08:23:28 [Note]: 7002 0
04/16/08 08:23:28 [Note]: 7003 1
04/16/08 08:23:28 [Note]: 10002 3
04/16/08 08:25:01 [Note]: 2000 1012
04/16/08 08:25:01 [Note]: 2000 1012
04/16/08 08:28:18 [Note]: 7007 0


SmitFraudFix v2.314

Scan done at 8:13:04.93, Wed 04/16/2008
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\dpmw32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\CSCRIPT.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\System32\\ntos.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/1000 MT Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 68.105.28.12
DNS Server Search Order: 68.105.29.12
DNS Server Search Order: 68.105.28.11

HKLM\SYSTEM\CCS\Services\Tcpip\..\{CB91A349-31D2-4187-8317-D5017DD0E4A5}: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{CB91A349-31D2-4187-8317-D5017DD0E4A5}: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CS3\Services\Tcpip\..\{CB91A349-31D2-4187-8317-D5017DD0E4A5}: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

 

Hi gttdi - I see you've re-posted my latest logs to Ltangel, but I'm not sure why....? Something I should be doing?

 

Hey catdrugn,

Please follow my instructions closely, and ask if you have any doubts.

Ensure that your Spybot teatimer is disabled before fixing.

1) Rename with F-Secure

Now use Blacklight in exactly the same way as before, but when it shows the list of the items found, select each entry (EXCEPT TCPTEST.EXE & WBEMTEST.EXE) and choose to let Blacklite rename them by clicking the Rename button.
[*]Next to each entry, "rename" should appear.
[*]Click "Next".
[*]Blacklight will give you a warning if you are sure. Click "Yes".
[*]Then it will tell you: "Your computer will reboot now"
[*]Click "Yes".


2) Clean with SmitfraudFix

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
[*]Restart your computer
[*]After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
[*]Instead of Windows loading as normal, a menu with options should appear;
[*]Select the first option, to run Windows in Safe Mode, then press "Enter".
[*]Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.


3) Uninstall programs

Please go to Add or Remove Programs in Control Panel, and remove the following programs:

Spy-Rid
EasySpywareCleaner
DivX
PartyGaming

Reboot your computer.


4) Fix with ComboFix

1. Please open Notepad

[*] Click Start , then Run
[*]Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the quotebox below into the Notepad window:

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
[*]Combofix.txt
[*]A new HijackThis log.

In your next reply (please include):

Fresh HijackThis log
C:\rapport.txt
C:\ComboFix.txt
Description of how the computer is performing

Go!

~Ltangel~

 

Hi Ltangel,

Before I post the logs I want to tell you about a few difficulties from the last set of instructions:

1 - Rename with F-Secure: after the scan, F-Secure showed 4 files to rename:
00014541.uf
audio.dll
ntos.exe
video.dll
I followed the renaming instructions and a new window opened that read "...could not clean c:\windows\system32\ntos.exe"
I clicked ok and let the program finish it's thing.

2 - Cleaning with Smithfraudfix: No problems

3 - Uninstall programs: I went to Control Panel then Add/Delete Programs. The programs to be deleted were not included on the list of programs shown. I was not able to complete this step.

4 - Fix with Combofix: I created the notepad file as instructed. When I drug it to the Combofix icon a very small window opened up with a progress bar in it. One the bar filled up (I hope this makes sense)nothing happened. I was expecting Combofix to open and run again but it did not. Consequently, there was not a new Combofix log in my C drive, only the old log from 4/15.

As far a performance, the computer is running quite normal. There are no spyware pop-ups and my desktop is no longer host to a spyware warning.

But here are the other two logs you asked for (new hijack and rapport):

SmitFraudFix v2.314

Scan done at 13:49:01.28, Thu 04/17/2008
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{CB91A349-31D2-4187-8317-D5017DD0E4A5}: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{CB91A349-31D2-4187-8317-D5017DD0E4A5}: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CS3\Services\Tcpip\..\{CB91A349-31D2-4187-8317-D5017DD0E4A5}: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:11:42 PM, on 4/17/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\dpmw32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=204.52.66.123:80;https=204.52.66.123:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intranet;mail;helpdesk;devhaht2000;devhaht2000bak;hahtnt;flweb;161.125.121.20;161.125.202.45;4.21.148.155;127.0.0.1;<local>;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\RunOnce: [SpybotDeletingA7581] command /c del "C:\WINDOWS\SYSTEM32\wsnpoem\video.dll"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1205999457586
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe

--
End of file - 7432 bytes

 

Hey catdrugn,

Good to hear that the alerts are gone and that your computer is running better. About the problems you faced during the fix, do not worry. I'll find another way around.

1) Move malicious files with OTMoveIt2

Please download the OTMoveIt2 by OldTimer.
[*] Save it to your desktop.
[*] Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
[*]Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\wsnpoem.sys
C:\WINDOWS\system32\braviax.exe

[*] Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
[*]Click the red Moveit! button.
[*]A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
[*]Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


2) Fix with ComboFix

Let's try running ComboFix again.

1. Please open Notepad

[*] Click Start , then Run
[*]Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the quotebox below into the Notepad window:

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
[*]Combofix.txt
[*]A new HijackThis log.

In your next reply (please include):

Fresh HijackThis log
ComboFix.txt
OTMoveIt2 log

~Ltangel~

 

Ltangel,

1) I followed instructions for OTMoveIt2. Here's the log:

File move failed. C:\WINDOWS\system32\ntos.exe scheduled to be moved on reboot.
File/Folder C:\WINDOWS\system32\wsnpoem.sys not found.
File/Folder C:\WINDOWS\system32\braviax.exe not found.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04182008_195724

Files moved on Reboot...
File move failed. C:\WINDOWS\system32\ntos.exe scheduled to be moved on reboot.


2) I followed instructions for ComboFix. It did the same thing it did before and I could not locate the log in the C: drive. It did not ask for a reboot.


Here's the latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:07:16 PM, on 4/18/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\dpmw32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=204.52.66.123:80;https=204.52.66.123:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intranet;mail;helpdesk;devhaht2000;devhaht2000bak;hahtnt;flweb;161.125.121.20;161.125.202.45;4.21.148.155;127.0.0.1;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1205999457586
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe

--
End of file - 7306 bytes

Will wait for your reply. THANK YOU!

 

Hey catdrugn,

Strange that ComboFix didn't work, seems like something is blocking it. Let's try the following.

1) Run SDFix

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
[*]Restart your computer
[*]After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
[*]Instead of Windows loading as normal, the Advanced Options Menu should appear;
[*]Select the first option, to run Windows in Safe Mode, then press Enter.
[*]Choose your usual account.

[*] Open the extracted SDFix folder and double click RunThis.bat to start the script.
[*] Type Y to begin the cleanup process.
[*] It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
[*] Press any Key and it will restart the PC.
[*] When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
[*] Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
[*] Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


2) Run FileFind

Please download FileFind from Atribune.
Unzip the file and save it to your desktop.

To run FileFind, please do the following:

• Click on FileFind.exe
• In the box labeled "Directory"
• Enter Drive C:\
  
• In the box labeled "File"
• Enter wsnpoem.sys
  
• Now click on the "Search" button
• Once the utility has found the files click on "Export"
• A Notepad will open up. Please copy the entire contents of the Notepad and paste them here.
• NOTE: The notepad is saved on your C:\ drive as "Export.txt"
  
  
  3)Run Dr WebCureIT
  
  Download Dr.Web CureIt to the desktop:
  
• Doubleclick the drweb-cureit.exe file and Allow to run the express scan
• This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
• Once the short scan has finished, mark the drives that you want to scan.
• Select all drives. A red dot shows which drives have been chosen.
• Click the green arrow at the right, and the scan will start.
• Click 'Yes to all' if it asks if you want to cure/move the file.
• When the scan has finished, in the menu, click file and choose save report list
• Save the report to your desktop. The report will be called DrWeb.csv
• Close Dr.Web Cureit.
  
  
  In your next reply (please include):
  
  Fresh HijackThis log
  Report.txt
  DrWebCureIT scan log
  FileFind log (Export.txt)
  
  Go!
  
  ~Ltangel~

 

Ltangel,

I sure appreciate your determination!

A couple of notes before I post the logs:

When I ran FileFind and searched for wsnpoem.sys, the file "could not be found". Therefore, nothing was exported and the log was blank.

When I scanned with Dr Web, several files were found and I selected "cure" as instructed. One file inparticular (I failed to write down the file name) could not be cured. I had the option of deleting, renaming, or moving but I did none of those since I didn't want to make a choice without your instruction.

Here are the logs (all but the FileFind):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:10:52 AM, on 4/19/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\dpmw32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=204.52.66.123:80;https=204.52.66.123:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intranet;mail;helpdesk;devhaht2000;devhaht2000bak;hahtnt;flweb;161.125.121.20;161.125.202.45;4.21.148.155;127.0.0.1;<local>;<local>
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\RunOnce: [SpybotDeletingA7581] command /c del "C:\WINDOWS\SYSTEM32\wsnpoem\video.dll"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1205999457586
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe

--
End of file - 6999 bytes



SDFix: Version 1.172
Run by Administrator on Sat 04/19/2008 at 07:48 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\ADGJQT~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\AHOBIH~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\AHONIT~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\CBIHKN~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\EHKJQH~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\EPSJML~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\FIHORQ~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\GBITKN~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\GBMLGJ~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\IHCBAL~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\IHCBAT~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\ITKFQT~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\JAPGN.BMP - Deleted
C:\WINDOWS\SYSTEM32\KBAHOJ~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\KJMHOB~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\MDSJQPCB.BMP - Deleted
C:\WINDOWS\SYSTEM32\MHCNIP~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\MHOFML.BMP - Deleted
C:\WINDOWS\SYSTEM32\NQHSJM~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\OFETSB~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\POREDSB.BMP - Deleted
C:\WINDOWS\SYSTEM32\PSFEPC~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\REHOJ.BMP - Deleted
C:\WINDOWS\SYSTEM32\SRALSF~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\SRQDGN~1.BMP - Deleted
C:\10.TMP - Deleted
C:\11.TMP - Deleted
C:\14.TMP - Deleted
C:\16.TMP - Deleted
C:\18.TMP - Deleted
C:\19.TMP - Deleted
C:\1A.TMP - Deleted
C:\1B.TMP - Deleted
C:\1C.TMP - Deleted
C:\1D.TMP - Deleted
C:\22.TMP - Deleted
C:\23.TMP - Deleted
C:\24.TMP - Deleted
C:\25.TMP - Deleted
C:\5.TMP - Deleted
C:\7.TMP - Deleted
C:\8.TMP - Deleted
C:\9.TMP - Deleted
C:\B.TMP - Deleted
C:\E.TMP - Deleted
C:\F.TMP - Deleted
C:\12.TMP - Deleted
C:\17.TMP - Deleted
C:\1E.TMP - Deleted
C:\6.TMP - Deleted
C:\C.TMP - Deleted
C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted
C:\WINDOWS\system32\drivers\ctfmon.exe - Deleted
C:\WINDOWS\system32\ntos.exe - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted



Folder C:\Documents and Settings\All Users\Application Data\SalesMon - Removed


The below files have been patched by Trojan.Agent to load users32.dat and should be replaced:

C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\dpmw32.exe
C:\Program Files\QuickTime\QTTask.exe


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 07:53:26
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile"=str(2):"c:\windows\system32\ESENT.dll"
"CategoryMessageFile"=str(2):"c:\windows\system32\ESENT.dll"

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 14 Jul 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 14 Jul 2004 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv11.bak"
Wed 27 Dec 2006 35,840 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL0269.tmp"
Wed 27 Dec 2006 35,840 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL0792.tmp"
Wed 27 Dec 2006 34,816 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL1144.tmp"
Wed 27 Dec 2006 34,304 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL1170.tmp"
Wed 27 Dec 2006 35,840 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL1355.tmp"
Wed 27 Dec 2006 35,840 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL1496.tmp"
Wed 27 Dec 2006 35,840 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL1630.tmp"
Wed 27 Dec 2006 31,744 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL2314.tmp"
Wed 27 Dec 2006 35,840 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL2535.tmp"
Wed 27 Dec 2006 35,328 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL2672.tmp"
Wed 27 Dec 2006 35,840 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL2906.tmp"
Tue 26 Dec 2006 31,744 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL2913.tmp"
Wed 27 Dec 2006 31,744 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL3003.tmp"
Wed 27 Dec 2006 31,744 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL3044.tmp"
Wed 27 Dec 2006 35,840 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL3537.tmp"
Wed 27 Dec 2006 35,328 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL3620.tmp"
Wed 27 Dec 2006 32,256 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL4061.tmp"
Wed 27 Dec 2006 34,816 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL4067.tmp"
Mon 17 Sep 2007 32,256 A..H. --- "C:\Documents and Settings\valor\My Documents\New Folder\~WRL0001.tmp"
Mon 17 Sep 2007 30,208 A..H. --- "C:\Documents and Settings\valor\My Documents\New Folder\~WRL0002.tmp"
Mon 17 Sep 2007 36,864 A..H. --- "C:\Documents and Settings\valor\My Documents\New Folder\~WRL0004.tmp"
Mon 17 Sep 2007 32,256 A..H. --- "C:\Documents and Settings\valor\My Documents\New Folder\~WRL0005.tmp"
Mon 17 Sep 2007 35,840 A..H. --- "C:\Documents and Settings\valor\My Documents\New Folder\~WRL1671.tmp"
Mon 17 Sep 2007 30,208 A..H. --- "C:\Documents and Settings\valor\My Documents\New Folder\~WRL3040.tmp"
Mon 17 Sep 2007 32,768 A..H. --- "C:\Documents and Settings\valor\My Documents\New Folder\~WRL3366.tmp"
Mon 17 Sep 2007 29,696 A..H. --- "C:\Documents and Settings\valor\My Documents\New Folder\~WRL3665.tmp"
Thu 20 Mar 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab59ac72525ea90a47679441587835c9\BIT58.tmp"
Thu 20 Mar 2008 101,846,427 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\eb5ff0ae9fdaa24285c4924997a7aa90\download\BIT2E.tmp"
Mon 17 Sep 2007 32,256 A..H. --- "C:\Documents and Settings\valor\Local Settings\Application Data\Microsoft\CD Burning\New Folder\~WRL0001.tmp"
Mon 17 Sep 2007 30,208 A..H. --- "C:\Documents and Settings\valor\Local Settings\Application Data\Microsoft\CD Burning\New Folder\~WRL0002.tmp"
Mon 17 Sep 2007 36,864 A..H. --- "C:\Documents and Settings\valor\Local Settings\Application Data\Microsoft\CD Burning\New Folder\~WRL0004.tmp"
Mon 17 Sep 2007 32,256 A..H. --- "C:\Documents and Settings\valor\Local Settings\Application Data\Microsoft\CD Burning\New Folder\~WRL0005.tmp"
Mon 17 Sep 2007 35,840 A..H. --- "C:\Documents and Settings\valor\Local Settings\Application Data\Microsoft\CD Burning\New Folder\~WRL1671.tmp"
Mon 17 Sep 2007 30,208 A..H. --- "C:\Documents and Settings\valor\Local Settings\Application Data\Microsoft\CD Burning\New Folder\~WRL3040.tmp"
Mon 17 Sep 2007 32,768 A..H. --- "C:\Documents and Settings\valor\Local Settings\Application Data\Microsoft\CD Burning\New Folder\~WRL3366.tmp"
Mon 17 Sep 2007 29,696 A..H. --- "C:\Documents and Settings\valor\Local Settings\Application Data\Microsoft\CD Burning\New Folder\~WRL3665.tmp"

Finished!



1falK8pP.exe;C:\WINDOWS\System32;Trojan.Packed.418;Deleted.;
mbreseti.dll;C:\WINDOWS\System32;Trojan.AVKill.408;Deleted.;
Process.exe;C:\WINDOWS\System32;Tool.Prockill;;
uynhuahp.dll;C:\WINDOWS\System32;Trojan.Virtumod.269;Deleted.;
bCST.exe;C:\;Trojan.Packed.424;Deleted.;
qcojteuj.exe;C:\;Trojan.Fakealert.458;Deleted.;


The computer continues to run well AND instead of the blank, blue desktop, the windows desktop is back!


Will await your instructions. THANK YOU!

 

Hey catdrugn,

Good job, your HijackThis log looks much better.

You said there is a file that you can't remove with DrWebCureIt, can you please let me see the scan log please?

Thanks.

~Ltangel~

 

Here's the log from the good doctor:

1falK8pP.exe;C:\WINDOWS\System32;Trojan.Packed.418;Deleted.;
mbreseti.dll;C:\WINDOWS\System32;Trojan.AVKill.408;Deleted.;
Process.exe;C:\WINDOWS\System32;Tool.Prockill;;
uynhuahp.dll;C:\WINDOWS\System32;Trojan.Virtumod.269;Deleted.;
bCST.exe;C:\;Trojan.Packed.424;Deleted.;
qcojteuj.exe;C:\;Trojan.Fakealert.458;Deleted.;



All the files were deleted except for this one:

Process.exe;C:\WINDOWS\System32;Tool.Prockill;;

I remember seeing the "prockill" name in the window that said "file could not be deleted".

Hope that helps.........

 

No worries, process.exe is from SmitfraudFix, a tool we used during the fix.

I'm looking at your logs right now, I'll propose a fix once I'm done.

~Ltangel~