
Computer infection - hijackthis log posted

Discussion in 'Windows - Virus and spyware problems' started by catdrugn, Apr 8, 2008.

  1. Ltangel

    Hey catdrugn,

    First, please disable your Spybot TeaTimer by clicking on the Spybot icon in the system tray and selecting Exit Spybot-S&D Resident.

    Next, please remove the ComboFix you have now by going to Start>Run and typing ComboFix /u. There should be a confirmation that ComboFix is removed.

    Download ComboFix again from one of the locations below, and save it to your Desktop.

    Link 1
    Link 2
    Link 3

    Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
    When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Go!

    ~Ltangel~
     
  2. catdrugn

    Hi Ltangel!

    Here are the logs:


    ComboFix 08-04-20.2 - Administrator 2008-04-20 17:34:22.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.249 [GMT -7:00]
    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\SYSTEM32\alefdlfh.ini
    C:\WINDOWS\SYSTEM32\cvkunnal.ini
    C:\WINDOWS\SYSTEM32\gayseknv.ini
    C:\WINDOWS\system32\wsnpoem
    C:\WINDOWS\system32\wsnpoem\00014541.uf.ren
    C:\WINDOWS\system32\wsnpoem\audio.dll.ren
    C:\WINDOWS\system32\wsnpoem\video.dll.ren

    .
    ((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
    .

    2008-04-19 07:59 . 2008-04-19 07:59 <DIR> d-------- C:\Documents and Settings\Administrator\DoctorWeb
    2008-04-19 07:45 . 2008-04-19 07:45 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-04-16 08:12 . 2008-04-16 08:12 1,018,520 --a------ C:\fsbl.exe
    2008-04-15 20:21 . 2008-04-15 20:21 47,104 --a------ C:\20.tmp
    2008-04-15 20:21 . 2008-04-15 20:21 47,104 --a------ C:\1F.tmp
    2008-04-08 14:23 . 2008-04-08 14:24 48,640 --a------ C:\21.tmp
    2008-04-08 14:23 . 2008-04-08 14:23 47,104 --a------ C:\13.tmp
    2008-04-08 13:56 . 2008-04-17 13:49 2,026 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
    2008-04-08 13:53 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
    2008-04-08 13:53 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
    2008-04-08 13:53 . 2008-03-22 15:49 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
    2008-04-08 13:53 . 2008-03-26 08:50 82,432 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
    2008-04-08 13:53 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
    2008-04-08 13:53 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
    2008-04-08 13:53 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
    2008-04-08 13:17 . 2008-04-08 13:17 <DIR> d-------- C:\Program Files\Trend Micro
    2008-04-08 10:30 . 2008-04-08 15:04 481 --a------ C:\WINDOWS\wininit.ini
    2008-04-08 09:49 . 2008-04-08 09:49 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-04-08 09:49 . 2008-04-08 10:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-04-08 09:46 . 2008-04-08 09:46 155,648 --a------ C:\WINDOWS\SYSTEM32\igfxtray.exe
    2008-04-08 09:46 . 2008-04-08 09:46 114,688 --a------ C:\WINDOWS\SYSTEM32\hkcmd.exe
    2008-04-08 09:46 . 2008-04-08 09:46 40,960 --a------ C:\WINDOWS\SYSTEM32\zentray.exe
    2008-04-08 09:46 . 2008-04-08 09:46 28,672 --a------ C:\WINDOWS\SYSTEM32\dpmw32.exe
    2008-04-08 09:43 . 2008-04-08 09:44 47,104 --a------ C:\15.tmp
    2008-04-08 09:05 . 2008-04-08 10:06 414 --ahs---- C:\WINDOWS\SYSTEM32\rwyjmmvu.ini
    2008-03-21 11:27 . 2008-03-21 11:36 <DIR> d-------- C:\Program Files\Spy-Rid
    2008-03-21 11:27 . 2008-03-21 11:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\spy-rid.com
    2008-03-21 00:59 . 2008-03-21 00:59 <DIR> d-------- C:\Program Files\Alwil Software
    2008-03-21 00:31 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
    2008-03-21 00:31 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-08 20:07 --------- d-----w C:\Program Files\DivX
    2008-04-08 17:35 --------- d-----w C:\Program Files\QuickTime
    2008-03-20 09:25 --------- d-----w C:\Program Files\EasySpywareCleaner
    2008-03-20 09:17 --------- d-----w C:\Documents and Settings\valor\Application Data\EasySpywareCleaner.com
    2008-03-19 12:49 92 ----a-w C:\delself.bat
    2008-03-19 12:49 58,368 ----a-w C:\ihso.exe
    2008-03-19 12:49 14,336 ----a-w C:\opgr.exe
    2008-03-19 12:49 13,824 ----a-w C:\dgfus.exe
    2008-03-15 17:30 --------- d-----w C:\Documents and Settings\valor\Application Data\TrustedAntivirus
    2008-03-14 11:53 0 --sha-w C:\Documents and Settings\valor\Application Data\0047d937950af9f834e3b41c7ef846a5801957e94ae966ef01.dat
    2008-03-13 12:17 844 ----a-w C:\Documents and Settings\valor\win.exe
    2008-03-09 03:05 --------- d-----w C:\Program Files\Java
    2008-02-12 20:46 3,113,024 ----a-w C:\Program Files\ica32t.exe
    2007-07-16 17:31 18,164,640 ----a-w C:\Program Files\aaw2007.exe
    2006-12-07 16:28 2,855,080 ----a-w C:\Program Files\aawsepersonal.exe
    .
    Files Infected - Win32.Agent.zb
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\WINDOWS\System32\dpmw32.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\QuickTime\QTTask.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-04-08 09:46 155648]
    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-04-08 09:46 114688]
    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2008-04-08 09:46 135251]
    "NDPS"="C:\WINDOWS\System32\dpmw32.exe" [2008-04-08 09:46 28672]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-04-08 09:46 144784]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-04-08 09:46 286720]
    "NWTRAY"="NWTRAY.EXE" [2001-12-18 10:24 28672 C:\WINDOWS\SYSTEM32\nwtray.exe]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "SpybotDeletingA7581"="command /c del C:\WINDOWS\SYSTEM32\wsnpoem\video.dll" [ ]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "CompatibleRUPSecurity"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)
    "ForceStartMenuLogOff"= 1 (0x1)
    "Intellimenus"= 1 (0x1)
    "NoWelcomeScreen"= 1 (0x1)
    "NoAutoUpdate"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{B4870B70-F390-11d2-9FB9-F4ED725EA20D}"= C:\Program Files\Novell\ZENworks\NalExpEx.dll [2003-05-05 18:34 131072]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Eim61.sys]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
    @=""

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe [2003-02-10 02:52]
    R2 AsfAlrt;AsfAlrt;C:\WINDOWS\System32\drivers\AsfAlrt.sys [2002-12-18 02:31]
    R2 BlankScr;HBDevice;C:\WINDOWS\System32\drivers\BlankScr.sys [2003-03-18 15:26]
    R2 Kblock;Kblock;C:\WINDOWS\System32\drivers\Kblock.sys [2003-03-18 12:16]
    R2 Mouslock;Mouslock;C:\WINDOWS\System32\drivers\Mouslock.sys [2003-03-18 12:16]
    R2 Prometheus Wake-On-LAN Status Agent;Novell ZfD Wake on LAN Status Agent;C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe [2003-03-18 11:40]
    R2 Remote Management Agent;Novell ZfD Remote Management;C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [2003-05-22 11:59]
    S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe [2002-08-29 03:00]
    S3 NAL;Nal Service ;C:\WINDOWS\System32\Drivers\iqvw32.sys [2003-03-10 16:10]
    S3 nscmnt;Novell Local Security Context Manager;C:\WINDOWS\System32\drivers\novell\nscmnt.sys [2002-07-12 07:36]
    S3 xauthnt;Novell XTier Authentication Service;C:\WINDOWS\System32\drivers\novell\xauthnt.sys [2002-06-17 12:32]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-03-17 19:36:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-20 17:37:58
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\SYSTEM32\LEXBCES.EXE
    C:\WINDOWS\SYSTEM32\LEXPPS.EXE
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINDOWS\SYSTEM32\cusrvc.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
    C:\Program Files\Novell\ZENworks\NALNTSRV.EXE
    C:\WINDOWS\SYSTEM32\wdfmgr.exe
    C:\Program Files\Novell\ZENworks\WM.EXE
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    .
    **************************************************************************
    .
    Completion time: 2008-04-20 17:40:49 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-04-21 00:40:46
    ComboFix2.txt 2008-04-16 03:45:45

    Pre-Run: 30,588,149,760 bytes free
    Post-Run: 30,553,161,728 bytes free

    162 --- E O F --- 2008-04-16 15:04:58



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:41:47 PM, on 4/20/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\WINDOWS\System32\cusrvc.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Novell\ZENworks\nalntsrv.exe
    C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
    C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Novell\ZENworks\wm.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\WINDOWS\System32\dpmw32.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\System32\NWTRAY.EXE
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=204.52.66.123:80;https=204.52.66.123:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intranet;mail;helpdesk;devhaht2000;devhaht2000bak;hahtnt;flweb;161.125.121.20;161.125.202.45;4.21.148.155;127.0.0.1;<local>;<local>
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\RunOnce: [SpybotDeletingA7581] command /c del "C:\WINDOWS\SYSTEM32\wsnpoem\video.dll"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1205999457586
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
    O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
    O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
    O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
    O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe

    --
    End of file - 7380 bytes
     
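The two logs above are what a helper reads by hand: ComboFix's Reg Loading Points show that the six HKLM Run-key targets stamped 2008-04-08 09:46 are exactly the six files ComboFix lists under "Files Infected - Win32.Agent.zb", and the HijackThis log carries the orphaned O3/O9/O23 entries plus the O16 DPF object loaded through ms-its:/mhtml:. The script below is an added example, not part of the thread or of either tool: it parses those two log sections and flags the same patterns. The sample lines are copied (abridged) from the logs posted above; the heuristics and the min_size threshold are assumptions of this example.

```python
"""Triage of the autostart sections of a ComboFix and a HijackThis log.

Added example for this thread, not code from ComboFix, HijackThis or the
poster. Sample lines are copied from the logs above; the heuristics and the
min_size threshold are this example's own assumptions.
"""
import re
from collections import defaultdict

# ComboFix "Reg Loading Points" value, e.g.
#   "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-04-08 09:46 155648]
# The bracket carries the target's timestamp and size; "[ ]" means ComboFix
# could not stat a target (a command line, or nothing on disk).
_CF_VALUE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\['
    r'(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})?'
)

# HijackThis line, e.g. "O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe"
_HJT_LINE = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<body>.*)$")


def parse_combofix_run(lines):
    """Return [(value_name, target, 'YYYY-MM-DD HH:MM' or None)] per Run value."""
    entries = []
    for line in lines:
        m = _CF_VALUE.match(line.strip())
        if m:
            entries.append((m["name"], m["target"], m["ts"]))
    return entries


def timestamp_clusters(entries, min_size=3):
    """Group autostart targets by modification minute and keep the big groups.

    Vendor tray apps and updaters get installed at different times, so several
    Run-key targets sharing one modification minute is the footprint of
    something that rewrote them as a batch. min_size is an assumed threshold.
    """
    by_ts = defaultdict(list)
    for name, _target, ts in entries:
        if ts:
            by_ts[ts].append(name)
    return {ts: names for ts, names in by_ts.items() if len(names) >= min_size}


def triage_hijackthis(lines):
    """Return [(kind, reason, line)] for the entries a helper would act on."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = _HJT_LINE.match(line)
        if not m:
            continue
        kind, body = m["kind"], m["body"]
        if "(no file)" in body or "(file missing)" in body:
            # Registration whose target is gone: safe to fix, and a leftover
            # of whatever created it.
            findings.append((kind, "orphaned entry, target no longer on disk", line))
        elif kind == "O16" and re.search(r"\b(ms-its|mhtml):", body, re.I):
            # Downloaded Program Files normally point at a .cab over http(s);
            # an ms-its:/mhtml: chain pulls an .ocx out of a .chm instead.
            findings.append((kind, "DPF object loaded through ms-its:/mhtml:, not a .cab", line))
        elif kind == "O17":
            servers = body.split("NameServer = ", 1)[-1]
            findings.append((kind, f"DNS servers set in registry ({servers}); confirm they are yours", line))
    return findings


# Abridged from the ComboFix log above (HKLM\...\Run and RunOnce values).
COMBOFIX_SAMPLE = r"""
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-04-08 09:46 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-04-08 09:46 114688]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2008-04-08 09:46 135251]
"NDPS"="C:\WINDOWS\System32\dpmw32.exe" [2008-04-08 09:46 28672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-04-08 09:46 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-04-08 09:46 286720]
"NWTRAY"="NWTRAY.EXE" [2001-12-18 10:24 28672 C:\WINDOWS\SYSTEM32\nwtray.exe]
"SpybotDeletingA7581"="command /c del C:\WINDOWS\SYSTEM32\wsnpoem\video.dll" [ ]
""".strip().splitlines()

# Abridged from the HijackThis log above.
HJT_SAMPLE = r"""
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
""".strip().splitlines()


if __name__ == "__main__":
    for ts, names in timestamp_clusters(parse_combofix_run(COMBOFIX_SAMPLE)).items():
        print(f"{len(names)} autostart targets modified {ts}: {', '.join(names)}")
    for kind, reason, line in triage_hijackthis(HJT_SAMPLE):
        print(f"{kind}: {reason}\n    {line}")
```

Run against the sample, the timestamp cluster is the six Run-key targets at 2008-04-08 09:46, and the HijackThis findings are the O3, O9 and O23 orphans, the ms-its: O16 object and the O17 name servers; the O4, Java O9 and Intel O23 lines pass. The cluster check is the one worth keeping for other logs: a batch of autostart binaries rewritten in the same minute is what a file infector leaves behind even when the scanner names nothing.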
  3. tucker001

    No wonder you are infected, catdrugn: you are browsing the internet with a machine running XP SP1 and IE6, which is very dangerous. You can follow the steps that the guys here are giving you, but to be honest you won't get rid of 100% of the viruses/spyware on the computer, so my advice is to back up your important files to a USB drive, CD, etc., then take some system recovery disks or the Windows install disks and reinstall Windows. Once that is done, make sure the Windows Firewall is on, and if you have a router that is another firewall, which is even better because it is hardware. Then run Windows Update until there are no new updates; this may take a ton of reboots. When all that is done, download IE7, which is a hell of a lot safer than IE6, and also download Mozilla Firefox, which in my opinion is better. Then get your AV/anti-spyware programs: I recommend Nod32 if you want to pay, or AVG for free, and for anti-spyware Windows Defender, Ad-Aware, and Spybot. Make sure you turn on Automatic Updates in Windows, and make sure you have a router and the Windows Firewall turned on, and you should be fine. You don't need 3rd-party firewalls like ZoneAlarm; they cause more trouble than they are worth.
     
  4. Ltangel

    Hey tucker001,

    Thanks so much for your input. I am aware of him running XP SP1 and I will be asking him to update once I clean up his computer. While your advice is well-intentioned, it can cause confusion for the user asking for help, as they will not know whose advice to follow.

    Thanks for your understanding and please do not do so in the future.

     
  5. Ltangel

    Hey catdrugn,

    Good job, your computer is close to being clean. :) Just a few more scans and cleanups to do before closing this.

    Please follow my instructions closely and ask if you have any doubts.

    Ensure that your real time protection is disabled.

    1) Fix with HijackThis

    Please reopen HijackThis, and click on "Do a system scan only" on Main Menu. Put a check beside the entries below:

    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx


    Close all other browsers/windows including this one, and click "Fix Checked". Close HijackThis.


    2) Fix with ComboFix

    1. Please open Notepad

    [*]Click Start, then Run
    [*]Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the quotebox below into the Notepad window:


    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    [*]Combofix.txt
    [*]A new HijackThis log.


    3) Scan with Malwarebytes' Anti-Malware

    Please download Malwarebytes' Anti-Malware from Here or Here

    Double Click mbam-setup.exe to install the application.
    [*]Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    [*]If an update is found, it will download and install the latest version.
    [*]Once the program has loaded, select "Perform Quick Scan", then click Scan.
    [*]The scan may take some time to finish, so please be patient.
    [*]When the scan is complete, click OK, then Show Results to view the results.
    [*]Make sure that everything is checked, and click Remove Selected.
    [*]When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
    [*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    [*]Copy&Paste the entire report in your next reply.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    In your next reply (please include):

    Fresh HijackThis log
    MBAM scan log
    C:\ComboFix.txt
    Description of how the computer is performing


    Go!

    ~Ltangel~
     
  6. catdrugn

    Ltangel,
    I'm almost ready to post the latest logs. The computer is currently running the Malwarebytes scan (I'm currently on my home computer)


    Tucker001,
    I appreciate the input and am familiar with a lot of your suggestions. For instance, on my own personal computer I have SP2, run constantly updated anti-virus and spy/malware scanners, I'm behind a software and hardware firewall, and I use Firefox instead of IE (although lately Firefox seems to have its own security issues).
    The computer that Ltangel is helping me with is a work computer belonging to a department I have just begun supervising. Seven different staff use the computer, and all are at different experience/knowledge levels. To make things worse, they would commonly visit questionable game and gambling sites, and I'm sure they would click on things better left unclicked, making them responsible for the mess the machine was in. So once things are fixed I'll be restricting access and will make sure all program and Windows updates are consistently completed. Then we'll work on some training and, hell, if online poker continues to get played at work I may be doing some firing; we'll have to see. Anyway, thanks for the input and for making way for Ltangel to finish up with me.
     
  7. catdrugn

    Ltangel,
    Here are the requested logs:


    HijackThis Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:48:49 PM, on 4/20/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\WINDOWS\System32\cusrvc.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Novell\ZENworks\nalntsrv.exe
    C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
    C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Novell\ZENworks\wm.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\WINDOWS\System32\dpmw32.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\System32\NWTRAY.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=204.52.66.123:80;https=204.52.66.123:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intranet;mail;helpdesk;devhaht2000;devhaht2000bak;hahtnt;flweb;161.125.121.20;161.125.202.45;4.21.148.155;127.0.0.1;<local>
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} -
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1205999457586
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
    O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
    O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
    O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
    O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe

    --
    End of file - 6721 bytes



    MBAM Scan Log:

    Malwarebytes' Anti-Malware 1.11
    Database version: 663

    Scan type: Quick Scan
    Objects scanned: 32792
    Time elapsed: 3 minute(s), 23 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 63
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 2
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\Interface\{0494d93e-a2bb-4802-865c-a80a53b78107} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{0777f4cb-c8d3-4d24-87ae-da072c750ffb} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{0d4da0aa-99ab-40b3-9bf7-a9270fbaca46} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{155e990b-c7e9-47fd-a272-acdcb1474232} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{17b69d53-cd88-4657-be84-63297b10078e} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{19bbc30a-d722-46ef-a260-e97cf87d4b3b} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{1e4dda88-df4b-4a51-8efb-acb68370b5e7} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{21f92505-0d90-4d8e-89d7-95158d147e00} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{2a81c12b-bddf-42aa-98dd-f91a78097e13} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{3479c9c8-b7ba-4704-9359-86fe33620c07} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{38200d33-6c95-43ed-bb05-aa6e9be57af8} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{49b3f626-1d1b-4018-8ba5-8ccab3fce422} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{5183e02d-21d6-4325-8810-191ce7dbfa70} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{5319069a-a18e-4a37-98e0-292e949f6302} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{599805b6-6faa-46e6-99e6-5f5425f52fd6} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{5db349b9-44c9-469f-909b-1e2a4c200b43} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{737ebf2a-41a0-4c01-8476-30fa38580c03} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{76dd8871-d61f-497c-8fb4-1886a73986e0} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{79b9cdad-6160-468b-8c95-47fa426cb081} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{7b57f151-f41c-49e1-a83f-8543867d2fea} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{815ff77e-a436-4485-8137-75fbe65eba2d} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{90305b36-8d00-48b6-bc2d-ae2131a50f64} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{975b8fb4-a107-4b4c-a811-d3560c5b70b8} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{aeebd295-3f93-4745-9208-57ba25305136} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{b7ef28d0-1b74-4fad-8226-4c5e0a467106} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{c1941056-f303-4db8-b014-48b70a2b9048} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{d63fc539-120d-4db8-ab0d-cd1eb7c960b9} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{dc16bb9b-f6ff-4e4f-85ee-f5b0c94d6d13} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{f8af8de8-bf15-4e9f-8601-f0985a1e8759} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{a521ac73-b0b9-48a4-82c2-454156af0e26} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{1a697b7c-1f9a-4428-a35f-d67d3a7fb403} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{1e7a2f4c-1b67-43f2-8839-1a5313f39fab} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{21785954-f667-4e24-aa93-3e96dbf87088} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{2aa95d12-cdba-44ce-abb7-14f35fe213c9} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{2c5638f8-9943-412e-bdaa-729df3caf9f2} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{387dd594-eca5-4053-b43e-49125a188d0f} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{4fd6fe10-7424-4347-9527-b47ec1e5a5bb} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{536c1ae5-9000-4349-bdf4-ba9489d68ea1} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{566a294b-d4a3-447e-9bc7-c1ad9d4dab68} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{597e9862-08f9-48e8-b2fa-a59bf7b53791} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{6b22978e-f8a5-437b-8f35-8010d0173441} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{6b3b803b-ec5b-4e8b-b3d5-a9f6e0418565} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{70c1cc74-496c-42ce-acb4-768407d505ce} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{71d71cd3-3ade-409a-92e9-760def7e73ae} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{722c97fb-2966-424d-9432-fb0ae9275dd2} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{72b1c0d3-3957-453a-8f48-48cb854a569e} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{73766aaa-d49b-4fea-a46b-b288b97a91df} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{7ebc5c68-c80a-41b2-bd12-0d51a3efd683} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{87da8e65-15bc-4b5d-8a7d-649f81a4003b} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{8bfed1cd-14f8-497d-90f1-bada7d1e7f4e} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{8df45a28-2cf7-4175-ac04-ce45d26b7d0b} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{9ada0fb8-1133-4c07-a46e-eaa8b6982727} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{9e809c16-5c6e-47e9-a58e-3d8cecaac5fe} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{a5357862-4be9-4eeb-af92-02efd2a2a8a8} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{b6ae969b-8eb6-4173-a696-ca39a0a50165} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{ca243c53-890c-4e0e-ba24-6c01431993b3} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{cea21171-37d9-48c1-bc42-466071222381} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{db0c739d-8790-4a6b-9f9f-de43c08a6e23} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{ec66f0db-f509-42c8-b0f3-92eaf64affad} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{31ce147e-178c-4c35-9520-319db1143a2f} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\TrustedAntivirus (Rogue.TrustedProtection) -> Quarantined and deleted successfully.
    C:\TrustedAntivirus\AVQuar (Rogue.TrustedProtection) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\SYSTEM32\gwldo132.DLL (Trojan.Vundo) -> Quarantined and deleted successfully.



    ComboFix Log:

    ComboFix 08-04-20.2 - Administrator 2008-04-20 20:20:52.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.295 [GMT -7:00]
    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\13.tmp
    C:\15.tmp
    C:\1F.tmp
    C:\20.tmp
    C:\21.tmp
    C:\delself.bat
    C:\dgfus.exe
    C:\Documents and Settings\valor\Application Data\0047d937950af9f834e3b41c7ef846a5801957e94ae966ef01.dat
    C:\Documents and Settings\valor\win.exe
    C:\ihso.exe
    C:\opgr.exe
    C:\WINDOWS\SYSTEM32\rwyjmmvu.ini
    C:\WINDOWS\SYSTEM32\tmp.reg
    C:\WINDOWS\SYSTEM32\VCCLSID.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\13.tmp
    C:\15.tmp
    C:\1F.tmp
    C:\20.tmp
    C:\21.tmp
    C:\delself.bat
    C:\dgfus.exe
    C:\Documents and Settings\Administrator\Application Data\spy-rid.com
    C:\Documents and Settings\valor\Application Data\0047d937950af9f834e3b41c7ef846a5801957e94ae966ef01.dat
    C:\Documents and Settings\valor\Application Data\EasySpywareCleaner.com


    The computer appears to be running just fine. There are no windows popping up from nowhere, it is no longer sluggish and seems to be performing quite fast. I am experiencing no problems whatsoever.

    Question: As I mentioned in a previous post, several staff have been using this computer and have different log-ins. I've completed all of your fixes while logged in under Admin. Do the fixes apply to all other log-ins as well?



     
  8. Ltangel

    Ltangel Regular member

    Hey catdrugn,

    Regarding your question, it will depend on how many different accounts you have. Some infections in the Registry only apply to the account you are currently logged in to; others apply to the whole computer (whatever the account). I am only fixing whatever infection is present on your current account and those that are present in all the accounts (by viewing them from your current account). If you have a feeling that the other accounts are also infected, feel free to let me take a look at them.

    Good to hear that your computer is performing well, I will however need to see the whole ComboFix log. You only posted part of it. :)

    ~Ltangel~
     
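The per-account versus machine-wide distinction above can be read straight off a HijackThis log: HKLM Run keys and the All Users Startup folder load for every account, HKCU and the current user's Startup folder only for the account HijackThis ran under, and HKUS\<SID> entries for that one profile hive alone (profiles of users who are not logged on are not loaded under HKEY_USERS and so never appear). The following Python parser, added here as an example and not part of HijackThis, ComboFix or MBAM, groups O4 lines by that scope; its sample input is constructed to mirror the log in this thread and is not a real scan.

```python
"""Group HijackThis O4 autostart entries by the Windows account they apply to.

Added example for this thread; not part of HijackThis, ComboFix or MBAM.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on the log posted in this thread; not a real scan.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA7581] command /c del "C:\WINDOWS\SYSTEM32\wsnpoem\video.dll"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Startup: example.lnk = C:\example\constructed.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
"""

# "O4 - HKLM\..\Run: [Name] command", with "(User 'X')" appended for HKUS hives.
_REG_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\(?P<user>[^\\]+))\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.*?)(?: \(User '(?P<label>[^']*)'\))?$"
)
# "O4 - Global Startup: x.lnk = target" (All Users) / "O4 - Startup: ..." (scanning user)
_FOLDER_RE = re.compile(r"^O4 - (?P<folder>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$")

# Hives that are loaded under HKEY_USERS even when nobody is logged on.
WELL_KNOWN_HIVES = {
    "S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-20": "NETWORK SERVICE", ".DEFAULT": "Default user",
}

ALL_ACCOUNTS = "all"          # HKLM Run/RunOnce and the All Users Startup folder
CURRENT_ACCOUNT = "current"   # HKCU and the Startup folder of the account that ran the scan


@dataclass(frozen=True)
class Autostart:
    location: str   # registry key or startup folder the entry lives in
    name: str       # value name or shortcut file name
    command: str
    account: str    # ALL_ACCOUNTS, CURRENT_ACCOUNT, or one specific profile


def _account_for(hive: str, user: Optional[str], label: Optional[str]) -> str:
    if hive == "HKLM":
        return ALL_ACCOUNTS
    if hive == "HKCU":
        return CURRENT_ACCOUNT
    # HKUS\<SID>: that profile's hive only. Profiles of users who are not
    # logged on are not loaded under HKEY_USERS, so they never show up here.
    return label or WELL_KNOWN_HIVES.get(user, user)


def parse_o4(log_text: str) -> List[Autostart]:
    """Return every O4 line of a HijackThis log as an Autostart; other lines are skipped."""
    entries: List[Autostart] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _REG_RE.match(line)
        if m:
            hive = m.group("hive")
            entries.append(Autostart(
                location=f"{hive}\\..\\{m.group('key')}",
                name=m.group("name"),
                command=m.group("cmd"),
                account=_account_for(hive, m.group("user"), m.group("label")),
            ))
            continue
        m = _FOLDER_RE.match(line)
        if m:
            folder = m.group("folder")
            entries.append(Autostart(
                location=folder,
                name=m.group("name"),
                command=m.group("cmd"),
                account=ALL_ACCOUNTS if folder == "Global Startup" else CURRENT_ACCOUNT,
            ))
    return entries


def by_account(entries: List[Autostart]) -> Dict[str, List[str]]:
    """Map each account scope to the entry names that load for it, in log order."""
    grouped: Dict[str, List[str]] = {}
    for e in entries:
        grouped.setdefault(e.account, []).append(e.name)
    return grouped


def per_profile_entries(entries: List[Autostart]) -> List[Autostart]:
    """Entries tied to one specific profile hive (HKUS\\<SID>) rather than HKLM or HKCU;
    a fix run from a different account does not touch these unless that hive is loaded."""
    return [e for e in entries if e.account not in (ALL_ACCOUNTS, CURRENT_ACCOUNT)]


if __name__ == "__main__":
    for account, names in by_account(parse_o4(SAMPLE_LOG)).items():
        print(f"{account}: {', '.join(names)}")
```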
  9. catdrugn

    catdrugn Member

    Sorry about the partial log. Here's the complete log:

    ComboFix 08-04-20.2 - Administrator 2008-04-20 20:20:52.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.295 [GMT -7:00]
    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\13.tmp
    C:\15.tmp
    C:\1F.tmp
    C:\20.tmp
    C:\21.tmp
    C:\delself.bat
    C:\dgfus.exe
    C:\Documents and Settings\valor\Application Data\0047d937950af9f834e3b41c7ef846a5801957e94ae966ef01.dat
    C:\Documents and Settings\valor\win.exe
    C:\ihso.exe
    C:\opgr.exe
    C:\WINDOWS\SYSTEM32\rwyjmmvu.ini
    C:\WINDOWS\SYSTEM32\tmp.reg
    C:\WINDOWS\SYSTEM32\VCCLSID.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\13.tmp
    C:\15.tmp
    C:\1F.tmp
    C:\20.tmp
    C:\21.tmp
    C:\delself.bat
    C:\dgfus.exe
    C:\Documents and Settings\Administrator\Application Data\spy-rid.com
    C:\Documents and Settings\valor\Application Data\0047d937950af9f834e3b41c7ef846a5801957e94ae966ef01.dat
    C:\Documents and Settings\valor\Application Data\EasySpywareCleaner.com
    C:\Documents and Settings\valor\Application Data\TrustedAntivirus
    C:\Documents and Settings\valor\Application Data\TrustedAntivirus\Logs\threats.log
    C:\Documents and Settings\valor\Application Data\TrustedAntivirus\Logs\update.log
    C:\Documents and Settings\valor\Application Data\TrustedAntivirus\PGE.dat
    C:\Documents and Settings\valor\win.exe
    C:\ihso.exe
    C:\opgr.exe
    C:\Program Files\DivX
    C:\Program Files\DivX\dfx.ico
    C:\Program Files\DivX\divxauthor.ico
    C:\Program Files\DivX\divxdotcom.ico
    C:\Program Files\DivX\divxFolder.ico
    C:\Program Files\DivX\stage6divxdotcom.ico
    C:\Program Files\EasySpywareCleaner
    C:\Program Files\PartyGaming
    C:\Program Files\PartyGaming\PartyPoker\Images\system_but_bingo.jpg
    C:\Program Files\PartyGaming\PartyPoker\Images\system_but_gammon.jpg
    C:\Program Files\PartyGaming\PartyPoker\Language\en_US\articles\10178.atc
    C:\Program Files\PartyGaming\PartyPoker\Language\en_US\articles\2.html
    C:\Program Files\PartyGaming\PartyPoker\Language\en_US\articles\4.html
    C:\Program Files\PartyGaming\PartyPoker\Notes.txt
    C:\Program Files\PartyGaming\PartyPoker\Uninstall.exe
    C:\Program Files\PartyGaming\PartyPoker\usertab.txt
    C:\Program Files\Spy-Rid
    C:\WINDOWS\SYSTEM32\rwyjmmvu.ini
    C:\WINDOWS\SYSTEM32\tmp.reg
    C:\WINDOWS\SYSTEM32\VCCLSID.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
    .

    2008-04-19 07:59 . 2008-04-19 07:59 <DIR> d-------- C:\Documents and Settings\Administrator\DoctorWeb
    2008-04-19 07:45 . 2008-04-19 07:45 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-04-16 08:12 . 2008-04-16 08:12 1,018,520 --a------ C:\fsbl.exe
    2008-04-08 13:53 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
    2008-04-08 13:53 . 2008-03-22 15:49 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
    2008-04-08 13:53 . 2008-03-26 08:50 82,432 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
    2008-04-08 13:53 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
    2008-04-08 13:53 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
    2008-04-08 13:53 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
    2008-04-08 13:17 . 2008-04-08 13:17 <DIR> d-------- C:\Program Files\Trend Micro
    2008-04-08 10:30 . 2008-04-08 15:04 481 --a------ C:\WINDOWS\wininit.ini
    2008-04-08 09:49 . 2008-04-08 09:49 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-04-08 09:49 . 2008-04-08 10:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-04-08 09:46 . 2008-04-08 09:46 155,648 --a------ C:\WINDOWS\SYSTEM32\igfxtray.exe
    2008-04-08 09:46 . 2008-04-08 09:46 114,688 --a------ C:\WINDOWS\SYSTEM32\hkcmd.exe
    2008-04-08 09:46 . 2008-04-08 09:46 40,960 --a------ C:\WINDOWS\SYSTEM32\zentray.exe
    2008-04-08 09:46 . 2008-04-08 09:46 28,672 --a------ C:\WINDOWS\SYSTEM32\dpmw32.exe
    2008-03-21 00:59 . 2008-03-21 00:59 <DIR> d-------- C:\Program Files\Alwil Software
    2008-03-21 00:31 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
    2008-03-21 00:31 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-08 17:35 --------- d-----w C:\Program Files\QuickTime
    2008-03-18 00:30 96,000 ----a-w C:\WINDOWS\SYSTEM32\AVTAP.dll
    2008-03-09 03:05 --------- d-----w C:\Program Files\Java
    2008-02-12 20:46 3,113,024 ----a-w C:\Program Files\ica32t.exe
    2007-07-16 17:31 18,164,640 ----a-w C:\Program Files\aaw2007.exe
    2006-12-07 16:28 2,855,080 ----a-w C:\Program Files\aawsepersonal.exe
    .
    Files Infected - Win32.Agent.zb
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\WINDOWS\System32\dpmw32.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\QuickTime\QTTask.exe
    .

    ((((((((((((((((((((((((((((( snapshot@2008-04-20_17.40.37.06 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-04-21 00:37:21 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
    + 2008-04-21 03:22:45 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
    - 2008-04-21 00:37:24 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
    + 2008-04-21 03:22:48 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
    - 2008-04-21 00:37:24 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
    + 2008-04-21 03:22:48 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
    - 2008-04-21 00:37:24 114,688 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
    + 2008-04-21 03:22:48 114,688 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-04-08 09:46 155648]
    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-04-08 09:46 114688]
    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2008-04-08 09:46 135251]
    "NDPS"="C:\WINDOWS\System32\dpmw32.exe" [2008-04-08 09:46 28672]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-04-08 09:46 144784]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-04-08 09:46 286720]
    "NWTRAY"="NWTRAY.EXE" [2001-12-18 10:24 28672 C:\WINDOWS\SYSTEM32\nwtray.exe]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "SpybotDeletingA7581"="command /c del C:\WINDOWS\SYSTEM32\wsnpoem\video.dll" [ ]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "CompatibleRUPSecurity"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)
    "ForceStartMenuLogOff"= 1 (0x1)
    "Intellimenus"= 1 (0x1)
    "NoWelcomeScreen"= 1 (0x1)
    "NoAutoUpdate"= 1 (0x1)
    "ForceActiveDesktopOn"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{B4870B70-F390-11d2-9FB9-F4ED725EA20D}"= C:\Program Files\Novell\ZENworks\NalExpEx.dll [2003-05-05 18:34 131072]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Eim61.sys]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
    @=""

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe [2003-02-10 02:52]
    R2 AsfAlrt;AsfAlrt;C:\WINDOWS\System32\drivers\AsfAlrt.sys [2002-12-18 02:31]
    R2 BlankScr;HBDevice;C:\WINDOWS\System32\drivers\BlankScr.sys [2003-03-18 15:26]
    R2 Kblock;Kblock;C:\WINDOWS\System32\drivers\Kblock.sys [2003-03-18 12:16]
    R2 Mouslock;Mouslock;C:\WINDOWS\System32\drivers\Mouslock.sys [2003-03-18 12:16]
    R2 Prometheus Wake-On-LAN Status Agent;Novell ZfD Wake on LAN Status Agent;C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe [2003-03-18 11:40]
    R2 Remote Management Agent;Novell ZfD Remote Management;C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [2003-05-22 11:59]
    S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe [2002-08-29 03:00]
    S3 NAL;Nal Service ;C:\WINDOWS\System32\Drivers\iqvw32.sys [2003-03-10 16:10]
    S3 nscmnt;Novell Local Security Context Manager;C:\WINDOWS\System32\drivers\novell\nscmnt.sys [2002-07-12 07:36]
    S3 xauthnt;Novell XTier Authentication Service;C:\WINDOWS\System32\drivers\novell\xauthnt.sys [2002-06-17 12:32]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-03-17 19:36:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-20 20:23:18
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP.NEW 5696 bytes

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\SYSTEM32\LEXBCES.EXE
    C:\WINDOWS\SYSTEM32\LEXPPS.EXE
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINDOWS\SYSTEM32\cusrvc.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
    C:\Program Files\Novell\ZENworks\NALNTSRV.EXE
    C:\WINDOWS\SYSTEM32\wdfmgr.exe
    C:\Program Files\Novell\ZENworks\WM.EXE
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    .
    **************************************************************************
    .
    Completion time: 2008-04-20 20:26:17 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-04-21 03:26:13
    ComboFix2.txt 2008-04-21 00:40:50
    ComboFix3.txt 2008-04-16 03:45:45

    Pre-Run: 30,497,763,328 bytes free
    Post-Run: 30,482,485,248 bytes free

    203 --- E O F --- 2008-04-16 15:04:58
     
  10. Ltangel

    Ltangel Regular member

    Hey catdrugn,

    Just a few more steps and we'll be done. :)

    1) Move malicious files with OTMoveIt2

    • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP.NEW

    • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt2
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


    2) Do an online scan with Panda Active

    Please go HERE to run Panda's TotalScan
    • Select the bubble for Full scan
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • Then the scan will begin
    • When the scan completes, click the Save button on the right of Scan details
    • Save it to a convenient location. Post the contents of the TotalScan report


    3) Clean your temporary files with ATF Cleaner

    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

    If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    In your next reply (please include):

    Fresh HijackThis log
    OTMoveIt2 log
    Panda Totalscan log


    Go!

    ~Ltangel~
     
  11. catdrugn

    catdrugn Member

    Hi Ltangel,

    Here are the three logs:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:23:09 PM, on 4/22/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\WINDOWS\System32\cusrvc.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Novell\ZENworks\nalntsrv.exe
    C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
    C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Novell\ZENworks\wm.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\WINDOWS\System32\dpmw32.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\System32\NWTRAY.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=204.52.66.123:80;https=204.52.66.123:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intranet;mail;helpdesk;devhaht2000;devhaht2000bak;hahtnt;flweb;161.125.121.20;161.125.202.45;4.21.148.155;127.0.0.1;<local>
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\RunOnce: [SpybotDeletingA7581] command /c del "C:\WINDOWS\SYSTEM32\wsnpoem\video.dll"
    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} -
    O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/cabs/ascstubie.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1205999457586
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
    O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
    O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
    O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
    O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe

    --
    End of file - 6902 bytes

    ---------------------------------------------------------------------

    File/Folder c:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP.NEW not found.

    OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04222008_151850

    ---------------------------------------------------------------------

    ANALYSIS: 2008-04-22 15:13:37
    PROTECTIONS: 1
    MALWARE: 31
    SUSPECTS: 0
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    McAfee VirusScan Enterprise 7.1.0.187 No No
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Nimbus\Cookies\nimbus@doubleclick[2].txt
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Nimbus\Cookies\nimbus@doubleclick[1].txt
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\LocalService\Cookies\system@doubleclick[1].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\LocalService\Cookies\system@atdmt[1].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Nimbus\Cookies\nimbus@atdmt[2].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Nimbus\Cookies\nimbus@atdmt[3].txt
    00139535 Application/Processor HackTools No 0 No No C:\Documents and Settings\Administrator\Desktop\SDFix.exe[SDFix\apps\Process.exe]
    00139535 Application/Processor HackTools No 0 Yes No C:\WINDOWS\SYSTEM32\Process.exe
    00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Process.exe
    00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Nimbus\Cookies\nimbus@fastclick[3].txt
    00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Nimbus\Cookies\nimbus@fastclick[1].txt
    00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Nimbus\Cookies\nimbus@tribalfusion[1].txt
    00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Nimbus\Cookies\nimbus@mediaplex[1].txt
    00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\Nimbus\Cookies\nimbus@revenue[2].txt
    00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Nimbus\Cookies\nimbus@com[1].txt
    00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Nimbus\Cookies\nimbus@xiti[1].txt
    00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Nimbus\Cookies\nimbus@statcounter[2].txt
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Nimbus\Cookies\nimbus@ad.yieldmanager[2].txt
    00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Nimbus\Cookies\nimbus@burstnet[2].txt
    00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Nimbus\Cookies\nimbus@bs.serving-sys[1].txt
    00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Nimbus\Cookies\nimbus@statse.webtrendslive[2].txt
    00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[1].txt
    00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Nimbus\Cookies\nimbus@realmedia[1].txt
    00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Nimbus\Cookies\nimbus@questionmarket[2].txt
    00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt
    00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Nimbus\Cookies\nimbus@zedo[1].txt
    00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Nimbus\Cookies\nimbus@zedo[3].txt
    00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\LocalService\Cookies\system@zedo[1].txt
    00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\Nimbus\Cookies\nimbus@bluestreak[2].txt
    00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\valor1\Cookies\valor1@go[2].txt
    00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Nimbus\Cookies\nimbus@searchportal.information[1].txt
    00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\Nimbus\Cookies\nimbus@ehg-dig.hitbox[2].txt
    00517584 Application/SuperFast HackTools No 0 Yes No C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\restart.exe
    01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\Documents and Settings\Administrator\Desktop\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]
    01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP4\A0000730.EXE
    01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP5\A0000856.EXE
    01196325 Cookie/Enhance TrackingCookie No 0 Yes No C:\Documents and Settings\LocalService\Cookies\system@enhance[2].txt
    02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Reboot.exe
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP4\A0000661.sys
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP5\A0000787.sys
    02895262 W32/PatchLog.P Virus Yes 0 Yes No C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\UPDATERUI.EXE
    02895262 W32/PatchLog.P Virus Yes 0 Yes No C:\PROGRAM FILES\JAVA\JRE1.6.0_05\BIN\JUSCHED.EXE
    02895262 W32/PatchLog.P Virus No 0 Yes No C:\WINDOWS\SYSTEM32\IGFXTRAY.EXE
    02895262 W32/PatchLog.P Virus Yes 0 Yes No C:\WINDOWS\SYSTEM32\HKCMD.EXE
    02895262 W32/PatchLog.P Virus Yes 0 Yes No C:\WINDOWS\SYSTEM32\DPMW32.EXE
    02895262 W32/PatchLog.P Virus No 0 Yes No C:\PROGRAM FILES\QUICKTIME\QTTASK.EXE
    02895262 W32/PatchLog.P Virus No 0 Yes No C:\WINDOWS\SYSTEM32\zentray.exe
    02908218 Trj/Downloader.TBL Virus/Trojan No 1 Yes No C:\QooBox\Quarantine\C\ihso.exe.vir
    02908218 Trj/Downloader.TBL Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP5\A0000776.exe
    02921939 Application/AntivirusPro Spyware No 0 Yes No C:\quarantine\AntiVirusPro.exe.Vir
    ;===================================================================================================================================================================================
    SUSPECTS
    Location
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================


    Will await your reply. Thank you!
     
  12. Ltangel

    Hey catdrugn,

    Some final steps to do, please follow them in the order I've given you.

    1) Fix entries with HijackThis

    Please reopen HijackThis and do a system scan only. Put a check next to the following entry:

    O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} -

    Click "Fix Checked" and close HijackThis.

    2) Update your Java

    Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. Please follow these steps to remove older-version Java components and update:

    * Download the latest version of Java here.
    * Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java (they begin with "J2SE Runtime Environment...").
    * It may prompt you to reboot once you have removed previous versions, please click "Yes" if the prompt comes up.
    * Finally, install the latest version of Java you have downloaded earlier.

    3) Upgrading to Windows XP SP2

    From your log, you are using Windows XP SP1. The latest and most secure version is Windows XP SP2. It is CRUCIAL that you update to SP2 so as to patch the security vulnerabilities in SP1 as it is very likely that you will get infected again without it!

    Please upgrade to SP2 NOW! You can download it here.

    Please tell me how the update with SP2 went, as an unsuccessful update may indicate that there is other malware on the computer.

    In your next reply (please include):

    A fresh HijackThis log
    Description of how your computer is running and about SP2 update


    Go!

    ~Ltangel~
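Added example for readers working through the "Fix entries with HijackThis" step above; it is not code from this thread or from HijackThis. The script parses the O-section lines of an HJT v2 log and reports the entry kinds a helper looks at first: an O16 DPF entry with no download URL (the one checked for removal above), O4 autostart commands that do not launch from a trusted directory, pending RunOnce commands, O17 NameServer values outside an expected resolver set, O20 AppInit_DLLs entries, and anything marked "(file missing)". The sample log is constructed from lines quoted in this thread plus one constructed O17 line using 192.0.2.53 (documentation range); the expected-resolver set and the trusted directory roots are assumptions made for the example.

```python
"""Triage helper for HijackThis v2 log lines.

Added example for this thread, not code from the thread's participants or from
HijackThis itself. It reads the O-section lines of an HJT log and reports the
entry kinds a helper looks at first. The sample log is constructed from lines
quoted in this thread; the expected-resolver set and trusted directory roots are
assumptions for the example.
"""
import re

# Assumption: resolvers this site expects in O17 lines (the OpenDNS pair seen
# in the thread's logs). Anything else is reported for review.
EXPECTED_NAMESERVERS = {"208.67.222.222", "208.67.220.220"}

# Assumption: directories from which O4 autostart entries normally launch.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>.*?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? -\s*(?P<url>\S*)$")
O17_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)")
O20_RE = re.compile(r"^AppInit_DLLs: (?P<dlls>.+)$")

# Constructed sample: lines quoted in this thread plus one constructed O17 line
# (192.0.2.53 is from the documentation address range) to exercise the resolver check.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\RunOnce: [SpybotDeletingA7581] command /c del "C:\WINDOWS\SYSTEM32\wsnpoem\video.dll"
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKCU\..\Run: [mds.exe] indows\system32\mds.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} -
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/cabs/ascstubie.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 192.0.2.53
O20 - AppInit_DLLs: avgrsstx.dll
"""


def triage(log_text):
    """Return (section, reason, line) tuples for entries that deserve a look.

    These are review prompts, not verdicts: a bare filename such as NWTRAY.EXE
    resolves through PATH and may be legitimate, and AppInit_DLLs is used by
    security software as well as by malware.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")

        if sec == "O4":
            m4 = O4_RE.match(body)  # "Global Startup" O4 lines have another shape; skipped
            if m4:
                # Drop HJT's "(User '...')" annotation, surrounding quotes and case.
                cmd = re.sub(r"\s+\(User '[^']*'\)$", "", m4.group("cmd"))
                cmd = cmd.strip().lstrip('"').lower()
                if not cmd.startswith(TRUSTED_ROOTS):
                    findings.append((sec, "autostart command not rooted in a trusted directory", line))
                if m4.group("key") == "RunOnce":
                    findings.append((sec, "pending RunOnce command (runs at next logon)", line))

        elif sec == "O16":
            m16 = O16_RE.match(body)
            if m16 and not m16.group("url"):
                findings.append((sec, "DPF entry with no download URL (orphaned ActiveX download)", line))

        elif sec == "O17":
            m17 = O17_RE.search(body)
            if m17:
                unexpected = set(m17.group("servers").split(",")) - EXPECTED_NAMESERVERS
                if unexpected:
                    findings.append((sec, "NameServer outside expected resolvers: " + ", ".join(sorted(unexpected)), line))

        elif sec == "O20" and O20_RE.match(body):
            findings.append((sec, "AppInit_DLLs loads a DLL into every GUI process; confirm the owner", line))

        if "(file missing)" in line:
            findings.append((sec, "entry points at a file that no longer exists", line))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```

Run on the sample it reports eight items, among them the orphaned O16 entry, the relative-path `mds.exe` autostart, the constructed off-list resolver and the AVG AppInit DLL; the Intel and McAfee autostarts launching from trusted roots are not reported. Treat each line as a prompt to confirm the file's owner and origin, the way the helpers in this thread do, rather than as a removal list.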
     
  13. catdrugn

    Hi Ltangel,

    Here's the fresh HiJack Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:40:51 PM, on 4/23/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\WINDOWS\System32\cusrvc.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Novell\ZENworks\nalntsrv.exe
    C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
    C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Novell\ZENworks\wm.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\msiexec.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\WINDOWS\System32\dpmw32.exe
    C:\WINDOWS\system32\NWTRAY.EXE
    C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=204.52.66.123:80;https=204.52.66.123:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intranet;mail;helpdesk;devhaht2000;devhaht2000bak;hahtnt;flweb;161.125.121.20;161.125.202.45;4.21.148.155;127.0.0.1;<local>
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/cabs/ascstubie.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1205999457586
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
    O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
    O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
    O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
    O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe

    --
    End of file - 6803 bytes


    The SP2 update went smoothly, no complications at all. The Java update was completed as well. Under the Admin log-in the computer seems to be operating very well! Acts like a new machine. I haven't yet checked performance under any of the other log-ins; I will wait for your input.

    Ltangel, you have been absolutely wonderful and professional through this whole process. I manage group homes for abused and neglected kids for a large non-profit. Thanks to your help I can get things back on line at one of the boys' houses - you really did a nice thing here. Thank you!
     
  14. Ltangel

    Hey catdrugn,

    Thanks for your compliments and it's great to hear that your computer is performing well. I am honoured to be able to assist you. :)

    However, the following files need to be replaced since they were previously infected and may become corrupt:

    C:\WINDOWS\System32\igfxtray.exe (Intel Graphics)
    C:\WINDOWS\System32\hkcmd.exe (Intel Hotkey)
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe (McAfee Enterprise 7.0)
    C:\WINDOWS\System32\dpmw32.exe (Novell Netware Client)
    C:\Program Files\QuickTime\QTTask.exe (Quicktime)

    I would advise you to reinstall the programs affected to replace the infected files.

    With your computer cleaned and updated to SP2, there are only a few more steps to closing this.

    1) Reset your System Restore Points

    Please do the following:

    Please right click on My Computer, select "Properties". Then in "System Properties" window, select the "System Restore" tab.

    Clean existing Restore Points

    * Put a check next to "Turn off System Restore on all drives". Click Apply. Click Yes when prompted. (Please wait for a moment to complete the cleaning process)

    Set new Restore Points
    * Uncheck "Turn off System Restore on all drives". Click Apply. Click Yes when prompted. (Please wait for a moment to complete the reset process)

    2) Configure Automatic Updates

    Next, let's configure Automatic Updates to ensure that the computer gets notification of the latest security updates and patches.

    In "System Properties" window, select the "Automatic Updates" tab. Choose any of the available options except "Turn off Automatic Updates", as turning it off can open your system to future infections that may be caused by an unpatched security vulnerability.

    ------------------------------------------------------------------------------------------------------------------------------
    Now that your log is fine, I have some recommended downloads for you. Please have a look at them and decide for yourself what you would like to use as protection for your system. After you have chosen the protection software you want to download, please ensure that automatic updating is activated so that you can get the latest updates for this software.

    [*]Spybot Search & Destroy - An excellent and free anti-spyware software with Immunize functionality that will help prevent future infections. PGPhantom has written a very comprehensive instruction set for Spybot, available here.

    [*]SpywareBlaster - A wonderful prevention tool to protect yourself from installation of malicious codes. SpywareBlaster tutorial (by Grinler) is available here.

    [*]IE-SpyAd - It puts over 5000 sites in your restricted zone and protects your Internet browser from being redirected to a malicious site. Lawrence Abrams has written an excellent tutorial about IE-SpyAd here.

    Special Note: It is vital to know that you should only have ONE anti-spyware resident protection and ONE anti-virus resident protection running. Running more than one resident protection can slow down your system and cause conflicts between the protection software. Exceptions are Spywareblaster and IE-SpyAd, which can be used with any other protection software.

    To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

    LT
     
  15. catdrugn

    Hi Ltangel,

    I've completed the restore point process, set up automatic updates and installed Spybot S&D, Lavasoft Adaware, and AVG.

    A few questions:

    Shall I leave the various programs that we installed on the computer or un-install them?

    Shall I run a HJT log under the log-in that the staff will be using to make sure it's clean as well?

     
  16. Ltangel

    Hey catdrugn,

    Sorry for the late reply, been tied down with school work all this while. I would advise you to remove the tools with OTMoveIt2.

    Open OTMoveIt2, click on the Cleanup! button and click "Yes" at the prompt. After completing the cleanup, reboot your computer.

    You can let me look at the logs from the other accounts. :)

    ~Ltangel~
     
  17. tucker001

    I would suggest putting staff accounts as limited users, and using Microsoft's new free program Windows Steady State.
     
  18. catdrugn

    Hi tucker,
    That sounds like an excellent suggestion. I was planning on changing their account from "administrator" to "limited" but Windows Steady State looks like it will restrict their options even further. Thanks!


    Hi ltangel,
    Here's the HJT log from the other account:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:41:35 AM, on 4/28/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\System32\cusrvc.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Novell\ZENworks\nalntsrv.exe
    C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
    C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Novell\ZENworks\wm.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\NWTRAY.EXE
    C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\lexpps.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=204.52.66.123:80;https=204.52.66.123:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intranet;mail;helpdesk;devhaht2000;devhaht2000bak;hahtnt;flweb;161.125.121.20;161.125.202.45;4.21.148.155;127.0.0.1;<local>;<local>
    R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [mds.exe] indows\system32\mds.exe
    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/cabs/ascstubie.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1205999457586
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
    O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
    O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
    O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
    O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe

    --
    End of file - 7249 bytes

    Thank you!
     
  19. tucker001

    You can also set Windows Steady State up so that if someone downloads a bunch of crap and there's malware etc. in it, once you reboot the computer everything he/she did before is gone.
     
