
Virus Troubles - Me Clueless

I have been battling an infected XP system for about a week and a half now. AVG Free and Spybot have been detecting and cleaning trojan horses all over the place. But they keep coming back. An example:

[image: testResults.png]

Here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:41 PM, on 13/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\tbctray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP2LAK.EXE
C:\WINDOWS\system32\CAP2RSK.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP2SWK.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\DaveRogers\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Rmn plugin - {D21D9540-6415-4288-BDD0-4453088D9D38} - smb32.dll (file missing)
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [CAP2ON] C:\WINDOWS\system32\Spool\Drivers\w32x86\3\CAP2ONN.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [wekewfjo983mkefdd] C:\DOCUME~1\DAVERO~1\LOCALS~1\Temp\winlogan.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [wekewfjo983mkefdd] C:\DOCUME~1\DAVERO~1\LOCALS~1\Temp\winlogan.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\DAVERO~1\LOCALS~1\Temp\csrssc.exe
O4 - HKLM\..\Policies\Explorer\Run: [ctfmom] C:\WINDOWS\system32\ctfnom.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Canon LASER SHOT LBP-1210 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP2LAK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202515759828
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: fhslem - fhslem.dll (file missing)
O22 - SharedTaskScheduler: werkjdnfi8wnkjmdfdfkefn - {C5AF49A2-94F3-42BD-F434-3604812C897D} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Google Desktop Manager 5.7.801.1629 (GoogleDesktopManager-010108-205858) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe

--
End of file - 9336 bytes
Here is the Panda report:
;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-09-13 15:58:24
PROTECTIONS: 1
MALWARE: 2
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AVG 7.5.524 7.5.524 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
03624734 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\WINDOWS\system32\drivers\Nbi15.sys
03624734 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{A6779B7B-4BC9-4EF7-8276-0F2142FE09CA}\RP5\A0000056.sys
03625229 Trj/RootkitDropper.H Virus/Trojan No 0 Yes No C:\WINDOWS\Temp\BN6.tmp
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================
Here is the Kaspersky report:

KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, September 13, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, September 13, 2008 04:53:20
Records in database: 1220583

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 414403
Threat name: 9
Infected objects: 140
Suspicious objects: 440
Duration of the scan: 07:01:46


File name / Threat name / Threats count
C:\Documents and Settings\DaveRogers\Application Data\Thunderbird\Profiles\a5ct8kll.default\Mail\Local Folders\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\DaveRogers\Application Data\Thunderbird\Profiles\a5ct8kll.default\Mail\Local Folders\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\DaveRogers\Application Data\Thunderbird\Profiles\a5ct8kll.default\Mail\mail.internetguruhos-1.net\Inbox Infected: Trojan-Spy.HTML.Paylap.cb 2
C:\Documents and Settings\DaveRogers\Application Data\Thunderbird\Profiles\a5ct8kll.default\Mail\mail.internetguruhos-1.net\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 4
C:\Documents and Settings\DaveRogers\Application Data\Thunderbird\Profiles\a5ct8kll.default\Mail\mail.internetguruhos-1.net\Junk Suspicious: Trojan-Spy.HTML.Fraud.gen 24
C:\Documents and Settings\DaveRogers\Application Data\Thunderbird\Profiles\a5ct8kll.default\Mail\mail.internetguruhos-1.net\Junk Infected: Trojan-Spy.HTML.Paylap.cb 6
C:\Documents and Settings\DaveRogers\Application Data\Thunderbird\Profiles\a5ct8kll.default\Mail\mail.internetguruhos-1.net\Junk Infected: Trojan-Spy.HTML.Paylap.ad 1
C:\Documents and Settings\DaveRogers\Application Data\Thunderbird\Profiles\a5ct8kll.default\Mail\mail.internetguruhos-1.net\Junk Infected: Trojan-Spy.HTML.Paylap.fg 1
C:\Documents and Settings\DaveRogers\Application Data\Thunderbird\Profiles\a5ct8kll.default\Mail\mail.internetguruhos-1.net\Trash Infected: Trojan-Spy.HTML.Amazofraud.j 2
C:\Documents and Settings\DaveRogers\Application Data\Thunderbird\Profiles\a5ct8kll.default\Mail\mail.internetguruhos-1.net\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 62
C:\Documents and Settings\DaveRogers\Application Data\Thunderbird\Profiles\a5ct8kll.default\Mail\mail.internetguruhos-1.net\Trash Infected: Trojan-Spy.HTML.Amazofraud.o 1
C:\Documents and Settings\DaveRogers\Application Data\Thunderbird\Profiles\a5ct8kll.default\Mail\mail.internetguruhos-1.net\Trash Infected: Trojan-Spy.HTML.Paylap.ad 3
C:\Documents and Settings\DaveRogers\Application Data\Thunderbird\Profiles\a5ct8kll.default\Mail\mail.internetguruhos-1.net\Trash Infected: Trojan-Spy.HTML.Paylap.cb 10
C:\Documents and Settings\DaveRogers\Application Data\Thunderbird\Profiles\a5ct8kll.default\Mail\mail.internetguruhos-1.net\Trash Infected: Trojan-Spy.HTML.Paylap.m 1
C:\Documents and Settings\DaveRogers\Application Data\Thunderbird\Profiles\a5ct8kll.default\Mail\mail.internetguruhos-1.net\Trash Infected: Trojan-Spy.HTML.Paylap.fg 1
D:\Dave\Misc\vnc-3_3_3r7_x86_win32.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1
D:\RECYCLER\S-1-5-21-1123561945-1957994488-839522115-1003\Dd164.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 1
G:\DBackup\Dave\Misc\vnc-3_3_3r7_x86_win32.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1
G:\DBackup\RECYCLER\S-1-5-21-1123561945-1957994488-839522115-1003\Dd164.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 1
G:\RECYCLER\S-1-5-21-1275210071-1482476501-682003330-1003\Dg5\Profiles\vpc0ec9s.default\Mail\Local Folders\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
G:\RECYCLER\S-1-5-21-1275210071-1482476501-682003330-1003\Dg5\Profiles\vpc0ec9s.default\Mail\Local Folders\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 1
G:\RECYCLER\S-1-5-21-1275210071-1482476501-682003330-1003\Dg5\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Inbox Infected: Trojan-Spy.HTML.Paylap.cb 2
G:\RECYCLER\S-1-5-21-1275210071-1482476501-682003330-1003\Dg5\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
G:\RECYCLER\S-1-5-21-1275210071-1482476501-682003330-1003\Dg5\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Junk Suspicious: Trojan-Spy.HTML.Fraud.gen 21
G:\RECYCLER\S-1-5-21-1275210071-1482476501-682003330-1003\Dg5\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Junk Infected: Trojan-Spy.HTML.Paylap.cb 6
G:\RECYCLER\S-1-5-21-1275210071-1482476501-682003330-1003\Dg5\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Junk Infected: Trojan-Spy.HTML.Paylap.ad 1
G:\RECYCLER\S-1-5-21-1275210071-1482476501-682003330-1003\Dg5\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Junk Infected: Trojan-Spy.HTML.Paylap.fg 1
G:\RECYCLER\S-1-5-21-1275210071-1482476501-682003330-1003\Dg5\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Trash Infected: Trojan-Spy.HTML.Amazofraud.j 2
G:\RECYCLER\S-1-5-21-1275210071-1482476501-682003330-1003\Dg5\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 58
G:\RECYCLER\S-1-5-21-1275210071-1482476501-682003330-1003\Dg5\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Trash Infected: Trojan-Spy.HTML.Amazofraud.o 1
G:\RECYCLER\S-1-5-21-1275210071-1482476501-682003330-1003\Dg5\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Trash Infected: Trojan-Spy.HTML.Paylap.ad 3
G:\RECYCLER\S-1-5-21-1275210071-1482476501-682003330-1003\Dg5\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Trash Infected: Trojan-Spy.HTML.Paylap.cb 8
G:\RECYCLER\S-1-5-21-1275210071-1482476501-682003330-1003\Dg5\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Trash Infected: Trojan-Spy.HTML.Paylap.m 1
G:\RECYCLER\S-1-5-21-1275210071-1482476501-682003330-1003\Dg5\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Trash Infected: Trojan-Spy.HTML.Paylap.fg 1
G:\RECYCLER\S-1-5-21-854245398-1409082233-1801674531-1003\Dg139\Profiles\vpc0ec9s.default\Mail\Local Folders\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
G:\RECYCLER\S-1-5-21-854245398-1409082233-1801674531-1003\Dg139\Profiles\vpc0ec9s.default\Mail\Local Folders\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 1
G:\RECYCLER\S-1-5-21-854245398-1409082233-1801674531-1003\Dg139\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Inbox Infected: Trojan-Spy.HTML.Paylap.cb 2
G:\RECYCLER\S-1-5-21-854245398-1409082233-1801674531-1003\Dg139\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
G:\RECYCLER\S-1-5-21-854245398-1409082233-1801674531-1003\Dg139\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Junk Suspicious: Trojan-Spy.HTML.Fraud.gen 21
G:\RECYCLER\S-1-5-21-854245398-1409082233-1801674531-1003\Dg139\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Junk Infected: Trojan-Spy.HTML.Paylap.cb 6
G:\RECYCLER\S-1-5-21-854245398-1409082233-1801674531-1003\Dg139\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Junk Infected: Trojan-Spy.HTML.Paylap.ad 1
G:\RECYCLER\S-1-5-21-854245398-1409082233-1801674531-1003\Dg139\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Junk Infected: Trojan-Spy.HTML.Paylap.fg 1
G:\RECYCLER\S-1-5-21-854245398-1409082233-1801674531-1003\Dg139\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Trash Infected: Trojan-Spy.HTML.Amazofraud.j 2
G:\RECYCLER\S-1-5-21-854245398-1409082233-1801674531-1003\Dg139\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 58
G:\RECYCLER\S-1-5-21-854245398-1409082233-1801674531-1003\Dg139\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Trash Infected: Trojan-Spy.HTML.Amazofraud.o 1
G:\RECYCLER\S-1-5-21-854245398-1409082233-1801674531-1003\Dg139\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Trash Infected: Trojan-Spy.HTML.Paylap.ad 3
G:\RECYCLER\S-1-5-21-854245398-1409082233-1801674531-1003\Dg139\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Trash Infected: Trojan-Spy.HTML.Paylap.cb 8
G:\RECYCLER\S-1-5-21-854245398-1409082233-1801674531-1003\Dg139\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Trash Infected: Trojan-Spy.HTML.Paylap.m 1
G:\RECYCLER\S-1-5-21-854245398-1409082233-1801674531-1003\Dg139\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Trash Infected: Trojan-Spy.HTML.Paylap.fg 1
G:\RECYCLER\S-1-5-21-854245398-1409082233-1801674531-1003\Dg172\Profiles\vpc0ec9s.default\Mail\Local Folders\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
G:\RECYCLER\S-1-5-21-854245398-1409082233-1801674531-1003\Dg172\Profiles\vpc0ec9s.default\Mail\Local Folders\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 1
G:\RECYCLER\S-1-5-21-854245398-1409082233-1801674531-1003\Dg172\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Inbox Infected: Trojan-Spy.HTML.Paylap.cb 2
G:\RECYCLER\S-1-5-21-854245398-1409082233-1801674531-1003\Dg172\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 4
G:\RECYCLER\S-1-5-21-854245398-1409082233-1801674531-1003\Dg172\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Junk Suspicious: Trojan-Spy.HTML.Fraud.gen 24
G:\RECYCLER\S-1-5-21-854245398-1409082233-1801674531-1003\Dg172\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Junk Infected: Trojan-Spy.HTML.Paylap.cb 6
G:\RECYCLER\S-1-5-21-854245398-1409082233-1801674531-1003\Dg172\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Junk Infected: Trojan-Spy.HTML.Paylap.ad 1
G:\RECYCLER\S-1-5-21-854245398-1409082233-1801674531-1003\Dg172\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Junk Infected: Trojan-Spy.HTML.Paylap.fg 1
G:\RECYCLER\S-1-5-21-854245398-1409082233-1801674531-1003\Dg172\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Trash Infected: Trojan-Spy.HTML.Amazofraud.j 2
G:\RECYCLER\S-1-5-21-854245398-1409082233-1801674531-1003\Dg172\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 62
G:\RECYCLER\S-1-5-21-854245398-1409082233-1801674531-1003\Dg172\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Trash Infected: Trojan-Spy.HTML.Amazofraud.o 1
G:\RECYCLER\S-1-5-21-854245398-1409082233-1801674531-1003\Dg172\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Trash Infected: Trojan-Spy.HTML.Paylap.ad 3
G:\RECYCLER\S-1-5-21-854245398-1409082233-1801674531-1003\Dg172\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Trash Infected: Trojan-Spy.HTML.Paylap.cb 10
G:\RECYCLER\S-1-5-21-854245398-1409082233-1801674531-1003\Dg172\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Trash Infected: Trojan-Spy.HTML.Paylap.m 1
G:\RECYCLER\S-1-5-21-854245398-1409082233-1801674531-1003\Dg172\Profiles\vpc0ec9s.default\Mail\mail.internetguruhos-1.net\Trash Infected: Trojan-Spy.HTML.Paylap.fg 1
G:\TBirdBackup\Profiles\a5ct8kll.default\Mail\Local Folders\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
G:\TBirdBackup\Profiles\a5ct8kll.default\Mail\Local Folders\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 1
G:\TBirdBackup\Profiles\a5ct8kll.default\Mail\mail.internetguruhos-1.net\Inbox Infected: Trojan-Spy.HTML.Paylap.cb 2
G:\TBirdBackup\Profiles\a5ct8kll.default\Mail\mail.internetguruhos-1.net\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 4
G:\TBirdBackup\Profiles\a5ct8kll.default\Mail\mail.internetguruhos-1.net\Junk Suspicious: Trojan-Spy.HTML.Fraud.gen 24
G:\TBirdBackup\Profiles\a5ct8kll.default\Mail\mail.internetguruhos-1.net\Junk Infected: Trojan-Spy.HTML.Paylap.cb 6
G:\TBirdBackup\Profiles\a5ct8kll.default\Mail\mail.internetguruhos-1.net\Junk Infected: Trojan-Spy.HTML.Paylap.ad 1
G:\TBirdBackup\Profiles\a5ct8kll.default\Mail\mail.internetguruhos-1.net\Junk Infected: Trojan-Spy.HTML.Paylap.fg 1
G:\TBirdBackup\Profiles\a5ct8kll.default\Mail\mail.internetguruhos-1.net\Trash Infected: Trojan-Spy.HTML.Amazofraud.j 2
G:\TBirdBackup\Profiles\a5ct8kll.default\Mail\mail.internetguruhos-1.net\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 62
G:\TBirdBackup\Profiles\a5ct8kll.default\Mail\mail.internetguruhos-1.net\Trash Infected: Trojan-Spy.HTML.Amazofraud.o 1
G:\TBirdBackup\Profiles\a5ct8kll.default\Mail\mail.internetguruhos-1.net\Trash Infected: Trojan-Spy.HTML.Paylap.ad 3
G:\TBirdBackup\Profiles\a5ct8kll.default\Mail\mail.internetguruhos-1.net\Trash Infected: Trojan-Spy.HTML.Paylap.cb 10
G:\TBirdBackup\Profiles\a5ct8kll.default\Mail\mail.internetguruhos-1.net\Trash Infected: Trojan-Spy.HTML.Paylap.m 1
G:\TBirdBackup\Profiles\a5ct8kll.default\Mail\mail.internetguruhos-1.net\Trash Infected: Trojan-Spy.HTML.Paylap.fg 1

The selected area was scanned.
Any help in cleaning up my mess will be very much appreciated!
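As an added illustration (not part of the original post or of any tool named in this thread), the triage below parses autostart entries of the kind shown in the HijackThis log above and flags the ones a helper would look at first: entries launching from a Temp directory, entries whose file is already gone, names that look machine-generated, and near-miss spellings of core Windows process names. The sample lines are copied from the log above; the thresholds and the list of core process names are assumptions.

```python
"""Triage HijackThis autostart entries (O2/O4/O20/O22); each heuristic adds a reason, none proves infection."""
import re
from typing import List, Optional, Tuple

# Assumed list of core Windows process names that malware often imitates with a one-character change.
CORE_PROCESSES = ("ctfmon", "csrss", "winlogon", "smss", "svchost", "lsass")
VOWELS = set("aeiou")

# Constructed sample: entries copied from the HijackThis log in the post above,
# plus one legitimate ctfmon entry so a clean line is exercised too.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Rmn plugin - {D21D9540-6415-4288-BDD0-4453088D9D38} - smb32.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [wekewfjo983mkefdd] C:\DOCUME~1\DAVERO~1\LOCALS~1\Temp\winlogan.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\DAVERO~1\LOCALS~1\Temp\csrssc.exe
O4 - HKLM\..\Policies\Explorer\Run: [ctfmom] C:\WINDOWS\system32\ctfnom.exe
O20 - Winlogon Notify: fhslem - fhslem.dll (file missing)
O22 - SharedTaskScheduler: werkjdnfi8wnkjmdfdfkefn - {C5AF49A2-94F3-42BD-F434-3604812C897D} - (no file)
"""

def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Split one log line into (entry type, entry name, launched target); None for non-O lines."""
    m = re.match(r"^(O\d+) - (.*)$", line.strip())
    if not m:
        return None
    kind, body = m.groups()
    if kind == "O4":
        r = re.match(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$", body)
        return (kind, r["name"], r["cmd"]) if r else (kind, "", body)
    # O2 / O20 / O22 entries look like "Label: name - {CLSID} - target"
    _, _, detail = body.partition(": ")
    parts = [p.strip() for p in detail.split(" - ")]
    return kind, parts[0], (parts[-1] if len(parts) > 1 else "")

def exe_basename(target: str) -> Optional[str]:
    """Base name of the first .exe/.dll/.sys in the target, or None (e.g. for '(no file)')."""
    m = re.search(r'([^\\\s"]+)\.(exe|dll|sys)\b', target, re.I)
    return m.group(1) if m else None

def looks_random(name: str) -> bool:
    """Very few vowels, or digits buried inside a long letter string, reads as machine-generated."""
    alnum = re.sub(r"[^A-Za-z0-9]", "", name)
    letters = [c.lower() for c in alnum if c.isalpha()]
    if len(alnum) < 8 or not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    digits_inside = re.search(r"[A-Za-z]\d+[A-Za-z]", alnum) is not None
    return vowel_ratio < 0.2 or (digits_inside and len(alnum) >= 12)

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent transposition."""
    a, b = a.lower(), b.lower()
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalike_of(name: str) -> Optional[str]:
    """Core process that `name` imitates (one edit away but not an exact match), else None."""
    base = re.sub(r"\.(exe|dll|sys)$", "", name, flags=re.I).lower()
    for proc in CORE_PROCESSES:
        if base != proc and osa_distance(base, proc) == 1:
            return proc
    return None

def triage(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (type, name, reasons) for every entry that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, name, target = parsed
        reasons = []
        if re.search(r"\\temp\\", target, re.I):
            reasons.append("launches from a Temp directory")
        if "(file missing)" in target or "(no file)" in target:
            reasons.append("target is gone but the autostart entry persists")
        if looks_random(name):
            reasons.append("entry name looks machine-generated")
        for candidate in filter(None, (name, exe_basename(target))):
            proc = lookalike_of(candidate)
            if proc:
                reasons.append(f"'{candidate}' imitates core process '{proc}'")
                break
        if reasons:
            findings.append((kind, name, reasons))
    return findings

if __name__ == "__main__":
    for kind, name, reasons in triage(SAMPLE_LOG):
        print(f"{kind} [{name}]: " + "; ".join(reasons))
```

On the sample, the two Temp-launched Run entries, the orphaned BHO, Winlogon Notify and SharedTaskScheduler entries, and the ctfmom/ctfnom lookalike are reported; the AVG, Spybot and real ctfmon entries are not.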

Comments

  • edited September 2008
    Hello, and welcome. :)

    Please download Malwarebytes' Anti-Malware by clicking the link below:
    http://www.besttechie.net/tools/mbam-setup.exe

    Double Click mbam-setup.exe to install the application.

    * Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select "Perform Quick Scan", then click Scan.
    * The scan may take some time to finish, so please be patient.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    * You'll be required to post the contents of this log later.

    Please Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


    ==============================================


    Ok. Let's have you download ComboFix.exe. This will give me a better view to the files running and also hidden on your computer and also those in the registry. Please visit this webpage for downloading and instructions for running the tool:

    Go here ======> A guide and tutorial on using ComboFix <====== Go here

    Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use SP2.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should get a prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:

    (1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    (2) Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review (copy and paste them, not attach), so that we may continue cleansing the system:

    MBAM log
    C:\ComboFix.txt
    New HijackThis log

    Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.
  • edited September 2008
    OK Great. Here are the logs:
    MBAM:
    Malwarebytes' Anti-Malware 1.28
    Database version: 1160
    Windows 5.1.2600 Service Pack 3

    16/09/2008 10:49:40 PM
    mbam-log-2008-09-16 (22-49-40).txt

    Scan type: Quick Scan
    Objects scanned: 52286
    Time elapsed: 6 minute(s), 6 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 5
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 6

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{d21d9540-6415-4288-bdd0-4453088d9d38} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d21d9540-6415-4288-bdd0-4453088d9d38} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28abc5c0-4fcb-11cf-aax5-81cx1c635612} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\MRSoft (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jnskdfmf9eldfd (Trojan.Downloader) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013 (Trojan.Agent) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\system32\smb32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\pns32.dll (Spyware.Banker) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\phcrf7j0ev9l.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\alog.txt (Stolen.Data) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\BN6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    ComboFix:
    ComboFix 08-09-15.02 - DaveRogers 2008-09-16 23:35:24.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.378 [GMT 10:00]
    Running from: C:\Documents and Settings\DaveRogers\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\AutoRun.inf

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    \Legacy_SYSREST.SYS
    \Service_sysrest.sys


    ((((((((((((((((((((((((( Files Created from 2008-08-16 to 2008-09-16 )))))))))))))))))))))))))))))))
    .

    2008-09-16 22:30 . 2008-09-16 22:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-16 22:30 . 2008-09-16 22:30 <DIR> d-------- C:\Documents and Settings\DaveRogers\Application Data\Malwarebytes
    2008-09-16 22:30 . 2008-09-16 22:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-09-16 22:30 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-16 22:30 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-09-14 22:16 . 2008-09-14 22:16 11,000 --a------ C:\someFile.jpg
    2008-09-14 18:51 . 2008-09-14 18:51 1,775 --a------ C:\ITempConverterserviceInterfaces.cs
    2008-09-13 23:56 . 2008-09-13 23:56 208 --a------ C:\WINDOWS\system32\MRT.INI
    2008-09-13 15:59 . 2008-09-13 16:00 <DIR> d-------- C:\Program Files\SpywareBlaster
    2008-09-13 15:59 . 2008-09-13 16:03 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-09-13 12:36 . 2008-09-13 12:36 <DIR> d-------- C:\Program Files\Panda Security
    2008-09-13 12:36 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
    2008-09-13 11:11 . 2008-09-13 11:11 <DIR> d-------- C:\Program Files\Lavasoft
    2008-09-13 11:11 . 2008-09-13 11:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-09-13 11:10 . 2008-09-13 11:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-08-31 11:02 . 2008-08-31 11:05 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-08-31 11:02 . 2008-08-31 12:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-08-30 19:02 . 2008-08-30 19:02 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
    2008-08-29 07:20 . 2008-08-29 07:20 0 -rahs---- C:\ctf
    2008-08-27 06:53 . 2008-09-13 23:56 32,256 --a------ C:\WINDOWS\system32\drivers\Nbi15.sys
    2008-08-26 19:04 . 2008-08-26 19:04 <DIR> d-------- C:\Documents and Settings\DaveRogers\Application Data\MonetDB4
    2008-08-26 19:02 . 2008-08-26 19:02 <DIR> d-------- C:\Program Files\CWI
    2008-08-26 18:53 . 2008-09-13 10:50 <DIR> dr-h----- C:\$VAULT$.AVG
    2008-08-24 16:36 . 2001-09-12 02:21 98,304 --a------ C:\WINDOWS\system32\tsccvid.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-16 07:55 d-----w C:\Documents and Settings\DaveRogers\Application Data\AVG7
    2008-09-15 09:02 d-----w C:\Program Files\Mozilla Thunderbird
    2008-09-13 13:55 d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-09-13 01:07 d-----w C:\Documents and Settings\DaveRogers\Application Data\gtk-2.0
    2008-08-29 10:25 d-----w C:\Documents and Settings\All Users\Application Data\avg7
    2008-08-09 02:21 32,136 ----a-w C:\Documents and Settings\DaveRogers\Application Data\GDIPFONTCACHEV1.DAT
    2008-08-07 09:24 d-----w C:\Program Files\glassfish-v2ur2
    2008-08-07 03:41 d-----w C:\Program Files\Java
    2008-08-06 23:56 d-----w C:\Documents and Settings\DaveRogers\Application Data\ImgBurn
    2008-08-06 23:48 d-----w C:\Program Files\ImgBurn
    2008-08-06 21:29 d-----w C:\Program Files\Apache Software Foundation
    2008-08-02 01:09 d--h--w C:\Program Files\InstallShield Installation Information
    2008-08-01 14:20 d-----w C:\Program Files\Trolltech
    2008-08-01 00:00 d-----w C:\Program Files\cSharp Audio Player
    2008-07-31 06:16 d-----w C:\Documents and Settings\DaveRogers\Application Data\LimeWire
    2008-07-30 23:03 d-----w C:\Program Files\Inkscape
    2008-07-30 22:52 d-----w C:\Program Files\Common Files\InstallShield
    2008-07-29 06:39 d-----w C:\Documents and Settings\DaveRogers\Application Data\Inkscape
    2008-07-26 12:09 d-----w C:\Program Files\BASS.NET
    2008-07-26 12:09 d-----w C:\Documents and Settings\DaveRogers\Application Data\BASS.NET
    2008-07-26 01:39 d-----w C:\Program Files\Microsoft SQL Server 2005 Mobile Edition
    2008-07-26 01:34 d-----w C:\Program Files\MSBuild
    2008-07-26 01:34 d-----w C:\Program Files\HTML Help Workshop
    2008-07-26 01:28 d-----w C:\Program Files\Common Files\Merge Modules
    2008-07-26 01:25 d-----w C:\Program Files\Common Files\Business Objects
    2008-07-26 01:24 d-----w C:\Program Files\CE Remote Tools
    2008-07-26 01:24 d-----w C:\Documents and Settings\All Users\Application Data\PreEmptive Solutions
    2008-07-26 00:04 d-----w C:\Program Files\Microsoft Visual Studio 8
    2008-07-25 07:12 d-----w C:\Documents and Settings\DaveRogers\Application Data\QDevelop
    2008-07-21 23:41 d-----w C:\Program Files\LimeWire
    2008-07-20 08:58 d-----w C:\Program Files\DVD Shrink
    2008-07-20 08:58 d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
    2008-07-20 08:53 d-----w C:\Program Files\The GodFather
    2008-07-18 23:45 d-----w C:\Program Files\Microsoft SQL Server
    2008-07-18 09:29 d-----w C:\Documents and Settings\DaveRogers\Application Data\SQLite Administrator
    2008-07-16 23:49 d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2008-07-16 23:15 d-----w C:\Program Files\MSXML 6.0
    2008-07-16 11:44 d-----w C:\Documents and Settings\DaveRogers\Application Data\MySQL
    2008-07-16 07:59 d-----w C:\Program Files\iriver
    2008-07-16 05:56 d-----w C:\Program Files\Microsoft.NET
    2008-07-16 05:52 d-----w C:\Program Files\Microsoft Device Emulator
    2008-07-16 02:31 d-----w C:\Documents and Settings\DaveRogers\Application Data\uTorrent
    2008-07-16 01:02 d-----w C:\Program Files\uTorrent
    2008-07-16 01:00 d-----w C:\Program Files\foobar2000
    2008-06-29 23:59 823,296 ----a-w C:\WINDOWS\j3dcore-d3d.dll
    2008-06-29 23:59 49,152 ----a-w C:\WINDOWS\j3dcore-ogl-chk.dll
    2008-06-29 23:59 40,960 ----a-w C:\WINDOWS\j3dcore-ogl-cg.dll
    2008-06-29 23:59 163,840 ----a-w C:\WINDOWS\j3dcore-ogl.dll
    2008-02-09 01:56 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
    2005-03-31 12:17 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
    "Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-04-15 1291264]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellTouch"="C:\WINDOWS\MMKeybd.exe" [2002-01-16 163840]
    "CAP2ON"="C:\WINDOWS\system32\Spool\Drivers\w32x86\3\CAP2ONN.EXE" [2003-04-17 22528]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-30 344064]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-07-14 579584]
    "DiskeeperSystray"="C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [2004-10-04 176216]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 385024]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 267048]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
    "RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
    "MaxtorOneTouch"="C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe" [2003-05-21 45056]
    "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
    "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-09 29744]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "TraySantaCruz"="C:\WINDOWS\system32\tbctray.exe" [2002-04-04 290816]
    "P17Helper"="P17.dll" [2005-05-03 C:\WINDOWS\system32\P17.dll]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-09 219136]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Canon LASER SHOT LBP-1210 Status Window.LNK - C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP2LAK.EXE [2003-04-17 30720]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.divxa32"= msaud32_divx.acm

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Nbi15.sys]
    @=&quot;Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Qrm13.sys]
    @=&quot;Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=
    "C:\\WINDOWS\\system32\\mmc.exe"=
    "C:\\Program Files\\Java\\jdk1.6.0_07\\bin\\java.exe"=
    "C:\\Program Files\\Java\\jdk1.6.0_07\\jre\\bin\\java.exe"=
    "C:\\Program Files\\CWI\\MonetDB4\\bin\\Mserver.exe"=

    R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544]
    R2 Nhksrv;Netropa NHK Server;C:\WINDOWS\Nhksrv.exe [2002-01-16 28672]
    R2 RapidPort2;RapidPort2;C:\WINDOWS\system32\Drivers\CAP2LPT.SYS [2003-04-17 23232]
    R3 Msikbd2k;DellTouch;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2002-01-16 6656]
    S0 Nbi15;Nbi15;C:\WINDOWS\system32\Drivers\Nbi15.sys [2008-09-13 32256]
    S0 Qrm13;Qrm13;C:\WINDOWS\system32\Drivers\Qrm13.sys [ ]
    S1 943a0045;943a0045;C:\WINDOWS\system32\drivers\943a0045.sys [ ]
    S3 Apache2.2;Apache2.2;C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe [2007-09-05 24635]
    S3 GoogleDesktopManager-010108-205858;Google Desktop Manager 5.7.801.1629;C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-02-09 29744]
    S3 restore;restore;C:\WINDOWS\system32\drivers\restore.sys [ ]
    S3 tbcspud;Santa Cruz Driver;C:\WINDOWS\system32\drivers\tbcspud.sys [2002-04-04 144768]
    S3 tbcwdm;Santa Cruz WDM Driver;C:\WINDOWS\system32\drivers\tbcwdm.sys [2002-04-04 545088]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;G:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{add44d14-52fa-11dd-a6a5-0007e9bf9acc}]
    \Shell\AutoRun\command - J:\xuvbvv.exe
    \Shell\explore\Command - J:\xuvbvv.exe
    \Shell\open\Command - J:\xuvbvv.exe
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Explorer_Run-ctfmom - C:\WINDOWS\system32\ctfnom.exe
    Notify-fhslem - fhslem.dll


    .
    Supplementary Scan
    .
    FireFox -: Profile - C:\Documents and Settings\DaveRogers\Application Data\Mozilla\Firefox\Profiles\q26glbud.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
    FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-16 23:39:30
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
    "ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
    .
    Other Running Processes
    .
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\CAP2RSK.EXE
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP2SWK.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\Program Files\Netropa\OSD.exe
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\ComboFix\pv.cfexe
    .
    **************************************************************************
    .
    Completion time: 2008-09-16 23:42:45 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-16 13:42:41

    Pre-Run: 6,698,676,224 bytes free
    Post-Run: 6,669,266,944 bytes free

    218 --- E O F --- 2008-09-13 13:57:12
    HijackThis:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:49:59 PM, on 16/09/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Nhksrv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\WINDOWS\MMKeybd.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\CAP2RSK.EXE
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP2SWK.EXE
    C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\system32\tbctray.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Rainlendar2\Rainlendar2.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP2LAK.EXE
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Netropa\OSD.exe
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\DaveRogers\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
    O4 - HKLM\..\Run: [CAP2ON] C:\WINDOWS\system32\Spool\Drivers\w32x86\3\CAP2ONN.EXE
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Canon LASER SHOT LBP-1210 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP2LAK.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202515759828
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: Google Desktop Manager 5.7.801.1629 (GoogleDesktopManager-010108-205858) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe

    --
    End of file - 8321 bytes
  • edited September 2008
    Looks like MBAM and ComboFix have done the job. How's your computer running now?
  • edited September 2008
    AVG found another infection (and cleaned it). But I've been there before. I'm sure there's still more lurking.
  • edited September 2008
    Please go HERE to run Panda ActiveScan 2.0
    • Click the big green Scan now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • Once the scan is completed, please hit the notepad icon next to the text Export to:
    • Save it to a convenient location such as your Desktop
    • Post the contents of the ActiveScan.txt in your next reply
  • edited September 2008
    I'll have to leave that scan run overnight. It's quite late here and nowhere near done.
    Will post log in the morning.
  • edited September 2008
    The scan stated that my machine is not infected.
  • edited September 2008
    Your computer appears to be clean now. Is everything running fine?
  • edited September 2008
    Seems to be working fine now.
    Thank you very much for your help.
  • edited September 2008
    Go to:
    Start > Run, then copy and paste the following highlighted text below into the box and click OK.

    ComboFix /u

    CF_Cleanup.png



    Glad we could be of assistance! The help you received here was free.

    This topic is now closed. If you wish it reopened, please send a Private Message to Trogan with a link to your thread.

    If you are not the user who started this thread, you must start your own Thread instead :)
    _______________________________
    Have we helped you with any issues you have had with your PCs or other items? If so, you can now help us by Joining Team 93 and fold for a cure.