# Winavxx.exe and its associates...



## Slaine_Mac_Roth (Aug 16, 2007)

Hi all

I found this site while searching for a solution to what seems to be a growing issue. Somewhere along the way I picked up a malware infection yesterday evening. I notice everyone seems to use hijackthis to add a log file to their post. I will be downloading and setting this up, but I thought I would start the post first with the situation so far. I have been able to remove some of the issues, but others are more stubborn. Also I don't seem to be experiencing the full symptoms, i.e. Task Manager has not been disabvled, but Control Panel has. I have isolated the machine from the internet and I am using my sons machine in their bedroom to search for the solution. I have typed up everything I have experienced so far and have included it in the body of this post below. In the meantime I will find Hijackthis, download it and copy to my machine.

*Malware attack 15/07/07 Winavxx.exe*

First noticed something was wrong when a yellow triangle with an exclamation mark appeared in the taskbar. A popup said the PC was infected with malware and gave a website to get software to remove it. On right clicking the Winavxx.exe icon in the taskbar to attempt to remove it, Internet Explorer was opened and tried to connect to the internet… I have Sygate Personal Firewall set to ask permission for all apps not personally opened by myself, so when Sygate asked if I would allow this action I declined. The resulting hijacking report showed the source as C:\WINDOWS\system32\WinAvXX.exe

I also noticed that when I used Google to search for info on winavxx.exe the links were redirected to dodgy advertising sites. At this point I set Sygate Personal Firewall to block all traffic.

At first I thought I might need to disable 'messenger' in 'services.msc', but when 'services.msc' was run 'messenger' was already disabled.

I then used the following software to scan the system:

*Autoruns*

Scan results: Autorun entry: WinAVX Descrip[tion: None Publisher: None 
Image Path: C:\WINDOWS\system32\WinAvXX.exe

After using 'Autoruns' I tried to remove Winavxx from the Taskbar and C:\Windows\System32, but as it was running this command was refused. I used Ctrl + Alt + Del to end the Winavxx.exe process and then deleted the file from the Taskbar and C:\Windows\System32.

*Lavasoft/Adaware*

Quarantined Infections
===========================
Root: HKCR Path: iehlprobj.iehlprobj belonging to Adware.IEHlpr
Root: HKCR Path: iehlprobj.iehlprobj.1 belonging to Adware.IEHlpr
Root: HKCR Path: iehlprobj.iehlprobj, Belonging to Adware.IEHlpr
Root: HKCR Path: iehlprobj.iehlprobj.1, Belonging to Adware.IEHlpr

*McAfee*

15/08/2007	21:54	Scan Started	LOUNGE\Pete	On-Demand Scan
15/08/2007	21:55	Scan Error	LOUNGE\Pete	Could not find a diskette in drive A:\.
15/08/2007	21:55	Scan Error	LOUNGE\Pete	Could not find a disk in the removable drive D:\.
15/08/2007	21:55	Scan Error	LOUNGE\Pete	Could not find a disk in the removable drive E:\.
15/08/2007	22:20	Infected LOUNGE\Pete	C:\Documents and Settings\Pete\Start Menu\Programs\Startup\system.exe	New Malware.j (Trojan) (No Remover Available)
15/08/2007	22:20	Clean Error	LOUNGE\Pete	C:\Documents and Settings\Pete\Start Menu\Programs\Startup\system.exe	New Malware.j (Trojan) (No Remover Available)
15/08/2007	22:20	Moved	LOUNGE\Pete	C:\Documents and Settings\Pete\Start Menu\Programs\Startup\system.exe	C:\QUARANTINE\system.exe
15/08/2007	23:04	Infected	LOUNGE\Pete	C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts	QHosts-54 (Trojan) (Removable)
15/08/2007	23:04	Deleted	LOUNGE\Pete	C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts	File was deleted as part of Cleaning it
15/08/2007	23:05	Scan Summary	LOUNGE\Pete	Scan Summary (Regular Scanning)
15/08/2007	23:05	Scan Summary	LOUNGE\Pete Boot sectors scanned : 1
15/08/2007	23:05	Scan Summary	LOUNGE\Pete Boot sectors infected : 0
15/08/2007	23:05	Scan Summary	LOUNGE\Pete Boot sectors cleaned : 0
15/08/2007	23:05	Scan Summary	LOUNGE\Pete Files scanned : 170653
15/08/2007	23:05	Scan Summary	LOUNGE\Pete Files infected : 2
15/08/2007	23:05	Scan Summary	LOUNGE\Pete Files cleaned : 0
15/08/2007	23:05	Scan Summary	LOUNGE\Pete Files deleted : 1
15/08/2007	23:05	Scan Summary	LOUNGE\Pete Files moved : 1
15/08/2007	23:05	Scan Summary	LOUNGE\Pete	Scan Summary (Memory Scanning)
15/08/2007	23:05	Scan Summary	LOUNGE\Pete Files scanned : 44
15/08/2007	23:05	Scan Summary	LOUNGE\Pete Files infected : 0
15/08/2007	23:05	Scan Complete	LOUNGE\Pete	On-Demand Scan

Re scanned with 'Autoruns' which found that WinAVX had respawned but could not find its root:

WinAVX File not found: C:\WINDOWS\system32\WinAvXX.exe

I connected to internet via a different machine to search Tech sites for solutions. There were several mentions of Winavxx.exe, stating that this was a recent malware discovery, but no solutions seemed to be available at this time. A more detailed search will be carried out on 16/07/07. Another interesting comment was that Winavxx.exe also spawns another .exe… Printer.exe

This was picked up in 'Autoruns' once I was aware of its existence… it confused me at first as it states its publisher as Microsoft Co.

Autorun entry: C:\WINDOWS\system32\printer.exe	Description: AntiVirus 2007 Pro	Publisher: Microsoft Co Image path: c:\windows\system32\printer.exe

These Autorun items have been deleted along with C:\WINDOWS\system32\printer.exe

Briefly reconnected to internet to check if IE/google were still being redirected. Google searches were still being redirected, but Favourites and direct URL's worked fine.

Adaware and McAffee will rescan and the system isolated until the infection has been removed completely.

*Update 16/07/07*

McAfee and Adaware were run again, but found no other infection.

When running Autoruns for the umpteenth time another file without a publisher and created at the same time as Winavxx.exe was found. This Autoruns entry is as follows:

Autorun entry: C:\WINDOWS\system32\hanonvt.ini	Description: none	Publisher: none Image path: c:\windows\system32\hanonvt.ini

When deleted in Autoruns and from c:\windows\system32 the file reappears after a couple of seconds. This sounds like there is at least one registry entry and there might be malicious files elsewhere in the system.

*Current status*

c:\windows\system32\hanonvt.ini Remains on system, cannot remove as yet. Possibly in Registry.
c:\windows\system32\printer.exe Appears to have been removed from system, with no respawn.
c:\windows\system32\WinAvXX.exe Appears to have been removed from system, with no respawn.

This sounds like there is at least one registry entry and there may be malicious files elsewhere in the system.

Any advice will be greatly appreciated.

[EDIT] I have been given a new unused copy of Norton 360 and was thinking of installing and running this. I'm not overly keen on Norton as it tends to use up a lot of resources, but apparently... or so I have been told, this is the most comprehensive security package out there. What does anyone think of this?[/EDIT]


----------



## Cookiegal (Aug 27, 2003)

Hi and welcome to TSG,

*Click here* and then scroll down to and click on *hijackthis self installer* to download *HJTsetup.exe*

Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This. 
Continue to click *Next* in the setup dialogue boxes until you get to the *Select Addition Tasks* dialogue.
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click *Finish* and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then ask you to save the log.
Click *Save* to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


----------



## Slaine_Mac_Roth (Aug 16, 2007)

Hi

I had already downloaded the new version of Hijackthis, but have rescanned with the version you suggested, just in case. The scan details were as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:31:53, on 19/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\HEWLET~1\HPPSC7~1\BIN\HPOEVM07.EXE
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\HPOSTS07.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
O4 - Global Startup: AutorunsDisabled
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUK.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUK.DLL
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://80.7.11.231/cab/OCXChecker_8000.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest.co.uk/motive/files/MotivePreQual.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\hanonvt.ini
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 7930 bytes

I'm not an expert with Malware at all, but I have found the program 'Autoruns' great at identifying unauthorised files listed in Start up. The one I seem to have problems with is listed in the HijackThis log:

O20 - AppInit_DLLs: C:\WINDOWS\system32\hanonvt.ini

I justy cannot seem to shift this at all... and there may be other issues I am not aware of  .

I look forward to hearing from you


----------



## Cookiegal (Aug 27, 2003)

This is the new version of HijackThis.

Download *ComboFix* to your Desktop.

Reboot to Safe mode:

Restart your computer and begin tapping the F8 key on your keyboard just before Windows starts to load. If done properly a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

Perform the following actions in *Safe Mode*.

Double click *combofix.exe * and follow the prompts.
When finished, it will produce a log for you. Post that log and a new *HijackThis* log in your next reply
*Note: Do not mouseclick combofix's window while it's running as that may cause it to stall*


----------



## Slaine_Mac_Roth (Aug 16, 2007)

Hi

Thanks for replying so quicly... the results of the scans are as follows:

*Combofix Log*

ComboFix 07-08-14.4 - "Pete" 2007-08-19 22:15:21.1 - *FAT32*x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.360 [GMT 1:00]

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\setup.exe
C:\WINDOWS\start.exe
C:\WINDOWS\system\svchest.reg

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\nm

((((((((((((((((((((((((( Files Created from 2007-07-19 to 2007-08-19 )))))))))))))))))))))))))))))))

2007-08-19 22:13	51,200	--a------	C:\WINDOWS\nircmd.exe
2007-08-19 13:27 d--------	C:\Program Files\Trend Micro
2007-08-15 21:00	37,376	--a------	C:\WINDOWS\SYSTEM32\vtr434.dll
2007-08-14 00:29	98,176	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\NBF.SYS
2007-08-13 13:14 d--hs----	C:\FOUND.008
2007-08-10 12:30 d--------	C:\Program Files\DivX
2007-08-10 12:21 d--------	C:\Program Files\SpywareBlaster
2007-08-10 08:30 d--hs----	C:\FOUND.007
2007-08-02 01:52 d--------	C:\Program Files\illiminable
2007-08-01 23:38 d--------	C:\Program Files\Lavasoft
2007-08-01 23:38 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-01 22:57 d--------	C:\aaw2007
2007-08-01 21:12 d--------	C:\DOCUME~1\Pete\APPLIC~1\Viewpoint
2007-07-31 18:16 d--hs----	C:\WINDOWS\ftpcache
2007-07-31 18:16 d--------	C:\Program Files\Strain Screensaver
2007-07-26 03:53	200,704	--a------	C:\WINDOWS\SYSTEM32\ssldivx.dll
2007-07-26 03:53	1,044,480	--a------	C:\WINDOWS\SYSTEM32\libdivx.dll
2007-07-26 00:23 d--------	C:\Program Files\Serif
2007-07-21 14:41	6,016	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\vnccom.SYS
2007-07-21 14:41	5,760	--a------	C:\WINDOWS\SYSTEM32\vnchelp.dll
2007-07-21 14:41	4,736	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\vncdrv.sys
2007-07-21 14:41	12,800	--a------	C:\WINDOWS\SYSTEM32\vncdrv.dll
2007-07-21 14:41 d--------	C:\Program Files\UltraVNC

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-15 23:42	---------	d--------	C:\DOCUME~1\Pete\APPLIC~1\WinRAR
2007-07-15 11:00	---------	d--------	C:\DOCUME~1\Pete\APPLIC~1\GetRightToGo
2003-08-27 14:19	36963	-ra------	C:\Program Files\Common Files\SM1updtr.dll
2001-05-10 13:06	271	---hs----	C:\Program Files\desktop.ini
2001-05-10 13:06	23357	---h-----	C:\Program Files\folder.htt

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2001-08-23 12:00 C:\WINDOWS\SYSTEM32\systray.exe]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2003-09-29 07:10]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-04-07 03:12]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2004-01-27 21:39]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 14:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-27 12:38]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2007-08-05 12:46]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2007-08-05 12:03]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-19 11:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-23 21:27]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-09-13 18:16]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HPAiODevice.lnk - C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe [2006-07-07 20:28:05]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\hanonvt.ini

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CiSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"PCTVOICE"=pctvoice.exe
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"Symantec Core LC"="C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" start
"AOLDialer"=C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
"QuickTime Task"="C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
"DSLSTATEXE"=C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
"DSLAGENTEXE"=C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
"%FP%Friendly fts.exe"="C:\Program Files\VoyagerTest\fts.exe"
"Symantec NetDriver Monitor"=C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"HostManager"=C:\Program Files\Common Files\AOL\1160597208\ee\AOLSoftware.exe
"IPHSend"=C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe
R3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys
S2 Office Source Engine Help;OESH;C:\Program Files\NetMeeting\msmsgs
S3 idmc1aud;Intel(r) Play(tm) USB Audio Filter (WDM);C:\WINDOWS\system32\drivers\idmc1aud.sys
S3 IDMC1Blk;Intel Play DMC Download Driver;C:\WINDOWS\system32\DRIVERS\IDMC1Blk.sys
S3 IDMC1Vxp;Intel(r) Play(tm) DMC Camera;C:\WINDOWS\system32\DRIVERS\idmc1vme.sys
S4 vnccom;vnccom;C:\WINDOWS\system32\Drivers\vnccom.SYS
S4 vncdrv;vncdrv;C:\WINDOWS\system32\DRIVERS\vncdrv.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b405d4f0-94fc-11db-b7e4-0011f567d9ea}]
AutoRun\command- setupSNK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

Contents of the 'Scheduled Tasks' folder
2007-08-15 08:42:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-19 21:06:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-19 22:23:45
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE [1788] 0x81E2EDA0

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-19 22:27:15 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-19 22:27

--- E O F ---

*Hijack This Log*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:32:28, on 19/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\HEWLET~1\HPPSC7~1\BIN\HPOEVM07.EXE
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\HPOSTS07.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUK.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUK.DLL
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://80.7.11.231/cab/OCXChecker_8000.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest.co.uk/motive/files/MotivePreQual.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\hanonvt.ini
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 7954 bytes

I have regained the Control Panel, but have yet to check the rest of the PC although hanonvt.ini is still on the system and is listed in the Autoruns scan.

HijackThis Log Item: O20 - AppInit_DLLs: C:\WINDOWS\system32\hanonvt.ini

The PC is still isolated from the internet while I run through your solution from a laptop. Thanks again... I'll wait for your next set of tasks before using the infected pc.


----------



## Cookiegal (Aug 27, 2003)

Go to Control Panel - Add/Remove programs and remove:

*Viewpoint*

Open Notepad and copy and paste the text in the quote box below into it:



> File::
> C:\WINDOWS\SYSTEM32\vtr434.dll
> C:\WINDOWS\system32\hanonvt.ini
> 
> ...


Save the file to you desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.










This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.


----------



## Slaine_Mac_Roth (Aug 16, 2007)

Hi

The two log files are listed below. However, there were a couple of onscreen messages this time round. The first appeared just after Combofix started up, but before the prompt to enter "1" to continue appeared:

"Google has blocked another program from changing the search settings. Click here to change your settings."

The sencond message appeared during the Combofix process and was only on screen for a short time and I only had a brief glimpse... the message said something like "Unable to change the following files as they are being used by another program" I am sure one of the files was C:\WINDOWS\system32\hanonvt.ini but I didn't get a chance to read the other file name before the message closed. I presume it was the second file in the CFScript document.

C:\WINDOWS\system32\hanonvt.ini is still on the system, but I can't find C:\WINDOWS\SYSTEM32\vtr434.dll

*Combofix Log*

ComboFix 07-08-14.4 - "Pete" 2007-08-20 1:15:36.2 - *FAT32*x86 
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.258 [GMT 1:00]
Command switches used :: C:\Documents and Settings\Pete\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\SYSTEM32\vtr434.dll
C:\WINDOWS\system32\hanonvt.ini

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\hanonvt.ini
C:\WINDOWS\SYSTEM32\vtr434.dll

((((((((((((((((((((((((( Files Created from 2007-07-20 to 2007-08-20 )))))))))))))))))))))))))))))))

2007-08-19 22:13	51,200	--a------	C:\WINDOWS\nircmd.exe
2007-08-19 13:27 d--------	C:\Program Files\Trend Micro
2007-08-14 00:29	98,176	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\NBF.SYS
2007-08-13 13:14 d--hs----	C:\FOUND.008
2007-08-10 12:30 d--------	C:\Program Files\DivX
2007-08-10 12:21 d--------	C:\Program Files\SpywareBlaster
2007-08-10 08:30 d--hs----	C:\FOUND.007
2007-08-02 01:52 d--------	C:\Program Files\illiminable
2007-08-01 23:38 d--------	C:\Program Files\Lavasoft
2007-08-01 23:38 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-01 22:57 d--------	C:\aaw2007
2007-08-01 21:12 d--------	C:\DOCUME~1\Pete\APPLIC~1\Viewpoint
2007-07-31 18:16 d--hs----	C:\WINDOWS\ftpcache
2007-07-31 18:16 d--------	C:\Program Files\Strain Screensaver
2007-07-26 03:53	200,704	--a------	C:\WINDOWS\SYSTEM32\ssldivx.dll
2007-07-26 03:53	1,044,480	--a------	C:\WINDOWS\SYSTEM32\libdivx.dll
2007-07-26 00:23 d--------	C:\Program Files\Serif
2007-07-21 14:41	6,016	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\vnccom.SYS
2007-07-21 14:41	5,760	--a------	C:\WINDOWS\SYSTEM32\vnchelp.dll
2007-07-21 14:41	4,736	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\vncdrv.sys
2007-07-21 14:41	12,800	--a------	C:\WINDOWS\SYSTEM32\vncdrv.dll
2007-07-21 14:41 d--------	C:\Program Files\UltraVNC

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-15 23:42	---------	d--------	C:\DOCUME~1\Pete\APPLIC~1\WinRAR
2007-07-15 11:00	---------	d--------	C:\DOCUME~1\Pete\APPLIC~1\GetRightToGo
2003-08-27 14:19	36963	-ra------	C:\Program Files\Common Files\SM1updtr.dll
2001-05-10 13:06	271	---hs----	C:\Program Files\desktop.ini
2001-05-10 13:06	23357	---h-----	C:\Program Files\folder.htt

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2001-08-23 12:00 C:\WINDOWS\SYSTEM32\systray.exe]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2003-09-29 07:10]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-04-07 03:12]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2004-01-27 21:39]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 14:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-27 12:38]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2007-08-05 12:46]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2007-08-05 12:03]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-19 11:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-23 21:27]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-09-13 18:16]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HPAiODevice.lnk - C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe [2006-07-07 20:28:05]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\hanonvt.ini

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CiSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"PCTVOICE"=pctvoice.exe
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"Symantec Core LC"="C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" start
"AOLDialer"=C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
"QuickTime Task"="C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
"DSLSTATEXE"=C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
"DSLAGENTEXE"=C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
"%FP%Friendly fts.exe"="C:\Program Files\VoyagerTest\fts.exe"
"Symantec NetDriver Monitor"=C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"HostManager"=C:\Program Files\Common Files\AOL\1160597208\ee\AOLSoftware.exe
"IPHSend"=C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe
R3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys
S2 Office Source Engine Help;OESH;C:\Program Files\NetMeeting\msmsgs
S3 idmc1aud;Intel(r) Play(tm) USB Audio Filter (WDM);C:\WINDOWS\system32\drivers\idmc1aud.sys
S3 IDMC1Blk;Intel Play DMC Download Driver;C:\WINDOWS\system32\DRIVERS\IDMC1Blk.sys
S3 IDMC1Vxp;Intel(r) Play(tm) DMC Camera;C:\WINDOWS\system32\DRIVERS\idmc1vme.sys
S4 vnccom;vnccom;C:\WINDOWS\system32\Drivers\vnccom.SYS
S4 vncdrv;vncdrv;C:\WINDOWS\system32\DRIVERS\vncdrv.sys

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

Contents of the 'Scheduled Tasks' folder
2007-08-15 08:42:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-19 21:06:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-20 01:22:52
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE [880] 0x81E9FB20

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-20 1:26:34 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-20 01:26
C:\ComboFix2.txt ... 2007-08-19 22:27

--- E O F ---

*HijackThis Log*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:30:22, on 20/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\HEWLET~1\HPPSC7~1\BIN\HPOEVM07.EXE
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\HPOSTS07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUK.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUK.DLL
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://80.7.11.231/cab/OCXChecker_8000.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest.co.uk/motive/files/MotivePreQual.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\hanonvt.ini
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 7954 bytes


----------



## Cookiegal (Aug 27, 2003)

Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program.

In the *Processes * group click *ALL* 
In the *Win32 Services * group click *ALL* 
In the *Driver Services * group click *ALL* 
In the *Registry * group click *ALL* 
In the *Files Created Within* group click *60 days* Make sure Non-Microsoft only is *UNCHECKED*
In the *Files Modified Within* group select *30 days* Make sure Non-Microsoft only is *UNCHECKED*
In the *File String Search* group select *ALL*
in the Additional scans sections please press select *ALL* 
Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file but click on the "Format" menu and make sure that "word wrap" is not checked. If it is then click on it to uncheck it.
Please post the resulting log here as an attachment.


----------



## Slaine_Mac_Roth (Aug 16, 2007)

Phew! This is a long one... I wasn't sure if you wanted the 'Non Microsoft Only' in Additional Scans unchecked as this wasn't stated, but thought that if you did you would have mentioned this in your post... or should I have thought otherwise...  

The file was too big to paste into this message, so it is included as an attachment.


----------



## Cookiegal (Aug 27, 2003)

Yes, beside "Additional scans" it was marked to select "ALL".

Disconnect from the Internet and disable your anti-virus and firewall programs. *Be sure to remember to re-start them before going on-line again.*

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program. Copy and paste the information in the quote box below into the pane where it says "Paste fix here" and then click the Run Fix button. The fix should only take a very short time and then you will be asked if you want to reboot. Choose Yes.

Post the latest .log file from the WinPFind3u folder (it will have a name in the format mmddyyyy_hhmmss.log) back here along with a new HijackThis log please.



> [Kill Explorer]
> [Registry - All]
> *AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
> YY -> C:\WINDOWS\system32\hanonvt.ini -> %System32%\hanonvt.ini
> ...


----------



## Slaine_Mac_Roth (Aug 16, 2007)

WinPFind3u stalled when I tried to run it. I left it for an hour but it is still not responding. When I entered the text and clicked Fix it started running but then changed to a blank window. I closed the window, checked that the security software and found that McAfee had come on again, even though I had disabled it. I tried to disable again, but it wouldn't disable. I have now uninstalled McAfee for the time being, but WinPFind3u is still stalling... it has been on for about one and a half hours now.

???


----------



## Cookiegal (Aug 27, 2003)

Did you disable your Sygate firewall too?


----------



## Slaine_Mac_Roth (Aug 16, 2007)

Yes. Sygate was definitely turned off. I have also checked Windows Firewall as well to make sure that wasn't on. I have a Spyblocker, but that shouldn't affect this program... should it?

Should I try running WinPFind3U again, with Spywareblaster disabled?


----------



## Cookiegal (Aug 27, 2003)

No SpywareBlaster would not be blocking this as it blocks only known malicious sites or ActiveX controls.

Go to Start- Run  type in CMD and click OK. The MSDOS window will be displayed. At the prompt type the following:

*SC Delete OESH *

Then press Enter.

Reboot and see if you can run the fix again please.


----------



## Slaine_Mac_Roth (Aug 16, 2007)

I followed your advice, but it came back with:

"[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service."


----------



## Cookiegal (Aug 27, 2003)

Please open HijackThis.
Click on *Open Misc Tools Section*
Make sure that both boxes beside "Generate StartupList Log" are checked:

*List all minor sections(Full)*
*List Empty Sections(Complete)*
Click *Generate StartupList Log*.
Click *Yes* at the prompt.
It will open a text file. Please copy the entire contents of that page and paste it here.


----------



## Slaine_Mac_Roth (Aug 16, 2007)

Thanks for your help with this.... it is really appreciated.

The HijackThis Startup list is attached.


----------



## Cookiegal (Aug 27, 2003)

I have to go out and will look at the startup log later this afternoon but in the meantime, this infection has just been incorporated into a tool so please do this:

Please download *SmitfraudFix* (by *S!Ri*)

Extract (unzip) the content (a folder named *SmitfraudFix*) to your Desktop.

Open the *SmitfraudFix* folder and double-click *smitfraudfix.cmd*
Select option #1 - *Search* by typing *1* and press "*Enter*"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

*Note* : *process.exe* is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Warning: Do not run Option #2 until you are instructed to do so. Running option #2 on a non infected computer will remove your Desktop background.


----------



## Slaine_Mac_Roth (Aug 16, 2007)

Thanks. The report is attached.


----------



## Cookiegal (Aug 27, 2003)

I'm pasting the report here for easier viewing. Please only attach files if it's necessary because of their size or we ask. 

SmitFraudFix v2.214

Scan done at 21:22:27.40, 21/08/2007
Run from C:\Documents and Settings\Pete\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\HEWLET~1\HPPSC7~1\BIN\HPOEVM07.EXE
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\HPOSTS07.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\hanonvt.ini FOUND !
C:\WINDOWS\system32\migicons.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Pete

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Pete\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\PETE\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\\WINDOWS\\system32\\hanonvt.ini"

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End


----------



## Cookiegal (Aug 27, 2003)

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, open the *SmitfraudFix* folder again and double-click *smitfraudfix.cmd*
Select option #2 - *Clean* by typing *2* and press "*Enter*" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing *Y* and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if *wininet.dll* is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing *Y* and press "Enter".

If the tool detects that you have a DNS hijack, it will prompt you to reconfigure the network in DHCP.

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.

The report can also be found at the root of the system drive, usually at *C:\rapport.txt*


----------



## Slaine_Mac_Roth (Aug 16, 2007)

Cookiegal said:


> You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing *Y* and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
> 
> The tool will now check if *wininet.dll* is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing *Y* and press "Enter".
> 
> If the tool detects that you have a DNS hijack, it will prompt you to reconfigure the network in DHCP.


None of the above happened after I typed "2" and pressed enter. The program started scanning, a couple of windows/messages popped up and closed really quickly and then the desktop has disappeared... including Icons. The 'Safe mode' text is still visible in the corners, as well as the OS details across the top of the screen.

Has it completed its task without prompts?

[EDIT] I have left the machine in the above state until I hear from you. I am in a lucky position where I can use my partners work laptop to use this forum while the desktop is isolated.[/EDIT]


----------



## Cookiegal (Aug 27, 2003)

Please post a new HijackThis log.


----------



## Slaine_Mac_Roth (Aug 16, 2007)

As requested...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:14:22, on 23/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\HEWLET~1\HPPSC7~1\BIN\HPOEVM07.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\HPOSTS07.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUK.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUK.DLL
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://80.7.11.231/cab/OCXChecker_8000.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest.co.uk/motive/files/MotivePreQual.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\hanonvt.ini
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 7152 bytes


----------



## Cookiegal (Aug 27, 2003)

1. Please *download* *The Avenger* by Swandog46 to your *Desktop*.
Click on Avenger.zip to open the file
Extract *avenger.exe* to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (*Ctrl+C*):



> Files to delete:
> C:\WINDOWS\system32\hanonvt.ini


_*
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.*_

3. Now, *start The Avenger program* by clicking on its icon on your desktop.
 Under "*Script file to execute*" choose "*Input Script Manually*".
Now click on the *Magnifying Glass icon* which will open a new window titled "*View/edit script*" 
 Paste the text copied to clipboard into this window by pressing (*Ctrl+V*).
 Click *Done* 
 Now click on the *Green Light* to begin execution of the script 
 Answer "*Yes*" twice when prompted.
4. *The Avenger will automatically do the following*:
It will *Restart your computer*. ( In cases where the code to execute contains "*Drivers to Unload*", The Avenger will actually *restart your system twice.*) 
On reboot, it will briefly *open a black command window* on your desktop, this is normal.
After the restart, it *creates a log file* that should open with the results of Avengers actions. This log file will be located at *C:\avenger.txt*
 The Avenger will also have *backed up all the files, etc., that you asked it to delete*, and will have zipped them and moved the zip archives to *C:\avenger\backup.zip*.
5. Please *copy/paste* the content of *c:\avenger.txt* into your reply *along with a fresh HijackThis log. *


----------



## Slaine_Mac_Roth (Aug 16, 2007)

Hi

This seems to have achieved something... although I do have a question: Avenger seems to have deleted the file C:\WINDOWS\system32\hanonvt.ini as it is no longer in this location, however there is still an instance in the startup. I ran Autoruns which showed the following:

*C:\WINDOWS\system32\hanonvt.ini	File not found: C:\WINDOWS\system32\hanonvt.ini*

In addition there was another file listed in Autoruns that I have not noticed before, also without a publisher and from the System32 folder:

*catchme File not found: C:\DOCUME~1\Pete\LOCALS~1\Temp\catchme.sys*

and another file that I had noticed, but was prior to this infection by several months:

*lsdelete c:\windows\system32\lsdelete.exe*

Should I delete these from the auto run list in Autoruns?

As requested:

*Avenger log*

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\kjkeiwwm

*******************

Script file located at: \??\C:\WINDOWS\cwkkyeid.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\hanonvt.ini deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

*Hijackthis log*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:41:15, on 23/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\HEWLET~1\HPPSC7~1\BIN\HPOEVM07.EXE
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\HPOSTS07.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUK.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUK.DLL
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://80.7.11.231/cab/OCXChecker_8000.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest.co.uk/motive/files/MotivePreQual.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\hanonvt.ini
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 7185 bytes

It is interesting that Hijackthis is still showing O20 - AppInit_DLLs: C:\WINDOWS\system32\hanonvt.ini


----------



## Cookiegal (Aug 27, 2003)

Go to *Start*- Run  type in *CMD *and click OK. The MSDOS window will be displayed. At the prompt type the following:

*SC Stop "Office Source Engine Help"*

Then press Enter

Type:

*SC "Office Source Engine Help"*

Then press Enter.

Then run Option 1 of SmitfraudFix again please and post the log.


----------



## Slaine_Mac_Roth (Aug 16, 2007)

I have attached a jpg image of the cmd screen after I followed your instructions. There is a y/n question at the end of the command string and I wanted to check before I select No.

*SmitFraudFix v2.214*

Scan done at 0:11:14.30, 24/08/2007
Run from C:\Documents and Settings\Pete\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\HEWLET~1\HPPSC7~1\BIN\HPOEVM07.EXE
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\HPOSTS07.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\sc.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Pete

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Pete\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\PETE\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\\WINDOWS\\system32\\hanonvt.ini"

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End


----------



## Cookiegal (Aug 27, 2003)

Sorry, it's my mistake when copying and pasting. The command should be:

*SC Delete "Office Source Engine Help"*

You can answer No to that and redo the command please.

Let me know how it goes.


----------



## Slaine_Mac_Roth (Aug 16, 2007)

No problem...

I carried out the SC Delete command which was successful.

I also ran another log just in case.

*SmitFraudFix v2.214*

Scan done at 0:55:58.65, 24/08/2007
Run from C:\Documents and Settings\Pete\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\HEWLET~1\HPPSC7~1\BIN\HPOEVM07.EXE
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\HPOSTS07.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Pete

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Pete\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\PETE\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\\WINDOWS\\system32\\hanonvt.ini"

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End


----------



## Cookiegal (Aug 27, 2003)

Let's see if we can get option 2 to run now.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, open the *SmitfraudFix* folder again and double-click *smitfraudfix.cmd*
Select option #2 - *Clean* by typing *2* and press "*Enter*" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing *Y* and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if *wininet.dll* is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing *Y* and press "Enter".

If the tool detects that you have a DNS hijack, it will prompt you to reconfigure the network in DHCP.

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.

The report can also be found at the root of the system drive, usually at *C:\rapport.txt*


----------



## Slaine_Mac_Roth (Aug 16, 2007)

Looks like we are moving in the right direction :up:

*SmitFraudFix v2.214*

Scan done at 9:14:05.29, 24/08/2007
Run from C:\Documents and Settings\Pete\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» DNS

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

*Logfile of Trend Micro HijackThis v2.0.2*
Scan saved at 09:20:19, on 24/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\HEWLET~1\HPPSC7~1\BIN\HPOEVM07.EXE
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\HPOSTS07.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUK.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUK.DLL
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://80.7.11.231/cab/OCXChecker_8000.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest.co.uk/motive/files/MotivePreQual.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 6772 bytes


----------



## Cookiegal (Aug 27, 2003)

That's good. It worked this time.

You need to reinstall your anti-virus immediately.

Download and install *AVG Anti-Spyware v7.5* 

After download, double click on the file to launch the install process. 
Choose a language, click "*OK*" and then click "*Next*". 
Read the "_License Agreement_" and click "*I Agree*". 
Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "*Next*", then click "*Install*". 
After setup completes, click "*Finish*" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray. 
The main "*Status*" menu will appear. Select "_Change state_" to inactivate '*Resident Shield*' and '*Automatic Updates*'. _As AVG Anti-Spyware may interfere with some of our other fixes, we are temporarily disabling its active protection features until your system is clean, then you can re-enable them._ 
Then right click on AVG Anti-Spyware in the system tray and *uncheck* "*Start with Windows*". 
Connect to the Internet, go back to AVG Anti-Spyware, select the "*Update*" button and click "*Start update*". 
Wait until you see the "_Update successful_" message. If you are having problems with the updater, manually download and update with the AVG Anti-Spyware Full database installer. 
Exit AVG Anti-Spyware when done - *DO NOT perform a scan yet*.
*Reboot your computer in SAFE MODE* using the *F8* method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". _(Note: When run in safe mode, sometimes the GUI is larger than the screen and the buttons at the bottom are partly or completely hidden, making them inaccessible for doing a scan. If this happens press Alt + Spacebar. A menu will come open, make sure you select maximize then run the scan. If that does not help, then you may have to run your scan in normal mode and advise your helper afterwards.)_

*Scan with AVG Anti-Spyware as follows*:
Click on the "*Scanner*" button and choose the "*Settings*" tab.

Under "*How to act?*", click on "*Recommended actions*" and choose "*Quarantine*" to set default action for detected malware. 
Under "*How to Scan? *", "*Possibly unwanted software*", and *What to Scan?*" leave all the default settings. 
Under "*Reports*" select "*Do not automatically generate reports*". 
Click the "*Scan*" tab to return to scanning options. 
Click "*Complete System Scan*" to start. 
When the scan has finished, it should automatically be set to *Quarantine*--if not click on _Recommended Action_ and set it there. 
You will also be presented with a list of infected objects found. Click "*Apply all actions*" to place the files in Quarantine.
_*IMPORTANT!* Do not save the report before you have clicked the :*Apply all actions* button. If you do, the log that is created will indicate "*No action taken*", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button._
Click on "*Save Report*" to view all completed scans. Click on the most recent scan you just performed and select "*Save report as*" - the default file name will be in date/time format as follows: *Report-Scan-20060620-142816.txt*. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\ 
Exit AVG Anti-Spyware when done, reboot normally and post the log report in your next response.
_Note: Close all open windows, programs, and *DO NOT USE the computer while AVG Anti-Spyware is scanning*. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection._

_AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can continue to use as an on-demand scanner or you may purchase a license to use the full version. We are installing AVG Anti-Spyware with its real-time protection disabled. Once your system is clean you may re-enable it so you can continue using this feature for the remainder of the trial period._

Please go *HERE* to run Panda's ActiveScan
You need to use IE to run this scan
Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *My Computer* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location. Post the contents of the ActiveScan report

*Come back here and post a new HijackThis log along with the logs from the AVG and Panda scans.*

Also, navigate to this folder and let me know what files it contains please:

C:\Documents and Settings\Pete\Start Menu\Programs\Startup


----------



## Slaine_Mac_Roth (Aug 16, 2007)

Hi

I am afraid that I will have to leave the rest of this until 1st/2nd September now... sorry if that causes any problems. We are off on a family holiday in six hours time and I still have loads to do.

I have had a problem with reinstalling my AV software... The McAfee disc I have is quite old and it appears that an update is not available on the update server, which is causing the update of virus files to fail.

I have now installed Norton 360, but have not run any scans yet. I was going to see what your comments were. If I don't hear from you in the next couple of hours I will be in touch in a weeks time.

Thank you very much for all the time you have put into this.

[edit] I meant to add that I have downloaded and updated AVG and followed your instructions to "Do NOT perform a scan yet" [/edit]


----------



## Cookiegal (Aug 27, 2003)

OK, that's fine. As long as you have an anti-virus onboard and functional for the time being. 

The instructions say to run the AVG-AS scan and then to do Panda but if you can only do that when you return, that's fine.

Enjoy your vacation.


----------



## Slaine_Mac_Roth (Aug 16, 2007)

I am having an online chat to a symantec tech at the moment with a liveupdate error on the Norton 360

By the time this is sorted it will be time to leave I think.... and I haven't got any sleep yet  

I have just rembered why I stopped using Norton all those years ago...

See you in a week


----------



## Cookiegal (Aug 27, 2003)

I'll be here.


----------



## Slaine_Mac_Roth (Aug 16, 2007)

Hi

Sorry... it's been a little longer than a week. I have had so much to catch up with at work I just haven't had time to look at the PC until now.

Scan results as requested:

*AVG Scan*

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at:	23:07:28 17/09/2007

+ Scan result:

C:\Documents and Settings\Pete\Desktop\WinPFind3u\MovedFiles\WINDOWS\SYSTEM32\hanonvt.ini -> Downloader.Agent.bxx : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hanonvt.ini.vir -> Downloader.Agent.bxx : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vtr434.dll.vir -> Downloader.Agent.bxx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{39253567-4993-4785-BC9F-E9EBEFF36AFB}\RP91\A0053453.ini -> Downloader.Agent.bxx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{39253567-4993-4785-BC9F-E9EBEFF36AFB}\RP91\A0053454.ini -> Downloader.Agent.bxx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{39253567-4993-4785-BC9F-E9EBEFF36AFB}\RP91\A0053455.ini -> Downloader.Agent.bxx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{39253567-4993-4785-BC9F-E9EBEFF36AFB}\RP91\A0053456.ini -> Downloader.Agent.bxx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{39253567-4993-4785-BC9F-E9EBEFF36AFB}\RP91\A0053457.ini -> Downloader.Agent.bxx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{39253567-4993-4785-BC9F-E9EBEFF36AFB}\RP91\A0053472.ini -> Downloader.Agent.bxx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{39253567-4993-4785-BC9F-E9EBEFF36AFB}\RP91\A0053476.ini -> Downloader.Agent.bxx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{39253567-4993-4785-BC9F-E9EBEFF36AFB}\RP92\A0054635.DLL -> Downloader.Agent.bxx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{39253567-4993-4785-BC9F-E9EBEFF36AFB}\RP92\A0054636.INI -> Downloader.Agent.bxx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{39253567-4993-4785-BC9F-E9EBEFF36AFB}\RP93\A0054850.ini -> Downloader.Agent.bxx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{39253567-4993-4785-BC9F-E9EBEFF36AFB}\RP94\A0055887.ini -> Downloader.Agent.bxx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{39253567-4993-4785-BC9F-E9EBEFF36AFB}\RP97\A0056004.exe -> Downloader.Small.dua : Cleaned with backup (quarantined).
C:\Documents and Settings\Hazel\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Hazel\Cookies\[email protected][1].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Documents and Settings\Hazel\Cookies\[email protected][1].txt -> TrackingCookie.Adobe : Cleaned.
C:\Documents and Settings\default\Cookies\[email protected][2].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Hazel\Cookies\[email protected][2].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Hazel\Cookies\[email protected][2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Hazel\Cookies\[email protected][1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Josh\Cookies\[email protected][2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\default\Cookies\[email protected][2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\default\Cookies\[email protected][1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\default\Cookies\[email protected][2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Pete\Cookies\[email protected][1].txt -> TrackingCookie.Clickhype : Cleaned.
C:\Documents and Settings\Hazel\Cookies\[email protected][2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Pete\Cookies\[email protected][1].txt -> TrackingCookie.Cnn : Cleaned.
C:\Documents and Settings\Hazel\Cookies\[email protected][1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Pete\Cookies\[email protected][4].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\default\Cookies\[email protected][1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Hazel\Cookies\[email protected][2].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\Pete\Cookies\[email protected][5].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\default\Cookies\[email protected][1].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\default\Cookies\[email protected][2].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\Pete\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Hazel\Cookies\[email protected][1].txt -> TrackingCookie.Intelli-direct : Cleaned.
C:\Documents and Settings\Pete\Cookies\[email protected][1].txt -> TrackingCookie.Intelli-direct : Cleaned.
C:\Documents and Settings\Pete\Cookies\[email protected][2].txt -> TrackingCookie.Komtrack : Cleaned.
C:\Documents and Settings\default\Cookies\[email protected][2].txt -> TrackingCookie.Live : Cleaned.
C:\Documents and Settings\default\Cookies\[email protected][1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\default\Cookies\[email protected][2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Hazel\Cookies\[email protected][1].txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\Jazzy\Cookies\[email protected][1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Hazel\Cookies\[email protected][1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
C:\Documents and Settings\Hazel\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Hazel\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Hazel\Cookies\[email protected][2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Hazel\Cookies\[email protected][1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\default\Cookies\[email protected][1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Hazel\Cookies\[email protected][1].txt -> TrackingCookie.Real : Cleaned.
C:\Documents and Settings\default\Cookies\[email protected][1].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Pete\Cookies\[email protected][2].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Pete\Cookies\[email protected][1].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Hazel\Cookies\[email protected][2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Pete\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Hazel\Cookies\[email protected][1].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Hazel\Cookies\[email protected][2].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Jazzy\Cookies\[email protected][1].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\default\Cookies\[email protected][2].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Hazel\Cookies\[email protected][1].txt -> TrackingCookie.Yadro : Cleaned.
C:\Documents and Settings\default\Cookies\[email protected][2].txt -> TrackingCookie.Yadro : Cleaned.

::Report end

*The Panda Scan*

Incident Status Location

Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\SYSTEM32\Process.exe 
Virus:Bck/Hupigon.AYO Disinfected C:\WINDOWS\IIS\IISSETS 
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NIRCMD.EXE 
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Pete\Desktop\ComboFix.exe[nircmd.exe] 
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Pete\Desktop\SmitfraudFix\SmitfraudFix\Process.exe 
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Pete\Desktop\SmitfraudFix\SmitfraudFix\RESTART.EXE 
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Pete\Desktop\Malware stuff\SmitfraudFix.zip[SmitfraudFix/Process.exe] 
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Pete\Desktop\Malware stuff\SmitfraudFix.zip[SmitfraudFix/restart.exe] 
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Pete\Cookies\[email protected][2].txt 
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Pete\Cookies\[email protected][1].txt 
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Pete\Cookies\[email protected][3].txt 
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Pete\Cookies\[email protected][1].txt 
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Pete\Cookies\[email protected][1].txt 
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Hazel\Cookies\[email protected][5].txt 
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Hazel\Cookies\[email protected][1].txt 
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Hazel\Cookies\[email protected][2].txt 
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Hazel\Cookies\[email protected][1].txt 
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Hazel\Cookies\[email protected][2].txt 
Spyware:Cookie/Buydomains Not disinfected C:\Documents and Settings\Hazel\Cookies\[email protected][1].txt 
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Hazel\Cookies\[email protected][1].txt 
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Hazel\Cookies\[email protected][2].txt 
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Hazel\Cookies\[email protected][2].txt 
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Hazel\Cookies\[email protected][1].txt

*HiJackThis Scan*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:43:03, on 18/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\HEWLET~1\HPPSC7~1\BIN\HPOEVM07.EXE
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\HPOSTS07.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUK.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUK.DLL
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://80.7.11.231/cab/OCXChecker_8000.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest.co.uk/motive/files/MotivePreQual.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8410 bytes

When I checked out *C:\Documents and Settings\Pete\Start Menu\Programs\Startup* there were no files present. I also checked that there were no hidden files.

Just to keep you informed, I uninstalled Norton 360 as it took up too much RAM and had a problem with the live update. I obtained a copy of the latest McAfee and installed that instead.


----------



## Cookiegal (Aug 27, 2003)

There are still some components of Norton installed so please go to the following link and run the removal tool:

http://service1.symantec.com/SUPPOR...2005033108162039&nsf=tsgeninfo.nsf&view=docid

*Your Sun Java is out of date.* Older versions have vulnerabilities that malware can exploit to infect your system.
*Please follow these steps to remove older version Java components and update.*

*Updating Java:* 

Download the latest version of *Java Runtime Environment (JRE) 6u2*. 
Scroll down to where it says "_Java Runtime Environment (JRE) 6u2 allows end-users to run Java applications_". 
Click the "*Download*" button to the right. 
Check the box that says: "*Accept*_ License Agreement_". 
The page will refresh. 
Click on the link to download _Windows Offline Installation_ with or without Multi-language and save to your desktop. 
Close any programs you may have running - especially your web browser. 
Go to *Start* > *Control Panel* double-click on *Add/Remove* programs and remove all older versions of Java. 
Check any item with Java Runtime Environment (JRE or J2SE) in the name. 
Click the *Remove* or *Change/Remove* button. 
Repeat as many times as necessary to remove each Java versions. 
Reboot your computer once all Java components are removed. 
Then from your desktop double-click on the download to install the newest version.

Everything else looks good. How are things running now?


----------



## Slaine_Mac_Roth (Aug 16, 2007)

All done!

Everything seems okay, although I'm not sure I fully trust the security I have in place now that my inner sanctum has been violated!!!  

I was thinking of using A-Squared 3 as a real time malware scanner and AdAware as a secondary clean-up tool... What's your opinion on the best security line-up?

There were a couple of entry's on the Sygate Firewall log that I wasn't sure about. C:\windows\system32\ntoskrnl.exe and C:\windows\system32\Drivers\nsiduio.sys have been very active since I have connected the pc back on the internet. I know they are both system files, but is it likely if this is suspicious?

Look forward to hearing from you.

Pete


----------



## Cookiegal (Aug 27, 2003)

Those should normally be allowed through the firewall but can be exploited. ComboFix should pick up on any abnormality so please remove the version that you already have as we need to be sure to have the latest one.

Download ComboFix from *Here* or *Here* to your Desktop.

Double click *combofix.exe * and follow the prompts.
When finished, it shall produce a log for you. Post that log and a *HiJackthis* log in your next reply
*Note: Do not mouseclick combofix's window while its running. That may cause it to stall*


----------



## Slaine_Mac_Roth (Aug 16, 2007)

*Combofix log*

ComboFix 07-09-18.4 - "Pete" 2007-09-19 22:14:52.3 - *FAT32*x86 
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.168 [GMT 1:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\windows.scr

.
((((((((((((((((((((((((( Files Created from 2007-08-19 to 2007-09-19 )))))))))))))))))))))))))))))))
.

2007-09-17 23:26 d--------	C:\WINDOWS\SYSTEM32\ActiveScan
2007-09-16 23:50	58,464	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\mvstdi5x.sys
2007-09-16 23:50	116,864	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\naiavf5x.sys
2007-09-16 23:50 d--------	C:\Program Files\Network Associates
2007-09-16 23:50 d--------	C:\Program Files\Common Files\Network Associates
2007-09-16 23:50 d--------	C:\Program Files\Common Files\Cisco Systems
2007-09-16 23:50 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Network Associates
2007-09-16 23:50 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-08-25 00:02 d--h-----	C:\WINDOWS\$hf_mig$
2007-08-24 23:33 d--------	C:\DOCUME~1\Pete\APPLIC~1\Symantec
2007-08-24 22:10 d--------	C:\Program Files\SupportSoft
2007-08-24 20:58	83,096	--a------	C:\WINDOWS\SYSTEM32\SSSensor.dll
2007-08-24 20:58	60,496	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\Teefer.sys
2007-08-24 20:58	21,075	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\wpsdrvnt.sys
2007-08-24 20:58	14,568	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\wg6n.sys
2007-08-24 20:58	14,568	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\wg5n.sys
2007-08-24 20:58	14,568	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\wg4n.sys
2007-08-24 20:58	14,568	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\wg3n.sys
2007-08-24 20:58 d--------	C:\Program Files\Sygate
2007-08-24 20:54	10,872	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-08-24 20:38 d--------	C:\McAfee
2007-08-21 21:22	53,248	--a------	C:\WINDOWS\SYSTEM32\Process.exe
2007-08-21 21:22	51,200	--a------	C:\WINDOWS\SYSTEM32\dumphive.exe
2007-08-21 21:22	288,417	--a------	C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-08-21 21:22	2,774	--a------	C:\WINDOWS\SYSTEM32\tmp.reg
2007-08-19 22:13	51,200	--a------	C:\WINDOWS\nircmd.exe
2007-08-19 13:27 d--------	C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-08-10 12:30	---------	d--------	C:\Program Files\DivX
2007-08-10 12:21	---------	d--------	C:\Program Files\SpywareBlaster
2007-08-02 01:53	---------	d--------	C:\Program Files\illiminable
2007-08-01 23:38	---------	d--------	C:\Program Files\Lavasoft
2007-08-01 23:38	---------	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-31 18:16	---------	d--------	C:\Program Files\Strain Screensaver
2007-07-30 19:19	92504	--a------	C:\WINDOWS\SYSTEM32\dllcache\cdm.dll
2007-07-30 19:19	92504	--a------	C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 19:19	549720	--a------	C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 19:19	549720	--a------	C:\WINDOWS\SYSTEM32\dllcache\wuapi.dll
2007-07-30 19:19	53080	--a------	C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 19:19	53080	--a------	C:\WINDOWS\SYSTEM32\dllcache\wuauclt.exe
2007-07-30 19:19	43352	--a------	C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 19:19	325976	--a------	C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 19:19	325976	--a------	C:\WINDOWS\SYSTEM32\dllcache\wucltui.dll
2007-07-30 19:19	203096	--a------	C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 19:19	203096	--a------	C:\WINDOWS\SYSTEM32\dllcache\wuweb.dll
2007-07-30 19:19	1712984	--a------	C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 19:19	1712984	--a------	C:\WINDOWS\SYSTEM32\dllcache\wuaueng.dll
2007-07-30 19:18	33624	--a------	C:\WINDOWS\SYSTEM32\wups.dll
2007-07-30 19:18	33624	--a------	C:\WINDOWS\SYSTEM32\dllcache\wups.dll
2007-07-26 03:53	200704	--a------	C:\WINDOWS\SYSTEM32\ssldivx.dll
2007-07-26 03:53	1044480	--a------	C:\WINDOWS\SYSTEM32\libdivx.dll
2007-07-26 00:23	---------	d--------	C:\Program Files\Serif
2007-03-05 19:59	9232	--a------	C:\DOCUME~1\PETE\mqdmmdfl.sys
2007-03-05 19:59	92064	--a------	C:\DOCUME~1\PETE\mqdmmdm.sys
2007-03-05 19:59	79328	--a------	C:\DOCUME~1\PETE\mqdmserd.sys
2007-03-05 19:59	66656	--a------	C:\DOCUME~1\PETE\mqdmbus.sys
2007-03-05 19:59	6208	--a------	C:\DOCUME~1\PETE\mqdmcmnt.sys
2007-03-05 19:59	5936	--a------	C:\DOCUME~1\PETE\mqdmwhnt.sys
2007-03-05 19:59	4048	--a------	C:\DOCUME~1\PETE\mqdmcr.sys
2007-03-05 19:59	25600	--a------	C:\DOCUME~1\PETE\usbsermptxp.sys
2007-03-05 19:59	22768	--a------	C:\DOCUME~1\PETE\usbsermpt.sys
2006-07-09 08:35	9101877	--a------	C:\DOCUME~1\HAZEL\gesetup30.exe
2003-08-27 14:19	36963	-ra------	C:\Program Files\Common Files\SM1updtr.dll
2001-05-10 13:06	271	---hs----	C:\Program Files\desktop.ini
2001-05-10 13:06	23357	---h-----	C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2001-08-23 12:00 C:\WINDOWS\SYSTEM32\systray.exe]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2004-01-27 21:39]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 14:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-27 12:38]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2007-08-05 12:46]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-19 11:06]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 08:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2005-12-07 03:55]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 09:48]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-23 21:27]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-09-13 18:16]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
HPAiODevice.lnk - C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe [2006-07-07 20:28:05]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CiSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"PCTVOICE"=pctvoice.exe
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"Symantec Core LC"="C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" start
"AOLDialer"=C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
"QuickTime Task"="C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
"DSLSTATEXE"=C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
"DSLAGENTEXE"=C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
"%FP%Friendly fts.exe"="C:\Program Files\VoyagerTest\fts.exe"
"Symantec NetDriver Monitor"=C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"HostManager"=C:\Program Files\Common Files\AOL\1160597208\ee\AOLSoftware.exe
"IPHSend"=C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe
R3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
R3 EntDrv51;EntDrv51;\??\C:\WINDOWS\system32\drivers\EntDrv51.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys
S3 idmc1aud;Intel(r) Play(tm) USB Audio Filter (WDM);C:\WINDOWS\system32\drivers\idmc1aud.sys
S3 IDMC1Blk;Intel Play DMC Download Driver;C:\WINDOWS\system32\DRIVERS\IDMC1Blk.sys
S3 IDMC1Vxp;Intel(r) Play(tm) DMC Camera;C:\WINDOWS\system32\DRIVERS\idmc1vme.sys
S4 vncdrv;vncdrv;C:\WINDOWS\system32\DRIVERS\vncdrv.sys

*Newly Created Service* - ENTDRV51

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2007-08-15 08:42:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-19 21:06:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-19 22:17:15
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-19 22:18:17
C:\ComboFix-quarantined-files.txt ... 2007-09-19 22:18
C:\ComboFix3.txt ... 2007-08-19 22:27
C:\ComboFix2.txt ... 2007-08-20 01:26
.
--- E O F ---

*Hijackthis log*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:20:08, on 19/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\HEWLET~1\HPPSC7~1\BIN\HPOEVM07.EXE
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\HPOSTS07.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUK.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUK.DLL
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://80.7.11.231/cab/OCXChecker_8000.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest.co.uk/motive/files/MotivePreQual.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8792 bytes


----------



## Cookiegal (Aug 27, 2003)

Everything looks fine. :up:


----------



## Slaine_Mac_Roth (Aug 16, 2007)

Hi

Thank you very much for you help...

Do you have any idea what sort of infection this was? Is it likely that account/password information was obtained via the infection?

If I set AVG to run automatically but don't purchase the full program, what sort of protection will it offer? Can I run it in conjunction with Adaware or should I run AVG on its own?

In your opinion, what is the best internet security setup?

Thanks again  :up:


----------



## Cookiegal (Aug 27, 2003)

Mostly the infection was relating to this:

http://research.sunbelt-software.com/threatdisplay.aspx?name=Trojan.FakeAlert&threatid=43521

This Smitfraud infection also bundled trojans and they can steal sensitive information so yes, I would recommend as a precaution that you do go ahead and change passwords, bank account numbers and any other similar information that you may have stored on your computer.

Once the trial is over, AVG Anti-Spyware will not give real-time protection but you will be able to update the program and run it regularly so I recommend you keep it and use it as an on-demand scanner as part of your arsenal.

I'm not a big fan of McAfee and it's slows down shutdown time considerably. When it expires you could look into getting Nod32 or Kaspersky, which are two of the best.

You can continue to run Ad-Aware in conjunction with AVG Anti-Spyware without any problems. I also recommend SpyBot Search & Destroy.

Other than that, you're fine with your Sygate firewall and I would run on-line scans such as Panda periodically as well.

You can delete the ComboFix utility and delete this folder, which is where ComboFix stores deleted files as backups:

C:\*Qoobox*

Here are some final instructions for you.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start*  *All Programs*  *Accessories*  *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading  *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.


----------



## Slaine_Mac_Roth (Aug 16, 2007)

Hi 

Thanks for that, it was a great help and much appreciated.

Luckily we don't store any passwords or account details on the pc... I was a bit concerned about keylogging etc. 

I know what you mean about McAfee, I only use it because I get a free copy from work... funnily enough my partner gets a free copy of Norton from her work as well. I'm not overkeen on Norton either as it tends to hog a lot of resources.

Thanks again.


----------



## Cookiegal (Aug 27, 2003)

It's my pleasure.


----------

