Trojan: infected vtr.dll file? "to prevent any unathor

Unread postby drowssap » September 5th, 2007, 3:06 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:28 AM, on 05/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\GE Fanuc\Alarm Viewer\Host\AEClientHostService.exe
C:\Program Files\GE Fanuc\GE Fanuc Licensing\CCFLIC0.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\CIMPLICITY Machine Edition\fxControl\Runtime\NT\FxControl.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
c:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\WINDOWS\system32\NA_Service.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\MODBUSDRV.exe
C:\WINDOWS\system32\OpcEnum.exe
c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\CIMPLICITY Machine Edition\Common\Components\NT\trapiserver.exe
c:\Program Files\Novell\ZENworks\wm.exe
c:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\printer.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\MagicMus\MulMouse.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Novell\ZENworks\NALDESK.EXE
C:\Palm\HOTSYNC.EXE
C:\Program Files\MagicMus\MagicWl.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: IEHlprObj Class - {ABCDECF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\vtr.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] c:\WINDOWS\system32\zentray.exe
O4 - HKLM\..\Run: [VersatoMs] C:\Program Files\MagicMus\MulMouse.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - S-1-5-18 Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'SYSTEM')
O4 - .DEFAULT Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
O4 - .DEFAULT User Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
O4 - Startup: system.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
O4 - Global Startup: autorun.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - c:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://notesmail.bcit.ca/iNotes6W.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4106342381
O17 - HKLM\System\CCS\Services\Tcpip\..\{52C1545D-3A82-4047-BBAB-5AE9E1302000}: NameServer = 154.11.128.59,154.11.128.187
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2E0297F-14EA-41AE-A693-FD17F72F2929}: NameServer = 154.11.128.59,154.11.128.187
O17 - HKLM\System\CS1\Services\Tcpip\..\{52C1545D-3A82-4047-BBAB-5AE9E1302000}: NameServer = 154.11.128.59,154.11.128.187
O17 - HKLM\System\CS2\Services\Tcpip\..\{52C1545D-3A82-4047-BBAB-5AE9E1302000}: NameServer = 154.11.128.59,154.11.128.187
O20 - AppInit_DLLs: C:\WINDOWS\system32\systems.txt
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AEClientHostService - GE Fanuc Automation Americas - C:\Program Files\GE Fanuc\Alarm Viewer\Host\AEClientHostService.exe
O23 - Service: Proficy Licensing (CCFLIC0) - GE Fanuc Automation Americas - C:\Program Files\GE Fanuc\GE Fanuc Licensing\CCFLIC0.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: FxControl Runtime (FxControlRuntime) - Total Control Products (Canada) Inc. - C:\Program Files\CIMPLICITY Machine Edition\fxControl\Runtime\NT\FxControl.exe
O23 - Service: Harmony - Rockwell Software Inc. - C:\PROGRA~1\ROCKWE~1\RSCommon\RSOBSERV.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - c:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: NetAccess Service (NA_Service) - Schneider Automation SAS - C:\WINDOWS\system32\NA_Service.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: RSLinx - Rockwell Software, Inc. - C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Trapi File Server (TrapiServer) - Unknown owner - C:\Program Files\CIMPLICITY Machine Edition\Common\Components\NT\trapiserver.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - c:\Program Files\Novell\ZENworks\wm.exe

--
End of file - 11671 bytes
drowssap
Active Member
 
Posts: 8
Joined: September 5th, 2007, 4:33 am
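Added example (not part of this thread, and not a feature of HijackThis or SmitfraudFix): a short Python triage script that pulls the suspicious persistence entries out of an HJT log mechanically, using the indicators visible in the log above: the extra program appended to the system.ini Shell= value, the BHO marked (file missing), executables dropped straight into a Startup folder or launched from a Temp folder, the DisableRegedit policy, and the AppInit_DLLs value pointing at a .txt file. The sample log embedded in the script is constructed for the example from the shapes of those entries; the rule wording and the Finding type are the example's own.

```python
"""Triage a HijackThis log for the persistence tricks visible in this thread.

Added example: not part of the original thread and not a feature of HijackThis
or SmitfraudFix.  SAMPLE_LOG is constructed for the example from the shapes of
the entries posted above; Finding and the rule wording are the example's own.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section reason line")

# Constructed sample: a handful of HJT lines of the kinds shown in the post.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: IEHlprObj Class - {ABCDECF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\vtr.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - S-1-5-18 Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'SYSTEM')
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\systems.txt
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
RUN_RE = re.compile(r"(HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)")


def parse_hjt(text):
    """Yield (section, body) for every HJT entry line; header/process lines are skipped."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def check_entry(section, body):
    """Return a reason string if the entry matches a persistence abuse, else None."""
    if section == "F2" and body.startswith("REG:system.ini: Shell="):
        shell = body.split("Shell=", 1)[1].strip()
        # The only legitimate value is Explorer.exe on its own; anything
        # appended is started by winlogon at every logon as a second shell.
        if shell.lower() != "explorer.exe":
            return "Shell= carries an extra program: " + shell
    if section == "O2" and body.endswith("(file missing)"):
        # Orphaned BHO: CLSID still registered, DLL already gone.
        return "BHO registered but its DLL is missing (orphaned entry)"
    if section == "O4":
        parts = body.split(":", 1)
        target = parts[1].strip() if len(parts) > 1 else body
        if re.search(r"\\Temp\\", target, re.IGNORECASE):
            return "startup item runs from a Temp folder: " + target
        if "Startup:" in body and "=" not in body and not target.lower().endswith(".lnk"):
            # A bare name with no ".lnk = path" means a binary was dropped
            # straight into the Startup folder instead of a shortcut.
            return "executable placed directly in a Startup folder: " + target
    if section == "O7" and "DisableRegedit=1" in body:
        # Also set by ordinary domain/ZENworks policy on managed machines,
        # so this is a lead to confirm with the site admin, not a verdict.
        return "registry editor disabled by policy (confirm against site policy)"
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        path = body.split(":", 1)[1].strip()
        if path:
            # Loaded into every process that maps user32.dll; the loader
            # ignores the extension, so a ".txt" here is still a DLL.
            return "AppInit_DLLs set to " + path
    return None


def triage(text):
    """Run every entry through check_entry and return the list of Findings."""
    findings = []
    for section, body in parse_hjt(text):
        reason = check_entry(section, body)
        if reason:
            findings.append(Finding(section, reason, section + " - " + body))
    return findings


def duplicate_run_entries(text):
    """Run-key names present under both HKLM and HKCU with the same target."""
    seen, dupes = {}, set()
    for section, body in parse_hjt(text):
        m = RUN_RE.match(body)
        if section == "O4" and m:
            hive, name, target = m.groups()
            key = (name, target.strip().lower())
            if key in seen and seen[key] != hive:
                dupes.add(name)
            seen[key] = hive
    return sorted(dupes)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print("Run entries duplicated across HKLM and HKCU:", duplicate_run_entries(SAMPLE_LOG))
```

Run it as-is to print the findings for the sample, or pass the text of a real log to triage(). The O7 hit is deliberately worded as a lead rather than a verdict: on a managed machine like this one (Novell ZENworks and McAfee Common Framework agents are running), a regedit lockout can be ordinary site policy. AppInit_DLLs, by contrast, is loaded into every process that maps user32.dll and the loader does not care about the file extension, so a .txt there is a DLL in all but name. Entries like WinAvXX.exe are left to tools with signature knowledge (SmitfraudFix flags it later in the thread); the duplicate HKLM/HKCU Run check only surfaces the pattern for a human to look at.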

Unread postby Simon V. » September 5th, 2007, 4:39 pm

    Hello, and welcome to the forum.

    My name is Simon V., and I'll be glad to help you with your computer problems.

    HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happens.
    I am currently looking over your log. As I am a trainee, everything that I post to you must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long. I will post back shortly with a potential fix.

    Please be patient and I'd be grateful if you would note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
Simon V.
MRU Emeritus
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Reply to first contact re Malware removal

Unread postby drowssap » September 5th, 2007, 5:14 pm

I received an email after my first post. In the reply I received it states, "You can use the following link to view the replies made, no more notifications will be sent until you visit the topic.

http://www.malwareremoval.com/forum/viewtop ... 369#213369"

Do I have to post a reply to indicate that I have visited the topic?

Or is simply reading your post enough for your system to know that I have visited the topic?

Thanks for your efforts,
Rob

Unread postby Simon V. » September 5th, 2007, 5:20 pm

Hi,

If you receive such an email, it means I have posted to the topic (in the future, this means I will have posted new instructions to clean your computer). If you visit the topic, the system will know and you don't necessarily have to answer, although you will need to reply to my next posts, so we can get this machine cleaned up ;)

It won't take long before I have your first instructions :)

Simon

Unread postby Simon V. » September 6th, 2007, 12:21 pm

    Hi :)

    SmitfraudFix

  • Please download SmitfraudFix (By S!ri).
    • Double-click on SmitfraudFix.exe. A screen will pop up. Select Option 1 (Search) by typing 1 and hit enter. A text file will appear, which will list the infected files. Save it to a convenient location.
    • The log will also be saved here: C:\rapport.txt
    • Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    Make an Uninstall List
  • To access the Uninstall Manager you would do the following:

    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.
    5. Click on the Save list... button and save the file to a convenient location. When you press Save, Notepad will open with the contents of that file.

    Report Back
  • Please post the report from SmitfraudFix and the Uninstall List, along with a new HijackThis log in your next reply.

SmitfraudFix + Uninstall List + HijackThis log

Unread postby drowssap » September 6th, 2007, 4:12 pm

SmitFraudFix v2.221
C:\Program Files\Trend Micro\HijackThis\rapport.txt

Scan done at 12:27:19.85, 06/09/2007
Run from C:\Documents and Settings\00195592\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\GE Fanuc\Alarm Viewer\Host\AEClientHostService.exe
C:\Program Files\GE Fanuc\GE Fanuc Licensing\CCFLIC0.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\CIMPLICITY Machine Edition\fxControl\Runtime\NT\FxControl.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
c:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\WINDOWS\system32\NA_Service.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\MODBUSDRV.exe
C:\WINDOWS\system32\OpcEnum.exe
c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\CIMPLICITY Machine Edition\Common\Components\NT\trapiserver.exe
c:\Program Files\Novell\ZENworks\wm.exe
c:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\printer.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\MagicMus\MulMouse.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Novell\ZENworks\NALDESK.EXE
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\MagicMus\MagicWl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\printer.exe FOUND !
C:\WINDOWS\system32\WinAvXX.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\00195592


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\00195592\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\00195592\STARTM~1\Programs\Startup\system.exe FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\autorun.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\00195592\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\systems.txt"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="ziswin.exe"


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Marvell Yukon 88E8036 PCI-E Fast Ethernet Controller - Packet Scheduler Miniport
DNS Server Search Order: 154.11.128.59
DNS Server Search Order: 154.11.128.187

Description: Intel(R) PRO/Wireless 2915ABG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 154.11.128.59
DNS Server Search Order: 154.11.128.187

HKLM\SYSTEM\CCS\Services\Tcpip\..\{52C1545D-3A82-4047-BBAB-5AE9E1302000}: NameServer=154.11.128.59,154.11.128.187
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F2E0297F-14EA-41AE-A693-FD17F72F2929}: NameServer=154.11.128.59,154.11.128.187
HKLM\SYSTEM\CS1\Services\Tcpip\..\{52C1545D-3A82-4047-BBAB-5AE9E1302000}: NameServer=154.11.128.59,154.11.128.187
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F2E0297F-14EA-41AE-A693-FD17F72F2929}: NameServer=154.11.128.59,154.11.128.187
HKLM\SYSTEM\CS2\Services\Tcpip\..\{52C1545D-3A82-4047-BBAB-5AE9E1302000}: NameServer=154.11.128.59,154.11.128.187
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F2E0297F-14EA-41AE-A693-FD17F72F2929}: NameServer=154.11.128.59,154.11.128.187


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



C:\Program Files\Trend Micro\HijackThis\uninstall_list.txt

Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.9
Adobe® Photoshop® Album Starter Edition 3.0
a-squared Free 3.0
AutoCAD 2000
Bluetooth Stack for Windows by Toshiba
Brother HL-2070N
CD/DVD Drive Acoustic Silencer
Compatibility Pack for the 2007 Office system
DVD-RAM Driver
Egd Cfg Client Library - V03.00.00C
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB928388)
HP Deskjet 3840
HP Software Update
InterActual Player
InterVideo WinDVD Creator 2
InterVideo WinDVD for TOSHIBA
Java 2 Runtime Environment, SE v1.4.2
Java 2 Runtime Environment, SE v1.4.2_05
Lexmark Printer Software Uninstall
Lotus Notes 7.0.2
McAfee Anti-Spyware Enterprise Module
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Office OneNote 2003
Microsoft Office Professional Edition 2003
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
NICI (Shared) U.S./Worldwide (128 bit) (2.6.4-7)
NMAS Client Components (2.7)
Novell Client for Windows
Novell iPrint Client v03.09.00
NVIDIA Drivers
PowerSuite
Print Server
Proficy Common Licensing
Proficy Historian
Proficy Machine Edition
RSLogix 5 English 7.10.00 (CPR 7)
SA Drivers Manager
SA MODBUS Driver
Schneider Electric\ATV68Soft
SD Secure Module
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
SMSC IrCC V5.1.3600.5
SnagIt 5
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
SoundMAX
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515 drivers.
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Controls
TOSHIBA Hotkey Utility
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
Toshiba Tbiosdrv Driver
TOSHIBA TouchPad ON/Off Utility
TOSHIBA Utilities
TOSHIBA Virtual Sound
TOSHIBA Zooming Utility
Touch and Launch
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908521)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
ViewMate Desktop Mouse CC2201 Uninstaller
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Connect
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Zelio Soft 2 v4.1.1.
ZENworks for Desktops Management Agent

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:34 PM, on 06/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\GE Fanuc\Alarm Viewer\Host\AEClientHostService.exe
C:\Program Files\GE Fanuc\GE Fanuc Licensing\CCFLIC0.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\CIMPLICITY Machine Edition\fxControl\Runtime\NT\FxControl.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
c:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\WINDOWS\system32\NA_Service.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\MODBUSDRV.exe
C:\WINDOWS\system32\OpcEnum.exe
c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\CIMPLICITY Machine Edition\Common\Components\NT\trapiserver.exe
c:\Program Files\Novell\ZENworks\wm.exe
c:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\printer.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\MagicMus\MulMouse.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Novell\ZENworks\NALDESK.EXE
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\MagicMus\MagicWl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: IEHlprObj Class - {ABCDECF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\vtr.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program

Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network

Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting

Service] "C:\Program Files\Common Files\Network

Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon]

c:\WINDOWS\system32\zentray.exe
O4 - HKLM\..\Run: [VersatoMs] C:\Program

Files\MagicMus\MulMouse.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program

Files\McAfee\Common Framework\UdaterUI.exe"

/StartedFromRunKey
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program

Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility]

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program

Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program

Files\Adobe\Photoshop Album Starter

Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [WinAVX]

C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [ctfmon.exe]

C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinAVX]

C:\WINDOWS\system32\WinAvXX.exe
O4 - S-1-5-18 Startup: IEHOME.LNK = C:\Documents and

Settings\Default User\Local Settings\Temp\iehome.bat

(User 'SYSTEM')
O4 - .DEFAULT Startup: IEHOME.LNK = C:\Documents and

Settings\Default User\Local Settings\Temp\iehome.bat

(User 'Default user')
O4 - .DEFAULT User Startup: IEHOME.LNK = C:\Documents

and Settings\Default User\Local Settings\Temp\iehome.bat

(User 'Default user')
O4 - Startup: system.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk =

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Application Explorer.lnk =

C:\Program Files\Novell\ZENworks\NALDESK.EXE
O4 - Global Startup: autorun.exe
O4 - Global Startup: HotSync Manager.lnk =

C:\Palm\HOTSYNC.EXE
O4 - Global Startup: RAMASST.lnk =

C:\WINDOWS\system32\RAMASST.exe
O7 -

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\

System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel

- res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research -

{92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Novell delivered applications -

{C1994287-422F-47aa-8E5E-6323E210A125} - c:\Program

Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE}

(Symantec AntiVirus scanner) -

http://security.symantec.com/sscv6/Shar ... nt/vc/bin/

AvSniff.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325}

(iNotes6 Class) - http://notesmail.bcit.ca/iNotes6W.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5}

(Symantec RuFSI Utility Class) -

http://security.symantec.com/sscv6/Shar ... nt/common/

bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3}

(MUWebControl Class) -

http://update.microsoft.com/microsoftup ... /V5Control

s/en/x86/client/muweb_site.cab?1154106342381
O17 -

HKLM\System\CCS\Services\Tcpip\..\{52C1545D-3A82-4047-BB

AB-5AE9E1302000}: NameServer =

154.11.128.59,154.11.128.187
O17 -

HKLM\System\CCS\Services\Tcpip\..\{F2E0297F-14EA-41AE-A6

93-FD17F72F2929}: NameServer =

154.11.128.59,154.11.128.187
O17 -

HKLM\System\CS1\Services\Tcpip\..\{52C1545D-3A82-4047-BB

AB-5AE9E1302000}: NameServer =

154.11.128.59,154.11.128.187
O17 -

HKLM\System\CS2\Services\Tcpip\..\{52C1545D-3A82-4047-BB

AB-5AE9E1302000}: NameServer =

154.11.128.59,154.11.128.187
O20 - AppInit_DLLs: C:\WINDOWS\system32\systems.txt
O23 - Service: a-squared Free Service (a2free) - Emsi

Software GmbH - C:\Program Files\a-squared

Free\a2service.exe
O23 - Service: AEClientHostService - GE Fanuc Automation

Americas - C:\Program Files\GE Fanuc\Alarm

Viewer\Host\AEClientHostService.exe
O23 - Service: Proficy Licensing (CCFLIC0) - GE Fanuc

Automation Americas - C:\Program Files\GE Fanuc\GE Fanuc

Licensing\CCFLIC0.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA

CORPORATION - C:\Program

Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Client Update Service for Novell (cusrvc)

- Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: dnWhoDisp - Unknown owner - C:\Program

Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric

Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: FxControl Runtime (FxControlRuntime) -

Total Control Products (Canada) Inc. - C:\Program

Files\CIMPLICITY Machine

Edition\fxControl\Runtime\NT\FxControl.exe
O23 - Service: Harmony - Rockwell Software Inc. -

C:\PROGRA~1\ROCKWE~1\RSCommon\RSOBSERV.EXE
O23 - Service: McAfee Framework Service

(McAfeeFramework) - McAfee, Inc. - C:\Program

Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) -

Network Associates, Inc. - C:\Program Files\Network

Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager

(McTaskManager) - Network Associates, Inc. - C:\Program

Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp -

C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Novell Application Launcher

(NALNTSERVICE) - Novell, Inc. - c:\Program

Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: NetAccess Service (NA_Service) -

Schneider Automation SAS -

C:\WINDOWS\system32\NA_Service.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) -

NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpcEnum - OPC Foundation -

C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: Novell ZfD Wake on LAN Status Agent

(Prometheus Wake-On-LAN Status Agent) - Novell Inc. -

c:\Program

Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.

exe
O23 - Service: Novell ZfD Remote Management (Remote

Management Agent) - Novell Inc. - c:\Program

Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.

exe
O23 - Service: RSLinx - Rockwell Software, Inc. -

C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent

Service (default)) - Analog Devices, Inc. - C:\Program

Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) -

TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA

Applet\TAPPSRV.exe
O23 - Service: Trapi File Server (TrapiServer) - Unknown

owner - C:\Program Files\CIMPLICITY Machine

Edition\Common\Components\NT\trapiserver.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell,

INC. - c:\Program Files\Novell\ZENworks\wm.exe

--
End of file - 11704 bytes
drowssap
Active Member
 
Posts: 8
Joined: September 5th, 2007, 4:33 am

Unread postby Simon V. » September 7th, 2007, 9:57 am

    Hi :)

    Word Wrap

  • You have Word Wrap turned on; this is making your logs difficult to read.
    • Run notepad.
    • Go to Format and untick Word Wrap.
    AVG Anti-Spyware
  • Please download and install AVG Anti-Spyware.

    After the installation, open AVG Anti-Spyware and do the following:
    • Under 'Status', click on Change state, next to 'Resident shield' (this will change from Active to Inactive)
    • Under the 'Update' tab, click on 'Start update'.
    • Under 'Scanner', click on the 'Settings' tab:
      • Under 'How to act?', click on 'Recommended actions', and select Quarantine.
      • Under 'Reports', select 'Do not automatically generate reports'.
    Close AVG Anti-Spyware. Do not let it scan yet.

    ATF Cleaner
  • Please download ATF Cleaner.

    Double-click on ATF-Cleaner.exe to start the program.
    Under the Main tab, put a check next to 'Select All'.
    Click the 'Empty Selected' button. (Note: if you select cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck 'Cookies')

    If you use the Firefox browser:
    Click on Firefox at the top and put a check next to 'Select All'.
    If you would like to keep your saved passwords, click No at the prompt.
    Click the 'Empty Selected' button. (Note: if you select cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck 'Cookies').

    If you use the Opera browser:
    Click on Opera at the top and put a check next to 'Select All'.
    If you would like to keep your saved passwords, click No at the prompt.
    Click the 'Empty Selected' button. (Note: if you select cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck 'Cookies')

    Safe Mode
  • Print these instructions or copy them to Notepad and save it to your Desktop, as you won't be able to access the internet in Safe Mode.
  • Please reboot into Safe Mode. To do this, go to Start>Turn off Computer, and select Restart. Rapidly tap F8 just before Windows starts to load. In the menu that appears, select Safe Mode (Without Networking)

    SmitfraudFix
  • Double-click on SmitfraudFix.exe.
    • A screen will pop up. Select Option 2 (Clean) by typing 2 and hit Enter.
    • You will be prompted: 'Registry Cleaning - Do you want to clean the registry?' Answer Yes by typing Y and press Enter in order to clean registry keys associated with the infection.
    • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file; answer Yes by typing Y and hit Enter.
    • The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart Windows into Normal Mode.
    • A text file will appear onscreen, with results from the cleaning process; please copy the content of that report and paste it in your next reply. The report can also be found at C:\rapport.txt.
  • Warning: running option #2 on a non infected computer will remove your desktop background.

    AVG Anti-Spyware
  • Please open AVG Anti-Spyware.
    • Click on the 'Scan' tab.
    • Click on 'Complete System Scan' to start the scan process.
    • After the scan, do the following:
        Important: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
      • Make sure that Set all elements to: shows Quarantine (1), if not, click on the link and select 'Quarantine' from the popup menu. (2)
      • At the bottom of the window click on the Apply all Actions button. (3)
      • When done, click the 'Save Report' (4) button, and save the file to your Desktop.
    Image.
  • Reboot into Normal Mode.

    Report Back
  • Please post the reports from Smitfraudfix and AVG Anti-Spyware, along with a new HijackThis log in your next reply (be sure Word Wrap is turned off!).
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

rapport&AVGreport

Unread postby drowssap » September 7th, 2007, 4:20 pm

c:\Program Files\Trend Micro\Hijack This\rapport2&AVGreport.txt

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:38:33 PM 07/09/2007

+ Scan result:



HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1 -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer -> Adware.CoolWebSearch : Cleaned with backup (quarantined).


::Report end



SmitFraudFix v2.221

Scan done at 11:26:31.73, 07/09/2007
Run from C:\Documents and Settings\00195592\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


192.168.200.3 ad.doubleclick.net
192.168.200.3 ad.fastclick.net
192.168.200.3 ads.fastclick.net
192.168.200.3 ar.atwola.com
192.168.200.3 atdmt.com
192.168.200.3 avp.ch
192.168.200.3 avp.com
192.168.200.3 avp.ru
192.168.200.3 awaps.net
192.168.200.3 banner.fastclick.net
192.168.200.3 banners.fastclick.net
192.168.200.3 ca.com
192.168.200.3 click.atdmt.com
192.168.200.3 clicks.atdmt.com
192.168.200.3 customer.symantec.com
192.168.200.3 dispatch.mcafee.com
192.168.200.3 download.mcafee.com
192.168.200.3 downloads-us1.kaspersky-labs.com
192.168.200.3 downloads-us2.kaspersky-labs.com
192.168.200.3 downloads-us3.kaspersky-labs.com
192.168.200.3 downloads1.kaspersky-labs.com
192.168.200.3 downloads2.kaspersky-labs.com
192.168.200.3 downloads3.kaspersky-labs.com
192.168.200.3 downloads4.kaspersky-labs.com
192.168.200.3 engine.awaps.net
192.168.200.3 f-secure.com
192.168.200.3 fastclick.net
192.168.200.3 ftp.avp.ch
192.168.200.3 ftp.downloads1.kaspersky-labs.com
192.168.200.3 ftp.downloads2.kaspersky-labs.com
192.168.200.3 ftp.downloads3.kaspersky-labs.com
192.168.200.3 ftp.f-secure.com
192.168.200.3 ftp.kasperskylab.ru
192.168.200.3 ftp.sophos.com
192.168.200.3 ids.kaspersky-labs.com
192.168.200.3 kaspersky-labs.com
192.168.200.3 kaspersky.com
192.168.200.3 liveupdate.symantec.com
192.168.200.3 liveupdate.symantecliveupdate.com
192.168.200.3 mast.mcafee.com
192.168.200.3 mcafee.com
192.168.200.3 media.fastclick.net
192.168.200.3 my-etrust.com
192.168.200.3 nai.com
192.168.200.3 networkassociates.com
192.168.200.3 norton.com
192.168.200.3 phx.corporate-ir.net
192.168.200.3 rads.mcafee.com
192.168.200.3 secure.nai.com
192.168.200.3 securityresponse.symantec.com
192.168.200.3 service1.symantec.com
192.168.200.3 sophos.com
192.168.200.3 spd.atdmt.com
192.168.200.3 symantec.com
192.168.200.3 trendmicro.com
192.168.200.3 update.symantec.com
192.168.200.3 updates.symantec.com
192.168.200.3 updates1.kaspersky-labs.com
192.168.200.3 updates2.kaspersky-labs.com
192.168.200.3 updates3.kaspersky-labs.com
192.168.200.3 updates4.kaspersky-labs.com
192.168.200.3 updates5.kaspersky-labs.com
192.168.200.3 us.mcafee.com
192.168.200.3 vil.nai.com
192.168.200.3 viruslist.com
192.168.200.3 viruslist.ru
192.168.200.3 virusscan.jotti.org
192.168.200.3 virustotal.com
192.168.200.3 http://www.avp.ch
192.168.200.3 http://www.avp.com
192.168.200.3 http://www.avp.ru
192.168.200.3 http://www.awaps.net
192.168.200.3 http://www.ca.com
192.168.200.3 http://www.f-secure.com
192.168.200.3 http://www.fastclick.net
192.168.200.3 http://www.grisoft.com
192.168.200.3 http://www.kaspersky-labs.com
192.168.200.3 http://www.kaspersky.com
192.168.200.3 http://www.kaspersky.ru
192.168.200.3 http://www.mcafee.com
192.168.200.3 http://www.my-etrust.com
192.168.200.3 http://www.nai.com
192.168.200.3 http://www.networkassociates.com
192.168.200.3 http://www.sophos.com
192.168.200.3 http://www.symantec.com
192.168.200.3 http://www.symantec.com
192.168.200.3 http://www.trendmicro.com
192.168.200.3 http://www.viruslist.com
192.168.200.3 http://www.viruslist.ru
192.168.200.3 http://www.virustotal.com
192.168.200.3 www3.ca.com

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\printer.exe Deleted
C:\WINDOWS\system32\WinAvXX.exe Deleted
C:\DOCUME~1\00195592\STARTM~1\Programs\Startup\system.exe Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\autorun.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{52C1545D-3A82-4047-BBAB-5AE9E1302000}: NameServer=154.11.128.59,154.11.128.187
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F2E0297F-14EA-41AE-A693-FD17F72F2929}: NameServer=154.11.128.59,154.11.128.187
HKLM\SYSTEM\CS1\Services\Tcpip\..\{52C1545D-3A82-4047-BBAB-5AE9E1302000}: NameServer=154.11.128.59,154.11.128.187
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F2E0297F-14EA-41AE-A693-FD17F72F2929}: NameServer=154.11.128.59,154.11.128.187
HKLM\SYSTEM\CS2\Services\Tcpip\..\{52C1545D-3A82-4047-BBAB-5AE9E1302000}: NameServer=154.11.128.59,154.11.128.187
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F2E0297F-14EA-41AE-A693-FD17F72F2929}: NameServer=154.11.128.59,154.11.128.187


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="ziswin.exe"


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
drowssap
Active Member
 
Posts: 8
Joined: September 5th, 2007, 4:33 am

Clean-up phase?

Unread postby drowssap » September 7th, 2007, 4:47 pm

'Windows cannot find C:\windows\system32\printer.exe' message shows up whenever I reboot.

The good news is that the malware pop-up has not recurred so it may be fixed.

I have not yet restored my desktop background.
drowssap
Active Member
 
Posts: 8
Joined: September 5th, 2007, 4:33 am

Unread postby Simon V. » September 7th, 2007, 4:56 pm

Can you post a fresh HijackThis log please? :)
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Hijack This LOG

Unread postby drowssap » September 7th, 2007, 5:02 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:00:19 PM, on 07/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\GE Fanuc\Alarm Viewer\Host\AEClientHostService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\GE Fanuc\GE Fanuc Licensing\CCFLIC0.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\CIMPLICITY Machine Edition\fxControl\Runtime\NT\FxControl.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
c:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\WINDOWS\system32\NA_Service.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\MODBUSDRV.exe
C:\WINDOWS\system32\OpcEnum.exe
c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\CIMPLICITY Machine Edition\Common\Components\NT\trapiserver.exe
c:\Program Files\Novell\ZENworks\wm.exe
c:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINDOWS\Explorer.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\MagicMus\MulMouse.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Novell\ZENworks\NALDESK.EXE
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\MagicMus\MagicWl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] c:\WINDOWS\system32\zentray.exe
O4 - HKLM\..\Run: [VersatoMs] C:\Program Files\MagicMus\MulMouse.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - c:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://notesmail.bcit.ca/iNotes6W.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4106342381
O17 - HKLM\System\CCS\Services\Tcpip\..\{52C1545D-3A82-4047-BBAB-5AE9E1302000}: NameServer = 154.11.128.59,154.11.128.187
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2E0297F-14EA-41AE-A693-FD17F72F2929}: NameServer = 154.11.128.59,154.11.128.187
O17 - HKLM\System\CS1\Services\Tcpip\..\{52C1545D-3A82-4047-BBAB-5AE9E1302000}: NameServer = 154.11.128.59,154.11.128.187
O17 - HKLM\System\CS2\Services\Tcpip\..\{52C1545D-3A82-4047-BBAB-5AE9E1302000}: NameServer = 154.11.128.59,154.11.128.187
O20 - AppInit_DLLs: C:\WINDOWS\system32\systems.txt
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AEClientHostService - GE Fanuc Automation Americas - C:\Program Files\GE Fanuc\Alarm Viewer\Host\AEClientHostService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Proficy Licensing (CCFLIC0) - GE Fanuc Automation Americas - C:\Program Files\GE Fanuc\GE Fanuc Licensing\CCFLIC0.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: FxControl Runtime (FxControlRuntime) - Total Control Products (Canada) Inc. - C:\Program Files\CIMPLICITY Machine Edition\fxControl\Runtime\NT\FxControl.exe
O23 - Service: Harmony - Rockwell Software Inc. - C:\PROGRA~1\ROCKWE~1\RSCommon\RSOBSERV.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - c:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: NetAccess Service (NA_Service) - Schneider Automation SAS - C:\WINDOWS\system32\NA_Service.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: RSLinx - Rockwell Software, Inc. - C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Trapi File Server (TrapiServer) - Unknown owner - C:\Program Files\CIMPLICITY Machine Edition\Common\Components\NT\trapiserver.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - c:\Program Files\Novell\ZENworks\wm.exe

--
End of file - 11516 bytes
drowssap
Active Member
 
Posts: 8
Joined: September 5th, 2007, 4:33 am
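The two HijackThis logs in this thread carry the indicators a helper reads off by hand: a Winlogon Shell value with a second executable chained after Explorer.exe, an O2 BHO whose DLL is already gone, the same WinAVX value registered under both HKLM and HKCU, bare executables sitting in the Startup folders, a .bat launched from the Default User's Temp directory, a DisableRegedit policy and an AppInit_DLLs entry pointing at a ".txt". The second log also shows why the "Windows cannot find printer.exe" message persists after SmitFraudFix: the file was deleted, but the F2 Shell= value still names it, so Winlogon keeps trying to start it. The script below is an added example written for this page, not a tool from the thread or from Trend Micro; it applies those checks to a constructed sample made from the posted entries. The heuristics and category names are this example's own choices, and the "both hives" rule deliberately ignores single-hive Run entries because bare names such as nwiz.exe are normal there.

```python
import re
from collections import defaultdict

# Constructed sample input: entries copied from the HijackThis logs posted in
# this thread (abridged), plus a few clean entries left in as controls.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: IEHlprObj Class - {ABCDECF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\vtr.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - .DEFAULT User Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\systems.txt
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (.*) \(file missing\)$")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
STARTUP_RE = re.compile(r"^O4 - (.*Startup): (.+?)(?: \(User '.*'\))?$")
POLICY_RE = re.compile(r"^O7 - (HKLM|HKCU)\\.*DisableRegedit=1$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (.+)$")

# Extensions that have no business being a Startup-folder target.
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".txt")


def triage(log_text):
    """Return a list of (category, detail) findings for a HijackThis log."""
    findings = []
    run_entries = defaultdict(dict)  # value name -> {hive: target}
    for line in log_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = SHELL_RE.match(line)
        if m:
            value = m.group(1).strip()
            # Winlogon's Shell value should be exactly "Explorer.exe"; anything
            # appended is started alongside the desktop on every logon, and a
            # stale entry keeps producing "Windows cannot find ..." after the
            # file itself has been deleted.
            if value.lower() != "explorer.exe":
                findings.append(("shell-chain", value))
            continue
        m = BHO_RE.match(line)
        if m:
            # CLSID still registered, DLL gone: an orphaned registration that
            # should be removed rather than left for the next dropper to reuse.
            findings.append(("orphan-bho", m.group(1)))
            continue
        m = RUN_RE.match(line)
        if m:
            hive, name, target = m.groups()
            run_entries[name.lower()][hive] = target.lower()
            continue
        m = STARTUP_RE.match(line)
        if m:
            folder, item = m.groups()
            name, target = item.split(" = ", 1) if " = " in item else (item, item)
            if not name.lower().endswith(".lnk"):
                # Startup folders normally hold shortcuts; a bare .exe there is
                # a file that copied itself into the folder.
                findings.append(("startup-raw-file", f"{folder}: {item}"))
            elif "\\temp\\" in target.lower() or target.lower().endswith(SCRIPT_EXT):
                findings.append(("startup-suspicious-target", f"{folder}: {target}"))
            continue
        m = POLICY_RE.match(line)
        if m:
            # Also set by some corporate policies (this is a managed ZENworks
            # box); confirm with the administrator before calling it malicious.
            findings.append(("regedit-disabled", m.group(1)))
            continue
        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs is loaded into every process that links user32.dll.
            # It is empty on a clean XP install; a ".txt" here is a renamed DLL.
            findings.append(("appinit-dll", m.group(1)))
            continue
    # The same value name in both HKLM and HKCU Run, pointing at the same
    # file, is a redundancy pattern used to survive a partial cleanup.
    for name, hives in run_entries.items():
        if len(hives) == 2 and len(set(hives.values())) == 1:
            findings.append(("run-both-hives", f"{name} -> {hives['HKLM']}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:26s} {detail}")
```

On the sample this reports eight findings and stays silent on the SoundMAX, ctfmon, HotSync and NVIDIA control entries. O17 NameServer lines are deliberately not scored: the same two addresses appear on every adapter in both logs and the helper did not treat them as part of the infection, so they belong in a "compare with the expected DNS servers" step rather than an automatic flag.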

Unread postby Simon V. » September 8th, 2007, 7:50 am

    Hi :)

    HostsXpert

  • Please download HostsXpert.
    • Unzip HostsXpert.zip.
    • Double click on HostsXpert.exe.
    • Then click on "Restore Original Hosts" to restore your Hosts file to its default condition.
    • Click on Make Hosts Read Only to secure it against further infection.
    • Close program when complete.
    ComboFix
  • Please download Combofix from one of the links below:

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
  • Double-click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Save it to a convenient location.
    Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    Run Kaspersky Online Scan
  • Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be promted to install an ActiveX component from Kaspersky, click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        Extended (if available otherwise Standard)
      • Scan Options:
        Scan Archives Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
        Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    Report Back
  • Please post the reports from Combofix and the Kaspersky Online Scan, along with a new HijackThis log in your next reply.
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

combofix&kaspersky&hijackthis

Unread postby drowssap » September 8th, 2007, 3:27 pm

ComboFix 07-09-08.7 - "00195592" 2007-09-08 10:04:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.574 [GMT -7:00]
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-08-08 to 2007-09-08 )))))))))))))))))))))))))))))))
.

2007-09-08 10:01 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-07 10:27 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-06 12:27 4,868 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-05 22:49 <DIR> d-------- C:\DOCUME~1\00195592\.housecall6.6
2007-09-05 10:52 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-09-05 01:46 <DIR> d-------- C:\Program Files\a-squared Free
2007-09-05 01:21 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-04 23:00 <DIR> d-------- C:\QUARANTINE
2007-08-26 11:12 <DIR> dr------- C:\DOCUME~1\00195592\APPLIC~1\Brother

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-05 01:00 --------- d-------- C:\Program Files\SpywareBlaster
2007-02-09 15:30 487 --a------ C:\Program Files\acad2000.cfg
2007-02-09 15:25 6795264 --a------ C:\Program Files\acad.exe
2007-02-09 15:25 146227 --a------ C:\Program Files\DeIsL1.isu
1999-03-26 11:49 115920 --a------ C:\Program Files\actusm.dll
1999-03-25 05:14 88773 --a------ C:\Program Files\acadapp.arx
1999-03-25 05:07 274432 --a------ C:\Program Files\asilisp.arx
1999-03-25 05:06 12288 --a------ C:\Program Files\asilloc.dll
1999-03-25 05:05 122880 --a------ C:\Program Files\cao15.dll
1999-03-25 05:04 1290240 --a------ C:\Program Files\condlg.arx
1999-03-25 04:55 110592 --a------ C:\Program Files\aclbed.dll
1999-03-25 04:54 167936 --a------ C:\Program Files\aseloc.dll
1999-03-25 04:54 1089536 --a------ C:\Program Files\ase.arx
1999-03-25 04:49 417792 --a------ C:\Program Files\csp.dll
1999-03-25 04:48 40960 --a------ C:\Program Files\asiloc.dll
1999-03-25 04:47 831488 --a------ C:\Program Files\sqleng.dll
1999-03-25 04:43 118784 --a------ C:\Program Files\tmptbl.dll
1999-03-25 04:39 524288 --a------ C:\Program Files\sqldata.dll
1999-03-25 04:29 57344 --a------ C:\Program Files\oletohdi6.dll
1999-03-25 04:28 45056 --a------ C:\Program Files\styleeng.dll
1999-03-25 04:28 139264 --a------ C:\Program Files\styshwiz.exe
1999-03-25 04:27 69632 --a------ C:\Program Files\prntprog.dll
1999-03-25 04:27 32768 --a------ C:\Program Files\styexe.exe
1999-03-25 04:27 192512 --a------ C:\Program Files\addplwiz.exe
1999-03-25 04:26 389120 --a------ C:\Program Files\pc3edit.dll
1999-03-25 04:26 28672 --a------ C:\Program Files\pc3exe.exe
1999-03-25 04:25 528384 --a------ C:\Program Files\plcfmgr.dll
1999-03-25 04:25 225280 --a------ C:\Program Files\psizewiz.dll
1999-03-25 04:25 135168 --a------ C:\Program Files\plcalwiz.dll
1999-03-25 04:24 32768 --a------ C:\Program Files\apperr.dll
1999-03-25 04:23 45056 --a------ C:\Program Files\coreerr.dll
1999-03-25 04:23 28672 --a------ C:\Program Files\plcferr.dll
1999-03-25 04:13 790528 --a------ C:\Program Files\physpen.dll
1999-03-25 04:12 933888 --a------ C:\Program Files\styedit.dll
1999-03-25 04:11 86016 --a------ C:\Program Files\gridres.dll
1999-03-25 03:46 1105920 --a------ C:\Program Files\vllib.dll
1999-03-25 03:45 65536 --a------ C:\Program Files\vlreac.dll
1999-03-25 03:45 380928 --a------ C:\Program Files\vlabout.dll
1999-03-25 03:45 36864 --a------ C:\Program Files\vldlg.dll
1999-03-25 03:45 323584 --a------ C:\Program Files\vlide.dll
1999-03-25 03:45 233472 --a------ C:\Program Files\vlmsg.dll
1999-03-25 03:45 20480 --a------ C:\Program Files\vlres.dll
1999-03-25 03:45 118784 --a------ C:\Program Files\vlcom.dll
1999-03-25 03:44 581632 --a------ C:\Program Files\vl.arx
1999-03-25 03:43 77824 --a------ C:\Program Files\dwgaids.arx
1999-03-25 03:43 6821 --a------ C:\Program Files\solids.xmx
1999-03-25 03:43 286720 --a------ C:\Program Files\axdb15.dll
1999-03-25 03:43 105125 --a------ C:\Program Files\acsolids.arx
1999-03-25 03:42 2723840 --a------ C:\Program Files\axauto15.dll
1999-03-25 03:41 68768 --a------ C:\Program Files\geomcal.arx
1999-03-25 03:41 66540 --a------ C:\Program Files\geom3d.arx
1999-03-25 03:41 53479 --a------ C:\Program Files\acadaut.reg
1999-03-25 03:41 44078 --a------ C:\Program Files\rectang.arx
1999-03-25 03:40 91720 --a------ C:\Program Files\render.xmx
1999-03-25 03:40 45056 --a------ C:\Program Files\aclsobj.arx
1999-03-25 03:40 172032 --a------ C:\Program Files\acadps.arx
1999-03-25 03:40 1335296 --a------ C:\Program Files\acrender.arx
1999-03-25 03:30 32768 --a------ C:\Program Files\whohas.arx
1999-03-25 03:30 192512 --a------ C:\Program Files\acadvba.arx
1999-03-25 03:29 98304 --a------ C:\Program Files\acqsetup.arx
1999-03-25 03:29 61440 --a------ C:\Program Files\acoscale.arx
1999-03-25 03:29 204800 --a------ C:\Program Files\acasetup.arx
1999-03-25 03:29 200704 --a------ C:\Program Files\acadstar.arx
1999-03-25 03:28 69632 --a------ C:\Program Files\textfind.arx
1999-03-25 03:28 49152 --a------ C:\Program Files\units.arx
1999-03-25 03:28 49152 --a------ C:\Program Files\pltcmdln.arx
1999-03-25 03:28 110592 --a------ C:\Program Files\appload.arx
1999-03-25 03:27 94208 --a------ C:\Program Files\acDcTextStyles.arx
1999-03-25 03:27 81920 --a------ C:\Program Files\acmatch.arx
1999-03-25 03:27 139264 --a------ C:\Program Files\acorbit.arx
1999-03-25 03:27 131072 --a------ C:\Program Files\AcRefEd.arx
1999-03-25 03:26 86016 --a------ C:\Program Files\acDcDimStyles.arx
1999-03-25 03:25 94208 --a------ C:\Program Files\acDcLinetypes.arx
1999-03-25 03:25 86016 --a------ C:\Program Files\acDcXrefs.arx
1999-03-25 03:24 81920 --a------ C:\Program Files\acDcLayouts.arx
1999-03-25 03:24 69632 --a------ C:\Program Files\acDcImages.arx
1999-03-25 03:24 147456 --a------ C:\Program Files\acDcSymbols.arx
1999-03-25 03:23 516096 --a------ C:\Program Files\acDcFrame.arx
1999-03-25 03:17 143360 --a------ C:\Program Files\acDcUtils.dll
1999-03-25 03:16 204800 --a------ C:\Program Files\acISMui.arx
1999-03-25 03:12 61440 --a------ C:\Program Files\resize.dll
1999-03-25 03:12 45056 --a------ C:\Program Files\color.dll
1999-03-25 03:12 32768 --a------ C:\Program Files\textedit.arx
1999-03-25 03:12 118784 --a------ C:\Program Files\acadinet.dll
1999-03-25 03:11 69632 --a------ C:\Program Files\attedit.arx
1999-03-25 03:11 552960 --a------ C:\Program Files\AcDim.arx
1999-03-25 03:11 28728 --a------ C:\Program Files\acdorder.arx
1999-03-25 03:09 610304 --a------ C:\Program Files\acopm.arx
1999-03-25 03:08 53248 --a------ C:\Program Files\acsiui.arx
1999-03-25 03:08 32768 --a------ C:\Program Files\acbrowse.arx
1999-03-25 03:08 221184 --a------ C:\Program Files\acblock.arx
1999-03-25 03:07 65536 --a------ C:\Program Files\aceplotx.arx
1999-03-25 03:07 32768 --a------ C:\Program Files\acsiobj.arx
1999-03-25 03:07 118784 --a------ C:\Program Files\achlnkui.arx
1999-03-25 03:06 40960 --a------ C:\Program Files\ddelib.dll
1999-03-25 03:06 397312 --a------ C:\Program Files\acgs.dll
1999-03-25 03:06 32768 --a------ C:\Program Files\oleaprot.arx
1999-03-25 03:06 245760 --a------ C:\Program Files\Ereg.dll
1999-03-25 02:44 339968 --a------ C:\Program Files\acmted.arx
1999-03-25 02:42 298911 --a------ C:\Program Files\acad.xmx
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 14:48]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-06 09:27]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 00:28]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 00:26]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-27 23:37 C:\WINDOWS\agrsmmsg.exe]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2004-11-12 18:57]
"NDSTray.exe"="NDSTray.exe" []
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-03 02:05]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-09-15 16:03]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 15:03]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2005-01-14 17:45]
"TFncKy"="TFncKy.exe" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-01-13 17:36]
"nwiz"="nwiz.exe" [2005-01-13 17:36 C:\WINDOWS\system32\nwiz.exe]
"TPSMain"="TPSMain.exe" [2004-12-28 17:02 C:\WINDOWS\system32\TPSMain.exe]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 02:01]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-08-18 08:00]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 09:48]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 11:37 C:\WINDOWS\system32\nwtray.exe]
"ZENRC Tray Icon"="c:\WINDOWS\system32\zentray.exe" [2003-03-18 15:37]
"VersatoMs"="C:\Program Files\MagicMus\MulMouse.exe" [2004-06-17 16:14]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2007-06-21 13:19]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 08:46]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 10:55]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Application Explorer.lnk - C:\Program Files\Novell\ZENworks\NALDESK.EXE [2003-03-24 13:08:30]
HotSync Manager.lnk - C:\Palm\HOTSYNC.EXE [2007-01-15 13:41:52]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-01-10 14:35:49]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B4870B70-F390-11d2-9FB9-F4ED725EA20D}"= C:\Program Files\Novell\ZENworks\NalExpEx.dll [2003-03-24 13:08 131072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="ziswin.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwv1_0

R0 NICM;Novell InterService Communication Driver;C:\WINDOWS\system32\Drivers\Nicm.sys
R0 NWFILTER;Novell UNC Path Filter;C:\WINDOWS\system32\NetWare\nwfilter.sys
R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R1 nipplpt2;Novell iCapture Lpt Redirector 2;C:\WINDOWS\system32\drivers\nipplpt.sys
R2 BlankScr;HBDevice;C:\WINDOWS\system32\drivers\BlankScr.sys
R2 FxControlRuntime;FxControl Runtime;C:\Program Files\CIMPLICITY Machine Edition\fxControl\Runtime\NT\FxControl.exe
R2 Kblock;Kblock;C:\WINDOWS\system32\drivers\Kblock.sys
R2 Mouslock;Mouslock;C:\WINDOWS\system32\drivers\Mouslock.sys
R2 MUsbFltr;USB WTMouse Filter Service;C:\WINDOWS\system32\DRIVERS\MUsbFltr.sys
R2 NA_Service;NetAccess Service;C:\WINDOWS\system32\NA_Service.exe
R2 NetwareWorkstation;Novell Client for Windows;C:\WINDOWS\system32\NetWare\nwfs.sys
R2 NWDHCP;Novell DHCP Inform Client;C:\WINDOWS\system32\NetWare\nwdhcp.sys
R2 Prometheus Wake-On-LAN Status Agent;Novell ZfD Wake on LAN Status Agent;c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
R2 RESMGR;Novell NetWare Resource Manager;C:\WINDOWS\system32\NetWare\resmgr.sys
R2 SRVLOC;Novell Service Location;C:\WINDOWS\system32\NetWare\srvloc.sys
R2 TrapiServer;Trapi File Server;C:\Program Files\CIMPLICITY Machine Edition\Common\Components\NT\trapiserver.exe
R3 EntDrv51;EntDrv51;\??\C:\WINDOWS\system32\drivers\EntDrv51.sys
R3 nscmnt;Novell Local Security Context Manager;C:\WINDOWS\system32\drivers\novell\nscmnt.sys
R3 NWDNS;Novell DNS Name Space Service Provider;C:\WINDOWS\system32\NetWare\nwdns.sys
R3 NWHOST;Novell Host File Name Space Service Provider;C:\WINDOWS\system32\NetWare\NWHOST.sys
R3 NWSLP;Novell SLP Name Space Service Provider;C:\WINDOWS\system32\NetWare\nwslp.sys
R3 NWSNS;Novell Simple Naming Services;C:\WINDOWS\system32\NetWare\NWSNS.sys
S1 oxmf;OXPCI Bus enumerator;C:\WINDOWS\system32\DRIVERS\oxmf.sys
S1 oxser;OX16C95x Serial port driver;C:\WINDOWS\system32\DRIVERS\oxser.sys
S1 VirtualBackplane;A-B Virtual Backplane;C:\WINDOWS\system32\Drivers\VirtualBackplane.sys
S2 cusrvc;Client Update Service for Novell;C:\WINDOWS\system32\cusrvc.exe
S2 NWSIPX32;Novell NetWare IPX/SPX Transport Interface;C:\WINDOWS\system32\NetWare\nwsipx32.sys
S3 ABKTCX;Rockwell Software 1784-KTC(X) Driver;C:\WINDOWS\system32\Drivers\ABKTCX.sys
S3 NWSAP;Novell SAP Name Space Provider;C:\WINDOWS\system32\NetWare\NWSAP.sys
S3 Oxmfuf;Filter driver for OX16PCI95x ports;C:\WINDOWS\system32\DRIVERS\oxmfuf.sys
S3 RS_SS_NT;RSLinx S-S SD/SD2 Device Driver;C:\WINDOWS\system32\RS_SS_NT.SYS
S3 RsiKtControl;RsiKtControl;C:\WINDOWS\system32\RSIKT.SYS
S3 RSSERIAL;RSLinx Serial Driver;C:\WINDOWS\system32\RSSERIAL.SYS
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys
S3 usb2ser;usb2ser;C:\WINDOWS\system32\DRIVERS\usb2ser.sys
S3 xauthnt;Novell XTier Authentication Service;C:\WINDOWS\system32\drivers\novell\xauthnt.sys
Start Pending2 Remote Management Agent;Novell ZfD Remote Management;c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d2bc720-c43f-11db-b3d1-0012f09f82d9}]
AutoRun\command- F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2813d90-9c20-11db-b3a0-0012f09f82d9}]
AutoRun\command- F:\setupSNK.exe

*Newly Created Service* - ENTDRV51
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-08 10:10:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-08 10:11:54 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-08 10:11
.
--- E O F ---


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, September 08, 2007 12:15:47 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 8/09/2007
Kaspersky Anti-Virus database records: 410326
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 64507
Number of viruses found: 4
Number of infected objects: 44
Number of suspicious objects: 0
Duration of the scan process: 01:04:59

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\00195592\.housecall6.6\Quarantine\printer.exe.bac_a03320 Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\Documents and Settings\00195592\.housecall6.6\Quarantine\system.exe.Vir.bac_a03320 Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\Documents and Settings\00195592\.housecall6.6\Quarantine\systems.txt.bac_a03320 Infected: not-virus:Hoax.Win32.Renos.jh skipped
C:\Documents and Settings\00195592\.housecall6.6\Quarantine\vtr.xxx.bac_a03320 Infected: Trojan.Win32.Agent.bfe skipped
C:\Documents and Settings\00195592\.housecall6.6\Quarantine\winavxx.exe.bac_a03320 Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\Documents and Settings\00195592\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\00195592\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\00195592\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\00195592\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\00195592\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\00195592\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\00195592\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\00195592\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\00195592\Local Settings\Temp\NAILogs\UpdaterUI_SOEE-Z-60986.log Object is locked skipped
C:\Documents and Settings\00195592\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\00195592\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\00195592\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_SOEE-Z-60986.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_SOEE-Z-60986.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20070908_Time-100941667_EnterceptExceptions.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20070908_Time-100941667_EnterceptRules.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\RMErrorLog1.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP111\A0021854.exe Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP111\A0021855.exe Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP111\A0021873.exe Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP111\A0021874.exe Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP111\A0022012.exe Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP111\A0022013.exe Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP111\A0022061.exe Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP111\A0022062.exe Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP111\A0022080.exe Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP111\A0022081.exe Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP112\A0022115.exe Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP112\A0022116.exe Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP112\A0022130.dll Infected: Trojan.Win32.Agent.bfe skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP112\A0022148.exe Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP112\A0022149.exe Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP112\A0022150.exe Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP112\A0022186.exe Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP112\A0022187.exe Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP112\A0022188.exe Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP112\A0022252.exe Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP112\A0022253.exe Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP113\A0022309.exe Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP113\A0022310.exe Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP113\A0022311.exe Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP113\A0022347.exe Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP113\A0022348.exe Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP113\A0022349.exe Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP113\A0022383.exe Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP113\A0022384.exe Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP113\A0022385.exe Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP113\A0022426.exe Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP113\A0022427.exe Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP113\A0022428.exe Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP113\A0022429.exe Infected: not-virus:Hoax.Win32.Renos.je skipped
C:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP115\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\novell\nici\00195282\XMGRCFG.KS2 Object is locked skipped
C:\WINDOWS\system32\novell\nici\00195282\XMGRCFG.KS3 Object is locked skipped
C:\WINDOWS\system32\novell\nici\SYSTEM\XMGRCFG.KS2 Object is locked skipped
C:\WINDOWS\system32\novell\nici\SYSTEM\XMGRCFG.KS3 Object is locked skipped
C:\WINDOWS\system32\systems.txt Infected: not-virus:Hoax.Win32.Renos.jh skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TempFile Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{9F6D27BD-8333-4C91-A655-AFB30354E2FB}\RP115\change.log Object is locked skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:22:23 PM, on 08/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\GE Fanuc\Alarm Viewer\Host\AEClientHostService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\GE Fanuc\GE Fanuc Licensing\CCFLIC0.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\CIMPLICITY Machine Edition\fxControl\Runtime\NT\FxControl.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
c:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\WINDOWS\system32\NA_Service.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\MODBUSDRV.exe
C:\WINDOWS\system32\OpcEnum.exe
c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\CIMPLICITY Machine Edition\Common\Components\NT\trapiserver.exe
c:\Program Files\Novell\ZENworks\wm.exe
c:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\MagicMus\MulMouse.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MagicMus\MagicWl.exe
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] c:\WINDOWS\system32\zentray.exe
O4 - HKLM\..\Run: [VersatoMs] C:\Program Files\MagicMus\MulMouse.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - c:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://notesmail.bcit.ca/iNotes6W.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4106342381
O17 - HKLM\System\CCS\Services\Tcpip\..\{52C1545D-3A82-4047-BBAB-5AE9E1302000}: NameServer = 154.11.128.59,154.11.128.187
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2E0297F-14EA-41AE-A693-FD17F72F2929}: NameServer = 154.11.128.59,154.11.128.187
O17 - HKLM\System\CS1\Services\Tcpip\..\{52C1545D-3A82-4047-BBAB-5AE9E1302000}: NameServer = 154.11.128.59,154.11.128.187
O17 - HKLM\System\CS2\Services\Tcpip\..\{52C1545D-3A82-4047-BBAB-5AE9E1302000}: NameServer = 154.11.128.59,154.11.128.187
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AEClientHostService - GE Fanuc Automation Americas - C:\Program Files\GE Fanuc\Alarm Viewer\Host\AEClientHostService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Proficy Licensing (CCFLIC0) - GE Fanuc Automation Americas - C:\Program Files\GE Fanuc\GE Fanuc Licensing\CCFLIC0.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: FxControl Runtime (FxControlRuntime) - Total Control Products (Canada) Inc. - C:\Program Files\CIMPLICITY Machine Edition\fxControl\Runtime\NT\FxControl.exe
O23 - Service: Harmony - Rockwell Software Inc. - C:\PROGRA~1\ROCKWE~1\RSCommon\RSOBSERV.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - c:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: NetAccess Service (NA_Service) - Schneider Automation SAS - C:\WINDOWS\system32\NA_Service.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: RSLinx - Rockwell Software, Inc. - C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Trapi File Server (TrapiServer) - Unknown owner - C:\Program Files\CIMPLICITY Machine Edition\Common\Components\NT\trapiserver.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - c:\Program Files\Novell\ZENworks\wm.exe

--
End of file - 11360 bytes
drowssap
Active Member
 
Posts: 8
Joined: September 5th, 2007, 4:33 am

Unread postby Simon V. » September 9th, 2007, 6:16 am

    Hi :)

  • Are you aware that Autocad is installed in C:\Program Files\, rather than in its own folder?
  • Please empty this folder using Windows Explorer (delete everything inside the folder, not the folder itself): C:\Documents and Settings\00195592\.housecall6.6\Quarantine\, and delete this file: C:\WINDOWS\system32\systems.txt.

    Prevention
  • Congratulations, your log looks clean. Please advise of any problems you are still experiencing, or follow these simple steps to keep your computer clean in the future:
    • Delete Tools - You can now delete the following files/folders:
      • Smitfraudfix.exe, C:\Smitfraudfix\, C:\rapport.txt
      • HostsXpert.zip, HostsXpert.exe
      • Combofix.exe, C:\Combofix\
    • Disable and Enable System Restore - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
      • Turn off System Restore.
      • On the desktop, right-click My Computer
      • Click Properties
      • Click the System Restore tab
      • Check Turn off System Restore
      • Click Apply, and then click OK
      • Reboot.
      • Turn on System Restore.
      • On the desktop, right-click My Computer
      • Click Properties
      • Click the System Restore tab
      • Uncheck Turn off System Restore
      • Click Apply, and then click OK
      NOTE: only do this ONCE, NOT on a regular basis!
    • Make your Internet Explorer more secure
      • From within Internet Explorer click on the Tools menu and then click on Options.
      • Click once on the Security tab.
      • Click once on the Internet icon so it becomes highlighted.
      • Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt.
        • Change the Download unsigned ActiveX controls to Disable.
        • Change the Initialise and script ActiveX controls not marked as safe to Disable.
        • Change the Installation of desktop items to Prompt.
        • Change the Launching programs and files in an IFRAME to Prompt.
        • Change the Navigate sub-frames across different domains to Prompt.
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      • Next press the Apply button and then the OK to exit the Internet Properties page.
    • Update your Anti-Virus Software - It is very important that you update your Anti-Virus software at least once a week (even more if you wish). If you do not update your Anti-Virus software then it will not be able to catch any of the new variants that may come out.
    • Use a Firewall - A firewall is very important for the security of your computer. The Windows Firewall which comes with Service Pack 2 does not monitor outgoing connections, so any malware can 'phone home' without you knowing it. For an article on firewalls and a listing of some available ones see the link below:
      Computer Safety Online - Software Firewalls
    • Visit Microsoft's Update Site Frequently - It is important that you visit http://update.microsoft.com/ regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
    • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with anti-virus software, in conjunction with Spybot. A tutorial on installing & using this product can be found here:
      Instructions for - Spybot S & D and Ad-aware
    • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

      Follow this list and your potential for being infected again will reduce dramatically.
    • Stand Up and Be Counted!

      Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints; you have to be registered to post. After registering, just find your country room and register your complaint.
      The infection you had was Smitfraud.
    • >> Here << you can see how you can help us.
Simon V.
MRU Emeritus
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium
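The Internet-zone hardening in the reply above, as an added PowerShell example that is not code from the thread or from MalwareRemoval.com: it reads the documented Internet Explorer zone registry values for the Internet zone (Zone 3) and reports, or with -Fix corrects, each of the six settings the reply walks through in the dialog. The function name and the -Fix switch are my own.

```powershell
# Added example, not from the original thread. Audits (and with -Fix, corrects)
# the Internet-zone settings that the reply sets through Internet Options.
# Registry data values: 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Target state from the reply, keyed by the registry value name of each setting.
$Wanted = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Value = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Value = 3 }
    '1201' = @{ Name = 'Initialise and script ActiveX controls not marked as safe'; Value = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Value = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Value = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Value = 1 }
}
$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-IeInternetZone {
    param([switch]$Fix)   # without -Fix the function only reports
    $key = Get-ItemProperty -Path $ZoneKey -ErrorAction Stop
    foreach ($entry in $Wanted.GetEnumerator()) {
        $valueName = $entry.Key
        $setting   = $entry.Value
        # $null when the value was never written, i.e. the zone default applies
        $current   = $key.PSObject.Properties[$valueName].Value
        $label     = if ($null -eq $current) { 'not set (zone default)' }
                     elseif ($Labels.ContainsKey([int]$current)) { $Labels[[int]$current] }
                     else { "unknown ($current)" }
        $ok = ($current -eq $setting.Value)
        [pscustomobject]@{
            Setting = $setting.Name
            Current = $label
            Wanted  = $Labels[$setting.Value]
            Ok      = $ok
        }
        if ($Fix -and -not $ok) {
            Set-ItemProperty -Path $ZoneKey -Name $valueName -Value $setting.Value -Type DWord
        }
    }
}

# Report first; re-run with -Fix once the report looks right.
# Internet Explorer reads the new values on its next start.
Test-IeInternetZone | Format-Table -AutoSize
```

On a domain-managed machine where policy sets Security_HKLM_only, Internet Explorer ignores these per-user values and applies the HKLM zone key instead, so the report can show Ok = True while the effective setting differs.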

Thank you - donation made

Unread postby drowssap » September 9th, 2007, 3:31 pm

Thank you very much for your guidance in getting rid of the malware I had contracted.

I have made a donation via PayPal.

Keep up the good work.

Regards,
Rob
drowssap
Active Member
 
Posts: 8
Joined: September 5th, 2007, 4:33 am