#11
Hi, I just wanted to check in with you real quick and let you know that I haven't forgotten. Things here have been sort of crazy, and I haven't had the opportunity to get the scan completed yet.
Didn't mean to disappear! I'll be in touch soon :)
#12
Hi there
Not a problem, I understand that real-life situations take priority.
__________________
Proud member of ASAP & UNITE
My System: Steves Rig
#13
Things have been running much better on the computer now (Thank You!) I am still having a couple of problems though... You mentioned that you see FSecure and AVG- I uninstalled FSecure a long time ago (or I thought I did), and AVG I uninstalled to get CF to work, and I haven't reinstalled it yet (probably should get on that though). I am still seeing a lot of processes running that I'm not sure what they are. "spoolsv.exe" is one in particular that I can't seem to get rid of. Is there a reason this one should be there even though I don't have a printer hooked up to the computer? "winlogon.exe" is always running, too- I thought that this one should go away after the computer has booted up. Also there are 5 instances of "svchost.exe" running and I don't remember there being so many of those before... AVG is still running processes, too, even though I uninstalled it... Perhaps I'm just computer illiterate and they are really supposed to be there?
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/18/2009 at 01:15 PM

Application Version : 4.26.1004

Core Rules Database Version : 3945
Trace Rules Database Version: 1887

Scan type : Complete Scan
Total Scan Time : 01:11:18

Memory items scanned : 373
Memory threats detected : 1
Registry items scanned : 4431
Registry threats detected : 86
File items scanned : 39059
File threats detected : 11

Rootkit.Agent/Gen-UACFake
\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACKPXJQWVUGNSPOKQ.DLL
\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACKPXJQWVUGNSPOKQ.DLL

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2520BA45-3D97-4864-82FF-F47F951727BA}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9B053E00-78D3-47AE-B763-60FF36FF2886}
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2520BA45-3D97-4864-82FF-F47F951727BA}
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9B053E00-78D3-47AE-B763-60FF36FF2886}
HKU\S-1-5-21-776561741-1580436667-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2520BA45-3D97-4864-82FF-F47F951727BA}
HKU\S-1-5-21-776561741-1580436667-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9B053E00-78D3-47AE-B763-60FF36FF2886}
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2520BA45-3D97-4864-82FF-F47F951727BA}
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9B053E00-78D3-47AE-B763-60FF36FF2886}

Trojan.Agent/Gen-AmblBE
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{06F20C1A-4811-4C73-A114-792ED70F2CAD}
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{06F20C1A-4811-4C73-A114-792ED70F2CAD}

Adware.TrustInCash
C:\WINDOWS\system32\tisa.cnf
C:\WINDOWS\REMOVEADWARE.ICO
C:\WINDOWS\VIDEOSLOTS.ICO

Rogue.Component/Trace
HKU\S-1-5-21-776561741-1580436667-854245398-1003\Software\Microsoft\FIAS4057

Rootkit.Agent/Gen
HKLM\SOFTWARE\UAC
HKLM\SOFTWARE\UAC#cmddelay
HKLM\SOFTWARE\UAC#LastBSOD
HKLM\SOFTWARE\UAC#affid
HKLM\SOFTWARE\UAC#type
HKLM\SOFTWARE\UAC#build
HKLM\SOFTWARE\UAC#subid
HKLM\SOFTWARE\UAC#ecaab67d-7d92-4ec1-ac32-3087345120a3
HKLM\SOFTWARE\UAC#val
HKLM\SOFTWARE\UAC#sval
HKLM\SOFTWARE\UAC#pval
HKLM\SOFTWARE\UAC\connections
HKLM\SOFTWARE\UAC\connections#905b3008
HKLM\SOFTWARE\UAC\connections#7d72e91c
HKLM\SOFTWARE\UAC\connections#a2674c18
HKLM\SOFTWARE\UAC\connections#b43dcf0f
HKLM\SOFTWARE\UAC\connections#f2065612
HKLM\SOFTWARE\UAC\disallowed
HKLM\SOFTWARE\UAC\disallowed#trsetup.exe
HKLM\SOFTWARE\UAC\disallowed#ViewpointService.exe
HKLM\SOFTWARE\UAC\disallowed#ViewMgr.exe
HKLM\SOFTWARE\UAC\disallowed#SpySweeper.exe
HKLM\SOFTWARE\UAC\disallowed#SUPERAntiSpyware.exe
HKLM\SOFTWARE\UAC\disallowed#SpySub.exe
HKLM\SOFTWARE\UAC\disallowed#SpywareTerminatorShield.exe
HKLM\SOFTWARE\UAC\disallowed#SpyHunter3.exe
HKLM\SOFTWARE\UAC\disallowed#XoftSpy.exe
HKLM\SOFTWARE\UAC\disallowed#SpyEraser.exe
HKLM\SOFTWARE\UAC\disallowed#combofix.exe
HKLM\SOFTWARE\UAC\disallowed#otscanit.exe
HKLM\SOFTWARE\UAC\disallowed#mbam.exe
HKLM\SOFTWARE\UAC\disallowed#mbam-setup.exe
HKLM\SOFTWARE\UAC\disallowed#flash_disinfector.exe
HKLM\SOFTWARE\UAC\disallowed#otmoveit2.exe
HKLM\SOFTWARE\UAC\disallowed#smitfraudfix.exe
HKLM\SOFTWARE\UAC\disallowed#prevxcsifree.exe
HKLM\SOFTWARE\UAC\disallowed#download_mbam-setup.exe
HKLM\SOFTWARE\UAC\disallowed#cbo_setup.exe
HKLM\SOFTWARE\UAC\disallowed#spywareblastersetup.exe
HKLM\SOFTWARE\UAC\disallowed#rminstall.exe
HKLM\SOFTWARE\UAC\disallowed#sdsetup.exe
HKLM\SOFTWARE\UAC\disallowed#vundofixsvc.exe
HKLM\SOFTWARE\UAC\disallowed#daft.exe
HKLM\SOFTWARE\UAC\disallowed#gmer.exe
HKLM\SOFTWARE\UAC\disallowed#catchme.exe
HKLM\SOFTWARE\UAC\disallowed#mcpr.exe
HKLM\SOFTWARE\UAC\disallowed#sdfix.exe
HKLM\SOFTWARE\UAC\disallowed#hjtinstall.exe
HKLM\SOFTWARE\UAC\disallowed#fixpolicies.exe
HKLM\SOFTWARE\UAC\disallowed#emergencyutil.exe
HKLM\SOFTWARE\UAC\disallowed#techweb.exe
HKLM\SOFTWARE\UAC\disallowed#GoogleUpdate.exe
HKLM\SOFTWARE\UAC\disallowed#windowsdefender.exe
HKLM\SOFTWARE\UAC\disallowed#spybotsd.exe
HKLM\SOFTWARE\UAC\disallowed#winlognn.exe
HKLM\SOFTWARE\UAC\disallowed#csrssc.exe
HKLM\SOFTWARE\UAC\disallowed#klif.sys
HKLM\SOFTWARE\UAC\disallowed#pctssvc.sys
HKLM\SOFTWARE\UAC\disallowed#pctcore.sys
HKLM\SOFTWARE\UAC\disallowed#mchinjdrv.sys
HKLM\SOFTWARE\UAC\disallowed#szkg.sys
HKLM\SOFTWARE\UAC\disallowed#sasdifsv.sys
HKLM\SOFTWARE\UAC\disallowed#saskutil.sys
HKLM\SOFTWARE\UAC\disallowed#sasenum.sys
HKLM\SOFTWARE\UAC\disallowed#ccHPx86.sys
HKLM\SOFTWARE\UAC\injector
HKLM\SOFTWARE\UAC\injector#*
HKLM\SOFTWARE\UAC\mask
HKLM\SOFTWARE\UAC\mask#6aed4b25
HKLM\SOFTWARE\UAC\mask#e0ae8144
HKLM\SOFTWARE\UAC\mask#30910b28
HKLM\SOFTWARE\UAC\mask#c6216721
HKLM\SOFTWARE\UAC\mask#dd118673
HKLM\SOFTWARE\UAC\versions
HKLM\SOFTWARE\UAC\versions#/banner/crcmds/init

Adware.Tracking Cookie
C:\Documents and Settings\Guest\Cookies\guest@ad.yieldmanager[1].txt
C:\Documents and Settings\Guest\Cookies\guest@doubleclick[1].txt
C:\Documents and Settings\Guest\Cookies\guest@myroitracking[1].txt
C:\Documents and Settings\Guest\Cookies\guest@serw.clicksor[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ix-find[1].txt

Adware.180solutions/Seekmo/Zango
C:\PROGRAM FILES\FASOFT\N-TRACK STUDIO 6\SETUP.EXE

Browser Hijacker.MS Web Search
C:\WINDOWS\LOCAL.HTML
#14
Hi there
I notice that you reposted the original SAS scan results that were included in your opening post. Did you post the wrong results? The system processes you mentioned earlier are legit and I would not worry about them. I would advise that you re-install AVG to prevent any further re-infection.
__________________
Proud member of ASAP & UNITE
#15
Sorry about that. I was in a hurry and I posted the only log that was in SAS without even looking at the date. I'm not sure if it saved the results then- I'll redo the scan for you tonight and try to have the results posted in the AM.
#16
Not a problem
__________________
Proud member of ASAP & UNITE
#17
Ha! I found the scan log hiding in safe mode... I'm pretty sure I completed the scan under the admin user, so that would explain why I didn't see it from my usual screen. I've also reinstalled AVG- so that is up and running too.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/28/2009 at 03:05 AM

Application Version : 4.26.1004

Core Rules Database Version : 3910
Trace Rules Database Version: 1854

Scan type : Complete Scan
Total Scan Time : 02:05:20

Memory items scanned : 195
Memory threats detected : 0
Registry items scanned : 3686
Registry threats detected : 14
File items scanned : 44190
File threats detected : 21

Trojan.Agent/Gen-FraudDrop [sysldtray]
C:\WINDOWS\LD11.EXE
C:\WINDOWS\LD11.EXE
C:\DOCUMENTS AND SETTINGS\GUEST\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\Y0U32CIF\PP.10[1].EXE
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\CPE3G5IV\LD.11[1].EXE
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\YRYHYRYL\PP.10[1].EXE
C:\WINDOWS\Prefetch\LD11.EXE-36999629.pf

Trojan.Dropper/Win-NV [pp]
C:\WINDOWS\PP10.EXE
C:\WINDOWS\PP10.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#sysldtray [ C:\windows\ld11.exe ]
C:\WINDOWS\Prefetch\PP10.EXE-23F1D767.pf

Trojan.Vundo-Variant/NextGen
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E85C18E7-C293-4424-9DD0-B31D8DB27013}
HKCR\CLSID\{E85C18E7-C293-4424-9DD0-B31D8DB27013}
HKCR\CLSID\{E85C18E7-C293-4424-9DD0-B31D8DB27013}
HKCR\CLSID\{E85C18E7-C293-4424-9DD0-B31D8DB27013}\InProcServer32
HKCR\CLSID\{E85C18E7-C293-4424-9DD0-B31D8DB27013}\InProcServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\IEHELPER.DLL

Trojan.Agent/Gen-Zlob
HKLM\System\ControlSet002\Services\websrvx
C:\PROGRAM FILES\WEBSRVX\WEBSRVX.EXE
HKLM\System\ControlSet002\Enum\Root\LEGACY_websrvx
HKLM\System\ControlSet003\Services\websrvx
HKLM\System\ControlSet003\Enum\Root\LEGACY_websrvx
HKLM\System\CurrentControlSet\Services\websrvx
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_websrvx
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\RO_1246163602.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\CPE3G5IV\WEBSRVX2[1].EXE
C:\WINDOWS\Prefetch\WEBSRVX.EXE-02568EF6.pf

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@2o7[2].txt
C:\Documents and Settings\Owner\Cookies\owner@a1.interclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.addynamix[1].txt
C:\Documents and Settings\Owner\Cookies\owner@at.atwola[1].txt
C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@electronicarts.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@interclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@revsci[1].txt
#18
Looks like the SAS scan found a few more items. I trust you deleted the items found?
Please run a fresh scan with ComboFix for me, allow it to update if prompted, and keep me updated on how your system is running now.
__________________
Proud member of ASAP & UNITE
#19
Well... where to begin... the computer was doing much better until about 6 days ago when something nasty made its way in again.
I have repaired all Windows files and am now running on Service Pack 1. Here are some of the logs that I have been able to come up with. Any ideas on where this mess is coming from would be much appreciated :) I'm having problems backing up my files or I would just wipe the system clean. Hopefully it's fixable. (Just FYI: I ran MBAM first, then SAS, then HJT. I had tried to reinstall AVG, but it was being funny, so in between fixing it was when all of this happened.)

Malwarebytes' Anti-Malware 1.37
Database version: 2269
Windows 5.1.2600 Service Pack 1

7/7/2009 9:53:32 PM
mbam-log-2009-07-07 (21-53-32).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 69022
Time elapsed: 22 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 6
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 25

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Zlob.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msncache (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msncache (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\msncache (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\msncache (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msncache (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{90d8090e-3a72-a3a4-cd7d-897c92020759} (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Zlob.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\igfxtray (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\11645064 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mptkesomhrflga (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\11645064 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\gsf83iujid.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\Documents and Settings\Owner\reader_s.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\igfxtray.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\reader_s.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\11645064\11645064 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\11645064\11645064 .exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\11645064\11645064.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\11645064\11645064.exe217 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\11645064\11645064.exe219 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\11645064\11645064.exe220 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\fdvjfx.exe (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\temp\ms1246989706.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\temp\prjtd3363sggir46swsejsr32w38.log (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\temp\prjtd3363sggir46swsejsr32w46.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\temp\rsyncini.exe (Trojan.Shutdowner) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\temp\~TM325.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\temp\~TM32D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\temp\~TM33C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\start menu\Programs\Startup\ihaupd32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\start menu\Programs\Startup\zqosys32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\net.net.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-8089803405-0220348405-000990652-4424\wnzip32.exe (Backdoor.SdBot) -> Delete on reboot.
c:\WINDOWS\system32\msncache.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xgwp.dll (Trojan.Downloader) -> Quarantined and deleted successfully.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/08/2009 at 00:05 AM

Application Version : 4.26.1004

Core Rules Database Version : 3960
Trace Rules Database Version: 1901

Scan type : Complete Scan
Total Scan Time : 02:05:20

Memory items scanned : 215
Memory threats detected : 3
Registry items scanned : 3997
Registry threats detected : 56
File items scanned : 35182
File threats detected : 29

Trojan.Agent/Gen
C:\WINDOWS\SYSTEM32\101402829.DLL
C:\WINDOWS\SYSTEM32\101402829.DLL
SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015
C:\AVENGER\WNZIP32.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\883.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\936.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\XVQBYFDH.EXE

Trojan.Agent/Gen-UPX
C:\WINDOWS\FONTS\SERVICES.EXE
C:\WINDOWS\FONTS\SERVICES.EXE

Adware.Vundo/Variant-MSFake
C:\WINDOWS\SYSTEM32\MSWINSCK.OCX
C:\WINDOWS\SYSTEM32\MSWINSCK.OCX

Adware.SysGuard/FakeAlert [LowRiskFileTypes]
C:\WINDOWS\SYSGUARD.EXE
C:\WINDOWS\SYSGUARD.EXE
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSGUARD.EXE.VIR

Trojan.Downloader-Gen/Win [ttool]
C:\WINDOWS\9129837.EXE
C:\WINDOWS\9129837.EXE

Rootkit.Mailer/Gen
HKLM\System\ControlSet001\Services\4b4595df
C:\WINDOWS\SYSTEM32\DRIVERS\4B4595DF.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_4b4595df
HKLM\System\ControlSet002\Services\4b4595df
HKLM\System\ControlSet002\Enum\Root\LEGACY_4b4595df
HKLM\System\controlset004\Services\4b4595df
HKLM\System\controlset004\Enum\Root\LEGACY_4b4595df
HKLM\System\CurrentControlSet\Services\4b4595df
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_4b4595df

Trojan.Downloader-Gen
HKLM\System\ControlSet001\Services\sopidkc
C:\WINDOWS\SYSTEM32\SOPIDKC.EXE
HKLM\System\ControlSet001\Enum\Root\LEGACY_sopidkc
HKLM\System\ControlSet002\Services\sopidkc
HKLM\System\ControlSet002\Enum\Root\LEGACY_sopidkc
HKLM\System\ControlSet003\Services\sopidkc
HKLM\System\ControlSet003\Enum\Root\LEGACY_sopidkc
HKLM\System\controlset004\Services\sopidkc
HKLM\System\controlset004\Enum\Root\LEGACY_sopidkc
HKLM\System\CurrentControlSet\Services\sopidkc
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_sopidkc

Trojan.Unknown Origin
HKU\S-1-5-21-776561741-1580436667-854245398-1003\Software\ColdWare

Rootkit.Unclassified/KR_Done
C:\WINDOWS\system32\kr_done1

Trojan.Unclassified/Cognac
HKU\S-1-5-21-776561741-1580436667-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Run#Cognac [ C:\DOCUME~1\Owner\LOCALS~1\Temp\e.exe ]
HKU\S-1-5-21-776561741-1580436667-854245398-1003\Software\Cognac

Trojan.Agent/Gen-SOPIDKC
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Services\sopidkc#Type
HKLM\SYSTEM\CurrentControlSet\Services\sopidkc#Start
HKLM\SYSTEM\CurrentControlSet\Services\sopidkc#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\sopidkc#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\sopidkc#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\sopidkc#ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\sopidkc\security
HKLM\SYSTEM\CurrentControlSet\Services\sopidkc\security#Security
HKLM\SYSTEM\CurrentControlSet\Services\sopidkc\Enum
HKLM\SYSTEM\CurrentControlSet\Services\sopidkc\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\sopidkc\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\sopidkc\Enum#NextInstance

Trojan.Agent/Gen-MSNCache
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000#DeviceDesc

Trojan.Hugipon
HKLM\System\CURRENTCONTROLSET\SERVICES\6TO4\Parameters
HKLM\System\CURRENTCONTROLSET\SERVICES\6TO4\Parameters#ServiceDll

Trojan.Smitfraud Variant-Gen/Bensorty
C:\AVENGER\GSF83IUJID.DLL
C:\WINDOWS\SYSTEM32\SDJEE3INF.DLL

Trojan.Agent/Gen-C15
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\BAHOU98B.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\HXHGCH.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\J1UKKBYGA9.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\OOMDVE9Z9 .EXE
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\QOH9I.EXE

Uncategorized.Unknown Origin
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\IZOHORE.BMP

Trojan.Unclassified/MSXML71
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\MSXML71.DLL

Trojan.Dropper/SVCHost-Fake
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\SVCHOST.EXE

Trojan.Downloader-Winlogon/FAS
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\WINLOGON.EXE

Trojan.Dropper/Win-NV
C:\WINDOWS\MSA.EXE
C:\WINDOWS\MSB.EXE

Trojan.Agent/Gen-FraudDrop
C:\WINDOWS\PP10 .EXE

Rootkit.Agent/Gen-FraudLoad-F
C:\WINDOWS\SYSTEM32\TPSAXYD.EXE

Trojan.Agent/Gen-WPV
C:\WINDOWS\TEMP\WPV161245771011.EXE

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49:30 AM, on 7/8/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\system32\proquota.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wpabaln.exe
C:\WINDOWS\fonts\services.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system32\mstdjzf.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\mscvwd.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Owner\nswgv.exe \s,C:\Documents and Settings\Owner\lpdeni.exe \s,
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [jnikjou] C:\WINDOWS\system32\jnikjou.exe \u
O4 - HKCU\..\Run: [] C:\DOCUME~1\Owner\LOCALS~1\Temp\oomdve9z9.exe
O4 - HKCU\..\Run: [hsf7husjnfg98gi498aejhiugjkdg4] C:\DOCUME~1\Owner\LOCALS~1\Temp\oomdve9z9.exe
O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\Owner\LOCALS~1\Temp\login.exe
O4 - HKCU\..\Run: [InetChk] C:\DOCUME~1\Owner\LOCALS~1\Temp\ms1246989706.exe work
O4 - HKCU\..\Run: [Owner] C:\Documents and Settings\Owner\Owner.exe /i
O4 - HKLM\..\Policies\Explorer\Run: [exec] C:\WINDOWS\system32\msykv.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [searching] Search from the Address bar
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Google Update Service (gupdate1c9c119864b630) (gupdate1c9c119864b630) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 4132 bytes
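The following script is an added example for this thread; it is not code from HijackThis, SUPERAntiSpyware or any of the posters. It automates the two checks the helper makes by eye: in #14 the spoolsv.exe, winlogon.exe and multiple svchost.exe instances are called legitimate, and the HJT log in #19 shows why the directory matters rather than the name (services.exe running from C:\WINDOWS\fonts, fake svchost.exe and winlogon.exe in Temp in the SAS log). It also flags the autorun locations in that log: O4 Run values pointing into Temp or a profile root, the extra Userinit executables, the win.ini load=/run= entries, the O23 services with no resolvable executable, and the DisableRegedit policy. The location heuristics and the "check ImagePath and ServiceDll" hint are this example's own assumptions, not HijackThis rules; SAMPLE_LOG is constructed from a subset of the posted HJT log, one entry per line as HijackThis writes them.

```python
"""Triage of a HijackThis-style log: an added example for this thread, not
code from HijackThis or from the posters.  It performs the two checks the
helper does by eye: core Windows process names must run from System32, and
autoruns must not point where legitimate programs never live.  The location
heuristics are this example's own assumptions, not HijackThis rules."""
import re
from pathlib import PureWindowsPath

# Processes XP runs only from %SystemRoot%\system32; several svchost.exe
# instances are normal (one per service group), the directory is what matters.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "spoolsv.exe"}
SYSTEM32 = "c:\\windows\\system32"
USERINIT = SYSTEM32 + "\\userinit.exe"       # the only legitimate Userinit entry
SUSPECT_FOLDERS = {"temp", "temporary internet files", "fonts", "recycler"}

ENTRY_RE = re.compile(r"^[A-Z]\d{1,2} - ")   # an HJT item such as "O4 - ..."
PATH_RE = re.compile(r"([A-Za-z]:\\[^,\[\]]*?\.(?:exe|dll|sys|ocx|scr|com))", re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
F_RE = re.compile(r"^F[23] - REG:(?P<file>\w+\.ini): (?P<key>\w+)=(?P<val>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def is_suspect_location(path):
    """True for an executable in a temp/cache/Fonts/RECYCLER folder, a drive
    root, or the root of a user profile."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    folders = parts[1:-1]                    # drop the drive and the file name
    if not folders:
        return True                          # e.g. c:\fdvjfx.exe
    if SUSPECT_FOLDERS & set(folders):
        return True
    return folders[0] == "documents and settings" and len(folders) == 2


def check_process(path):
    """Finding for one 'Running processes' line, or None if it looks normal."""
    p = PureWindowsPath(path)
    if p.name.lower() in CORE_PROCESSES and str(p.parent).lower() != SYSTEM32:
        return f"core process name outside System32: {path}"
    if is_suspect_location(path):
        return f"process running from a suspect location: {path}"
    return None


def triage(log_text):
    """Return the list of findings for one log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not ENTRY_RE.match(line):
            if PATH_RE.match(line) and (f := check_process(line)):
                findings.append(f)           # a 'Running processes' line
            continue
        if m := O4_RE.match(line):
            pm = PATH_RE.search(m["cmd"])
            if not m["name"].strip():
                findings.append(f"unnamed Run value: {m['cmd']}")
            elif pm and is_suspect_location(pm.group(1)):
                findings.append(f"autorun from suspect location: {m['cmd']}")
        elif m := F_RE.match(line):
            if m["key"].lower() == "userinit":
                for entry in m["val"].split(","):
                    pm = PATH_RE.search(entry)
                    if pm and pm.group(1).lower() != USERINIT:
                        findings.append(f"extra Userinit executable: {pm.group(1)}")
            elif m["val"].strip():           # win.ini load=/run= should be empty
                findings.append(f"win.ini {m['key']}= is set: {m['val']}")
        elif m := O23_RE.match(line):
            if not PATH_RE.search(m["path"]):
                findings.append(f"service with no resolvable executable (check ImagePath and ServiceDll): {m['desc']}")
        elif line.startswith("O7 -") and "DisableRegedit=1" in line:
            findings.append("registry editor disabled by policy")
    return findings


# Constructed sample: a subset of the posted HJT log, one entry per line.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\fonts\services.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\mstdjzf.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\mscvwd.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Owner\nswgv.exe \s,C:\Documents and Settings\Owner\lpdeni.exe \s,
O4 - HKCU\..\Run: [] C:\DOCUME~1\Owner\LOCALS~1\Temp\oomdve9z9.exe
O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\Owner\LOCALS~1\Temp\login.exe
O4 - HKCU\..\Run: [Owner] C:\Documents and Settings\Owner\Owner.exe /i
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Google Update Service (gupdate1c9c119864b630) (gupdate1c9c119864b630) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports ten findings: the services.exe copy in Fonts, the two win.ini entries, the two extra Userinit executables, the three Run values in Temp or the profile root, the regedit lockout, and BITS with no executable path. The benign entries (both svchost.exe copies in System32, HijackThis.exe, the Google service) produce nothing, which is the point: the name of a process tells you little, its path and the keys that launch it tell you a lot.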
#20
You need to stick with the instructions given by sjb007 until he gives you the all clear. I know it's frustrating and you want your computer back, but it can be just as frustrating for us when instructions aren't followed through and then someone comes back in even worse shape than when they left. We enjoy helping, but it is work reading all of these logs.