Help! Internet Mail is scanning emails I'm not sending

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-14 09:53 --------- d-----w C:\Program Files\中国建设银行
2008-02-22 11:47 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-02-22 11:47 --------- d-----w C:\Documents and Settings\TAM\Application Data\skypePM
2008-02-22 11:36 --------- d-----w C:\Program Files\Common Files\Skype
2008-02-05 09:14 --------- d-sh--w C:\Documents and Settings\All Users\Application Data\thunder_vod_cache
2008-02-05 09:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\vucache
2008-02-05 09:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Thunder Network
2008-02-05 09:12 --------- d-----w C:\Program Files\Thunder Network
2008-01-30 07:33 --------- d-----w C:\Program Files\Common Files\xing shared
2008-01-30 07:32 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-01-30 07:32 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-01-10 07:58 24,451 ----a-w C:\WINDOWS\scmctrl.dll
2007-12-31 11:56 297,984 ----a-w C:\WINDOWS\system32\msctf.dll
2007-10-16 04:54 441 ----a-w C:\Program Files\install_registry.reg.reg
2007-03-15 08:47 127,140 ------w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_15_16_26_04_small.dmp.zip
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\system32\15B63 ----

2008-03-22 07:16 785 --a------ C:\WINDOWS\system32\15B63\insatll.~tmp
2008-03-22 07:16 0 --a------ C:\WINDOWS\system32\15B63\incdown.txt

---- Directory of C:\WINDOWS\system32\drivers\pcihdd.sys ----

		C:\WINDOWS\system32\drivers\pcihdd.sys\360safe.\ 

------- Sigcheck -------

2007-10-31 01:20 360064 ef7834c1d9ddf4c7da697d8c24a03791 C:\WINDOWS\system32\drivers\tcpip.sys
2007-10-31 01:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
2005-05-26 03:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$hf_mig$\KB893066\SP2GDR\tcpip.sys
2005-05-26 03:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-14 01:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 20:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-31 00:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2005-05-26 03:41 339968 228b0385bbfca24332fa22db45a8b684 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 14:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-03-27_ 9.23.20.61 )))))))))))))))))))))))))))))))))))))))))
.

+ 2008-03-28 00:34:52 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_530.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-06-20 19:55 55296 C:\WINDOWS\SOUNDMAN.EXE]
"LaunchApp"="Alaunch"
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:32 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2003-03-31 12:00 44032]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-06-23 10:34 155648]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-07-25 04:49 151552]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-23 10:35 88267 C:\WINDOWS\AGRSMMSG.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-30 15:32 185896]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 21:00 79224]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-03-26 09:45 2957824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15:56 15360]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe"
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 13:45 36040]

[HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\run_CF]
"SoundMan"="SOUNDMAN.EXE"
"LaunchApp"="Alaunch"
"IMJPMIG8.1"=""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32"
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE"
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe"
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"Adobe Reader Speed Launcher"=""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe""
"TkBellExe"=""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot"
"advap32"="c:\xcvhcb.exe/r"
"NvGraphicsInterface"="C:\WINDOWS\system32\czorq.exe"
"Windows Defender"=""C:\Program Files\Windows Defender\MSASCui.exe" -hide"
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe"

[HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\run\360Disabled_CF]
"Local Security Authority Service"="rem C:\WINDOWS\system32\Isass.exe"
"Application Layer Gateway Service"="rem C:\WINDOWS\system32\algs.exe"

[HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\run\OptionalComponents_CF]
@=""

[HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL_CF]
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\run\OptionalComponents\MAPI_CF]
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\run\OptionalComponents\MSFS_CF]
"Installed"="1"
@=""

[HKEY_USERS\s-1-5-21-776561741-1078145449-854245398-1003\software\microsoft\windows\currentversion\run_CF]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe"

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BeoPlayer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BeoPlayer.lnk
backup=C:\WINDOWS\pss\BeoPlayer.lnkCommon Startup

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM~\startupfolder\C:^Documents and Settings^TAM^Start Menu^Programs^Startup^Tencent QQ.lnk]
path=C:\Documents and Settings\TAM\Start Menu\Programs\Startup\Tencent QQ.lnk
backup=C:\WINDOWS\pss\Tencent QQ.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Beoplayertray]
C:\Program Files\Bang & Olufsen\BeoPlayer\Beotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
-ra------ 2004-12-02 11:46 40960 C:\WINDOWS\VM_STI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-06-23 10:34 114688 C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
--a------ 2003-11-27 01:16 262144 C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2002-08-28 21:39 59392 C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2002-08-28 21:39 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2002-08-28 21:39 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-09-01 20:20 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Thunder]
--a------ 2008-01-15 15:42 40960 C:\Program Files\Thunder Network\Thunder\Thunder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-01-30 15:32 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"C:\Program Files\MSN Messenger\msnmsgr.exe"=
"C:\Program Files\MSN Messenger\livecall.exe"=
"C:\Program Files\TVAnts\Tvants.exe"=
"C:\Program Files\Messenger\MSMSGS.EXE"=
"C:\Program Files\Mozilla Firefox\firefox.exe"=
"C:\Program Files\Internet Explorer\iexplore.exe"=
"C:\Program Files\Real\RealPlayer\RealPlay.exe"=
"C:\Program Files\Skype\Phone\Skype.exe"=
"C:\Program Files\Thunder Network\Thunder\Program\Thunder5.exe"=
"C:\WINDOWS\system32\bxix.exe"=

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16606:TCP"= 16606:TCP:BitComet 16606 TCP
"16606:UDP"= 16606:UDP:BitComet 16606 UDP
"12037:TCP"= 12037:TCP:BitComet 12037 TCP
"12037:UDP"= 12037:UDP:BitComet 12037 UDP
"25389:TCP"= 25389:TCP:BitComet 25389 TCP
"25389:UDP"= 25389:UDP:BitComet 25389 UDP

R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-03-26 09:45]
R2 apcdli;apcdli;C:\Program Files\Microsoft Office\SYSTEM\apcdli.sys [2008-03-03 11:21]
S2 ntptdb;ntptdb;C:\Documents and Settings\All Users\Application Data\Microsoft\Office\SYSTEM\ntptdb.sys
S2 SystemLog;Windows System Event;C:\WINDOWS\TEMP\Servlee.ex
S3 aswArKrn;aswArKrn;C:\DOCUME~1\TAM\LOCALS~1\Temp\aswArKrn.sys
S3 ss_bus;Samsung Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2004-09-17 14:04]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2004-09-17 14:05]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2004-09-17 14:05]
S3 Symantec RemoteAssist;Symantec RemoteAssist;"C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe" [2008-01-29 16:09]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{000fe7b0-73a0-11db-a28d-00023f1a0857}]
\Shell\Auto\command - sxs2.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs2.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f01b2e40-46d6-11db-a212-00023f1a0857}]
\Shell\AutoRun\command - D:\mwtkwro.exe
\Shell\explore\Command - D:\mwtkwro.exe
\Shell\open\Command - D:\mwtkwro.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-28 01:46:10 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-03-28 01:38:02 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-28 09:43:25
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SystemLog]
"ImagePath"="C:\WINDOWS\TEMP\Servlee.ex"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.


.
Completion time: 2008-03-28 9:46:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-28 01:46:36
ComboFix2.txt 2008-03-27 01:24:06
.
2008-03-26 05:14:33 --- E O F ---
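As an added illustration (not part of this thread, and not code from ComboFix or any tool named here), the following Python script applies the kind of triage the helper does by eye on the Run keys, the 360Disabled key, the service list and the MountPoints2 entries in a log like the one above: executables sitting in a drive root or a TEMP folder, file names that imitate Windows system binaries (Isass.exe for lsass.exe, algs.exe for alg.exe), and per-drive AutoRun handlers. The sample lines are constructed from this log; the system-binary list, rule names and function names are my own assumptions.

```python
"""Triage helper for ComboFix-style log excerpts (added example, not from
the thread or from ComboFix). It flags the signals a helper reads off the
Run keys, the 360Disabled key, services and MountPoints2 entries."""
import re

# Windows XP system binaries that malware commonly imitates (assumed list).
KNOWN_SYSTEM_BINARIES = {"lsass.exe", "alg.exe", "svchost.exe", "csrss.exe",
                         "winlogon.exe", "explorer.exe", "services.exe"}

# Characters swapped for their look-alikes before comparing file names.
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "0": "o"})

# A Windows path ending in an executable-style extension. Switches glued to
# the name (c:\xcvhcb.exe/r) and ComboFix's "[date size]" suffix are left out.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\[\]]*?\.(?:exe|dll|sys|ex|com|scr|bat)\b",
                     re.IGNORECASE)
ROOT_RE = re.compile(r"[A-Za-z]:\\[^\\]+")            # X:\name, no subfolder
MOUNTPOINT_RE = re.compile(r"^\\Shell\\\w+\\command\s*-\s*(.+)$", re.IGNORECASE)

# Constructed sample, modelled on the sections of the log in this thread.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"advap32"="c:\xcvhcb.exe/r"
"NvGraphicsInterface"="C:\WINDOWS\system32\czorq.exe"

[HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\run\360Disabled_CF]
"Local Security Authority Service"="rem C:\WINDOWS\system32\Isass.exe"
"Application Layer Gateway Service"="rem C:\WINDOWS\system32\algs.exe"

R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-03-26 09:45]
S2 SystemLog;Windows System Event;C:\WINDOWS\TEMP\Servlee.ex

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{000fe7b0-73a0-11db-a28d-00023f1a0857}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs2.exe
\Shell\open\Command - D:\mwtkwro.exe
'''


def one_edit_away(a: str, b: str) -> bool:
    """True if a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1                      # a has an extra character
        elif len(b) > len(a):
            j += 1                      # a is missing a character
        else:
            i, j = i + 1, j + 1         # substitution
    return edits + (len(a) - i) + (len(b) - j) == 1


def lookalike_of(basename: str):
    """Return the system binary this file name imitates, or None."""
    name = basename.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None                     # the genuine name
    normalized = basename.translate(HOMOGLYPHS).lower()
    for known in sorted(KNOWN_SYSTEM_BINARIES):
        if normalized == known or one_edit_away(name, known):
            return known
    return None


def triage(log_text: str):
    """Return (rule, line) pairs for lines that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if MOUNTPOINT_RE.match(line):
            # A per-drive AutoRun/open/explore handler: the autorun.inf
            # infection family this thread cleans up.
            findings.append(("autorun-command", line))
            continue
        for path in PATH_RE.findall(line):
            basename = path.rsplit("\\", 1)[-1]
            if ROOT_RE.fullmatch(path):
                findings.append(("root-executable", line))
            if "\\TEMP\\" in path.upper():
                findings.append(("temp-executable", line))
            known = lookalike_of(basename)
            if known:
                findings.append(("lookalike-of-" + known, line))
    # Note: a random name in system32 (czorq.exe) is not caught by these
    # rules; that still needs the timestamp/size check a human does.
    return findings


def rules_for(findings, needle: str):
    """Set of rule names that fired on lines containing needle."""
    return {rule for rule, line in findings if needle in line}


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:24} {line}")
```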

Hi, we are gaining. There are some folders and reg entries that may be related to 360. I’m going to check that out.

What do you know about this? It’s an image of some kind on your desktop. If you placed it there that’s fine.

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/TAM/LOCALS~1/Temp/msoclip1/01/clip_image002.jpg

Let’s start cleaning some of the loose ends up.

For norton, click this link and download and run the tool for your version.

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

ZoneAlarmSB and 360free have been uninstalled via add/remove already?

Click the start button, click run, in the run box, copy and paste these lines, hitting enter after each one

sc stop SystemLog
sc delete SystemLog

We can start getting ready for the autorun infections also. I will need a list of all the drives you have, including fixed drives, USB drives, phones, etc. Any type of storage device that can be plugged in. I need the drive letters also. Thanks.

Download and Install Microsoft’s TweakUI: http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx

Obtain and install TweakUI (right hand panel, 147kb in size), and then start TweakUI.

Expand the My Computer branch, then the AutoPlay branch, and then select Drives.

Turn off the checkbox next to every drive letter to disable AutoPlay – except your CD/DVD drive letters

This will prevent autoruns from running on your computer. Make sure you uncheck all drive letters in the list, except your cd/dvd.

Open HJT, run a system scan only, check mark these lines if present

O23 - Service: Windows System Event (SystemLog) - Unknown owner - C:\WINDOWS\TEMP\Servlee.ex (file missing)

Close all other browsers/windows, click fix, close HJT.

Please follow all previous instructions regarding security programs.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File::
C:\WINDOWS\system32\bxix.exe
C:\WINDOWS\system32\resiifers.ini
C:\sxs2.exe
C:\WINDOWS\system32\sxs2.exe

DirLook::
C:\WINDOWS\system32\dnsq.dll
C:\WINDOWS\system32\wxptdi.sys
C:\WINDOWS\system32\fat32.sys
C:\WINDOWS\system32\drivers\usb32k.sys
C:\WINDOWS\system32\drivers\puid.sys
C:\WINDOWS\system32\drivers\phy.sys
C:\WINDOWS\system32\drivers\pcidisk.sys
C:\WINDOWS\system32\drivers\pcibus.sys
C:\WINDOWS\system32\drivers\msaclue.sys
C:\WINDOWS\system32\drivers\ati32srv.sys
C:\WINDOWS\system32\inf
C:\Program Files\mfvz

This will start ComboFix again. Close all browsers/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.

In your next reply, please include the answers to all the questions, the ComboFix log and a new HJT log.

You can attach the logs if you wish. Thanks

:smiley: yippee! I’m so glad to hear that.

OK. Here’s the info you require:

  1. Yes, the clip_image002.jpg is one I’ve placed on the desktop.
  2. Yes Zonealarm & 360Safe have already been removed via add/remove progs.
  3. Drives as follows:
    T: fixed local disk
    C: fixed local disk
    E: DVD drive
    D: erm, USB stuff usually uses this drive letter when I plug it in
    1GB flash memory stick/pen drive
    Samsung SGH-D508 mobile phone
    20GB Phillips MP3
    128MB Digital MP3

These are all the removable/plug in storage devices I use. I hope this is the info you need.

Done all the other stuff you asked me to do too.

Attached are the Combofix & HJT logs as requested.

Phew! Goodnight.

Hi, we got one file that keeps coming back. We’ll track down the source. :wink:

we have a driver to kill

Please follow all previous instructions regarding security programs.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

KillAll::

File::
C:\Program Files\Microsoft Office\SYSTEM\apcdli.sys
C:\Documents and Settings\All Users\Application Data\Microsoft\Office\SYSTEM\ntptdb.sys

Rootkit::
C:\Program Files\Microsoft Office\SYSTEM\apcdli.sys
C:\Documents and Settings\All Users\Application Data\Microsoft\Office\SYSTEM\ntptdb.sys

Driver::
apcdli
ntptdb

This will start ComboFix again. Close all browsers/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.

It may have injected this file.

Please submit these files for analysis

To submit a file to virustotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\WINDOWS\system32\winlogon.exe

scroll down a bit and click “send file”, wait for the results and post them in your next reply.

You have two folders I can’t read the names of. This is what I get in the logs. Can you please try to find them going by the time stamp?

2008-03-14 09:53 C:\Program Files\Öйú½¨ÉèÒøÐÐ
2008-03-14 17:53 C:\Program Files\Öйú½¨ÉèÒøÐÐ

And do you know what this is? It’s full of ini files

C:\Program Files\mfvz

We’ll work on the autoruns at the same time as removing some other things.

To help prevent future autorun infections.

Download this program, Flash Drive Disinfector by sUBs from

http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe

Without any usb devices attached, we want to protect your hard drives as best we can.

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

This utility will do a couple of things. First it will remove any autorun.inf it finds. There shouldn’t be one on a fixed HD anyway. There is no need for such a file on any removable storage device (iPod, USB flash drive, cell phone, etc.) as you can open these drives manually.

It will create a SYSTEM protected, read-only, and perfectly harmless Autorun.inf file on any hard drive or removable storage device it finds when run. This file will not only help prevent future autorun infections, it will disable any current Autorun infection’s ability to restart.

We will do your C:\, T:\ and one D:\ drive, so keep track of which drive you used. Plug it in before you run the following program.

Download “Clean Autoruns” from here:

http://forums.techguy.org/attachments/103397d1176780296/clean-autoruns.zip

Save and extract its contents to the desktop. It is a folder containing a Batch file, Clean autoruns.bat, Written by Mosaic1. Once extracted, open the folder and double click on the Clean autoruns.bat to run the fix.
If any autoruns are found, the fix will move them to a backup folder.
If any autoruns are found on the root of your drives, it will kill explorer so that the registry entries in the MountPoint(s) key are fixed.
It will produce two files, Part1.txt and Part2.txt , that will show the state before and after the cleaning.

Please post those.

Please download
OTMoveIt2 by OldTimer.

Save it to your desktop.

Please double-click OTMoveIt2.exe to run it.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


D:\autorun.inf
C:\mwtkwro.exe /s
D:\mwtkwro.exe /s
T:\mwtkwro.exe /s
C:\sxs2.exe /s
D:\sxs2.exe /s
T:\sxs2.exe /s
C:\WINDOWS\system32\mprmsgse.axz
C:\Program Files\Tencent
C:\Program Files\ZoneAlarmSB
C:\FOUND.000
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f01b2e40-46d6-11db-a212-00023f1a0857}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{000fe7b0-73a0-11db-a28d-00023f1a0857}

Return to OTMoveIt2, right click in the “Paste List Of Files/Patterns To Search For and Move” window (under the yellow bar) and choose Paste.

Click the red Moveit! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

NOTE: If OTMoveIt2 reboots before you can get the results, they can be found here:
C:\_OTMoveIt\MovedFiles\<date_time>.log
(where <date_time> is the date and time of the run)

Run flashdrive disinfector again with that drive still attached.

After reboot remove the usb drive and insert another and run this fix in OTMOVEIT2, remember in the box under the yellow bar.


D:\mwtkwro.exe /s
D:\sxs2.exe /s
D:\autorun.inf

Again run Flash Disinfector with the drive attached. Repeat with the last fix and Flash Disinfector until all D:\ storage devices are done. I know it’s a pain, but with the infection showing in D:, there’s no way of knowing which is infected. The drives should be protected anyway.

Finally, we need to look at your system from a slightly different angle.

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepads, main.txt and extra.txt. Please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

.
Log required:
OTMOVEIT2 results, you can put them together on one notepad, just leave a couple of spaces so I can tell each run.
Clean Autoruns logs 1 & 2
DSS logs
virustotal results
directory names

Thanks

oldman! I was dreaming the other night that I was in an elite group of virus hunters saving the world from a deadly computer virus… really!!

Back to reality: I think I’ve attached and covered all the things I needed to. If not it’s because my brain has been frazzled ???

C:\WINDOWS\system32\winlogon.exe
http://www.virustotal.com/analisis/ed6726c2dfa5cc59ed62fb2c333dd8ef
0/32 results

2008-03-14 09:53 C:\Program Files\Öйú½¨ÉèÒøÐÐ
2008-03-14 17:53 C:\Program Files\Öйú½¨ÉèÒøÐÐ
China Construction Bank security certificate installation – actually the folder is empty now. I can only find the 17.53 reference to it, there’s only one folder. Name is: 中国建设银行

C:\Program Files\mfvz
I have absolutely no idea what this file is!

I’ll put the 2 DSS logs in a new reply.

Awaiting the next move :slight_smile:

DSS and Combofix logs attached…

Looks like the autoruns have been taken care of. Sorry about the brain drain. I think we’re on the home stretch.

  • Can you have a look in this folder and see what this text file says?

C:\WINDOWS\system32\15B63\incdown.txt

  • If this folder is empty you can remove it.

2008-03-14 17:53:24 C:\Program Files\Öйú½¨ÉèÒøÐÐ

  • Some norton still running.

Uninstall

Symantec Technical Support Web Controls

Open task manager, click the process tab, find and end task these

ssrc.exe
ALUNotify.exe

Rerun the norton(Symantec) removal tool

  • Open HJT, run a system scan only, check mark these lines if present

O4 - HKUS\S-1-5-18..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User ‘SYSTEM’)
O8 - Extra context menu item: Send picture by MMS - C:\Program Files\Tencent\QQ\SendMMS.htm
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

Close all other browsers/windows, click fix, close HJT.

  • Please double-click OTMoveIt2.exe to run it.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


C:\Program Files\mfvz
C:\Program Files\360safe

Return to OTMoveIt2, right click in the “Paste List Of Files/Patterns To Search For and Move” window (under the yellow bar) and choose Paste.

Click the red Moveit! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

NOTE: If OTMoveIt2 reboots before you can get the results, they can be found here:
C:\_OTMoveIt\MovedFiles\<date_time>.log
(where <date_time> is the date and time of the run)

  • Let’s get a fresh copy of ComboFix. Please delete ComboFix from your desktop and download a new one, then carry on.

Please follow all previous instructions regarding security programs.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File::
C:\WINDOWS\system32\sed.exe
C:\WINDOWS\system32\mprmsgse.axz
C:\Documents and Settings\TAM\Start Menu\Programs\Startup\Tencent QQ.lnk

DirLook::
C:\WINDOWS\SxsCaPendDel

Folder::
C:\WINDOWS\system32\dnsq.dll
C:\WINDOWS\system32\wxptdi.sys
C:\WINDOWS\system32\fat32.sys
C:\WINDOWS\system32\drivers\usb32k.sys
C:\WINDOWS\system32\drivers\puid.sys
C:\WINDOWS\system32\drivers\phy.sys
C:\WINDOWS\system32\drivers\pcihdd.sys
C:\WINDOWS\system32\drivers\pcidisk.sys
C:\WINDOWS\system32\drivers\pcibus.sys
C:\WINDOWS\system32\drivers\msaclue.sys
C:\WINDOWS\system32\drivers\ati32srv.sys

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^TAM^Start Menu^Programs^Startup^Tencent QQ.lnk]

This will start ComboFix again. Close all browsers/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.

I will need OTMOVEIT2 results, combofix log and HJT log.

info about the text file.

Hi oldman,

C:\WINDOWS\system32\15B63\incdown.txt
This text file is empty.

Moveit Report:

[Custom Input]
< C:\Program Files\mfvz >
C:\Program Files\mfvz\piyclex moved successfully.
C:\Program Files\mfvz\ohxb\3144 moved successfully.
C:\Program Files\mfvz\ohxb\3217 moved successfully.
C:\Program Files\mfvz\ohxb moved successfully.
C:\Program Files\mfvz\piyc moved successfully.
C:\Program Files\mfvz\haqu moved successfully.
C:\Program Files\mfvz moved successfully.
< C:\Program Files\360safe >
C:\Program Files\360safe\hotfix moved successfully.
C:\Program Files\360safe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 04022008_093635

One other slightly weird thing that has happened. After the last combofix and reboot, the little avast! icon has gone from my tray, and I can’t get it back. I rebooted my pc again but it hasn’t returned. I know they’re still running, but I can’t see/access the scanners. Do you know why?

OK, new HJT and Combofix logs attached too. Looking better now ? :slight_smile:

Yes, it is looking better.

Ashdisp (avast icon) does that sometimes. We didn’t remove anything related to avast.

You can try a repair of avast.

Go to add/remove programs, click on avast. Click uninstall/remove. On the next screen, scroll down to repair. Click repair.

Reboot.

If the icon isn’t there, make a shortcut to it on your desktop. You can start it from there, but you will have to do it each time you start your computer. We will resolve this afterwards if the repair doesn’t cure it. (You could also add the shortcut to your start up folder, that way it will start from there.)

Open windows explorer, navigate to this folder

C:\Program Files\Alwil Software\Avast4

In the right hand panel locate ashdisp.exe, right click it and select “Send to”, then select “Desktop (create shortcut)”.

Open HJT, run a system scan only, check mark these lines if present

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab

Close all other browsers/windows, click fix, close HJT.

In Otmoveit2 remove these.

C:\WINDOWS\system32\dnsq.dll
C:\WINDOWS\system32\15B63

Please submit these files for analysis

To submit a file to virustotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\WINDOWS\scmctrl.dll

scroll down a bit and click “send file”, wait for the results and post them in your next reply.

I’ve got a couple of reg entries to check out and that should be it hopefully.

avast! icon is back and I’ve put the shortcut on my desktop in case it happens again, thanks.

http://www.virustotal.com/analisis/008ab1e09c0ad2c09639b5a61e1a8bff
results for C:\WINDOWS\scmctrl.dll file.

Because of the type of infection you had (file infector), it may be possible that there are some infected files. After you finish the steps here, please go to this link and do an online scan.

http://www.kaspersky.com/virusscanner

It will only report infected files, which is good, in case we have to replace some important files. Make sure you save the log and post it in your next reply. You will have to pause/stop avast’s standard shield during the scan. Don’t forget to turn it back on again after.

I’d like to investigate that file a little more.

  • Open windows explorer

At the top of windows explorer, click tools, folder options, click the
view tab

check Display the contents of system folders
check Show hidden files and folders
uncheck “Hide extensions for known file types” box
uncheck “Hide protected operating system files” box

Click apply, click ok.

Navigate to this folder

C:\WINDOWS

Right click this file scmctrl.dll , click properties

Please post all the info you can find on all the tabs.

note: the download links are server1,server2, server3

Start ERUNT, confirm the Welcome message.

Type in the name of a restore folder where the backed up registry
files should be saved, or click “…” to browse your computer’s drives
and select a folder. You can also simply leave the default, which is a
folder named ERDNT inside your Windows folder, the advantage being
that you have access to this folder from the Windows Recovery Console
in case Windows does not boot anymore.

Next, select the backup options:

  • System registry:

  • Current user registry:

  • Other open user registries:

Click “OK” and wait until the backup process is complete. (Note that
depending on your system configuration this may take some time, and
that the first bar is NOT a progress bar, just an indicator that the
program is still running.) The ERDNT program for later restoration of
the registry is automatically copied to the restore folder.

WARNING these fixes are designed for this user only and may cause damage if run on an uninfected machine

REGISTRY FIX

REGEDIT4

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run_CF]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run_CF]
[-HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\run\360Disabled_CF]
[-HKEY_USERS\s-1-5-21-776561741-1078145449-854245398-1003\software\microsoft\windows\currentversion\run_CF]

[HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
@=""

Next you will need to create the repair registry fix. To do that, copy and paste ALL of the above in the quote box into a Notepad file. Ensure there is no space above the REGEDIT4.
Then in Notepad go to FILE > SAVE AS and in the dropdown box, set the top box SAVE IN to DESKTOP

Then in the FILE NAME box type (including the " " marks), "fix.reg"

Click save.

This will create a fix.reg file on your desktop
http://img127.imageshack.us/img127/433/regtg8.jpg

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

    • Click start button, run, then copy and paste the following line into the box and click ok.

Combo-Fix /u

  • Open OTMOVEIT2 then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

  • Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
    If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

  • Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, then click Create.

  • Remove old restore points
  • Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.

I will “talk” to you after the scan.
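A quick way to find the "important files" the Kaspersky scan might turn up, added here as an example (not oldman's code and not part of ComboFix, Kaspersky or any other tool in this thread): a file infector patches the live copy of a system file in system32, but the Windows File Protection cache copy in system32\dllcache usually survives untouched, so hashing each live file against its cache copy shows which ones have been tampered with. The file names in demo() are borrowed from this thread; the bytes are constructed and stand in for real Windows files only so the script can run anywhere.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def md5_of(path: Path) -> str:
    """MD5 of a file, read in 1 MiB chunks (MD5 is what Sigcheck-style log
    output reports, which makes the values easy to compare by eye)."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_with_dllcache(system32: Path) -> dict[str, tuple[str, str]]:
    """Hash every file in system32 that also has a copy in system32\\dllcache.

    Returns {filename: (md5_of_live_copy, md5_of_cache_copy)} for the files
    whose contents differ; a clean system returns {}.  Files present in only
    one of the two directories are skipped: dllcache holds a subset of the
    protected files, so a missing cache copy is not by itself suspicious.
    """
    cache = system32 / "dllcache"
    mismatches: dict[str, tuple[str, str]] = {}
    if not cache.is_dir():
        return mismatches
    for live in sorted(system32.iterdir()):
        cached = cache / live.name
        if not (live.is_file() and cached.is_file()):
            continue
        live_md5, cache_md5 = md5_of(live), md5_of(cached)
        if live_md5 != cache_md5:
            mismatches[live.name] = (live_md5, cache_md5)
    return mismatches


def demo() -> dict[str, tuple[str, str]]:
    """Run the check against a constructed sample tree (not real Windows
    files; the names come from this thread, the bytes are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        system32 = Path(tmp) / "system32"
        cache = system32 / "dllcache"
        cache.mkdir(parents=True)
        clean = b"MZ" + b"\x00" * 100
        # Identical live and cache copies: not reported.
        (system32 / "msctf.dll").write_bytes(clean)
        (cache / "msctf.dll").write_bytes(clean)
        # Same size, different bytes: the pattern a file infector leaves,
        # because it patches the file in place and keeps the size intact.
        (system32 / "tcpip.sys").write_bytes(b"MZ" + b"\x90" * 100)
        (cache / "tcpip.sys").write_bytes(clean)
        # Live copy with no cache counterpart: skipped, not flagged.
        (system32 / "scmctrl.dll").write_bytes(b"MZ" + b"\x41" * 50)
        return compare_with_dllcache(system32)


if __name__ == "__main__":
    for name, (live_md5, cache_md5) in demo().items():
        print(f"{name}: live {live_md5} != dllcache {cache_md5}")
```

On a real XP box you would call compare_with_dllcache(Path(r"C:\WINDOWS\system32")) instead of demo(). A mismatch only says the two copies differ; a legitimate hotfix can also leave them out of step, so treat the list as the set of files to check against a known-good copy rather than as proof of infection.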

Good evening oldman,

Here is the info on scmctrl.dll
Only General Properties Tab
Type: Application extension
Opens with unknown extension
Location: C:\Windows
Size: 23.8KB
Size (on disc): 32.0KB
Created: 10 January 2008 15.58.55
Modified: 10 January 2008 15.58.56
Accessed: 3 April 2008
Attributes: Archive

I attach 2 files from Kaspersky because I ran 2 scans… I think I probably doubled up the information. If it helps: K2 is the scan of all my drives. K1 is the scan of the “Critical areas”.

I also ran a scan on the memory but that was completely clean.

Also I can’t uninstall Combo-Fix using your method. :-\ Perhaps I didn’t rename the file when I downloaded it the second time? I can’t remember. Anyway, Windows just says it can’t find the file. Can I just delete it from my desktop, or do I need to do something special? Sorry for the dumb question. Please advise.

I’ll await your guidance re: the Kaspersky findings… :slight_smile:

Any problems?

Well, I think we may have reached the end of the road.

One little reg fix and a possible safe mode repair.

re combofix.

Combofix was renamed according to the log. Yes you can delete it from your desktop. Also look for this folder c:\qoobox , delete the entire folder. It belongs to combofix.

This regfix is just to remove a key in your safe boot. SDFix removed the file. After the regfix, try to boot to safe mode. I will give you the link for safe mode fix just in case you need it.

Download & run this tool > SafeBootKeyRepair-CF http://www.techsupportforum.com/sectools/sUBs/SafeBootKeyRepair-CF.exe

WARNING these fixes are designed for this user only and may cause damage if run on an uninfected machine

REGISTRY FIX

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hmp37.sys]

Next you will need to create the repair registry fix. To do that, copy and paste ALL of the above in the quote box into a Notepad file. Ensure there is no space above the REGEDIT4.
Then in Notepad go to FILE > SAVE AS and in the dropdown box, set the top box SAVE IN to DESKTOP

Then in the FILE NAME box type (including the " " marks), "fix.reg"

Click save.

This will create a fix.reg file on your desktop
http://img127.imageshack.us/img127/433/regtg8.jpg

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

Since we couldn’t determine anything definitive about C:\WINDOWS\scmctrl.dll, I think the best thing to do is move it to the chest for safe keeping.

Open the avast chest, click on the users button. Right click in the window and select add. In the browse box that appears, navigate to

C:\WINDOWS\scmctrl.dll

click Open. That box should close. Make sure the file is in the chest, then close the chest. In Windows Explorer, navigate to the file and delete it. If something doesn’t seem to work quite right or you receive an error, you can restore it from the chest. But make sure your safe mode is working first before you do anything with this file. It will make it easier to troubleshoot.

Since we cleaned up already, there’s just some updates to do.

  • in add/remove program uninstall

Kav online scan
Malwarebytes’

Click the download button on the right.

If the Information Bar pops up, right-click on it and say it’s OK to display the blocked content.

You do not have to install the Java Web Start ActiveX Control

Accept the license agreement > Click on Windows (XP, Vista, etc.) Offline Installation, Multi-language and Save the file jre-6u5-windows-i586-p.exe to your desktop; do not Run it. Do not install it yet.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

Are you using Zone alarm for a firewall? If not read on

  • If you are using windows firewall, please note that it doesn’t provide outbound protection. A third party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0

or

http://forum.avast.com/index.php?topic=33530.0
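Both registry fixes in this thread (the Run_CF/OptionalComponents fix and the SafeBoot fix) come with the warning that they are for this user only, and the reason is that a single "-" in front of a key deletes the whole key. The script below, added here as an example (not oldman's code and not part of ERUNT, regedit or any tool mentioned in the thread), reads a fix in the REGEDIT4 format used above and lists key deletions, value deletions and value assignments separately, so you can confirm that a fix does exactly what the helper said (for example, that the SafeBoot fix removes one key and nothing else) before right-clicking Merge. SAMPLE_FIX is a constructed file that combines lines from both fixes; SENSITIVE_PREFIXES is an assumed list seeded with the SafeBoot branch the thread discusses.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: lines from the two fixes in this thread, joined into
# one file so that both delete and set operations appear.
SAMPLE_FIX = """REGEDIT4

[-HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run_CF]
[-HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\Hmp37.sys]

[HKEY_LOCAL_MACHINE\\Software\\microsoft\\windows\\currentversion\\run\\OptionalComponents\\MAPI]
"NoChange"="1"
"Installed"="1"
@=""
"""

# Branches where a deletion can cost you Safe Mode or a bootable machine.
# Assumed starting list (only the SafeBoot branch comes from this thread);
# extend it for your own environment.
SENSITIVE_PREFIXES = (
    "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\",
)

_KEY_LINE = re.compile(r"^\[(-?)([^\]]+)\]$")
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


@dataclass
class RegPlan:
    """What merging the file would do, in the order the lines appear."""
    deleted_keys: list[str] = field(default_factory=list)
    deleted_values: list[tuple[str, str]] = field(default_factory=list)
    set_values: list[tuple[str, str, str]] = field(default_factory=list)


def parse_reg(text: str) -> RegPlan:
    # Forum software turns straight quotes into curly ones and regedit
    # rejects those, so straighten them instead of failing on a pasted fix.
    text = text.replace("\u201c", '"').replace("\u201d", '"')
    lines = text.splitlines()
    # The instructions insist on nothing above REGEDIT4: regedit reads the
    # header from the first line and refuses the file otherwise.
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("first line must be REGEDIT4 (no blank line above it)")
    plan = RegPlan()
    current: str | None = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key_match = _KEY_LINE.match(line)
        if key_match:
            minus, key = key_match.groups()
            if minus:
                plan.deleted_keys.append(key)
                current = None          # values under a deleted key are ignored
            else:
                current = key
            continue
        value_match = _VALUE_LINE.match(line)
        if value_match and current is not None:
            name = "@" if value_match.group(2) else value_match.group(1)
            data = value_match.group(3).strip()
            if data == "-":
                plan.deleted_values.append((current, name))
                continue
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1]       # plain string; dword:/hex: left as-is
            plan.set_values.append((current, name, data))
            continue
        raise ValueError(f"cannot parse line: {raw!r}")
    return plan


def sensitive_deletions(plan: RegPlan) -> list[str]:
    """Deleted keys under a branch that deserves a second look before merging."""
    prefixes = tuple(p.upper() for p in SENSITIVE_PREFIXES)
    return [k for k in plan.deleted_keys if k.upper().startswith(prefixes)]


if __name__ == "__main__":
    plan = parse_reg(SAMPLE_FIX)
    print("keys to delete:", *plan.deleted_keys, sep="\n  ")
    print("values to set:", *plan.set_values, sep="\n  ")
    print("check before merging:", *sensitive_deletions(plan), sep="\n  ")
```

To preview a real fix, read the fix.reg from your desktop into parse_reg() instead of SAMPLE_FIX. The parser deliberately raises on anything it does not understand rather than skipping it, because a line regedit would silently ignore is exactly the line you want to look at; and a SafeBoot deletion showing up in sensitive_deletions() is the cue to have the ERUNT backup done and the SafeBootKeyRepair tool to hand before merging.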

Hi oldman,

Everything is fine. Finished off the last few steps and everything looks great. I’ll check out the firewalls threads and get one installed.

Thanks is a little word that means big things, so my very biggest thanks for all the help, speedy answers, and solutions. As much as having a virus can be a pleasure… it’s been one!! You’ve been brilliant ;D

Thanks also to Tech and CharleyO for looking in on me in the beginning.

Yiippppeeeee :smiley:

You’re welcome. Take care and keep safe.

You’re welcome. Feel free to come back any time you need help or just to change experiences 8)


Yes, you are most welcome, chinaT. We are glad to help when we can. :slight_smile:

Please come back often, learn more, and maybe help others.