I have tried...Everything. 

system · 2007-10-09T19:13:57.000Z

SORRY FOR THE LONG POST BUT YOU HAVE NO IDEA HOW MUCH I WOULD APPRECIATE IT IF YOU SPEND SOME OF YOUR TIME WITH THIS.

Hello…Professionals.

2 Weeks ago, my McAfee Security center license expired.
Like many, I look for a free alternative. Looked up top rated anti-virus software. I found Avast!
(dont worrie, this wount be my life story)
So
only a day later, Avast! detects a Trojan, it had the name Win32:???[trj] I ask it to move it to chest, , then, from there, every day I would get the same warning message over and over, different name, sometimes it would say [Morphine]/[UPX]

I scanned my computer, it found nothing, I tried aloooot of things.

after a couple of days, I got this PopUp for WinAntiVirus2007. I knew it was a scam, so I didnt even bother to read anything and I got in a state of panic “how did I get a non-browser popup…I just used my credit card 10 days ago…etc”

I added the site to the URL blocked list. … . The popup still comes of cource, around once every 5 hours…I think only when I am working on it (Perhaps it gets some of the keywords I type…?)

I did some research, turned off system restore, deleted temporary files (IE and non IE) …

Then I did the Windows Live OneCare online scan. I heared it finds things better than anything,

It found 2. I dont remember the names unfortunatly.

I “removed” them…

Next day, I am scanning my computer with Avast! and it finds the Win32…etc… Now…still in Local~/Temp

I went there, tried to delete everything, one of the .tmp files was unable to be deleted because a program is “using it”

–

Now, I just scanned my computer with the online OneCare scanner again, and it found nothing…I didnt have that popup for more than 20 hours…I finally thought it was gone…
But JUST NOW I had it!!!

Forgot to mention, I have used these programs:

[NEW means I got it after the virus was detected]

AdAware SE Free edition
SpyBot S&D
Spyware Blaster
Avast! Free Ed. (yes, updated) [Semi-New]
AVG anti-spyware 2007 - Trial [New] {detected 3 viruses, but they were in archives that were never extracted or never used}
AdAware 2007 [New]

and others that such as firefox extensions…etc

Like I said, I did some Research; I know now that every situation is a little different, and I know that for you to help me I’ll have to download some things like HiJackThis. Which is downloading now…I’ll edit this soon.

THANK YOU.

{even if you don’t help}

See Log below, too much characters

essexboy · 2007-10-09T19:20:40.000Z

I will have a look as the wife has pinched the telly and I do not have a book to read at the moment ;D

system · 2007-10-09T19:29:57.000Z

HiJackThis Log (v1.99)

The log is more than 1000 characters, so I attached it in a notepad file.

{Note: PSU is Penn State University - a week before this happened, I changed my network connection and added aset.psu.edu in order to access my University Folder. }

essexboy · 2007-10-09T19:33:19.000Z

For some reason I cannot download the file could you split it into multiple posts for me

system · 2007-10-09T19:48:24.000Z

Logfile of HijackThis v1.99.1
Scan saved at 3:19:10 PM, on 10/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\PROGRA~1\Dell\QuickSet\quickset.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\PacSteam\Steam.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
e

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.psu.edu/ouic/uport/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = N
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM..\Run: [ISUSPM Startup] “C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe” -startup
O4 - HKLM..\Run: [ISUSScheduler] “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start
O4 - HKLM..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe”
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM..\Run: [Dell QuickSet] C:\PROGRA~1\Dell\QuickSet\quickset.exe
O4 - HKLM..\Run: [Windows Defender] “C:\Program Files\Windows Defender\MSASCui.exe” -hide
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

system · 2007-10-09T19:48:50.000Z

essexboy · 2007-10-09T20:01:00.000Z

You have a possible Smitfraud there based on the lack of 02’s but nothing else is showing

Download ComboFix from Here or Here to your Desktop.

[*]Double click combofix.exe and follow the prompts.
[*]When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix’s window while its running. That may cause it to stall

If you could multi post again please

system · 2007-10-09T20:08:13.000Z

Ok. Scanning

I’ll edit this and post it and a new HiJackThis log scan.

Trojan Found:
C:\ComboFix\Cfiles.dat
Win32:Dadobra-EY [trj]

essexboy · 2007-10-09T20:18:06.000Z

C:\ComboFix\Cfiles.dat false positive this is a good file

system · 2007-10-09T20:58:18.000Z

Part1 Combo Fix - I changed my name to “Name” in all instances.

ComboFix 07-10-09.3 - Name 2007-10-09 16:34:09.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.436 [GMT -4:00]
Running from: C:\Documents and Settings\Name\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Documents and Settings\Name\Desktop\internet.lnk
C:\WINDOWS\msnimport.exe
C:\WINDOWS\system32\components
C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\wybeg.bak1
C:\WINDOWS\system32\wybeg.bak1
C:\WINDOWS\system32\wybeg.bak2
C:\WINDOWS\system32\wybeg.bak2
C:\WINDOWS\system32\wybeg.ini
C:\WINDOWS\system32\wybeg.ini

.
((((((((((((((((((((((((( Files Created from 2007-09-09 to 2007-10-09 )))))))))))))))))))))))))))))))
.

2007-10-09 16:05 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-08 18:37 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-07 17:32 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-10-07 17:32 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-10-07 17:32 d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2007-10-07 17:32 d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2007-10-07 17:32 d-------- C:\Documents and Settings\Administrator\Application Data\Corel
2007-10-07 17:32 d-------- C:\Documents and Settings\Administrator\Application Data\Corel
2007-10-07 16:56 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-07 15:05 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-07 15:00 d-------- C:\Documents and Settings\Name\Application Data\Business Logic
2007-10-07 14:59 d-------- C:\Program Files\blcorp
2007-10-05 13:55 d-------- C:\WINDOWS\CCBAA1F7E5E148B29ED9A79C6A37CE78.TMP
2007-10-04 07:25 d-------- C:\Program Files\SystemRequirementsLab
2007-10-04 07:25 d-------- C:\Documents and Settings\Name\Application Data\SystemRequirementsLab
2007-10-03 23:30 d-------- C:\Program Files\Lavalys
2007-10-03 20:29 d-------- C:\Program Files\YourWare Solutions
2007-09-30 17:04 d-------- C:\Documents and Settings\Name\dwhelper
2007-09-27 23:18 d-------- C:\Program Files\Apple Software Update
2007-09-16 22:54 d-------- C:\Program Files\MSECache
2007-09-13 22:55 d-------- C:\Program Files\Webcam Simulator
2007-09-13 22:55 10,624 --a------ C:\WINDOWS\system32\drivers\vcam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-03 10:38 --------- d-----w C:\Program Files\Common Files\Thraex Software
2007-11-03 00:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Insight Software Solutions
2007-11-02 21:44 --------- d-----w C:\Program Files\Alwil Software
2007-10-09 11:40 --------- d-----w C:\Program Files\Windows Live Safety Center
2007-10-09 09:12 --------- d-----w C:\Program Files\ShadowScan
2007-10-09 09:12 --------- d-----w C:\Program Files\DIGStream
2007-10-09 04:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-10-08 23:40 --------- d-----w C:\Documents and Settings\Name\Application Data\SiteAdvisor
2007-10-07 20:56 --------- d-----w C:\Program Files\Lavasoft
2007-10-07 19:42 --------- d-----w C:\Program Files\AV Vcs 5.5
2007-10-07 18:41 --------- d-----w C:\Program Files\SpywareBlaster
2007-10-07 10:56 --------- d–h–w C:\Program Files\InstallShield Installation Information
2007-10-07 10:56 --------- d-----w C:\Program Files\Image-Line
2007-10-06 19:29 --------- d-----w C:\Program Files\TVU Player
2007-10-05 22:14 --------- d-----w C:\Documents and Settings\Name\Application Data\WireKeys
2007-10-04 01:53 --------- d-----w C:\Program Files\PhoTags Express
2007-10-04 01:51 --------- d-----w C:\Program Files\VstPlugins
2007-10-04 01:48 --------- d-----w C:\Program Files\Microsoft Games
2007-10-04 01:47 --------- d-----w C:\Program Files\WarRock
2007-09-29 20:08 --------- d-----w C:\Program Files\Valve
2007-09-28 04:15 --------- d-----w C:\Documents and Settings\Name\Application Data\Ruckus Network
2007-09-12 00:25 --------- d-----w C:\Program Files\Ruckus Player
2007-09-08 18:49 --------- d-----w C:\Documents and Settings\Name\Application Data\dvdcss
2007-09-08 12:59 --------- d-----w C:\Program Files\SiteAdvisor
2007-09-06 10:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05 92,848 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-05 11:18 --------- d-----w C:\Program Files\SealedMedia
2007-09-05 11:18 --------- d-----w C:\Documents and Settings\Name\Application Data\SealedMedia
2007-08-30 05:11 --------- d-----w C:\Program Files\Folder Lock
2007-08-29 17:16 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2007-08-29 02:15 --------- d-----w C:\Program Files\BitComet
2007-08-28 22:37 --------- d-----w C:\Program Files\Covey Inc
2007-08-27 23:20 --------- d-----w C:\Program Files\Adcallscorporate
2007-08-20 16:50 --------- d-----w C:\Program Files\Total Video Converter
2007-08-18 04:21 --------- d-----w C:\Program Files\Riva
2007-08-18 04:21 --------- d-----w C:\Program Files\Common Files\SWF Studio
2007-08-13 15:50 --------- d-----w C:\Documents and Settings\Name\Application Data\vlc
2007-08-13 15:49 --------- d-----w C:\Program Files\VideoLAN
2007-08-10 22:48 --------- d-----w C:\Program Files\New Folder
2007-07-09 13:54 22 ----a-w C:\ur.dat
2007-06-18 23:31 251 ----a-w C:\Program Files\wt3d.ini
2007-03-24 12:56 8 ----a-w C:\Documents and Settings\Name\Application Data\usb.dat.bin
2006-07-23 03:20 1,974,352 ----a-w C:\Program Files\VisualBoyAdvance.exe
2006-05-23 22:51 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2006-10-26 23:16:37 8 --sh–r C:\WINDOWS\system32\6618C5C771.sys
2007-06-18 23:26:17 56 --sh–r C:\WINDOWS\system32\B79B2158C1.sys
2006-06-22 03:33:02 88 --sh–r C:\WINDOWS\system32\C158219BB7.sys
2007-06-18 23:26:17 4,704 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

system · 2007-10-09T20:59:16.000Z

Part2 Combofix

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ehTray”=“C:\WINDOWS\ehome\ehtray.exe” [2005-09-29 15:01]
“SynTPEnh”=“C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [2005-11-29 05:56]
“IntelWireless”=“C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe” [2004-10-30 15:59]
“SigmatelSysTrayApp”=“stsystra.exe” [2005-09-10 00:19 C:\WINDOWS\stsystra.exe]
“ISUSPM Startup”=“C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe” [2005-06-10 11:44]
“ISUSScheduler”=“C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” [2005-06-10 11:44]
“DLA”=“C:\WINDOWS\System32\DLA\DLACTRLW.EXE” [2005-09-08 06:20]
“CoolSwitch”=“C:\WINDOWS\system32\taskswitch.exe” [2002-03-19 17:30]
“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe” [2007-07-12 04:00]
“WinPatrol”=“C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe” [2006-07-20 21:38]
“SiteAdvisor”=“C:\Program Files\SiteAdvisor\6172\SiteAdv.exe” [2006-10-02 15:09]
“Dell QuickSet”=“C:\PROGRA~1\Dell\QuickSet\quickset.exe” [2006-04-06 15:58]
“Windows Defender”=“C:\Program Files\Windows Defender\MSASCui.exe” [2006-11-03 19:20]
“QuickTime Task”=“C:\Program Files\QuickTime\QTTask.exe” [2007-06-29 06:24]
“igfxtray”=“C:\WINDOWS\system32\igfxtray.exe” [2006-09-15 16:53]
“igfxhkcmd”=“C:\WINDOWS\system32\hkcmd.exe” [2006-09-15 16:50]
“igfxpers”=“C:\WINDOWS\system32\igfxpers.exe” [2006-09-15 16:54]
“Broadcom Wireless Manager UI”=“C:\WINDOWS\system32\WLTRAY.exe” [2006-11-01 12:48]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-09-06 06:06]
“!AVG Anti-Spyware”=“C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” [2007-06-11 05:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“MsnMsgr”=“C:\Program Files\MSN Messenger\MsnMsgr.exe” [2007-01-19 13:54]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-10 06:00]
“ScreenHunter 4.0 Free”=“C:\Program Files\Wisdom-soft ScreenHunter\ScreenHunter.exe” [2003-02-22 16:25]
“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2007-07-16 21:18]

[HKEY_USERS.default\software\microsoft\windows\currentversion\run]
“DWQueuedReporting”=“C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe” -t

C:\Documents and Settings\Name\Start Menu\Programs\Startup
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe [2007-07-20 13:57:16]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-05-26 02:42:34]
VPN Client.lnk - C:\WINDOWS\Installer{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2007-07-09 17:41:01]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
“InstallVisualStyle”=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
“InstallTheme”=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
“DisableRegistryTools”=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
“NoCookiesForDCFTA”=E<60

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2005-01-31 16:13 49152 C:\PROGRA~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winysd32]
winysd32.dll

R2 VCAM;Webcam Simulator;C:\WINDOWS\system32\DRIVERS\vcam.sys
R2 windrvNT;windrvNT;??\C:\WINDOWS\system32\windrvNT.sys
R3 vgadrv;vgadrv;C:\WINDOWS\system32\DRIVERS\vgadrv.sys
R3 WinDriver6;WinDriver6;C:\WINDOWS\system32\drivers\windrvr6.sys
S3 scrcap;scrcap;C:\WINDOWS\system32\DRIVERS\scrcap.sys
S3 SNDP610;Dual Mode Camera;C:\WINDOWS\system32\DRIVERS\sndp610.sys
S4 0035991173529615mcinstcleanup;McAfee Application Installer Cleanup (0035991173529615);C:\WINDOWS\TEMP\003599~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command

.
Contents of the ‘Scheduled Tasks’ folder
“2007-10-09 17:37:16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job”
“2007-10-05 09:59:12 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (DH6M12B1-Name).job”

c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
“2007-10-09 20:50:13 C:\WINDOWS\Tasks\MP Scheduled Scan.job”
C:\Program Files\Windows Defender\MpCmdRun.exe
.

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-09 16:48:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

disk error: C:\WINDOWS\

.
Completion time: 2007-10-09 16:51:30 - machine was rebooted
C:\ComboFix-quarantined-files.txt … 2007-10-09 16:50
.
— E O F —

END - COMBOFIX

system · 2007-10-09T21:02:57.000Z

Begin - New HiJackThis Part 1
Logfile of HijackThis v1.99.1
Scan saved at 5:00:16 PM, on 10/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\PROGRA~1\Dell\QuickSet\quickset.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Name\My Documents\Setup-Installers-Unzipped\hijackthis\HijackThis.exe

system · 2007-10-09T21:04:09.000Z

system · 2007-10-09T21:04:46.000Z

Part 3 New HijackThis

O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra ‘Tools’ menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra ‘Tools’ menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-_UNO/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase2895.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} (Pearson MyEconLab Player Control) - http://asp.mathxl.com/books/_Players/EconPlayer.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mobility.up.psu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = aset.psu.edu
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = aset.psu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = aset.psu.edu
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winysd32 - winysd32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

END - New HiJackThis scan

system · 2007-10-09T21:21:41.000Z

Oh how I empathise. Stay strong, Zack…or “Name” as it were. Good luck!

essexboy · 2007-10-09T21:56:39.000Z

A few more to delete now that I can see them

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. [b]

O20 - Winlogon Notify: winysd32 - winysd32.dll (file missing)

[/b]Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Please download the OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\ur.dat
C:\Program Files\wt3d.ini
C:\WINDOWS\SYSTEM32\winysd32.dll

Return to OTMoveIt, right click on the “Paste List of Files/Folders to be moved” window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Plus 3 files that are suspicious need to be checked out

Jotti File Submission:

[*]Please go to Jotti’s malware scan

[*]Copy and paste the following file path into the "File to upload & scan"box on the top of the page:

[*]C:\WINDOWS\system32\6618C5C771.sys

[*] Click on the submit button

Then repeat for the next two files

C:\WINDOWS\system32\B79B2158C1.sys
C:\WINDOWS\system32\C158219BB7.sys

[*] Please post the results in your next reply.

system · 2007-10-09T22:16:52.000Z

Sorry for the late reply.

Results for OTMoveIt
C:\ur.dat moved successfully.
C:\Program Files\wt3d.ini moved successfully.
File/Folder C:\WINDOWS\SYSTEM32\winysd32.dll not found.

C:\WINDOWS\system32\6618C5C771.sys - Found Nothing
C:\WINDOWS\system32\B79B2158C1.sys - Found Nothing
C:\WINDOWS\system32\C158219BB7.sys - Found Nothing

You want any New logs?

Edit: How do I know if its not already gone.

essexboy · 2007-10-10T20:22:48.000Z

If your system is running OK then not unless you want to run this final deep analysis programme to remove any remnants. This one will require multiple posts again

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

[*]Close ALL OTHER PROGRAMS.
[*]Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

Announcements