Help request with spyware, virus please - Page 2

Question

jholland1964 650 Posting Expert

15 Years Ago

If you don't know how to boot to safe mode, instructions can be found
HERE

crunchie 990 Most Valuable Poster

15 Years Ago

Please run combofix one more time so that I can see if Killbox managed to delete those files.

crunchie 990 Most Valuable Poster

15 Years Ago

Please download OTMoveIt by OldTimer:

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose "Copy"):
D:\WINDOWS\System32\dxtmsft32.dll
d:\windows\system32\arwehdx.dll
d:\windows\system32\fxjjtlhq.dll
Return to OTMoveIt, right-click on the "Paste List of Files/Folders to be Moved" window and choose "Paste".
Click the red "MoveIt!" button.
Close OTMoveIt.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".

Please post the log from OTMoveIt, located here:

C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

crunchie 990 Most Valuable Poster

15 Years Ago

If you go to the folder that is created, have a look for the two files that were removed. Confirm that they are there, then post up a new hijackthis log please.
Looks like we got them.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

algismorales 0 Light Poster · Answer 1 · 2009-03-14T08:25:39+00:00

Hi Crunchie,
Alright, I ran through the procedure you gave me and here are the results:

For the first part of the procedure where you asked me to go to either Jotti's or VirusTotal, I entered the file to scan, and I got a sign that said:
"The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file."

I went through the rest of the procedure and below are the Combofix and HJT logs:

ComboFix 09-03-10.03 - Algis 2009-03-13 20:59:54.4 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.383.195 [GMT -5:00]
Running from: d:\documents and settings\Algis\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Algis\Desktop\CFScript.txt
* Created a new restore point
.


(((((((((((((((((((((((((   Files Created from 2009-02-14 to 2009-03-14  )))))))))))))))))))))))))))))))
.


2009-03-07 14:04 . 2009-03-07 14:03 73,728  --a------   d:\windows\system32\javacpl.cpl
2009-03-06 17:25 . 2009-03-07 14:11 <DIR>    d--------   d:\documents and settings\Algis\.housecall6.6
2009-03-06 09:55 . 2009-03-06 09:55 <DIR>    d--hs----   D:\found.000
2009-03-04 17:11 . 2009-03-04 17:11 <DIR>    d--------   d:\documents and settings\Algis\Application Data\uazmnfvl
2009-03-03 19:57 . 2008-08-14 05:11 2,189,184   -----c---   d:\windows\system32\dllcache\ntoskrnl.exe
2009-03-03 19:57 . 2008-08-14 05:09 2,145,280   -----c---   d:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-03 19:57 . 2008-10-15 11:34 337,408 -----c---   d:\windows\system32\dllcache\netapi32.dll
2009-03-03 19:56 . 2008-08-14 04:33 2,066,048   -----c---   d:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-03 19:56 . 2008-08-14 04:33 2,023,936   -----c---   d:\windows\system32\dllcache\ntkrpamp.exe
2009-03-03 19:55 . 2008-10-24 06:21 455,296 -----c---   d:\windows\system32\dllcache\mrxsmb.sys
2009-03-03 19:55 . 2008-12-11 05:57 333,952 -----c---   d:\windows\system32\dllcache\srv.sys
2009-03-03 15:36 . 2009-03-03 15:36 <DIR>    d--------   d:\windows\system32\scripting
2009-03-03 15:36 . 2009-03-03 15:36 <DIR>    d--------   d:\windows\l2schemas
2009-03-03 15:35 . 2009-03-03 15:35 <DIR>    d--------   d:\windows\system32\en
2009-03-03 03:39 . 2009-03-03 13:06 <DIR>    d--------   d:\program files\EsetOnlineScanner
2009-03-03 03:28 . 2009-03-03 03:28 <DIR>    d--------   d:\windows\Mozilla
2009-03-02 21:20 . 2009-03-02 21:20 <DIR>    d--------   d:\program files\Malwarebytes' Anti-Malware
2009-03-02 21:20 . 2009-03-02 21:20 <DIR>    d--------   d:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-02 21:20 . 2009-03-02 21:20 <DIR>    d--------   d:\documents and settings\Algis\Application Data\Malwarebytes
2009-03-02 21:20 . 2009-02-11 10:19 38,496  --a------   d:\windows\system32\drivers\mbamswissarmy.sys
2009-03-02 21:20 . 2009-02-11 10:19 15,504  --a------   d:\windows\system32\drivers\mbam.sys
2009-03-01 10:54 . 2009-03-01 10:54 <DIR>    d--------   d:\documents and settings\NetworkService.NT AUTHORITY\Application Data\uazmnfvl
2009-02-15 17:44 . 2008-04-13 19:12 276,992 ---------   d:\windows\system32\wmphoto.dll
2009-02-15 17:43 . 2008-04-13 19:12 712,704 ---------   d:\windows\system32\windowscodecs.dll
2009-02-15 17:43 . 2008-04-13 19:12 346,112 ---------   d:\windows\system32\windowscodecsext.dll
2009-02-15 17:43 . 2008-04-13 19:12 69,120  ---------   d:\windows\system32\wlanapi.dll
2009-02-15 17:42 . 2008-04-13 19:12 53,248  ---------   d:\windows\system32\tsgqec.dll
2009-02-15 17:42 . 2008-04-13 19:12 50,688  ---------   d:\windows\system32\tspkg.dll
2009-02-15 17:41 . 2008-04-13 19:12 32,768  ---------   d:\windows\system32\setupn.exe
2009-02-15 17:41 . 2008-04-13 13:40 10,240  ---------   d:\windows\system32\drivers\sffp_mmc.sys
2009-02-15 17:40 . 2008-04-13 19:12 412,160 ---------   d:\windows\system32\photometadatahandler.dll
2009-02-15 17:40 . 2008-04-13 19:12 291,328 ---------   d:\windows\system32\qagentrt.dll
2009-02-15 17:40 . 2008-04-13 19:12 290,304 ---------   d:\windows\system32\rhttpaa.dll
2009-02-15 17:40 . 2008-04-13 19:12 150,528 ---------   d:\windows\system32\qagent.dll
2009-02-15 17:40 . 2008-04-13 19:12 76,800  ---------   d:\windows\system32\qutil.dll
2009-02-15 17:40 . 2008-04-13 19:12 62,464  ---------   d:\windows\system32\qcliprov.dll
2009-02-15 17:40 . 2008-04-13 19:12 61,952  ---------   d:\windows\system32\rasqec.dll
2009-02-15 17:39 . 2008-04-13 19:12 144,384 ---------   d:\windows\system32\onex.dll
2009-02-15 17:38 . 2008-09-09 20:14 1,307,648   --a------   d:\windows\system32\msxml6.dll
2009-02-15 17:38 . 2008-09-09 20:14 1,307,648   -----c---   d:\windows\system32\dllcache\msxml6.dll
2009-02-15 17:38 . 2008-04-13 19:12 193,024 ---------   d:\windows\system32\napmontr.dll
2009-02-15 17:38 . 2008-04-13 19:12 176,640 ---------   d:\windows\system32\napstat.exe
2009-02-15 17:38 . 2008-04-13 12:27 79,872  ---------   d:\windows\system32\msxml6r.dll
2009-02-15 17:38 . 2008-04-13 12:27 79,872  -----c---   d:\windows\system32\dllcache\msxml6r.dll
2009-02-15 17:38 . 2008-04-13 19:12 30,208  ---------   d:\windows\system32\napipsec.dll
2009-02-15 17:37 . 2008-04-13 19:12 155,136 ---------   d:\windows\system32\mssha.dll
2009-02-15 17:37 . 2008-04-13 13:14 76,800  ---------   d:\windows\system32\msshavmsg.dll
2009-02-15 17:36 . 2008-04-13 19:11 397,312 ---------   d:\windows\system32\mmcex.dll
2009-02-15 17:36 . 2008-04-13 19:11 184,320 ---------   d:\windows\system32\microsoft.managementconsole.dll
2009-02-15 17:36 . 2008-04-13 19:11 106,496 ---------   d:\windows\system32\mmcfxcommon.dll
2009-02-15 17:36 . 2008-04-13 19:12 33,792  ---------   d:\windows\system32\mmcperf.exe
2009-02-15 17:34 . 2008-04-13 19:11 61,440  ---------   d:\windows\system32\kmsvc.dll
2009-02-15 17:34 . 2008-04-13 19:11 37,376  ---------   d:\windows\system32\l2gpstore.dll
2009-02-15 17:34 . 2008-04-13 19:09 6,144   ---------   d:\windows\system32\kbdpash.dll
2009-02-15 17:34 . 2008-04-13 19:09 6,144   ---------   d:\windows\system32\kbdnepr.dll
2009-02-15 17:34 . 2008-04-13 19:09 6,144   ---------   d:\windows\system32\kbdiultn.dll
2009-02-15 17:34 . 2008-04-13 19:09 6,144   ---------   d:\windows\system32\kbdbhc.dll
2009-02-15 17:33 . 2008-04-13 19:10 102,912 -----c---   d:\windows\system32\dllcache\dpcdll.dll
2009-02-15 17:33 . 2008-04-13 19:09 24,064  -----c---   d:\windows\system32\dllcache\pidgen.dll
2009-02-15 17:32 . 2007-06-21 00:52 974 ---------   d:\windows\system32\pid.inf
2009-02-15 17:30 . 2008-04-13 11:36 144,384 ---------   d:\windows\system32\drivers\hdaudbus.sys
2009-02-15 17:28 . 2008-04-13 19:11 59,392  ---------   d:\windows\system32\eapqec.dll
2009-02-15 17:28 . 2008-04-13 19:11 40,960  ---------   d:\windows\system32\eappprxy.dll
2009-02-15 17:28 . 2008-04-13 19:11 33,792  ---------   d:\windows\system32\eapsvc.dll
2009-02-15 17:28 . 2006-12-28 14:01 19,569  --a------   d:\windows\005995_.tmp
2009-02-15 17:27 . 2008-04-13 19:11 650,752 ---------   d:\windows\system32\dot3ui.dll
2009-02-15 17:27 . 2008-04-13 19:11 184,832 ---------   d:\windows\system32\eapp3hst.dll
2009-02-15 17:27 . 2008-04-13 19:11 180,224 ---------   d:\windows\system32\eapphost.dll
2009-02-15 17:27 . 2008-04-13 19:11 132,096 ---------   d:\windows\system32\dot3svc.dll
2009-02-15 17:27 . 2008-04-13 19:11 126,976 ---------   d:\windows\system32\eappcfg.dll
2009-02-15 17:27 . 2008-04-13 19:11 94,208  ---------   d:\windows\system32\eappgnui.dll
2009-02-15 17:27 . 2008-04-13 19:11 57,856  ---------   d:\windows\system32\dot3cfg.dll
2009-02-15 17:27 . 2008-04-13 19:11 56,320  ---------   d:\windows\system32\dot3msm.dll
2009-02-15 17:27 . 2008-04-13 19:11 39,936  ---------   d:\windows\system32\dot3gpclnt.dll
2009-02-15 17:27 . 2008-04-13 19:11 30,720  ---------   d:\windows\system32\eapolqec.dll
2009-02-15 17:27 . 2008-04-13 19:11 26,112  ---------   d:\windows\system32\dot3api.dll
2009-02-15 17:27 . 2008-04-13 19:11 9,216   ---------   d:\windows\system32\dot3dlg.dll
2009-02-15 17:26 . 2008-04-13 19:11 48,640  ---------   d:\windows\system32\dhcpqec.dll
2009-02-15 17:26 . 2008-04-13 19:11 39,936  ---------   d:\windows\system32\dimsroam.dll
2009-02-15 17:26 . 2008-04-13 19:11 19,456  ---------   d:\windows\system32\dimsntfy.dll
2009-02-15 17:26 . 2008-04-13 19:11 12,800  ---------   d:\windows\system32\credssp.dll
2009-02-15 17:24 . 2008-04-13 19:11 233,472 ---------   d:\windows\system32\azroles.dll
2009-02-15 17:24 . 2008-04-13 19:11 7,168   ---------   d:\windows\system32\bitsprx4.dll
2009-02-15 17:23 . 2008-04-13 19:11 136,192 ---------   d:\windows\system32\aaclient.dll


.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-07 19:03    410,984 ----a-w d:\windows\system32\deploytk.dll
2009-03-07 19:03    ---------   d-----w d:\program files\Java
2009-03-05 15:51    105,472 ----a-w d:\windows\system32\cwywrgb.dll
2009-03-04 01:35    ---------   d-----w d:\program files\MSN Messenger
2009-03-03 01:52    ---------   d-----w d:\documents and settings\Algis\Application Data\Lavasoft
2009-02-14 05:03    ---------   d-----w d:\program files\LimeWire
2009-02-09 11:13    1,846,784   ----a-w d:\windows\system32\win32k.sys
2009-01-28 01:11    ---------   d-----w d:\program files\Google
2007-09-21 08:33    4,944   -c--a-w d:\program files\hijackthis.log
2007-09-21 01:45    401,720 -c--a-w d:\program files\imabunny.exe
.


((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.


---- Directory of d:\documents and settings\Algis\Application Data\uazmnfvl ----


2009-03-04 17:11    96173   --a------   d:\documents and settings\Algis\Application Data\uazmnfvl\Profiles\fdwmpuq4.default\xpti.dat
2009-03-04 17:11    65536   --a------   d:\documents and settings\Algis\Application Data\uazmnfvl\Profiles\fdwmpuq4.default\cert8.db
2009-03-04 17:11    367 --a------   d:\documents and settings\Algis\Application Data\uazmnfvl\Profiles\fdwmpuq4.default\prefs.js
2009-03-04 17:11    207 --a------   d:\documents and settings\Algis\Application Data\uazmnfvl\Profiles\fdwmpuq4.default\compatibility.ini
2009-03-04 17:11    2048    --a------   d:\documents and settings\Algis\Application Data\uazmnfvl\Profiles\fdwmpuq4.default\permissions.sqlite
2009-03-04 17:11    2048    --a------   d:\documents and settings\Algis\Application Data\uazmnfvl\Profiles\fdwmpuq4.default\cookies.sqlite
2009-03-04 17:11    169 --a------   d:\documents and settings\Algis\Application Data\uazmnfvl\Profiles\fdwmpuq4.default\localstore.rdf
2009-03-04 17:11    16384   --a------   d:\documents and settings\Algis\Application Data\uazmnfvl\Profiles\fdwmpuq4.default\secmod.db
2009-03-04 17:11    16384   --a------   d:\documents and settings\Algis\Application Data\uazmnfvl\Profiles\fdwmpuq4.default\key3.db
2009-03-04 17:11    131072  --a------   d:\documents and settings\Algis\Application Data\uazmnfvl\Profiles\fdwmpuq4.default\places.sqlite
2009-03-04 17:11    127820  --a------   d:\documents and settings\Algis\Application Data\uazmnfvl\Profiles\fdwmpuq4.default\compreg.dat
2009-03-04 17:11    111 --a------   d:\documents and settings\Algis\Application Data\uazmnfvl\profiles.ini
2009-03-04 17:11    0   --a------   d:\documents and settings\Algis\Application Data\uazmnfvl\Profiles\fdwmpuq4.default\places.sqlite-journal


---- Directory of d:\documents and settings\NetworkService.NT AUTHORITY\Application Data\uazmnfvl ----


2009-03-04 15:43    2048    --a------   d:\documents and settings\NetworkService.NT AUTHORITY\Application Data\uazmnfvl\Profiles\laoi4znb.default\cookies.sqlite
2009-03-04 15:23    96173   --a------   d:\documents and settings\NetworkService.NT AUTHORITY\Application Data\uazmnfvl\Profiles\laoi4znb.default\xpti.dat
2009-03-04 15:23    6802    --a------   d:\documents and settings\NetworkService.NT AUTHORITY\Application Data\uazmnfvl\Profiles\laoi4znb.default\pluginreg.dat
2009-03-04 15:23    367 --a------   d:\documents and settings\NetworkService.NT AUTHORITY\Application Data\uazmnfvl\Profiles\laoi4znb.default\prefs.js
2009-03-04 15:23    207 --a------   d:\documents and settings\NetworkService.NT AUTHORITY\Application Data\uazmnfvl\Profiles\laoi4znb.default\compatibility.ini
2009-03-04 15:23    2048    --a------   d:\documents and settings\NetworkService.NT AUTHORITY\Application Data\uazmnfvl\Profiles\laoi4znb.default\webappsstore.sqlite
2009-03-04 15:23    131072  --a------   d:\documents and settings\NetworkService.NT AUTHORITY\Application Data\uazmnfvl\Profiles\laoi4znb.default\places.sqlite
2009-03-04 15:23    127885  --a------   d:\documents and settings\NetworkService.NT AUTHORITY\Application Data\uazmnfvl\Profiles\laoi4znb.default\compreg.dat
2009-03-04 15:23    0   --a------   d:\documents and settings\NetworkService.NT AUTHORITY\Application Data\uazmnfvl\Profiles\laoi4znb.default\places.sqlite-journal
2009-03-01 10:57    65536   --a------   d:\documents and settings\NetworkService.NT AUTHORITY\Application Data\uazmnfvl\Profiles\laoi4znb.default\cert8.db
2009-03-01 10:54    569 --a------   d:\documents and settings\NetworkService.NT AUTHORITY\Application Data\uazmnfvl\Profiles\laoi4znb.default\localstore.rdf
2009-03-01 10:54    4096    --a------   d:\documents and settings\NetworkService.NT AUTHORITY\Application Data\uazmnfvl\Profiles\laoi4znb.default\formhistory.sqlite
2009-03-01 10:54    2048    --a------   d:\documents and settings\NetworkService.NT AUTHORITY\Application Data\uazmnfvl\Profiles\laoi4znb.default\permissions.sqlite
2009-03-01 10:54    16384   --a------   d:\documents and settings\NetworkService.NT AUTHORITY\Application Data\uazmnfvl\Profiles\laoi4znb.default\secmod.db
2009-03-01 10:54    16384   --a------   d:\documents and settings\NetworkService.NT AUTHORITY\Application Data\uazmnfvl\Profiles\laoi4znb.default\key3.db
2009-03-01 10:54    111 --a------   d:\documents and settings\NetworkService.NT AUTHORITY\Application Data\uazmnfvl\profiles.ini


---- Directory of d:\documents and settings\NetworkService.NT AUTHORITY\Application Data\uazmnfvlDirLook:: ----


d:\documents and settings\NetworkService.NT AUTHORITY\Application Data\uazmnfvlDirLook::\



(((((((((((((((((((((((((((((   SnapShot_2009-03-05_10.56.38.50   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-02-27 20:59:28   290,816 ----a-w d:\windows\Downloaded Program Files\auc_lib.dll
+ 2008-02-27 20:59:28   495,616 ----a-w d:\windows\Downloaded Program Files\daas_s.dll
+ 2008-02-27 21:00:12   262,144 ----a-w d:\windows\Downloaded Program Files\fscax.dll
+ 2008-02-27 20:59:16   588,392 ----a-w d:\windows\Downloaded Program Files\gatelauncher.exe
+ 2008-12-24 20:38:24   386,048 ----a-w d:\windows\Downloaded Program Files\Housecall_ActiveX.dll
+ 2008-12-05 06:54:55   144,896 -c----w d:\windows\system32\dllcache\schannel.dll
- 2008-09-15 12:12:56   1,846,400   -c----w d:\windows\system32\dllcache\win32k.sys
+ 2009-02-09 11:13:27   1,846,784   -c----w d:\windows\system32\dllcache\win32k.sys
- 2009-03-04 00:44:57   189,792 ----a-w d:\windows\system32\FNTCACHE.DAT
+ 2009-03-11 13:56:41   189,792 ----a-w d:\windows\system32\FNTCACHE.DAT
- 2009-02-03 18:07:51   144,792 ----a-w d:\windows\system32\java.exe
+ 2009-03-07 19:03:23   144,792 ----a-w d:\windows\system32\java.exe
- 2009-02-03 18:07:51   144,792 ----a-w d:\windows\system32\javaw.exe
+ 2009-03-07 19:03:23   144,792 ----a-w d:\windows\system32\javaw.exe
- 2009-02-03 18:07:51   148,888 ----a-w d:\windows\system32\javaws.exe
+ 2009-03-07 19:03:23   148,888 ----a-w d:\windows\system32\javaws.exe
- 2008-04-14 00:12:05   144,384 ----a-w d:\windows\system32\schannel.dll
+ 2008-12-05 06:54:55   144,896 ----a-w d:\windows\system32\schannel.dll
- 2007-11-30 12:39:22   17,272  ------w d:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51   17,272  ------w d:\windows\system32\spmsg.dll
+ 2009-03-13 12:46:15   16,384  ----atw d:\windows\temp\Perflib_Perfdata_5e8.dat
+ 2008-04-15 17:47:33   1,724,416   ----a-w d:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\GdiPlus.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0ADE9F68-2B65-4F0D-9B33-E070D1B5E128}]
2009-03-05 10:51    105472  --a------   d:\windows\system32\arwehdx.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="d:\program files\NavNT\vptray.exe" [2001-09-24 73728]
"PrinTray"="d:\windows\System32\spool\DRIVERS\W32X86\2\printray.exe" [2000-06-07 36864]
"Ink Monitor"="d:\program files\EPSON\Ink Monitor\InkMonitor.exe" [2004-05-05 262210]
"EPSON Stylus C67 Series"="d:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE" [2005-01-24 98304]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2007-03-14 257088]
"QuickTime Task"="D:\qttask.exe" [2007-06-29 286720]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2009-03-07 148888]


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="d:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=d:\windows\System32\dxtmsft32.dll


[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\WINDOWS\\system32\\BugsSvr.exe"=
"d:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"d:\\Program Files\\MSN Messenger\\livecall.exe"=


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57034:TCP"= 57034:TCP:@xpsp2res.dll,-22009
"80:TCP"= 80:TCP:@xpsp2res.dll,-22009
"15674:TCP"= 15674:TCP:@xpsp2res.dll,-22009
"13662:TCP"= 13662:TCP:@xpsp2res.dll,-22009
"47605:TCP"= 47605:TCP:@xpsp2res.dll,-22009
"52939:TCP"= 52939:TCP:@xpsp2res.dll,-22009


R0 xuxsdlez;xuxsdlez;d:\windows\system32\drivers\xuxsdlez.sys [2001-08-30 23424]
R3 mgau;mgau;d:\windows\system32\drivers\mgaum.sys [2005-01-23 320384]
R3 QCEmerald;Logitech QuickCam Web;d:\windows\system32\drivers\OVCE.sys [2005-01-23 31872]
S3 AvFlt;Antivirus Filter Driver;d:\windows\system32\drivers\av5flt.sys --> d:\windows\system32\drivers\av5flt.sys [?]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\d:\docume~1\Algis\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys --> d:\docume~1\Algis\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [?]


--- Other Services/Drivers In Memory ---


*Deregistered* - NAVAP
*Deregistered* - NAVENG
*Deregistered* - NAVEX15
.
Contents of the 'Scheduled Tasks' folder


2009-03-14 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
IE: E&xportar a Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} - hxxp://www.riffinteractive.com/setup/RiffLick.cab
DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} - hxxp://player.bugs.co.kr/install/BugsInstall.cab
DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} - hxxp://player.bugs.co.kr/install/BugsLoader20041018.cab
DPF: {FFFFFFFF-3C18-4A7E-A29D-E24F84B79BF1} - hxxp://64.7.220.98/downloads/pi1_20.exe
.


**************************************************************************


catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-13 21:05:21
Windows 5.1.2600 Service Pack 3 NTFS


scanning hidden processes ...


scanning hidden autostart entries ...


scanning hidden files ...



**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------


- - - - - - - > 'winlogon.exe'(516)
d:\windows\System32\NavLogon.dll
.
Completion time: 2009-03-13 21:11:26
ComboFix-quarantined-files.txt  2009-03-14 02:10:04
ComboFix2.txt  2009-03-12 23:37:56
ComboFix3.txt  2009-03-05 16:00:27
ComboFix4.txt  2007-09-21 08:14:40


Pre-Run: 7,854,600,192 bytes free
Post-Run: 7,885,938,688 bytes free


245 --- E O F ---   2009-03-11 03:49:23


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:33 PM, on 3/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal


Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\WgaTray.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\NavNT\defwatch.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\NavNT\rtvscan.exe
D:\Program Files\NavNT\vptray.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\MsgSys.EXE
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\system32\wuauclt.exe
D:\Documents and Settings\Algis\Desktop\HiJackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {0ADE9F68-2B65-4F0D-9B33-E070D1B5E128} - d:\windows\system32\arwehdx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [vptray] D:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [PrinTray] D:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Ink Monitor] D:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [EPSON Stylus C67 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE /P23 "EPSON Stylus C67 Series" /O6 "USB002" /M "Stylus C67"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} (BugsInstall Control) - http://player.bugs.co.kr/install/BugsInstall.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106511023205
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/BugsLoader20041018.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {FFFFFFFF-3C18-4A7E-A29D-E24F84B79BF1} - http://64.7.220.98/downloads/pi1_20.exe
O20 - AppInit_DLLs: D:\WINDOWS\System32\dxtmsft32.dll
O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\Program Files\NavNT\rtvscan.exe


--
End of file - 5627 bytes

Thank you again for your help and patience Crunchies. I appreciate it!

Algis

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 2 · 2009-03-14T08:54:26+00:00

I am just leaving work, so I will take a closer look when I get home.

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 3 · 2009-03-14T10:05:04+00:00

Please go to Jotti's or to virustotal and have these files scanned. Post the results back here.

d:\windows\system32\kbdpash.dll
d:\windows\system32\kbdnepr.dll
d:\windows\system32\kbdiultn.dll
d:\windows\system32\kbdbhc.dll
d:\windows\system32\cwywrgb.dll

===============

1. Please open Notepad Click Start , then Run
Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::



File::

D:\WINDOWS\System32\dxtmsft32.dll

d:\windows\system32\arwehdx.dll

d:\windows\system32\fxjjtlhq.dll



Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0ADE9F68-2B65-4F0D-9B33-E070D1B5E128}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs""

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next replyafter youre-enable all the programs that were disabled during the running of ComboFix:Combofix.txt
A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

algismorales 0 Light Poster · Answer 4 · 2009-03-15T00:32:51+00:00

Hey there Crunchie,

Thank you for the procedure.

I ran all the files on the list through Jotti as you requested, and the last one on the list was caught by AntiVir as:

FOUND TR/Drop.Softomat.AN

Here below are the Combofix and HiJackThis logs:

ComboFix 09-03-10.03 - Algis 2009-03-14 13:06:08.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.383.188 [GMT -5:00]
Running from: d:\documents and settings\Algis\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Algis\Desktop\CFScript.txt
* Created a new restore point

FILE ::
d:\windows\system32\arwehdx.dll
d:\windows\System32\dxtmsft32.dll
d:\windows\system32\fxjjtlhq.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\windows\system32\arwehdx.dll . . . . failed to delete
d:\windows\system32\fxjjtlhq.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2009-02-14 to 2009-03-14 )))))))))))))))))))))))))))))))
.

2009-03-07 14:04 . 2009-03-07 14:03 73,728 --a------ d:\windows\system32\javacpl.cpl
2009-03-06 17:25 . 2009-03-07 14:11 <DIR> d-------- d:\documents and settings\Algis\.housecall6.6
2009-03-06 09:55 . 2009-03-06 09:55 <DIR> d--hs---- D:\found.000
2009-03-04 17:11 . 2009-03-04 17:11 <DIR> d-------- d:\documents and settings\Algis\Application Data\uazmnfvl
2009-03-03 19:57 . 2008-08-14 05:11 2,189,184 -----c--- d:\windows\system32\dllcache\ntoskrnl.exe
2009-03-03 19:57 . 2008-08-14 05:09 2,145,280 -----c--- d:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-03 19:57 . 2008-10-15 11:34 337,408 -----c--- d:\windows\system32\dllcache\netapi32.dll
2009-03-03 19:56 . 2008-08-14 04:33 2,066,048 -----c--- d:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-03 19:56 . 2008-08-14 04:33 2,023,936 -----c--- d:\windows\system32\dllcache\ntkrpamp.exe
2009-03-03 19:55 . 2008-10-24 06:21 455,296 -----c--- d:\windows\system32\dllcache\mrxsmb.sys
2009-03-03 19:55 . 2008-12-11 05:57 333,952 -----c--- d:\windows\system32\dllcache\srv.sys
2009-03-03 15:36 . 2009-03-03 15:36 <DIR> d-------- d:\windows\system32\scripting
2009-03-03 15:36 . 2009-03-03 15:36 <DIR> d-------- d:\windows\l2schemas
2009-03-03 15:35 . 2009-03-03 15:35 <DIR> d-------- d:\windows\system32\en
2009-03-03 03:39 . 2009-03-03 13:06 <DIR> d-------- d:\program files\EsetOnlineScanner
2009-03-03 03:28 . 2009-03-03 03:28 <DIR> d-------- d:\windows\Mozilla
2009-03-02 21:20 . 2009-03-02 21:20 <DIR> d-------- d:\program files\Malwarebytes' Anti-Malware
2009-03-02 21:20 . 2009-03-02 21:20 <DIR> d-------- d:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-02 21:20 . 2009-03-02 21:20 <DIR> d-------- d:\documents and settings\Algis\Application Data\Malwarebytes
2009-03-02 21:20 . 2009-02-11 10:19 38,496 --a------ d:\windows\system32\drivers\mbamswissarmy.sys
2009-03-02 21:20 . 2009-02-11 10:19 15,504 --a------ d:\windows\system32\drivers\mbam.sys
2009-03-01 10:54 . 2009-03-01 10:54 <DIR> d-------- d:\documents and settings\NetworkService.NT AUTHORITY\Application Data\uazmnfvl
2009-02-15 17:44 . 2008-04-13 19:12 276,992 --------- d:\windows\system32\wmphoto.dll
2009-02-15 17:43 . 2008-04-13 19:12 712,704 --------- d:\windows\system32\windowscodecs.dll
2009-02-15 17:43 . 2008-04-13 19:12 346,112 --------- d:\windows\system32\windowscodecsext.dll
2009-02-15 17:43 . 2008-04-13 19:12 69,120 --------- d:\windows\system32\wlanapi.dll
2009-02-15 17:42 . 2008-04-13 19:12 53,248 --------- d:\windows\system32\tsgqec.dll
2009-02-15 17:42 . 2008-04-13 19:12 50,688 --------- d:\windows\system32\tspkg.dll
2009-02-15 17:41 . 2008-04-13 19:12 32,768 --------- d:\windows\system32\setupn.exe
2009-02-15 17:41 . 2008-04-13 13:40 10,240 --------- d:\windows\system32\drivers\sffp_mmc.sys
2009-02-15 17:40 . 2008-04-13 19:12 412,160 --------- d:\windows\system32\photometadatahandler.dll
2009-02-15 17:40 . 2008-04-13 19:12 291,328 --------- d:\windows\system32\qagentrt.dll
2009-02-15 17:40 . 2008-04-13 19:12 290,304 --------- d:\windows\system32\rhttpaa.dll
2009-02-15 17:40 . 2008-04-13 19:12 150,528 --------- d:\windows\system32\qagent.dll
2009-02-15 17:40 . 2008-04-13 19:12 76,800 --------- d:\windows\system32\qutil.dll
2009-02-15 17:40 . 2008-04-13 19:12 62,464 --------- d:\windows\system32\qcliprov.dll
2009-02-15 17:40 . 2008-04-13 19:12 61,952 --------- d:\windows\system32\rasqec.dll
2009-02-15 17:39 . 2008-04-13 19:12 144,384 --------- d:\windows\system32\onex.dll
2009-02-15 17:38 . 2008-09-09 20:14 1,307,648 --a------ d:\windows\system32\msxml6.dll
2009-02-15 17:38 . 2008-09-09 20:14 1,307,648 -----c--- d:\windows\system32\dllcache\msxml6.dll
2009-02-15 17:38 . 2008-04-13 19:12 193,024 --------- d:\windows\system32\napmontr.dll
2009-02-15 17:38 . 2008-04-13 19:12 176,640 --------- d:\windows\system32\napstat.exe
2009-02-15 17:38 . 2008-04-13 12:27 79,872 --------- d:\windows\system32\msxml6r.dll
2009-02-15 17:38 . 2008-04-13 12:27 79,872 -----c--- d:\windows\system32\dllcache\msxml6r.dll
2009-02-15 17:38 . 2008-04-13 19:12 30,208 --------- d:\windows\system32\napipsec.dll
2009-02-15 17:37 . 2008-04-13 19:12 155,136 --------- d:\windows\system32\mssha.dll
2009-02-15 17:37 . 2008-04-13 13:14 76,800 --------- d:\windows\system32\msshavmsg.dll
2009-02-15 17:36 . 2008-04-13 19:11 397,312 --------- d:\windows\system32\mmcex.dll
2009-02-15 17:36 . 2008-04-13 19:11 184,320 --------- d:\windows\system32\microsoft.managementconsole.dll
2009-02-15 17:36 . 2008-04-13 19:11 106,496 --------- d:\windows\system32\mmcfxcommon.dll
2009-02-15 17:36 . 2008-04-13 19:12 33,792 --------- d:\windows\system32\mmcperf.exe
2009-02-15 17:34 . 2008-04-13 19:11 61,440 --------- d:\windows\system32\kmsvc.dll
2009-02-15 17:34 . 2008-04-13 19:11 37,376 --------- d:\windows\system32\l2gpstore.dll
2009-02-15 17:34 . 2008-04-13 19:09 6,144 --------- d:\windows\system32\kbdpash.dll
2009-02-15 17:34 . 2008-04-13 19:09 6,144 --------- d:\windows\system32\kbdnepr.dll
2009-02-15 17:34 . 2008-04-13 19:09 6,144 --------- d:\windows\system32\kbdiultn.dll
2009-02-15 17:34 . 2008-04-13 19:09 6,144 --------- d:\windows\system32\kbdbhc.dll
2009-02-15 17:33 . 2008-04-13 19:10 102,912 -----c--- d:\windows\system32\dllcache\dpcdll.dll
2009-02-15 17:33 . 2008-04-13 19:09 24,064 -----c--- d:\windows\system32\dllcache\pidgen.dll
2009-02-15 17:32 . 2007-06-21 00:52 974 --------- d:\windows\system32\pid.inf
2009-02-15 17:30 . 2008-04-13 11:36 144,384 --------- d:\windows\system32\drivers\hdaudbus.sys
2009-02-15 17:28 . 2008-04-13 19:11 59,392 --------- d:\windows\system32\eapqec.dll
2009-02-15 17:28 . 2008-04-13 19:11 40,960 --------- d:\windows\system32\eappprxy.dll
2009-02-15 17:28 . 2008-04-13 19:11 33,792 --------- d:\windows\system32\eapsvc.dll
2009-02-15 17:28 . 2006-12-28 14:01 19,569 --a------ d:\windows\005995_.tmp
2009-02-15 17:27 . 2008-04-13 19:11 650,752 --------- d:\windows\system32\dot3ui.dll
2009-02-15 17:27 . 2008-04-13 19:11 184,832 --------- d:\windows\system32\eapp3hst.dll
2009-02-15 17:27 . 2008-04-13 19:11 180,224 --------- d:\windows\system32\eapphost.dll
2009-02-15 17:27 . 2008-04-13 19:11 132,096 --------- d:\windows\system32\dot3svc.dll
2009-02-15 17:27 . 2008-04-13 19:11 126,976 --------- d:\windows\system32\eappcfg.dll
2009-02-15 17:27 . 2008-04-13 19:11 94,208 --------- d:\windows\system32\eappgnui.dll
2009-02-15 17:27 . 2008-04-13 19:11 57,856 --------- d:\windows\system32\dot3cfg.dll
2009-02-15 17:27 . 2008-04-13 19:11 56,320 --------- d:\windows\system32\dot3msm.dll
2009-02-15 17:27 . 2008-04-13 19:11 39,936 --------- d:\windows\system32\dot3gpclnt.dll
2009-02-15 17:27 . 2008-04-13 19:11 30,720 --------- d:\windows\system32\eapolqec.dll
2009-02-15 17:27 . 2008-04-13 19:11 26,112 --------- d:\windows\system32\dot3api.dll
2009-02-15 17:27 . 2008-04-13 19:11 9,216 --------- d:\windows\system32\dot3dlg.dll
2009-02-15 17:26 . 2008-04-13 19:11 48,640 --------- d:\windows\system32\dhcpqec.dll
2009-02-15 17:26 . 2008-04-13 19:11 39,936 --------- d:\windows\system32\dimsroam.dll
2009-02-15 17:26 . 2008-04-13 19:11 19,456 --------- d:\windows\system32\dimsntfy.dll
2009-02-15 17:26 . 2008-04-13 19:11 12,800 --------- d:\windows\system32\credssp.dll
2009-02-15 17:24 . 2008-04-13 19:11 233,472 --------- d:\windows\system32\azroles.dll
2009-02-15 17:24 . 2008-04-13 19:11 7,168 --------- d:\windows\system32\bitsprx4.dll
2009-02-15 17:23 . 2008-04-13 19:11 136,192 --------- d:\windows\system32\aaclient.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-07 19:03 --------- d-----w d:\program files\Java
2009-03-04 01:35 --------- d-----w d:\program files\MSN Messenger
2009-03-03 01:52 --------- d-----w d:\documents and settings\Algis\Application Data\Lavasoft
2009-02-14 05:03 --------- d-----w d:\program files\LimeWire
2009-01-28 01:11 --------- d-----w d:\program files\Google
2007-09-21 08:33 4,944 -c--a-w d:\program files\hijackthis.log
2007-09-21 01:45 401,720 -c--a-w d:\program files\imabunny.exe
.

((((((((((((((((((((((((((((( SnapShot_2009-03-05_10.56.38.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-02-27 20:59:28 290,816 ----a-w d:\windows\Downloaded Program Files\auc_lib.dll
+ 2008-02-27 20:59:28 495,616 ----a-w d:\windows\Downloaded Program Files\daas_s.dll
+ 2008-02-27 21:00:12 262,144 ----a-w d:\windows\Downloaded Program Files\fscax.dll
+ 2008-02-27 20:59:16 588,392 ----a-w d:\windows\Downloaded Program Files\gatelauncher.exe
+ 2008-12-24 20:38:24 386,048 ----a-w d:\windows\Downloaded Program Files\Housecall_ActiveX.dll
- 2009-02-03 18:07:48 410,984 ----a-w d:\windows\system32\deploytk.dll
+ 2009-03-07 19:03:21 410,984 ----a-w d:\windows\system32\deploytk.dll
+ 2008-12-05 06:54:55 144,896 -c----w d:\windows\system32\dllcache\schannel.dll
- 2008-09-15 12:12:56 1,846,400 -c----w d:\windows\system32\dllcache\win32k.sys
+ 2009-02-09 11:13:27 1,846,784 -c----w d:\windows\system32\dllcache\win32k.sys
- 2009-03-04 00:44:57 189,792 ----a-w d:\windows\system32\FNTCACHE.DAT
+ 2009-03-11 13:56:41 189,792 ----a-w d:\windows\system32\FNTCACHE.DAT
- 2009-02-03 18:07:51 144,792 ----a-w d:\windows\system32\java.exe
+ 2009-03-07 19:03:23 144,792 ----a-w d:\windows\system32\java.exe
- 2009-02-03 18:07:51 144,792 ----a-w d:\windows\system32\javaw.exe
+ 2009-03-07 19:03:23 144,792 ----a-w d:\windows\system32\javaw.exe
- 2009-02-03 18:07:51 148,888 ----a-w d:\windows\system32\javaws.exe
+ 2009-03-07 19:03:23 148,888 ----a-w d:\windows\system32\javaws.exe
- 2008-04-14 00:12:05 144,384 ----a-w d:\windows\system32\schannel.dll
+ 2008-12-05 06:54:55 144,896 ----a-w d:\windows\system32\schannel.dll
- 2007-11-30 12:39:22 17,272 ------w d:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w d:\windows\system32\spmsg.dll
- 2008-09-15 12:12:56 1,846,400 ----a-w d:\windows\system32\win32k.sys
+ 2009-02-09 11:13:27 1,846,784 ----a-w d:\windows\system32\win32k.sys
+ 2009-03-14 18:12:53 16,384 ----atw d:\windows\temp\Perflib_Perfdata_590.dat
+ 2008-04-15 17:47:33 1,724,416 ----a-w d:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\GdiPlus.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0ADE9F68-2B65-4F0D-9B33-E070D1B5E128}]
2009-03-05 10:51 105472 --a------ d:\windows\system32\arwehdx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="d:\program files\NavNT\vptray.exe" [2001-09-24 73728]
"PrinTray"="d:\windows\System32\spool\DRIVERS\W32X86\2\printray.exe" [2000-06-07 36864]
"Ink Monitor"="d:\program files\EPSON\Ink Monitor\InkMonitor.exe" [2004-05-05 262210]
"EPSON Stylus C67 Series"="d:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE" [2005-01-24 98304]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2007-03-14 257088]
"QuickTime Task"="D:\qttask.exe" [2007-06-29 286720]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2009-03-07 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="d:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=d:\windows\System32\dxtmsft32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\WINDOWS\\system32\\BugsSvr.exe"=
"d:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"d:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57034:TCP"= 57034:TCP:@xpsp2res.dll,-22009
"80:TCP"= 80:TCP:@xpsp2res.dll,-22009
"15674:TCP"= 15674:TCP:@xpsp2res.dll,-22009
"13662:TCP"= 13662:TCP:@xpsp2res.dll,-22009
"47605:TCP"= 47605:TCP:@xpsp2res.dll,-22009
"52939:TCP"= 52939:TCP:@xpsp2res.dll,-22009

R0 xuxsdlez;xuxsdlez;d:\windows\system32\drivers\xuxsdlez.sys [2001-08-30 23424]
R3 mgau;mgau;d:\windows\system32\drivers\mgaum.sys [2005-01-23 320384]
R3 QCEmerald;Logitech QuickCam Web;d:\windows\system32\drivers\OVCE.sys [2005-01-23 31872]
S3 AvFlt;Antivirus Filter Driver;d:\windows\system32\drivers\av5flt.sys --> d:\windows\system32\drivers\av5flt.sys [?]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\d:\docume~1\Algis\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys --> d:\docume~1\Algis\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-03-14 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
IE: E&xportar a Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} - hxxp://www.riffinteractive.com/setup/RiffLick.cab
DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} - hxxp://player.bugs.co.kr/install/BugsInstall.cab
DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} - hxxp://player.bugs.co.kr/install/BugsLoader20041018.cab
DPF: {FFFFFFFF-3C18-4A7E-A29D-E24F84B79BF1} - hxxp://64.7.220.98/downloads/pi1_20.exe
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-14 13:13:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(528)
d:\windows\System32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
d:\windows\system32\LexBceS.exe
d:\windows\system32\Lexpps.exe
d:\program files\NavNT\defwatch.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\program files\NavNT\rtvscan.exe
d:\windows\system32\wdfmgr.exe
d:\windows\system32\MSGSYS.EXE
d:\windows\system32\WgaTray.exe
d:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-03-14 13:22:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-14 18:21:29
ComboFix2.txt 2009-03-14 02:11:31
ComboFix3.txt 2009-03-12 23:37:56
ComboFix4.txt 2009-03-05 16:00:27
ComboFix5.txt 2009-03-14 18:03:57

Pre-Run: 7,990,398,976 bytes free
Post-Run: 8,008,728,576 bytes free

231 --- E O F --- 2009-03-11 03:49:23

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:25:28 PM, on 3/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\NavNT\defwatch.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\NavNT\rtvscan.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\MsgSys.EXE
D:\WINDOWS\system32\WgaTray.exe
D:\Program Files\NavNT\vptray.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\system32\wuauclt.exe
D:\Documents and Settings\Algis\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {0ADE9F68-2B65-4F0D-9B33-E070D1B5E128} - d:\windows\system32\arwehdx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [vptray] D:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [PrinTray] D:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Ink Monitor] D:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [EPSON Stylus C67 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE /P23 "EPSON Stylus C67 Series" /O6 "USB002" /M "Stylus C67"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} (BugsInstall Control) - http://player.bugs.co.kr/install/BugsInstall.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106511023205
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/BugsLoader20041018.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {FFFFFFFF-3C18-4A7E-A29D-E24F84B79BF1} - http://64.7.220.98/downloads/pi1_20.exe
O20 - AppInit_DLLs: D:\WINDOWS\System32\dxtmsft32.dll
O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\Program Files\NavNT\rtvscan.exe

--
End of file - 5660 bytes

Thank you Crunchie,

Algis

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 5 · 2009-03-15T06:11:04+00:00

Download Avenger by Swandog and unzip it to your Desktop.

Note: This program must be run from an account with Administrator privileges.

[*]Open the Avenger folder and double click Avenger.exe to launch the programme.
[*]Copy the text in the code box below and Paste it into the Input script here: box.

Files to delete:
d:\windows\system32\cwywrgb.dll
d:\windows\system32\arwehdx.dll
d:\windows\system32\fxjjtlhq.dll

Note: the above code was created specifically for this user. If you are not this user, do

NOT follow these directions as they could damage the workings of your system.

[*]Ensure the following:

Scan for Rootkits is checked.
Automatically disable any rootkits found is Unchecked.

[*]Press the Execute key.
[*]Avenger will now process the script you've pasted (this may involve more than one re-boot), when finished it will produce a log file.
[*]Post the log back here please. (it can also be found at C:\avenger.txt)

algismorales 0 Light Poster · Answer 6 · 2009-03-15T06:55:39+00:00

Hi Crunchie,
Here is the Avenger log you requested.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at D:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: could not open file "d:\windows\system32\cwywrgb.dll"
Deletion of file "d:\windows\system32\cwywrgb.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)

Error: could not open file "d:\windows\system32\arwehdx.dll"
Deletion of file "d:\windows\system32\arwehdx.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)

Error: could not open file "d:\windows\system32\fxjjtlhq.dll"
Deletion of file "d:\windows\system32\fxjjtlhq.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)

Completed script processing.

*******************

Finished! Terminate.

Thank you.

Algis

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 7 · 2009-03-15T07:00:59+00:00

Slippery little suckers.

Download Killbox v 2.0.0.175 and unzip the file to your Desktop and have it ready to use.

-

Save all the below files to a text document (notepad) to be used shortly.

d:\windows\system32\cwywrgb.dll
d:\windows\system32\arwehdx.dll
d:\windows\system32\fxjjtlhq.dll

-

Reboot into safe mode following the instructions here.

Open the text file you saved previously and left click and drag your cursor over the files to highlight them and then use Control+C to copy them to the clipboard..
Open KILLBOX and go to File...."Paste From Clipboard". All the files should now appear in the box (click on the Tab and check to make sure that only the files I have identified as malware and marked for deletion are there) . Then checkmark the "Delete on Reboot" box..and click the red X. You will get a message saying "File will be deleted on next reboot" , Process and Reboot now?" Click "Yes" and post a new log when you have rebooted.

algismorales 0 Light Poster · Answer 8 · 2009-03-15T11:00:28+00:00

Hi Crunchie,

Alright. Looking forward to following the procedure you sent me, except that I have no clue as to the link you sent me regarding rebooting to safe mode. The link sends me to this website,

http://www.telecom.co.nz/help/content/0,10709,205864-1000,00.html

I have no clue what this website is for. It doesn't provide any instructions. Am I misunderstanding something? I know how to reboot to safe mode the usual way though.

Thanks Crunchie

Algis

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 9 · 2009-03-15T14:35:42+00:00

Been a while since that canned was created. Obviously something has changed in the meantime.
Just boot into safe mode and follow the rest of the instructions :)

algismorales 0 Light Poster · Answer 10 · 2009-03-15T23:56:27+00:00

Hi jholland, hi Crunchie,

Thank you for the help.
I went into Safe Mode and ran the procedure you requested.
After verifying on the tab that the 3 files you identified as malware were all in there, I checked the "Delete on Reboot" box and clicked on the red X. I got the "file will be deleted on next reboot! Process and Reboot now?" message, I clicked yes, and then I got a message that said the following:

Pending Filename Rename Operations Registry Data has been removed by External Process!

I clicked OK and waited for the reboot, but all that happened was that the computer just remained idle. In other words, the box that contained the options to check, just showed the Single File option blinking in green. I didn't see a log being prepared nor can I find it.

Is the log located somewhere else in my computer so I can post it for you? Or did you mean another HiJackThis log?

Thank you guys,
Algis

algismorales 0 Light Poster · Answer 11 · 2009-03-16T00:17:58+00:00

Hi Crunchie,
Here is a new HiJackThis log below, in case this is the log you requested after running killbox.

Thanks again!
Algis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:03 PM, on 3/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\WgaTray.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\NavNT\defwatch.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\NavNT\rtvscan.exe
D:\Program Files\NavNT\vptray.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\MsgSys.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\Algis\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {0ADE9F68-2B65-4F0D-9B33-E070D1B5E128} - d:\windows\system32\arwehdx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [vptray] D:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [PrinTray] D:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Ink Monitor] D:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [EPSON Stylus C67 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE /P23 "EPSON Stylus C67 Series" /O6 "USB002" /M "Stylus C67"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} (BugsInstall Control) - http://player.bugs.co.kr/install/BugsInstall.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106511023205
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/BugsLoader20041018.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {FFFFFFFF-3C18-4A7E-A29D-E24F84B79BF1} - http://64.7.220.98/downloads/pi1_20.exe
O20 - AppInit_DLLs: D:\WINDOWS\System32\dxtmsft32.dll
O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\Program Files\NavNT\rtvscan.exe

--
End of file - 5644 bytes

algismorales 0 Light Poster · Answer 12 · 2009-03-16T12:23:49+00:00

Hi Crunchie,
I hope you had a good weekend.

Here is the Combofix log you requested, followed by the HiJackThis log:

ComboFix 09-03-15.01 - Algis 2009-03-16 1:07:14.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.383.185 [GMT -5:00]
Running from: d:\documents and settings\Algis\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-02-16 to 2009-03-16 )))))))))))))))))))))))))))))))
.

2009-03-15 12:33 . 2009-03-15 12:35 <DIR> d-------- D:\!KillBox
2009-03-07 14:04 . 2009-03-07 14:03 73,728 --a------ d:\windows\system32\javacpl.cpl
2009-03-06 17:25 . 2009-03-07 14:11 <DIR> d-------- d:\documents and settings\Algis\.housecall6.6
2009-03-06 09:55 . 2009-03-06 09:55 <DIR> d--hs---- D:\found.000
2009-03-04 17:11 . 2009-03-04 17:11 <DIR> d-------- d:\documents and settings\Algis\Application Data\uazmnfvl
2009-03-03 19:57 . 2008-08-14 05:11 2,189,184 -----c--- d:\windows\system32\dllcache\ntoskrnl.exe
2009-03-03 19:57 . 2008-08-14 05:09 2,145,280 -----c--- d:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-03 19:57 . 2008-10-15 11:34 337,408 -----c--- d:\windows\system32\dllcache\netapi32.dll
2009-03-03 19:56 . 2008-08-14 04:33 2,066,048 -----c--- d:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-03 19:56 . 2008-08-14 04:33 2,023,936 -----c--- d:\windows\system32\dllcache\ntkrpamp.exe
2009-03-03 19:55 . 2008-10-24 06:21 455,296 -----c--- d:\windows\system32\dllcache\mrxsmb.sys
2009-03-03 19:55 . 2008-12-11 05:57 333,952 -----c--- d:\windows\system32\dllcache\srv.sys
2009-03-03 15:36 . 2009-03-03 15:36 <DIR> d-------- d:\windows\system32\scripting
2009-03-03 15:36 . 2009-03-03 15:36 <DIR> d-------- d:\windows\l2schemas
2009-03-03 15:35 . 2009-03-03 15:35 <DIR> d-------- d:\windows\system32\en
2009-03-03 03:39 . 2009-03-03 13:06 <DIR> d-------- d:\program files\EsetOnlineScanner
2009-03-03 03:28 . 2009-03-03 03:28 <DIR> d-------- d:\windows\Mozilla
2009-03-02 21:20 . 2009-03-02 21:20 <DIR> d-------- d:\program files\Malwarebytes' Anti-Malware
2009-03-02 21:20 . 2009-03-02 21:20 <DIR> d-------- d:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-02 21:20 . 2009-03-02 21:20 <DIR> d-------- d:\documents and settings\Algis\Application Data\Malwarebytes
2009-03-02 21:20 . 2009-02-11 10:19 38,496 --a------ d:\windows\system32\drivers\mbamswissarmy.sys
2009-03-02 21:20 . 2009-02-11 10:19 15,504 --a------ d:\windows\system32\drivers\mbam.sys
2009-03-01 10:54 . 2009-03-01 10:54 <DIR> d-------- d:\documents and settings\NetworkService.NT AUTHORITY\Application Data\uazmnfvl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-07 19:03 410,984 ----a-w d:\windows\system32\deploytk.dll
2009-03-07 19:03 --------- d-----w d:\program files\Java
2009-03-05 15:51 105,472 ----a-w d:\windows\system32\cwywrgb.dll
2009-03-04 01:35 --------- d-----w d:\program files\MSN Messenger
2009-03-03 01:52 --------- d-----w d:\documents and settings\Algis\Application Data\Lavasoft
2009-02-14 05:03 --------- d-----w d:\program files\LimeWire
2009-02-09 11:13 1,846,784 ----a-w d:\windows\system32\win32k.sys
2009-01-28 01:11 --------- d-----w d:\program files\Google
2007-09-21 08:33 4,944 -c--a-w d:\program files\hijackthis.log
2007-09-21 01:45 401,720 -c--a-w d:\program files\imabunny.exe
.

((((((((((((((((((((((((((((( SnapShot_2009-03-05_10.56.38.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-02-27 20:59:28 290,816 ----a-w d:\windows\Downloaded Program Files\auc_lib.dll
+ 2008-02-27 20:59:28 495,616 ----a-w d:\windows\Downloaded Program Files\daas_s.dll
+ 2008-02-27 21:00:12 262,144 ----a-w d:\windows\Downloaded Program Files\fscax.dll
+ 2008-02-27 20:59:16 588,392 ----a-w d:\windows\Downloaded Program Files\gatelauncher.exe
+ 2008-12-24 20:38:24 386,048 ----a-w d:\windows\Downloaded Program Files\Housecall_ActiveX.dll
+ 2008-12-05 06:54:55 144,896 -c----w d:\windows\system32\dllcache\schannel.dll
- 2008-09-15 12:12:56 1,846,400 -c----w d:\windows\system32\dllcache\win32k.sys
+ 2009-02-09 11:13:27 1,846,784 -c----w d:\windows\system32\dllcache\win32k.sys
- 2009-03-04 00:44:57 189,792 ----a-w d:\windows\system32\FNTCACHE.DAT
+ 2009-03-11 13:56:41 189,792 ----a-w d:\windows\system32\FNTCACHE.DAT
- 2009-02-03 18:07:51 144,792 ----a-w d:\windows\system32\java.exe
+ 2009-03-07 19:03:23 144,792 ----a-w d:\windows\system32\java.exe
- 2009-02-03 18:07:51 144,792 ----a-w d:\windows\system32\javaw.exe
+ 2009-03-07 19:03:23 144,792 ----a-w d:\windows\system32\javaw.exe
- 2009-02-03 18:07:51 148,888 ----a-w d:\windows\system32\javaws.exe
+ 2009-03-07 19:03:23 148,888 ----a-w d:\windows\system32\javaws.exe
- 2008-04-14 00:12:05 144,384 ----a-w d:\windows\system32\schannel.dll
+ 2008-12-05 06:54:55 144,896 ----a-w d:\windows\system32\schannel.dll
- 2007-11-30 12:39:22 17,272 ------w d:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w d:\windows\system32\spmsg.dll
+ 2009-03-15 17:42:52 16,384 ----atw d:\windows\temp\Perflib_Perfdata_6c8.dat
+ 2008-04-15 17:47:33 1,724,416 ----a-w d:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\GdiPlus.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0ADE9F68-2B65-4F0D-9B33-E070D1B5E128}]
2009-03-05 10:51 105472 --a------ d:\windows\system32\arwehdx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="d:\program files\NavNT\vptray.exe" [2001-09-24 73728]
"PrinTray"="d:\windows\System32\spool\DRIVERS\W32X86\2\printray.exe" [2000-06-07 36864]
"Ink Monitor"="d:\program files\EPSON\Ink Monitor\InkMonitor.exe" [2004-05-05 262210]
"EPSON Stylus C67 Series"="d:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE" [2005-01-24 98304]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2007-03-14 257088]
"QuickTime Task"="D:\qttask.exe" [2007-06-29 286720]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2009-03-07 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="d:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=d:\windows\System32\dxtmsft32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\WINDOWS\\system32\\BugsSvr.exe"=
"d:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"d:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57034:TCP"= 57034:TCP:@xpsp2res.dll,-22009
"80:TCP"= 80:TCP:@xpsp2res.dll,-22009
"15674:TCP"= 15674:TCP:@xpsp2res.dll,-22009
"13662:TCP"= 13662:TCP:@xpsp2res.dll,-22009
"47605:TCP"= 47605:TCP:@xpsp2res.dll,-22009
"52939:TCP"= 52939:TCP:@xpsp2res.dll,-22009

R0 xuxsdlez;xuxsdlez;d:\windows\system32\drivers\xuxsdlez.sys [2001-08-30 23424]
R3 mgau;mgau;d:\windows\system32\drivers\mgaum.sys [2005-01-23 320384]
R3 QCEmerald;Logitech QuickCam Web;d:\windows\system32\drivers\OVCE.sys [2005-01-23 31872]
S3 AvFlt;Antivirus Filter Driver;d:\windows\system32\drivers\av5flt.sys --> d:\windows\system32\drivers\av5flt.sys [?]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\d:\docume~1\Algis\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys --> d:\docume~1\Algis\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - NAVAP
*Deregistered* - NAVENG
*Deregistered* - NAVEX15
.
Contents of the 'Scheduled Tasks' folder

2009-03-14 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
IE: E&xportar a Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} - hxxp://www.riffinteractive.com/setup/RiffLick.cab
DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} - hxxp://player.bugs.co.kr/install/BugsInstall.cab
DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} - hxxp://player.bugs.co.kr/install/BugsLoader20041018.cab
DPF: {FFFFFFFF-3C18-4A7E-A29D-E24F84B79BF1} - hxxp://64.7.220.98/downloads/pi1_20.exe
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-16 01:12:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(512)
d:\windows\System32\NavLogon.dll
.
Completion time: 2009-03-16 1:18:35
ComboFix-quarantined-files.txt 2009-03-16 06:17:14
ComboFix2.txt 2009-03-14 18:22:54
ComboFix3.txt 2009-03-14 02:11:31
ComboFix4.txt 2009-03-12 23:37:56
ComboFix5.txt 2009-03-16 06:05:18

Pre-Run: 7,964,876,800 bytes free
Post-Run: 7,958,302,720 bytes free

149 --- E O F --- 2009-03-11 03:49:23

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:22:56 AM, on 3/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\WgaTray.exe
D:\Program Files\NavNT\defwatch.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\NavNT\rtvscan.exe
D:\Program Files\NavNT\vptray.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\MsgSys.EXE
D:\Program Files\MSN Messenger\usnsvc.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\Algis\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {0ADE9F68-2B65-4F0D-9B33-E070D1B5E128} - d:\windows\system32\arwehdx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [vptray] D:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [PrinTray] D:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Ink Monitor] D:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [EPSON Stylus C67 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE /P23 "EPSON Stylus C67 Series" /O6 "USB002" /M "Stylus C67"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} (BugsInstall Control) - http://player.bugs.co.kr/install/BugsInstall.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106511023205
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/BugsLoader20041018.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {FFFFFFFF-3C18-4A7E-A29D-E24F84B79BF1} - http://64.7.220.98/downloads/pi1_20.exe
O20 - AppInit_DLLs: D:\WINDOWS\System32\dxtmsft32.dll
O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\Program Files\NavNT\rtvscan.exe

--
End of file - 5637 bytes

Thanks again

Algis

username333 0 Newbie Poster · Answer 13 · 2009-03-17T00:20:20+00:00

i suggest you to reformat your computer and don't forget to back up all important files. I recommend you to install REGISTRY and SPYWARE software . And i recommend you to install AVAST ANTI VIRUS as well.

Hope this could help you.

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 14 · 2009-03-17T00:45:42+00:00

i suggest you to reformat your computer and don't forget to back up all important files. I recommend you to install REGISTRY and SPYWARE software . And i recommend you to install AVAST ANTI VIRUS as well.
Hope this could help you.

algismorales,
Crunchie has not given you this advice so continue with HIS instructions and ignore the above.
Judy

algismorales 0 Light Poster · Answer 15 · 2009-03-17T01:15:53+00:00

Hi Crunchie,
Thanks for the reply. I clicked on the link to OTMoveIt you sent but the page is not found. Is there another link you can send me please to download OTMoveIt?

Thank you Crunchie!

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 16 · 2009-03-17T01:28:32+00:00

Hi Crunchie,
Thanks for the reply. I clicked on the link to OTMoveIt you sent but the page is not found. Is there another link you can send me please to download OTMoveIt?
Thank you Crunchie!

It appears this is no longer available. Crunchie will get back with you ASAP. Just hang it there.
Judy

algismorales 0 Light Poster · Answer 17 · 2009-03-17T01:48:37+00:00

algismorales 0 Light Poster

15 Years Ago

You're awesome Judy, thank you!

Algis

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 18 · 2009-03-17T01:49:12+00:00

crunchie 990 Most Valuable Poster

15 Years Ago

Sorry about that. http://oldtimer.geekstogo.com/OTMoveIt3.exe

algismorales 0 Light Poster · Answer 19 · 2009-03-17T22:39:05+00:00

Hi Crunchie,
Thank you for the new link to OTMoveIt. I ran it like you requested, and the log is below:

Error: Unable to interpret <D:\WINDOWS\System32\dxtmsft32.dll> in the current context!
Error: Unable to interpret <d:\windows\system32\arwehdx.dll> in the current context!
Error: Unable to interpret <d:\windows\system32\fxjjtlhq.dll> in the current context!

OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03172009_112923

Thank you Crunchie,
Algis

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 20 · 2009-03-18T01:36:22+00:00

Try it like this;

Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose "Copy"):
:Files
D:\WINDOWS\System32\dxtmsft32.dll
d:\windows\system32\arwehdx.dll
d:\windows\system32\fxjjtlhq.dll
Return to OTMoveIt, right-click on the "Paste List of Files/Folders to be Moved" window and choose "Paste".
Click the red "MoveIt!" button.
Close OTMoveIt.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".

Please post the log from OTMoveIt, located here:

C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

algismorales 0 Light Poster · Answer 21 · 2009-03-18T02:31:58+00:00

Hi there Crunchie,

It seems like I get the same result again, even with the procedure you posted above. Am I screwing something up?

Here is the log:

Error: Unable to interpret <D:\WINDOWS\System32\dxtmsft32.dll> in the current context!
Error: Unable to interpret <d:\windows\system32\arwehdx.dll> in the current context!
Error: Unable to interpret <d:\windows\system32\fxjjtlhq.dll> in the current context!

OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03172009_152319

Thank you Crunchie

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 22 · 2009-03-18T16:23:51+00:00

It could be me. I am not yet familiar with the working of this tool. I only know that it is pretty good :). (If we can get it working :D)

==

Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
Copy the fix below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:processes
explorer.exe

:files
d:\WINDOWS\System32\dxtmsft32.dll
d:\windows\system32\arwehdx.dll
d:\windows\system32\fxjjtlhq.dll

Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt3

algismorales 0 Light Poster · Answer 23 · 2009-03-18T21:56:30+00:00

Hi Crunchie,

I'm definitely sure it's NOT you.
Alright then, I followed the procedure you posted and here is the log that was produced. The log is always produced in the D drive, however.

Here it is:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder d:\WINDOWS\System32\dxtmsft32.dll not found.
LoadLibrary failed for d:\windows\system32\arwehdx.dll
d:\windows\system32\arwehdx.dll NOT unregistered.
File move failed. d:\windows\system32\arwehdx.dll scheduled to be moved on reboot.
LoadLibrary failed for d:\windows\system32\fxjjtlhq.dll
d:\windows\system32\fxjjtlhq.dll NOT unregistered.
File move failed. d:\windows\system32\fxjjtlhq.dll scheduled to be moved on reboot.

OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03182009_104502

It sure looks like two of the files were moved on reboot.

Thank you Crunchie

algismorales 0 Light Poster · Answer 24 · 2009-03-19T02:30:44+00:00

Hi there Crunchie,
I am not quite sure if I'm looking at the file you have mentioned, but in the same location where the logs are for the OTMoveIt, are some files, one which was created at the same time that I ran OTMoveThis this morning and with the same date/time stamp as the log that was created. However, when I click on that file, it opens up a file that says "windows", and after clicking on that, another saying "system32" shows up. After opening this one, nothing shows up.

Should I still go ahead and post the HiJackThis log?

Thank you Crunchie!

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 25 · 2009-03-19T09:32:28+00:00

Yes please. Given that information you posted, run MBA-M, update it and do another scan. Post it's log too.

algismorales 0 Light Poster · Answer 26 · 2009-03-20T01:59:35+00:00

Crunchie, hi!

I can't believe it's friday....again.

I ran the MBA-M again, and surprise surprise, it didn't take 10-11 hours to scan like the last 4 or 5 times I've had to run it when we both you and jholland started helping me out. It only took just about 2 hours this time. Wow!

Here are the MBA-M and HiJackThis logs (after rebooting).

Malwarebytes' Anti-Malware 1.34
Database version: 1871
Windows 5.1.2600 Service Pack 3

3/19/2009 2:26:53 PM
mbam-log-2009-03-19 (14-26-53).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 148142
Time elapsed: 2 hour(s), 8 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ade9f68-2b65-4f0d-9b33-e070d1b5e128} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0ade9f68-2b65-4f0d-9b33-e070d1b5e128} (Trojan.BHO.H) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
d:\WINDOWS\system32\arwehdx.dll (Trojan.BHO.H) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:58:42 PM, on 3/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\NavNT\defwatch.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\NavNT\rtvscan.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\WgaTray.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\MsgSys.EXE
D:\Program Files\NavNT\vptray.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\Algis\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {0ADE9F68-2B65-4F0D-9B33-E070D1B5E128} - d:\windows\system32\arwehdx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [vptray] D:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [PrinTray] D:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Ink Monitor] D:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [EPSON Stylus C67 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE /P23 "EPSON Stylus C67 Series" /O6 "USB002" /M "Stylus C67"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} (BugsInstall Control) - http://player.bugs.co.kr/install/BugsInstall.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106511023205
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/BugsLoader20041018.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {FFFFFFFF-3C18-4A7E-A29D-E24F84B79BF1} - http://64.7.220.98/downloads/pi1_20.exe
O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\Program Files\NavNT\rtvscan.exe

--
End of file - 5539 bytes

You and jholland are the BEST!

Thanks Crunchie