Answers to your tech questions
Computer forums for help with removing malicious software (malware) and improving computer security

[Resolved] Possible HTML/Exploit.IframeBof trojan
Epiphyte
post Mar 18 2008, 12:52 PM
Post #1
New Member
Group: New Member
Posts: 8
Joined: 18-March 08
Member No.: 77,686
Operating System: XP SP2

A little over a week ago, NOD32 detected two possible trojans on my system:

3/7/2008 3:13:50 PM HTTP filter file http://muma.51ku.cn/Yahoo.htm HTML/Exploit.IframeBof trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\svchost.exe.

3/7/2008 3:13:52 PM HTTP filter file http://muma.51ku.cn/ani.asp?id=1314 a variant of Win32/TrojanDownloader.Ani.Gen trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\svchost.exe.

They were quarantined and never appeared again on any scans. However, I have noticed some suspicious behavior that makes me think they may still be around. In particular, I have woken to check my pc in the morning several times and found what appear to be open IE explorer dialog boxes, but without any IE window open. In particular, I have seen "Do wish to install Chinese characters" on multiple occasions.

My HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:41:29 PM, on 3/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent\uTorrent.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Internet Explorer\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
E:\Program Files\Juice\Juice.exe
E:\Program Files\Steam\Steam.exe
C:\WINDOWS\system32\svchost.exe
E:\PROGRA~1\MOZILL~1\FIREFOX.EXE
E:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - e:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "e:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [egui] "E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "E:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1204874766041
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204874964775
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA08AF4B-FFFD-47D5-BFBD-D8713D7A7891}: NameServer = 208.180.42.100,208.180.42.68
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Window Net Dns (MyDNS) - Unknown owner - C:\Program Files\Internet Explorer\svchost.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Any help would be much appreciated
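A detection-side reading of the log above: the same unexpected path, C:\Program Files\Internet Explorer\svchost.exe, appears both in the running process list and as the binary behind the "Window Net Dns (MyDNS)" service with "Unknown owner", and svchost.exe is a name that legitimately lives only under the Windows directory. The script below is an added example (not HijackThis's code and not from the original post) that parses a HijackThis log and flags core Windows binary names found outside the Windows directory, plus O23 services with no registered owner. The set of binary names and expected directories is my own assumption; the sample log is an excerpt of the one posted above.

```python
"""Triage a HijackThis log for core Windows binary names that run from, or are
registered as services from, somewhere other than the Windows directory.

Added example for this thread, not HijackThis code and not part of the
original post. The sample below is an excerpt of the log posted above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: binaries that legitimately live only under the Windows directory.
# A copy under Program Files or a user profile is a classic masquerading trick;
# the log above lists svchost.exe under C:\Program Files\Internet Explorer.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "smss.exe", "winlogon.exe",
                   "services.exe", "csrss.exe", "spoolsv.exe", "explorer.exe"}

# Assumption: directories where those names are expected (compared case-insensitively).
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows"}

# "O23 - Service: <display name> - <owner> - <path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    source: str   # "process" (Running processes section) or "O23" (service entry)
    path: str
    detail: str


def _split(path: str) -> tuple[str, str]:
    """Return (directory, file name), both lower-cased, for a Windows path."""
    head, _, tail = path.replace("/", "\\").rpartition("\\")
    return head.lower(), tail.lower()


def _masquerading(path: str) -> bool:
    directory, name = _split(path)
    return name in SYSTEM_BINARIES and directory not in EXPECTED_DIRS


def triage(log_text: str) -> list[Finding]:
    """Walk the log once: check every running process, then every O23 service."""
    findings: list[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:            # a blank line ends the process list
                in_processes = False
            elif _masquerading(line):
                findings.append(Finding("process", line,
                                        "system binary name outside the Windows directory"))
            continue
        m = O23_RE.match(line)
        if not m:
            continue
        path = m["path"].strip()
        reasons = []
        if _masquerading(path):
            reasons.append("system binary name outside the Windows directory")
        if m["owner"].strip().lower() == "unknown owner":
            reasons.append("service has no registered owner")
        if reasons:
            findings.append(Finding("O23", path, f"{m['name']}: " + "; ".join(reasons)))
    return findings


# Constructed sample: an excerpt of the HijackThis log posted above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\svchost.exe
E:\Program Files\Hijackthis\HijackThis.exe

O23 - Service: Eset Service (ekrn) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Window Net Dns (MyDNS) - Unknown owner - C:\Program Files\Internet Explorer\svchost.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.source}] {f.path}  <- {f.detail}")
```

Run on the sample it reports the same path twice, once as a running process and once as the MyDNS service; on a clean log, where every svchost.exe sits under C:\WINDOWS\system32, it returns nothing. The directory comparison is deliberately exact rather than prefix-based, so a file under a sub-folder of System32 is still reported.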
Scotty
post Mar 26 2008, 08:25 AM
Post #2
Always Happy
Group: Malware Team
Posts: 3,653
Joined: 9-December 06
From: Haggistown, Kiltland
Member No.: 65,226
Operating System: XP Pro
Ubuntu 8.04

Hello and welcome to the forum.

Sorry about the delay in responding.

If you still need help, scan again with HijackThis and copy/paste a new log file into this thread.

Please make an uninstall list using HijackThis.
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in a reply.


Also please describe how your computer behaves at the moment.
Epiphyte
post Mar 26 2008, 09:39 AM
Post #3
New Member
Group: New Member
Posts: 8
Joined: 18-March 08
Member No.: 77,686
Operating System: XP SP2

Logfile of HijackThis v1.99.1
Scan saved at 10:29:58 AM, on 3/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent\uTorrent.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Internet Explorer\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\Juice\Juice.exe
C:\WINDOWS\system32\ntvdm.exe
E:\Program Files\SOYO\HW Monitor\Itesmart.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
e:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe
E:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ELECTR~1.SCR
E:\Program Files\Mozilla Thunderbird\thunderbird.exe
E:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - e:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - e:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "e:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [egui] "E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SmartGuardian] E:\Program Files\SOYO\HW Monitor\Itesmart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "E:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] e:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - e:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - e:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1204874766041
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204874964775
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA08AF4B-FFFD-47D5-BFBD-D8713D7A7891}: NameServer = 208.180.42.100,208.180.42.68
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Window Net Dns (MyDNS) - Unknown owner - C:\Program Files\Internet Explorer\svchost.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


Uninstall list:
Ad-Aware 2007
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
BLM 2.7.7
CDisplay 1.8
Craxtion4
DH Driver Cleaner.NET
ElectricSheep 2.6.6
ESET NOD32 Antivirus
FlashFXP v3
Hijackthis 1.99.1
HijackThis 1.99.1
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Java™ 6 Update 5
Juice 2.2
K-Lite Mega Codec Pack 3.8.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Standard
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
MozBackup 1.4.7
Mozilla Firefox (2.0.0.13)
Mozilla Thunderbird (2.0.0.12)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Nero 8
neroxml
NVIDIA Drivers
QT Lite 2.4.0
RivaTuner v2.07
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Sound Blaster Live!
SOYO H/W Monitor
Spybot - Search & Destroy
UltraVNC v1.0.2
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
VCRedistSetup
Ventrilo Client
Winamp
Windows Defender
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver


As far as system behavior is concerned, it is basically the same activities I mentioned in the first post, with IE dialog boxes appearing requesting to add new pages to favorites or to download a Chinese character set. This all occurs without any instance of IE open, as I only ever use Firefox.

Also, despite not showing up for about 2 weeks, on March 25, NOD32 picked up and quarantined the trojans again.

Here are the full logs of that:
3/25/2008 1:45:57 PM HTTP filter file http://muma.51ku.cn/Yahoo.htm HTML/Exploit.IframeBof trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\svchost.exe.

3/25/2008 1:45:57 PM HTTP filter file http://muma.51ku.cn/ani.asp?id=1314 a variant of Win32/TrojanDownloader.Ani.Gen trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\svchost.exe.

3/25/2008 1:45:57 PM HTTP filter file http://muma.51ku.cn/ani.c a variant of Win32/TrojanDownloader.Ani.Gen trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\svchost.exe.

3/25/2008 1:45:56 PM HTTP filter file http://muma.51ku.cn/Yahoo.htm HTML/Exploit.IframeBof trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\svchost.exe.

3/25/2008 1:45:56 PM HTTP filter file http://muma.51ku.cn/ani.c a variant of Win32/TrojanDownloader.Ani.Gen trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\svchost.exe.

3/25/2008 1:45:55 PM HTTP filter file http://muma.51ku.cn/Yahoo.htm HTML/Exploit.IframeBof trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\svchost.exe.

Any help would be much appreciated
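The six detections quoted above carry more information than the verdict names: they all fire within two seconds, all come from the same process, and that process runs as NT AUTHORITY\SYSTEM, which is how a service behaves, not a person browsing in Firefox. The script below is an added example (not ESET's code and not from the original post) that parses NOD32 "HTTP filter" lines into records, summarizes them by host, threat and source process, and applies that heuristic. The list of browser executable names is my assumption; the sample log is the six lines quoted above.

```python
"""Parse ESET NOD32 "HTTP filter" detection lines and summarize them, to tell a
user's browser hitting a bad page apart from one background process calling
out on its own.

Added example for this thread, not ESET's code and not part of the original
post. The sample below is the six detections quoted above.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlparse

# One NOD32 HTTP filter line, as formatted in the post above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) HTTP filter file "
    r"(?P<url>\S+) (?P<threat>.+?) connection terminated - quarantined "
    r"(?P<user>.+?) Threat was detected upon access to web by the application: "
    r"(?P<proc>.+?)\.?$"
)

# Assumption: processes from which web-borne detections are expected while a person browses.
BROWSERS = {"iexplore.exe", "firefox.exe", "opera.exe", "safari.exe"}


@dataclass
class Detection:
    when: datetime
    url: str
    threat: str
    user: str
    process: str


def parse_nod32(text: str) -> list[Detection]:
    out: list[Detection] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # blank lines or non-HTTP-filter events
        out.append(Detection(
            when=datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
            url=m["url"], threat=m["threat"], user=m["user"], process=m["proc"]))
    return out


def summarize(dets: list[Detection]) -> dict:
    """Collapse a batch of detections into the facts a responder looks at first."""
    if not dets:
        return {"count": 0}
    times = sorted(d.when for d in dets)
    return {
        "count": len(dets),
        "span_seconds": int((times[-1] - times[0]).total_seconds()),
        "hosts": sorted({urlparse(d.url).netloc for d in dets}),
        "urls": sorted({d.url for d in dets}),
        "threats": dict(Counter(d.threat for d in dets)),
        "processes": sorted({d.process for d in dets}),
        "system_context": all(d.user.upper() == r"NT AUTHORITY\SYSTEM" for d in dets),
    }


def looks_unattended(summary: dict) -> bool:
    """Heuristic: a burst from a single non-browser process running as SYSTEM is
    a persistent component calling home, not the user clicking a bad link."""
    if summary.get("count", 0) == 0 or not summary["system_context"]:
        return False
    if len(summary["processes"]) != 1:
        return False
    exe = summary["processes"][0].rpartition("\\")[2].lower()
    return exe not in BROWSERS


# Constructed sample: the six NOD32 lines quoted in the post above.
SAMPLE_LOG = r"""
3/25/2008 1:45:57 PM HTTP filter file http://muma.51ku.cn/Yahoo.htm HTML/Exploit.IframeBof trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\svchost.exe.
3/25/2008 1:45:57 PM HTTP filter file http://muma.51ku.cn/ani.asp?id=1314 a variant of Win32/TrojanDownloader.Ani.Gen trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\svchost.exe.
3/25/2008 1:45:57 PM HTTP filter file http://muma.51ku.cn/ani.c a variant of Win32/TrojanDownloader.Ani.Gen trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\svchost.exe.
3/25/2008 1:45:56 PM HTTP filter file http://muma.51ku.cn/Yahoo.htm HTML/Exploit.IframeBof trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\svchost.exe.
3/25/2008 1:45:56 PM HTTP filter file http://muma.51ku.cn/ani.c a variant of Win32/TrojanDownloader.Ani.Gen trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\svchost.exe.
3/25/2008 1:45:55 PM HTTP filter file http://muma.51ku.cn/Yahoo.htm HTML/Exploit.IframeBof trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\svchost.exe.
"""

if __name__ == "__main__":
    s = summarize(parse_nod32(SAMPLE_LOG))
    for key, value in s.items():
        print(f"{key}: {value}")
    print("unattended:", looks_unattended(s))
```

On the sample the summary shows one host, three distinct URLs, one source process and a two-second span, and the heuristic answers true: the AV is blocking a component that is already installed and keeps retrying, which is why quarantining the downloads alone did not make the detections stop.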
Scotty
post Mar 26 2008, 10:20 AM
Post #4
Always Happy
Group: Malware Team
Posts: 3,653
Joined: 9-December 06
From: Haggistown, Kiltland
Member No.: 65,226
Operating System: XP Pro
Ubuntu 8.04

Hi

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix).

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back in your next reply.



If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

Please download Combofix from Bleeping Computer.

If you can't download it from there, please try these 2 alternative sites:

Forospyware
Geeks to Go

  • Save it to your Desktop.
  • Disconnect from the Internet, then disable your anti-virus and any real-time anti-spyware monitors that are running.
  • Click Start>Run copy/paste or type "%userprofile%\desktop\combofix.exe" /killall into the Run box and click OK.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.

Note 1: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Note 2: Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.



In your next reply post:
Report.txt
ComboFix.txt
New HijackThis log taken after the above scan has run

Epiphyte
post Mar 26 2008, 10:57 AM
Post #5
New Member
Group: New Member
Posts: 8
Joined: 18-March 08
Member No.: 77,686
Operating System: XP SP2

Report.txt:

SDFix: Version 1.162

Run by Petrie on Wed 03/26/2008 at 11:31 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Program Files\Internet Explorer\svchost.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-26 11:35:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"p0"="e:\Program Files\DAEMON Tools Pro\"
"h0"=dword:00000000
"hdf12"=hex:73,2c,e6,b2,47,79,90,3f,9f,c8,84,56,68,6c,6e,8e,a9,9b,b8,75,16,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"a0"=hex:20,01,00,00,df,1e,63,fc,9e,f1,3e,73,b3,c0,e5,17,61,4b,7b,1f,01,..
"hdf12"=hex:2f,2e,24,dc,4b,91,33,b5,9d,2d,42,94,bb,fc,e5,b7,34,bd,7e,95,dc,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:22,9b,fc,ff,93,4f,8e,a2,e3,bd,50,c5,c2,0e,40,98,b0,f6,67,d0,76,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002]
"a0"=hex:20,01,00,00,ae,51,60,fc,c7,1f,1d,b9,5a,be,dd,6a,8f,ff,e8,bd,c3,..
"hdf12"=hex:00,ba,ff,e5,79,b7,1b,3b,52,61,44,2a,74,04,ff,40,fa,e5,0e,3c,5c,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0]
"hdf12"=hex:bf,d4,b0,ab,53,ac,fd,c2,78,27,b0,70,4f,b4,68,d6,5e,91,67,9c,55,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"p0"="e:\Program Files\DAEMON Tools Pro\"
"h0"=dword:00000000
"hdf12"=hex:73,2c,e6,b2,47,79,90,3f,9f,c8,84,56,68,6c,6e,8e,a9,9b,b8,75,16,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"a0"=hex:20,01,00,00,df,1e,63,fc,9e,f1,3e,73,b3,c0,e5,17,61,4b,7b,1f,01,..
"hdf12"=hex:2f,2e,24,dc,4b,91,33,b5,9d,2d,42,94,bb,fc,e5,b7,34,bd,7e,95,dc,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:22,9b,fc,ff,93,4f,8e,a2,e3,bd,50,c5,c2,0e,40,98,b0,f6,67,d0,76,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002]
"a0"=hex:20,01,00,00,ae,51,60,fc,c7,1f,1d,b9,5a,be,dd,6a,8f,ff,e8,bd,c3,..
"hdf12"=hex:00,ba,ff,e5,79,b7,1b,3b,52,61,44,2a,74,04,ff,40,fa,e5,0e,3c,5c,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0]
"hdf12"=hex:bf,d4,b0,ab,53,ac,fd,c2,78,27,b0,70,4f,b4,68,d6,5e,91,67,9c,55,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"E:\\Program Files\\Ventrilo\\Ventrilo.exe"="E:\\Program Files\\Ventrilo\\Ventrilo.exe:*:Enabled:Ventrilo"
"C:\\Program Files\\Windows Defender\\MSASCui.exe"="C:\\Program Files\\Windows Defender\\MSASCui.exe:*:Enabled:Windows Defender"
"E:\\Program Files\\Steam\\steamapps\\epiphyte\\team fortress 2\\hl2.exe"="E:\\Program Files\\Steam\\steamapps\\epiphyte\\team fortress 2\\hl2.exe:*:Enabled:hl2"
"E:\\Program Files\\Steam\\steamapps\\epiphyte\\half-life 2 deathmatch\\hl2.exe"="E:\\Program Files\\Steam\\steamapps\\epiphyte\\half-life 2 deathmatch\\hl2.exe:*:Enabled:hl2"
"e:\\Program Files\\FlashFXP\\FlashFXP.exe"="e:\\Program Files\\FlashFXP\\FlashFXP.exe:*:Enabled:FlashFXP v3"
"C:\\Program Files\\Team Craxtion\\Craxtion4\\Craxtion.exe"="C:\\Program Files\\Team Craxtion\\Craxtion4\\Craxtion.exe:*:Disabled: "
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\ElectricSheep.scr"="C:\\WINDOWS\\system32\\ElectricSheep.scr:*:Enabled:ElectricSheep"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"e:\\Program Files\\FlashFXP\\FlashFXP.exe"="e:\\Program Files\\FlashFXP\\FlashFXP.exe:*:Enabled:FlashFXP v3"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 3 Mar 2008 568 A..H. --- "C:\WINDOWS\nod32fixtemdono.reg"
Mon 3 Mar 2008 5,702 A..H. --- "C:\WINDOWS\nod32restoretemdono.reg"
Fri 7 Mar 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!

Combofix.txt:
ComboFix 08-03-25.4 - Petrie 2008-03-26 11:46:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1684 [GMT -5:00]
Running from: E:\Downloads\ComboFix.exe
Command switches used :: /killall
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.

2008-03-26 11:30 . 2008-03-26 11:30 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-26 11:27 . 2008-03-26 11:37 <DIR> d-------- C:\SDFix
2008-03-26 10:10 . 2008-03-26 10:10 48,456 --a------ C:\WINDOWS\system32\UninstallElectricSheep.exe
2008-03-25 14:59 . 2008-03-25 15:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-25 14:08 . 2008-03-25 14:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-23 19:23 . 2008-03-23 19:23 <DIR> d-------- C:\Documents and Settings\Petrie\WINDOWS
2008-03-23 19:23 . 1997-11-19 15:49 303,616 --a------ C:\WINDOWS\IsUninst.exe
2008-03-23 19:23 . 1999-08-30 19:49 3,680 --a------ C:\WINDOWS\system32\drivers\Iteio.sys
2008-03-20 23:03 . 2001-08-23 07:00 66,594 --a--c--- C:\WINDOWS\system32\dllcache\c_864.nls
2008-03-20 23:01 . 2001-08-23 07:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-03-20 23:00 . 2004-08-03 23:31 716,856 --a--c--- C:\WINDOWS\system32\dllcache\imjpcus.dll
2008-03-20 22:59 . 2001-08-17 22:36 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2008-03-20 19:20 . 2008-03-26 11:47 3,374,063 --a------ C:\WINDOWS\{00000000-00000000-0000000C-00001102-00000002-80611102}.CDF
2008-03-20 19:20 . 2008-03-26 11:47 3,374,063 --a------ C:\WINDOWS\{00000000-00000000-0000000C-00001102-00000002-80611102}.BAK
2008-03-20 00:48 . 2008-03-20 00:48 <DIR> d-------- C:\WINDOWS\Sun
2008-03-20 00:47 . 2008-03-20 00:47 <DIR> d-------- C:\Program Files\Java
2008-03-20 00:47 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-20 00:46 . 2008-03-20 00:46 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-15 10:40 . 2008-03-15 10:40 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-15 03:05 . 2008-03-26 07:18 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-03-14 20:30 . 2008-03-14 20:30 <DIR> d-------- C:\Program Files\NeroInstall.bak
2008-03-14 20:30 . 2008-03-14 20:30 <DIR> d-------- C:\Documents and Settings\Petrie\Application Data\Nero
2008-03-14 20:28 . 2008-03-14 20:29 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-03-14 20:28 . 2008-03-14 20:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-03-14 19:24 . 2008-03-14 19:24 <DIR> d-------- C:\Program Files\Team Craxtion
2008-03-14 19:13 . 2008-03-14 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FlashFXP
2008-03-14 02:06 . 2007-09-04 17:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2008-03-14 02:05 . 2007-11-29 23:30 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-03-14 02:05 . 2007-12-24 13:49 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-03-14 02:05 . 2007-07-10 17:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-03-12 15:46 . 2008-03-12 15:46 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-12 15:44 . 2008-03-12 15:52 1,446 --a------ C:\WINDOWS\mozver.dat
2008-03-12 14:08 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-03-11 00:24 . 2008-03-24 17:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-11 00:24 . 2008-03-11 00:24 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-10 21:07 . 2008-03-13 23:04 <DIR> d-------- C:\Documents and Settings\Petrie\Application Data\Digital Red
2008-03-10 12:34 . 2008-03-10 12:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-10 12:34 . 2008-01-31 23:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-10 12:34 . 2008-01-31 23:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-09 14:03 . 2008-03-09 14:03 <DIR> d-------- C:\Program Files\Windows Defender
2008-03-09 14:00 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-09 14:00 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-09 13:40 . 2008-03-09 13:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-03-09 13:26 . 2007-12-10 15:24 159,458 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-03-09 13:15 . 2008-03-09 13:39 <DIR> d-------- C:\WINDOWS\nview
2008-03-09 13:15 . 2007-12-05 02:53 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-03-09 13:15 . 2007-12-05 02:41 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-03-09 13:15 . 2008-03-09 13:40 164,081 --a------ C:\WINDOWS\system32\nvapps.xml
2008-03-09 13:15 . 2007-12-05 02:41 17,737 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-03-08 22:39 . 2008-03-08 22:40 <DIR> d-------- C:\Documents and Settings\Petrie\Application Data\Ventrilo
2008-03-08 22:38 . 2008-03-25 14:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-07 18:51 . 2008-03-07 18:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grey Alien Games
2008-03-07 15:16 . 2008-03-07 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-03-07 15:11 . 2008-03-07 15:11 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-03-07 14:57 . 2008-03-07 15:17 <DIR> d-------- C:\Documents and Settings\Petrie\Application Data\DAEMON Tools Pro
2008-03-07 13:34 . 2008-03-07 13:36 <DIR> d-------- C:\Documents and Settings\Petrie\Application Data\iPodder
2008-03-07 13:14 . 2004-08-21 21:49 662,288 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2008-03-07 13:14 . 2004-08-21 21:49 212,240 --a------ C:\WINDOWS\system32\Richtx32.ocx
2008-03-07 13:14 . 2004-08-21 21:49 152,848 --a------ C:\WINDOWS\system32\comdlg32.ocx
2008-03-07 13:14 . 2000-10-29 18:34 150,016 --a------ C:\WINDOWS\system32\Unzip32.dll
2008-03-07 13:14 . 2004-08-21 21:49 132,880 --a------ C:\WINDOWS\system32\msinet.ocx
2008-03-07 13:14 . 2004-08-21 21:49 124,688 --a------ C:\WINDOWS\system32\mswinsck.ocx
2008-03-07 13:11 . 2008-03-07 13:11 360,064 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-03-07 12:54 . 2008-03-07 12:55 <DIR> d-------- C:\Documents and Settings\Petrie\Application Data\Winamp
2008-03-07 12:10 . 2008-03-07 12:10 <DIR> d-------- C:\WINDOWS\ShellNew
2008-03-07 12:10 . 2008-03-07 12:10 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-03-07 12:10 . 2008-03-07 12:10 376 --a------ C:\WINDOWS\ODBC.INI
2008-03-07 11:58 . 2008-03-07 11:58 17 --a------ C:\WINDOWS\system32\'
2008-03-07 11:48 . 2008-03-07 11:48 <DIR> d-------- C:\Documents and Settings\Petrie\Application Data\Thunderbird
2008-03-07 11:48 . 2008-03-07 11:48 <DIR> d-------- C:\Documents and Settings\Petrie\Application Data\Talkback
2008-03-07 11:47 . 2008-03-03 15:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
2008-03-07 11:47 . 2008-03-03 19:21 568 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-03-07 11:46 . 2008-03-07 11:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-03-07 11:32 . 2008-03-07 11:32 <DIR> d-------- C:\Program Files\uTorrent
2008-03-07 11:31 . 2008-03-26 11:43 <DIR> d-------- C:\Documents and Settings\Petrie\Application Data\uTorrent
2008-03-07 03:33 . 2008-03-07 03:33 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-07 03:23 . 2008-03-09 13:40 8 --a------ C:\WINDOWS\system32\nvModes.dat
2008-03-07 03:21 . 2008-03-07 03:21 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-03-07 03:15 . 2008-03-07 03:15 <DIR> d-------- C:\Program Files\MSBuild
2008-03-07 03:11 . 2008-03-07 03:36 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-03-07 03:11 . 2008-03-07 03:11 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-03-07 03:10 . 2006-06-29 14:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-03-07 03:08 . 2008-03-07 03:08 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-03-07 03:07 . 2008-03-07 03:07 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-07 03:07 . 2008-03-07 03:08 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-25 22:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-07 18:11 360,064 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-03-07 07:47 --------- d-----w C:\Documents and Settings\Petrie\Application Data\Media Player Classic
2008-03-07 07:35 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-07 07:28 --------- d-----w C:\Program Files\Creative
2008-03-07 07:19 --------- d-----w C:\Program Files\microsoft frontpage
2008-02-20 17:11 33,800 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2008-02-20 17:02 29,704 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-02-20 17:01 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2008-02-18 21:21 132,904 ----a-w C:\WINDOWS\system32\drivers\imagesrv.sys
2008-02-18 21:21 11,304 ----a-w C:\WINDOWS\system32\drivers\imagedrv.sys
.

------- Sigcheck -------

2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-04 00:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-03-07 13:11 360064 8283a4d489b207991efdc8328733d0bc C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-03-07 13:11 360064 8283a4d489b207991efdc8328733d0bc C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2008-03-07 11:32 219952]
"DAEMON Tools Pro Agent"="E:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [ ]
"SpybotSD TeaTimer"="e:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 17:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
"Jet Detection"="e:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 01:00 28672]
"egui"="E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 12:06 1443072]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 09:59 570664]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 23:32 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 07:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 23:31 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 23:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 23:32 455168]
"SmartGuardian"="E:\Program Files\SOYO\HW Monitor\Itesmart.exe" [2002-05-24 09:25 163840]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - E:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"E:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"C:\\Program Files\\Windows Defender\\MSASCui.exe"=
"E:\\Program Files\\Steam\\steamapps\\epiphyte\\team fortress 2\\hl2.exe"=
"E:\\Program Files\\Steam\\steamapps\\epiphyte\\half-life 2 deathmatch\\hl2.exe"=
"e:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"C:\\Program Files\\Team Craxtion\\Craxtion4\\Craxtion.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\ElectricSheep.scr"=

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 12:11]
R3 iteio;iteio;C:\WINDOWS\system32\drivers\iteio.sys [1999-08-30 19:49]
S2 MyDNS;Window Net Dns;C:\Program Files\Internet Explorer\svchost.exe []
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2001-08-23 07:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-26 16:38:43 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-26 11:47:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2008-03-26 11:51:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-26 16:50:55
.
2008-03-25 20:43:29 --- E O F ---

Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 11:54, on 2008-03-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\CTHELPER.EXE
E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
E:\Program Files\SOYO\HW Monitor\Itesmart.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent\uTorrent.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
E:\Program Files\Mozilla Thunderbird\thunderbird.exe
E:\Program Files\Hijackthis\HijackThis.exe
E:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - e:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - e:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "e:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [egui] "E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SmartGuardian] E:\Program Files\SOYO\HW Monitor\Itesmart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "E:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] e:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - e:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - e:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1204874766041
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204874964775
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA08AF4B-FFFD-47D5-BFBD-D8713D7A7891}: NameServer = 208.180.42.100,208.180.42.68
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Window Net Dns (MyDNS) - Unknown owner - C:\Program Files\Internet Explorer\svchost.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Scotty
post Mar 26 2008, 01:58 PM
Post #6

Always Happy
Group: Malware Team
Posts: 3,653
Joined: 9-December 06
From: Haggistown, Kiltland
Member No.: 65,226
Operating System: XP Pro
Ubuntu 8.04

We now suggest that you install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System, which in your case is SP2

XP Media Centre is based upon XP Professional

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.

Epiphyte
post Mar 26 2008, 03:17 PM
Post #7

New Member
Group: New Member
Posts: 8
Joined: 18-March 08
Member No.: 77,686
Operating System: XP SP2

CF_RC.txt:

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
Scotty
post Mar 27 2008, 09:36 AM
Post #8

Always Happy
Group: Malware Team
Posts: 3,653
Joined: 9-December 06
From: Haggistown, Kiltland
Member No.: 65,226
Operating System: XP Pro
Ubuntu 8.04

Hi

Go to http://virusscan.jotti.org
Copy the following line into the white textbox:
C:\WINDOWS\system32\drivers\Iteio.sys
Click Submit.
Please post the results of this scan to this thread.
Do the same for this:
C:\WINDOWS\system32\'

Remember to disconnect from the Internet before carrying out the next instruction, and to save the following script before you do.

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

CODE
KillAll::

DirLook::
C:\Documents and Settings\Petrie\WINDOWS

Driver::
MyDNS


Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Referring to the picture above, drag CFScript into ComboFix.exe

In your next reply post:
ComboFix.txt
New HijackThis log taken after the above scan has run

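The entries the helper singled out in the logs above (the MyDNS service pointing at an svchost.exe outside System32 with its file missing, the file named ' in system32, and a WINDOWS directory inside the user's profile) can be surfaced mechanically. The script below is an added example for this thread, not code from the forum or from the HijackThis/ComboFix authors; it runs simple path heuristics over lines copied from the posted logs, and its rule set and function names are assumptions made for illustration.

```python
"""Triage heuristics for HijackThis and ComboFix text logs (added example for
this thread, not forum or HijackThis/ComboFix code). Sample lines are copied
from the posted logs; the rule set and function names are assumptions."""
import re

# Constructed sample: lines from the posted logs plus clean entries
# (ekrn.exe, epfwtdir.sys, Iteio.sys) to show the rules leave them alone.
SAMPLE_LOG = r"""
O23 - Service: Window Net Dns (MyDNS) - Unknown owner - C:\Program Files\Internet Explorer\svchost.exe (file missing)
O23 - Service: Eset Service (ekrn) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
S2 MyDNS;Window Net Dns;C:\Program Files\Internet Explorer\svchost.exe []
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 12:11]
2008-03-07 11:58 . 2008-03-07 11:58 17 --a------ C:\WINDOWS\system32\'
2008-03-23 19:23 . 2008-03-23 19:23 <DIR> d-------- C:\Documents and Settings\Petrie\WINDOWS
2008-03-23 19:23 . 1999-08-30 19:49 3,680 --a------ C:\WINDOWS\system32\drivers\Iteio.sys
"""

# Core Windows binaries that legitimately live only under System32.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "winlogon.exe",
                   "services.exe", "csrss.exe", "smss.exe"}

# A drive-letter path; components stop at brackets, parentheses and ';' so
# the trailing " [date size]" / " (file missing)" decorations are excluded.
PATH_RE = re.compile(r"[A-Za-z]:\\(?:[^\\\[\];()]+\\)*[^\\\[\];()]*")

SYS_OUTSIDE = "system binary name outside System32"
NO_ALNUM = "file name with no alphanumeric characters"
PROFILE_WINDOWS = "'WINDOWS' directory inside a user profile"
SVC_MISSING = "service whose binary is missing or has no owner"

def extract_paths(line):
    """Return the cleaned drive-letter paths found in one log line."""
    return [p.strip() for p in PATH_RE.findall(line) if p.strip()]

def triage_line(line):
    """Return (reason, subject) findings for one HijackThis/ComboFix line."""
    findings = []
    for path in extract_paths(line):
        parts = path.split("\\")
        name, parent = parts[-1], "\\".join(parts[:-1]).lower()
        if name.lower() in SYSTEM_BINARIES and not parent.endswith("\\system32"):
            findings.append((SYS_OUTSIDE, path))
        if name and not re.search(r"[A-Za-z0-9]", name):
            findings.append((NO_ALNUM, path))
        if name.lower() == "windows" and "\\documents and settings\\" in parent + "\\":
            findings.append((PROFILE_WINDOWS, path))
    # HijackThis O23 with the owner unknown or the binary absent, or a ComboFix
    # R#/S# service line ending in "[]" (ComboFix could not stat the file).
    if line.startswith("O23") and ("(file missing)" in line or "Unknown owner" in line):
        findings.append((SVC_MISSING, line))
    elif re.match(r"[RS]\d ", line) and line.rstrip().endswith("[]"):
        findings.append((SVC_MISSING, line))
    return findings

def triage_log(text):
    """Run triage_line over every non-empty line; return all findings in order."""
    findings = []
    for line in text.strip().splitlines():
        if line.strip():
            findings.extend(triage_line(line))
    return findings

if __name__ == "__main__":
    for reason, subject in triage_log(SAMPLE_LOG):
        print(f"{reason}: {subject}")
```

Iteio.sys is deliberately not flagged: nothing in its path alone is suspicious, which is why the helper sends it to a multi-engine scanner instead.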
Epiphyte