Answers to your tech questions
Computer forums for help with removing malicious software (malware) and improving computer security

[Closed] So much malware, such a young computer :(
fujikaka
post Aug 15 2008, 10:08 PM
Post #1

New Member | Group: New Member | Posts: 5 | Joined: 15-August 08 | Member No.: 80,987 | Operating System: Windows XP Pro

Over the last few days I downloaded quite a few files, only to scan them (virscan and/or jotti), and subsequently delete them because of the carp** they were laced with. Not a single file was ever opened or run on my computer. I have not noticed any performance issues, but Kaspersky and Ad-Aware tell me I have something to worry about. Below is the HijackThis log, along with a screen shot of what Kaspersky and Ad-Aware turned up. Any help would be greatly appreciated. Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:48:21 PM, on 8/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Sandboxie\SandboxieRpcSs.exe
C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.update.microsoft.com/microsoftu...t.aspx?ln=en-us
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1199177786796
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1215151278834
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 3831 bytes


http://img398.imageshack.us/img398/217/viruznd8.jpg
jmw3
post Aug 16 2008, 06:49 AM
Post #2

Authentic Member | Group: MRU Students | Posts: 63 | Joined: 2-April 08 | From: Port Hedland, Western Australia | Member No.: 78,061 | Operating System: Windows Vista Ultimate - Service Pack 1

Welcome fujikaka

I will be helping you under the guidance of one of our expert coaches.
Please give me a little time to get back to you with instructions.

In the meantime please note the following:
  • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
  • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
    1. The tools that we use are very powerful and can cause irreparable damage to your computer if not used correctly.
    2. Commercial scanners, for the most part, cannot completely remove some of the more "resistant" infections. This makes them much more difficult to get rid of completely.
  • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
  • Continue to respond to this thread until I give you the All Clean!

Please Note: My instructions to you are checked by an expert prior to posting. This may cause a small delay between posts.
Thanks
John

Create an Uninstall List
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button
  • Click on the Save list... button and specify where you would like to save this file
  • When you press the Save button a notepad will open with the contents of that file
  • Copy and paste the contents of that notepad here in your next reply
fujikaka
post Aug 16 2008, 01:35 PM
Post #3

Thank you for the reply. Before I post the uninstall log, I'd like to inform you that NOTHING turns up when running Spybot or Kaspersky in safe mode. I would run Ad-Aware, as that is what shows the most malware, but there are known compatibility issues when running in safe mode (it simply doesn't work). Here is the log - again, thank you for helping.

Ad-Aware
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Stock Photos 1.0
Apple Software Update
Aspell English Dictionary-0.50-2
CCleaner (remove only)
Condition Zero
Counter-Strike
foobar2000 v0.9.5.4
GNU Aspell 0.50-3
GTK+ Runtime 2.12.8 rev a (remove only)
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
iTunes
Kaspersky Anti-Virus 7.0
Kaspersky Anti-Virus 7.0
Microsoft .NET Framework 2.0
Mozilla Firefox (3.0.1)
NVIDIA Drivers
Pidgin
Prime95
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Sandboxie 3.28
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Spybot - Search & Destroy
Steam
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
VideoLAN VLC media player 0.8.6h
Windows XP Service Pack 3
WinRAR archiver
ZoneAlarm Pro

jmw3
post Aug 17 2008, 04:05 PM
Post #4

Hello fujikaka
Sorry for the late reply.

Rename HiJackThis
There may be an infection hiding in your log.
  • Using Windows Explorer (right-click the Start button and click Explore), navigate to: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
  • Right-click on HijackThis.exe and select Rename
  • Rename it to something like fujikaka.exe
  • Right-click on fujikaka.exe, click Create Shortcut, then close Explorer
  • Delete the old HijackThis shortcut
  • Double click the fujikaka.exe shortcut on your desktop to run the program then post back a new Hijackthis log.
fujikaka
post Aug 17 2008, 10:38 PM
Post #5

Not a problem. Here you go:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:37:37 PM, on 8/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Sandboxie\SandboxieRpcSs.exe
C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
C:\Program Files\Trend Micro\HijackThis\fujikaka.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.update.microsoft.com/microsoftu...t.aspx?ln=en-us
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1199177786796
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1215151278834
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 3669 bytes

I know I am not a malware fighter by any means, but the logs look clean to me. Is it possible that Ad-Aware is still coming up with false positives?
Thanks again

This post has been edited by fujikaka: Aug 17 2008, 10:44 PM
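The two HijackThis logs in this thread are read by eye, entry by entry. As an added example (not code from the thread, from HijackThis, or from any tool the helper used), the Python below parses the R0, O4, O16 and O23 lines into records and applies the kind of triage a helper applies when deciding whether a log is clean: startup items and services that run from user-writable directories, system-binary names outside system32, services with no recorded vendor or a missing file, and ActiveX or start-page URLs off a trusted-domain list. CLEAN_LINES are copied from the logs above; SUSPECT_LINES, the directory markers and the trusted-domain list are constructed assumptions for illustration. Run against the entries posted here it reports nothing, which matches jmw3's reading in the following post.

```python
"""Triage heuristics for HijackThis 2.0.2 log entries.

Added example: not code from this thread, from HijackThis or from any tool it
mentions. CLEAN_LINES are copied from the logs above; SUSPECT_LINES, the
directory markers and the trusted-domain list are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

CLEAN_LINES = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.update.microsoft.com/microsoftu...t.aspx?ln=en-us",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup",
    r'O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"',
    r"O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE",
    r"O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1199177786796",
    r"O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe",
    r"O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe",
]
SUSPECT_LINES = [  # constructed for illustration, not from the thread
    r"O4 - HKCU\..\Run: [winupdate] C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe",
    r"O23 - Service: Helper Svc (helpsvc2) - Unknown owner - C:\WINDOWS\Temp\hlp.exe (file missing)",
    r"O16 - DPF: {00000000-0000-0000-0000-000000000000} (Codec Installer) - http://codec.example/installer.cab",
]
SAMPLE_LOG = "\n".join(CLEAN_LINES + SUSPECT_LINES)

# Heuristic lists (assumptions for this example, not part of any published tool).
USER_WRITABLE_MARKERS = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\documents and settings\\")
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe"}
SYSTEM32 = "c:\\windows\\system32\\"
TRUSTED_URL_SUFFIXES = ("microsoft.com",)

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - (?P<vendor>.+?) - (?P<path>.+)$")
O16_RE = re.compile(r"^DPF: \{(?P<clsid>[^}]+)\} \((?P<name>[^)]*)\) - (?P<url>\S+)$")
R_RE = re.compile(r"^(?P<key>.+?) = (?P<value>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|com|scr|bat|cmd))\b', re.IGNORECASE)


@dataclass
class Finding:
    kind: str
    name: str
    target: str
    reasons: List[str]


def command_path(cmd: str) -> str:
    """Executable, or the DLL behind rundll32, that a Run-key command loads."""
    cmd = cmd.strip()
    if cmd.lower().startswith("rundll32"):
        cmd = cmd.split(None, 1)[1] if " " in cmd else ""
    m = EXE_RE.match(cmd)
    return m.group("path") if m else cmd.strip('"')


def path_reasons(path: str) -> List[str]:
    low = path.lower()
    reasons = []
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        reasons.append("runs from a user-writable location")
    if low.rsplit("\\", 1)[-1] in SYSTEM_BINARY_NAMES and not low.startswith(SYSTEM32):
        reasons.append("system binary name outside system32")
    return reasons


def url_reasons(url: str) -> List[str]:
    host = (urlparse(url).hostname or "").lower()
    trusted = any(host == s or host.endswith("." + s) for s in TRUSTED_URL_SUFFIXES)
    return [] if trusted else [f"host {host!r} is not on the trusted list"]


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per entry that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O4" and (e := O4_RE.match(body)):
            name, target = e.group("name"), command_path(e.group("cmd"))
            reasons = path_reasons(target)
        elif kind == "O23" and (e := O23_RE.match(body)):
            name, target = e.group("short") or e.group("display"), e.group("path")
            reasons = path_reasons(target.replace(" (file missing)", ""))
            if "(file missing)" in target:
                reasons.append("service binary missing on disk")
            if e.group("vendor").lower() == "unknown owner":
                reasons.append("no vendor recorded for service")
        elif kind == "O16" and (e := O16_RE.match(body)):
            name, target = e.group("name"), e.group("url")
            reasons = url_reasons(target)
        elif kind in ("R0", "R1") and (e := R_RE.match(body)):
            name, target = e.group("key"), e.group("value")
            reasons = url_reasons(target) if target.startswith("http") else []
        else:
            continue
        if reasons:
            findings.append(Finding(kind, name, target, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind} [{f.name}] {f.target}: {'; '.join(f.reasons)}")
```

The heuristics are deliberately location-based rather than name-based: a renamed copy of a legitimate tool (the thread's own fujikaka.exe) trips nothing, while a file called svchost.exe living under Local Settings\Temp does, which is the distinction a helper makes before asking for further scans.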
jmw3
post Aug 18 2008, 09:59 AM
Post #6

Hello fujikaka

Yes that log is clean. Let's run a couple of other scans.

Deckard's System Scanner (DSS)
Download Deckard's System Scanner here & save to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (maximized) and extra.txt (minimized)
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post in your next reply.


Malwarebytes' Anti-Malware
Download Malwarebytes' Anti-Malware here and save to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
    Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware.


To post in next reply:
DSS logs
MBAM log
fujikaka
post Aug 18 2008, 12:59 PM
Post #7

I get the following message when trying to download the first application:

Deckard's System Scanner interacts with a specific rootkit (tdssserv) in a way that may make your system unusable (altering the svchost netsvcs registry entry). This download link has been removed until a fix is released by Deckard. For your own protection, please do not attempt to download this tool from other sites.

08/17/2008

Your Geeks to Go admin team

As for the second one, it did spot and remove one of the things Ad-Aware found. Here is the log.

Malwarebytes' Anti-Malware 1.25
Database version: 1066
Windows 5.1.2600 Service Pack 3

11:56:59 AM 8/18/2008
mbam-log-08-18-2008 (11-56-59).txt

Scan type: Full Scan (C:\|)
Objects scanned: 77189
Time elapsed: 15 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{0F370205-69EC-4F3D-B029-FD0DB7EA931D}\RP22\A0017557.exe (Trojan.Horst) -> Quarantined and deleted successfully.
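The single hit in the log above sits under C:\System Volume Information\_restore{...}\RP22\, that is, inside a System Restore snapshot rather than in an active location. As an added example, not code from the thread or from Malwarebytes, the Python below parses a Malwarebytes' Anti-Malware 1.x log, splits detections into active ones and restore-point-only ones, and cross-checks the summary counts against the detail lines so that a truncated or hand-edited log is noticed. The embedded log is abridged from the post above; the extra line in EDITED_LOG is constructed.

```python
r"""Classify Malwarebytes' Anti-Malware 1.x log detections by where they live.

Added example: not code from this thread or from Malwarebytes. A hit under
\System Volume Information\_restore{...}\RPnn\ is a System Restore snapshot of
a file that once existed elsewhere: inert until that restore point is applied,
but proof the file was on the system. MBAM_LOG is abridged from the log above;
the extra line in EDITED_LOG is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.25
Database version: 1066
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|)
Objects scanned: 77189

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{0F370205-69EC-4F3D-B029-FD0DB7EA931D}\RP22\A0017557.exe (Trojan.Horst) -> Quarantined and deleted successfully.
"""
# Constructed: one more detail line with no matching summary count, as a
# truncated or hand-edited log would show.
EDITED_LOG = MBAM_LOG + r"C:\WINDOWS\Temp\dropper.exe (Trojan.Example) -> Quarantined and deleted successfully." + "\n"

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
DETAIL_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(?P<rp>RP\d+)\\", re.IGNORECASE)


@dataclass
class Detection:
    section: str
    item: str
    threat: str
    action: str
    restore_point: Optional[str]  # e.g. "RP22" when the hit lives in a System Restore snapshot


def parse_mbam_log(text: str) -> Tuple[Dict[str, int], List[Detection]]:
    """Summary counts keyed by section, plus one Detection per detail line."""
    counts: Dict[str, int] = {}
    detections: List[Detection] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SUMMARY_RE.match(line)):
            counts[m["section"]] = int(m["count"])
        elif (m := HEADER_RE.match(line)):
            section = m["section"]
        elif section and (m := DETAIL_RE.match(line)):
            rp = RESTORE_RE.search(m["item"])
            detections.append(Detection(section, m["item"], m["threat"], m["action"], rp["rp"] if rp else None))
    return counts, detections


def assess(text: str) -> dict:
    """Split hits into active vs. restore-point-only and verify the log is complete."""
    counts, detections = parse_mbam_log(text)
    return {
        "active": [d for d in detections if d.restore_point is None],
        "restore_point_only": [d for d in detections if d.restore_point is not None],
        # A mismatch means detail lines are missing or were added by hand.
        "counts_match_details": sum(counts.values()) == len(detections),
    }


if __name__ == "__main__":
    result = assess(MBAM_LOG)
    for d in result["restore_point_only"]:
        print(f"{d.threat} in {d.restore_point} only: {d.item}")
    print("active hits:", len(result["active"]), "| log consistent:", result["counts_match_details"])
```

A restore-point-only result is what jmw3 reacts to in the next post: the active system shows nothing, but the snapshot proves the file existed on disk at some point, so the question becomes what it did while it was there rather than whether it is still present.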
jmw3
post Aug 19 2008, 11:42 AM
Post #8

Hello fujikaka

The good news is the file MBAM detected is contained in your System Restore. The bad news is, that file is a very dangerous Backdoor Trojan. Even though it is currently contained in your System Restore it has at some point been on your system.
Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS).
You are strongly advised to do the following:
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).


ComboFix
Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

  • Close any open browsers
  • Click Start>Run
  • Copy/paste the contents of the code box below into the run box then click OK

CODE
"%userprofile%\desktop\combofix.exe" /F3M

  • Combofix will scan your computer then produce a log
  • Copy & paste the contents of the log in your next reply

The log can also be found at C:\Combofix.txt
fujikaka
post Aug 19 2008, 12:35 PM
Post #9

Argh, I really don't understand how this happened. If a file is downloaded and untouched on your desktop, is it still possible to become infected? I don't trust removing viruses with anything other than reformat, so it looks like I'll have to do that. I love my passwords, but I guess I will go about changing them. As for financial things - I never input any such information (my address - tops). Would changing my eBay/Auctiva/PayPal Passwords be enough?

Here is the log. I hate the Kaspersky noise! haha. Thanks again

ComboFix 08-08-18.05 - Administrator 2008-08-19 11:29:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1480 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\desktop\combofix.exe
Command switches used :: /F3M
.
((((((((((((((((((((((((( Files Created from 2008-07-19 to 2008-08-19 )))))))))))))))))))))))))))))))
.

2008-08-18 11:39 . 2008-08-18 11:39 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-18 11:39 . 2008-08-18 11:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-18 11:39 . 2008-08-18 11:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-18 11:39 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-18 11:39 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-16 01:23 . 2008-08-16 01:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-16 01:23 . 2008-08-19 10:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-15 19:47 . 2008-08-15 19:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-14 19:46 . 2008-04-11 12:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-14 19:46 . 2008-05-01 07:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-11 14:29 . 2008-08-11 14:29 <DIR> d-------- C:\Sandbox
2008-08-11 14:28 . 2008-08-11 14:28 <DIR> d-------- C:\Program Files\Sandboxie
2008-08-11 14:28 . 2008-08-16 23:40 1,498 --a------ C:\WINDOWS\Sandboxie.ini
2008-08-11 00:32 . 2008-08-11 14:28 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-08-10 01:58 . 2008-08-10 01:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-08-10 01:54 . 2008-08-10 01:54 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-08-10 01:53 . 2008-08-10 01:55 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-08-09 14:30 . 2008-08-19 10:43 <DIR> d-------- C:\Program Files\Steam
2008-08-08 22:02 . 2008-08-15 22:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\gtk-2.0
2008-08-07 22:37 . 2008-08-07 22:37 <DIR> d-------- C:\Program Files\uTorrent
2008-08-07 22:37 . 2008-08-11 02:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-19 18:29 366,368 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-08-19 18:29 3,517,728 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-19 17:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-19 08:07 47,804 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-19 08:07 35,180 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-08-19 08:02 --------- d-----w C:\Documents and Settings\Administrator\Application Data\.purple
2008-08-18 05:43 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-08-18 05:34 --------- d-----w C:\Documents and Settings\Administrator\Application Data\foobar2000
2008-08-08 05:30 96,976 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-08-08 05:30 87,855 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-07-09 16:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-06 08:09 --------- d-----w C:\Program Files\iTunes
2008-07-06 08:08 --------- d-----w C:\Program Files\QuickTime
2008-07-06 08:08 --------- d-----w C:\Program Files\iPod
2008-07-06 08:08 --------- d-----w C:\Program Files\Apple Software Update
2008-07-06 08:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-06 08:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-07-06 07:36 --------- d-----w C:\Program Files\foobar2000
2008-07-06 07:32 802,816 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-07-06 07:32 2,064,896 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-07-06 07:25 2,062,848 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-07-06 07:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\SharePod
2008-07-05 23:39 --------- d-----w C:\Program Files\Prime95
2008-07-05 08:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\vlc
2008-07-05 08:04 --------- d-----w C:\Documents and Settings\Administrator\Application Data\dvdcss
2008-07-05 08:03 --------- d-----w C:\Program Files\VideoLAN
2008-07-04 19:20 --------- d-----w C:\Program Files\Pidgin
2008-07-04 19:20 --------- d-----w C:\Program Files\Aspell
2008-07-04 19:16 --------- d-----w C:\Program Files\Common Files\GTK
2008-07-04 17:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-04 17:39 --------- d-----w C:\Program Files\Lavasoft
2008-07-04 17:39 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-04 17:24 --------- d-----w C:\Program Files\microsoft frontpage
2008-07-04 06:20 --------- d-----w C:\Program Files\CCleaner
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 15:09 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="C:\Program Files\Sandboxie\SbieCtrl.exe" [2008-06-30 14:19 738816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2007-12-04 10:41 8523776]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2007-12-04 10:41 81920]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
"nwiz"="nwiz.exe" [2007-12-04 10:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-12 23:31 16857600 C:\WINDOWS\RTHDCPL.exe]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll schannel.dll digest.dll msnsspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-06-02 11:13 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 17:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-08-09 14:31 1271032 c:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 14:28]
R3 SbieDrv;SbieDrv;C:\Program Files\Sandboxie\SbieDrv.sys [2008-06-30 15:06]
S3 PciCon;PciCon;D:\PciCon.sys []
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-GEST - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\85r1m3i6.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - pbnation.com
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-19 11:29:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
.
Completion time: 2008-08-19 11:32:09
ComboFix-quarantined-files.txt 2008-08-19 18:31:50

Post-Run: 605,121,765,376 bytes free

144 --- E O F --- 2008-08-15 03:01:27
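jmw3's reply to this log checks whether the trojan changed the Security Center and firewall values. As an added example, not code from the thread or from ComboFix, the Python below reads the REGEDIT4-style "Reg Loading Points" section, decodes the dword values, and correlates AntiVirusOverride=1 and EnableFirewall=0 with whatever product is registered under Security Center\Monitoring: with Kaspersky and ZoneAlarm registered, as here, those values are the expected state; with nothing registered they are the pattern left by malware that silences alerts. It also lists firewall exceptions outside the usual program roots and driver entries with no file timestamp, such as D:\PciCon.sys above. The registry text is abridged from the log above; NO_THIRD_PARTY is a constructed variant and EXPECTED_ROOTS is an assumption.

```python
"""Explain the security-state values in a ComboFix "Reg Loading Points" section.

Added example: not code from this thread or from ComboFix. COMBOFIX_REG is
abridged from the log above; NO_THIRD_PARTY is a constructed variant and
EXPECTED_ROOTS is an assumption.
"""
import re
from typing import Dict, List, Optional, Tuple

COMBOFIX_REG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="C:\Program Files\Sandboxie\SbieCtrl.exe" [2008-06-30 14:19 738816]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 14:28]
R3 SbieDrv;SbieDrv;C:\Program Files\Sandboxie\SbieDrv.sys [2008-06-30 15:06]
S3 PciCon;PciCon;D:\PciCon.sys []
"""
# Constructed: the same section with no product registered under Security Center\Monitoring.
NO_THIRD_PARTY = COMBOFIX_REG.replace('"DisableMonitoring"=dword:00000001', '"DisableMonitoring"=dword:00000000')

SC_KEY = r"hkey_local_machine\software\microsoft\security center"
FW_KEY = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
EXPECTED_ROOTS = ("%windir%", "c:\\windows\\", "c:\\program files\\")  # assumption

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*)$')
DRIVER_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?) \[(?P<stamp>[^\]]*)\]$")


def dword(value: Optional[str]) -> Optional[int]:
    """Decode a REGEDIT4 'dword:0000000n' value; None for anything else."""
    if value and value.lower().startswith("dword:"):
        return int(value.split(":", 1)[1], 16)
    return None


def parse_loading_points(text: str) -> Tuple[Dict[str, Dict[str, str]], List[dict]]:
    """{lowercased key: {value name: raw value}} plus the R/S driver lines."""
    keys: Dict[str, Dict[str, str]] = {}
    drivers: List[dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            current = m["key"].lower()
            keys.setdefault(current, {})
        elif current and (m := VALUE_RE.match(line)):
            keys[current][m["name"]] = m["value"].strip()
        elif (m := DRIVER_RE.match(line)):
            drivers.append(m.groupdict())
    return keys, drivers


def assess(text: str) -> List[Tuple[str, str]]:
    """(severity, explanation) pairs; 'info' when a registered product accounts for the value."""
    keys, drivers = parse_loading_points(text)
    registered = [key.rsplit("\\", 1)[-1] for key, vals in keys.items()
                  if key.startswith(SC_KEY + "\\monitoring\\") and dword(vals.get("DisableMonitoring")) == 1]
    has_av = any("firewall" not in p for p in registered)
    has_fw = any("firewall" in p for p in registered)
    who = ", ".join(registered) or "no product"
    findings = []
    if dword(keys.get(SC_KEY, {}).get("AntiVirusOverride")) == 1:
        findings.append(("info" if has_av else "warn",
                         f"Security Center antivirus alerts overridden; {who} registered to report instead"))
    if keys.get(FW_KEY, {}).get("EnableFirewall", "").split()[:1] == ["0"]:
        findings.append(("info" if has_fw else "warn",
                         f"Windows Firewall off on the standard profile; {who} registered as firewall"))
    for app in keys.get(FW_KEY + r"\authorizedapplications\list", {}):
        if not app.lower().replace("\\\\", "\\").startswith(EXPECTED_ROOTS):
            findings.append(("warn", f"firewall exception outside expected roots: {app}"))
    for d in drivers:
        if not d["stamp"]:  # ComboFix prints the file timestamp in the brackets; empty means it found none
            findings.append(("warn", f"driver {d['name']} ({d['start']}) points at {d['path']} with no file timestamp recorded"))
    return findings


if __name__ == "__main__":
    for severity, text in assess(COMBOFIX_REG):
        print(f"{severity}: {text}")
```

On the log above this yields two informational items and one warning, the unverified D:\PciCon.sys driver entry; on the constructed NO_THIRD_PARTY variant the same override and firewall values become warnings, because nothing is left to account for them.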
jmw3
post Aug 21 2008, 06:14 AM
Post #10

Hello fujikaka
Sorry for the late reply.
The Combofix log looks OK. I was checking for registry entries that may have been changed by that trojan, but it looks like it hasn't done any damage. There are a couple of files we can get rid of, though.

CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

CODE
File::
C:\WINDOWS\Internet Logs\xDB2.tmp
C:\WINDOWS\Internet Logs\xDB3.tmp
C:\WINDOWS\Internet Logs\xDB1.tmp

Folder::
C:\WINDOWS\SxsCaPendDel

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.

Open Malwarebytes' Anti-Malware, click Quarantine then Delete All. Close the program.

ATF Cleaner
Download ATF Cleaner here by Atribune.
    Double-click ATF-Cleaner.exe to run the program
    Under Main choose: Select All
    Click the Empty Selected button
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button
    NOTE: If you would like to keep your saved passwords, please click No at the prompt
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button
    NOTE: If you would like to keep your saved passwords, please click No at the prompt

Click Exit on the Main menu to close the program.

Kaspersky Online Scan
Please make sure that all programs are closed when installing Java.

  • Click here to visit Java's website
  • Scroll down to Java Runtime Environment (JRE) 6 Update 7. Click on Download
  • Select Windows from the drop-down list for Platform
  • Select Multi-language from the drop-down list for Language
  • Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue
  • Click on jre-6u7-windows-i586-p.exe link to download it and save this to a convenient location
  • Double click on jre-6u7-windows-i586-p.exe to install Java
  • After the Java installation has finished, go to Kaspersky website and perform an online antivirus scan
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
  • Please post this log in your next reply


To post in next reply:
Combofix log
Kaspersky Online Scan log
New HJT log
jmw3
post Aug 27 2008, 11:50 PM
Post #11

Do you still need help with this?
LDTate
post Sep 4 2008, 08:52 PM
Post #12

Forum God | Group: Root Admin | Posts: 39,364 | Joined: 23-September 04 | From: Missouri, USA | Member No.: 15,276


Due to inactivity this topic will be closed.
If you need help please start a new thread and post a new HJT log
Time is now: 1st December 2008 - 01:50 PM