Tech Support Forum: HijackThis Log Help
#1
Registered User
Join Date: Jul 2008
Location: Denver, CO
Posts: 2
OS: XP Pro SP2
[SOLVED] Slow PC with 4 different types of Spyware Found Can't Remove
This is a user's PC at work. I have tried a few different scans but can't seem to get everything off. It started out with an icon in the taskbar popping up "your computer has been affected go to this site...". I ran SpyBot (forgot to save the log), but here is what it found: Delf.Spool.cn 1, Win32.Agent.pz 8, Hotbar 99, Virtumonde.generic 7. It couldn't remove everything, so it rescanned on startup but didn't find anything. I had Citrix software installed on the computer but had to remove it because it would just hang on startup.
Here is the main.txt log:

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-07-24 08:37:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
63: 2008-07-24 14:38:23 UTC - RP938 - Deckard's System Scanner Restore Point
62: 2008-07-24 14:14:13 UTC - RP937 - Removed Ad-Aware
61: 2008-07-24 14:00:12 UTC - RP936 - Removed Google Earth
60: 2008-07-24 13:55:26 UTC - RP935 - Removed Citrix Presentation Server Client
59: 2008-07-23 20:41:09 UTC - RP934 - Software Distribution Service 3.0

-- First Restore Point --
1: 2008-04-25 16:25:16 UTC - RP876 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 510 MiB (512 MiB recommended).

-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:45 AM, on 7/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\TEMP\B97B.tmp
C:\Program Files\Internet Explorer\iexplore.exe
C:\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\ntos.exe,
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe1
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1162076501629
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PSA.local
O17 - HKLM\Software\..\Telephony: DomainName = PSA.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PSA.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = PSA.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = PSA.local
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

--
End of file - 5064 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Dim72 - c:\windows\system32\drivers\dim72.sys
R0 INO_FLPY - c:\windows\system32\drivers\ino_flpy.sys <Not Verified; Computer Associates; CA eTrust eTrust Antivirus/InoculateIT version 7.X/6.X/4.X>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 INO_FLTR - c:\windows\system32\drivers\ino_fltr.sys <Not Verified; Computer Associates; CA eTrust Antivirus/InoculateIT version 7.X/6.X>

S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 InoRPC (eTrust Antivirus RPC Server) - "c:\program files\ca\etrust antivirus\inorpc.exe" <Not Verified; Computer Associates International, Inc.; eTrust Antivirus>
R2 InoRT (eTrust Antivirus Realtime Server) - "c:\program files\ca\etrust antivirus\inort.exe" <Not Verified; Computer Associates International, Inc.; eTrust Antivirus>
R2 InoTask (eTrust Antivirus Job Server) - "c:\program files\ca\etrust antivirus\inotask.exe" <Not Verified; Computer Associates International, Inc.; eTrust Antivirus>
R2 QBCFMonitorService (QuickBooks Database Manager Service) - "c:\program files\common files\intuit\quickbooks\qbcfmonitorservice.exe" <Not Verified; Intuit; QuickBooks for Windows>

S3 QBFCService (Intuit QuickBooks FCS) - "c:\program files\common files\intuit\quickbooks\fcs\intuit.quickbooks.fcs.exe" <Not Verified; Intuit Inc.; QuickBooks 2007>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Files created between 2008-06-24 and 2008-07-24 -----------------------------

2008-07-24 08:37:31 686630 --a------ C:\dss.exe
2008-07-24 08:18:25 0 d-------- C:\ZonedOut
2008-07-24 08 32 0 d-------- C:\Program Files\Panda Security
2008-07-24 08 29 0 d-------- C:\WINDOWS\LastGood
2008-07-24 08:00:24 0 d-------- C:\Documents and Settings\administrator.PSA\Application Data\Google
2008-07-23 18:46:27 30848 --a------ C:\WINDOWS\system32\drivers\Dim72.sys
2008-07-23 17:42:20 0 d-------- C:\Program Files\Trend Micro
2008-07-23 16:29:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-23 13:12:02 0 d-------- C:\Documents and Settings\administrator.PSA\Application Data\Macromedia
2008-07-23 12:37:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-23 12:28:31 33280 --a------ C:\WINDOWS\system32\crypts.dll
2008-07-23 11:53:13 0 d---s---- C:\WINDOWS\system32\%systemroot%
2008-07-23 11:53:06 0 d--hs---- C:\WINDOWS\system32\wsnpoem

-- Find3M Report ---------------------------------------------------------------

2008-07-24 08:14:26 0 d-------- C:\Program Files\Common Files
2008-07-24 08:02:44 0 d-------- C:\Program Files\AWS
2008-07-24 08:00:23 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-24 08:00:22 0 d-------- C:\Program Files\Google
2008-07-23 12:38:23 0 d-------- C:\Program Files\Lavasoft

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [10/19/2005 08:59 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [10/19/2005 08:59 AM]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe1" []
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [08/04/2004 01:56 AM]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [04/06/2004 05:14 PM]
"@"="" []
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/08/2007 04:24 PM]
"braviax"="C:\WINDOWS\system32\braviax.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]

C:\Documents and Settings\administrator.PSA\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 1:36:04 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [10/23/2003 10:37:56 PM]
DESKTOP.INI [9/3/2002 1:36:04 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2/19/2006 4:21:22 AM]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [4/19/2007 8:26:20 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="userinit.exe,C:\WINDOWS\system32\ntos.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt]
crypts.dll 07/23/2008 12:28 PM 33280 C:\WINDOWS\SYSTEM32\crypts.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2561681209-892752678-3754883784-1129\Scripts\Logon\0\0]
"Script"=MapDrives.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2561681209-892752678-3754883784-1228\Scripts\Logon\0\0]
"Script"=MapDrives.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2561681209-892752678-3754883784-1638\Scripts\Logon\0\0]
"Script"=MapDrives.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Dim72.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12

-- End of Deckard's System Scanner: finished at 2008-07-24 08:42:32 ------------
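The log above carries the indicators the analyst later names: an extra executable in the Winlogon Userinit chain, an unknown Winlogon Notify DLL, a Run-key autostart in system32 that nothing else on the machine accounts for, a process running out of C:\WINDOWS\TEMP as a .tmp, and hidden/system directories created in system32 minutes apart. The following Python script is an added example, not part of the original post and not the code of HijackThis or Deckard's System Scanner; it runs a handful of triage rules over lines copied from the log. The allowlists of known-good Notify packages and system32 autostarts are assumptions for illustration, not anything the page states, and a real baseline should come from a known-clean build of the same image.

```python
import re
from typing import Dict, List

# Assumed baseline (not from the page): Winlogon Notify packages registered by a stock
# Windows XP SP2 install plus the Intel graphics driver. Anything else gets flagged.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui"}

# Assumed baseline of system32 autostarts that are legitimate on this machine.
KNOWN_SYSTEM32_RUN = {"igfxtray.exe", "hkcmd.exe", "mobsync.exe", "ctfmon.exe"}

# Scanner binaries the poster launched from C:\ that show up in the process list.
SCANNER_EXES = {"dss.exe", "administrator.exe"}

# DSS "Files created" entry: timestamp, size, nine attribute flags, path.
FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+([-a-z]{9})\s+(.+)$", re.I)
# HijackThis O4 Run-key entry: "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(r"^O4 - \S+\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# Lines copied verbatim from the HijackThis / DSS log in the post above.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\TEMP\B97B.tmp
C:\dss.exe
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
2008-07-23 12:28:31 33280 --a------ C:\WINDOWS\system32\crypts.dll
2008-07-23 11:53:13 0 d---s---- C:\WINDOWS\system32\%systemroot%
2008-07-23 11:53:06 0 d--hs---- C:\WINDOWS\system32\wsnpoem
2008-07-23 17:42:20 0 d-------- C:\Program Files\Trend Micro
"""


def _basename(path: str) -> str:
    return path.strip().rstrip("\\").rsplit("\\", 1)[-1].lower()


def _in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line as {'rule': ..., 'line': ...}."""
    findings: List[Dict[str, str]] = []

    def hit(rule: str, line: str) -> None:
        findings.append({"rule": rule, "line": line})

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()

        # 1. Userinit: Windows needs only userinit.exe here; every extra entry runs at each logon.
        if low.startswith("f2 - ") and "userinit=" in low:
            value = line[low.index("userinit=") + len("userinit="):]
            extra = [p for p in value.split(",") if p.strip() and _basename(p) != "userinit.exe"]
            if extra:
                hit("userinit-extra", line)
            continue

        # 2. Winlogon Notify DLLs load into winlogon.exe; a name off the baseline is persistence.
        if low.startswith("o20 - winlogon notify:"):
            name = line.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
            if name not in KNOWN_NOTIFY:
                hit("winlogon-notify-unknown", line)
            continue

        # 3. Run-key autostarts that live in system32 but are not on the baseline.
        m = O4_RE.match(line)
        if m:
            exe = re.match(r"(.*?\.exe)", m.group("cmd"), re.I)
            path = exe.group(1) if exe else m.group("cmd")
            if _in_system32(path) and _basename(path) not in KNOWN_SYSTEM32_RUN:
                hit("run-system32-unknown", line)
            continue

        # 4. DSS file entries: hidden/system objects under system32, or a name containing '%'.
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.group(3).lower(), m.group(4)
            hidden_or_system = "h" in attrs or "s" in attrs
            if (_in_system32(path) and hidden_or_system) or "%" in _basename(path):
                hit("system32-hidden-or-odd-name", line)
            continue

        # 5. Running processes: executing from a TEMP directory, as a .tmp, or from the drive root.
        if re.match(r"^[a-z]:\\", low):
            if "\\temp\\" in low or low.endswith(".tmp"):
                hit("process-from-temp", line)
            elif low.count("\\") == 1 and _basename(line) not in SCANNER_EXES:
                hit("process-drive-root", line)
    return findings


def rules_hit(findings: List[Dict[str, str]]) -> List[str]:
    """Sorted distinct rule names, for a one-line summary of what fired."""
    return sorted({f["rule"] for f in findings})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['rule']:28} {f['line']}")
```

Run against the sample, five of the six rules fire and every legitimate entry (igfxtray, ctfmon, the scanner's own dss.exe, the Trend Micro directory) passes clean. The rules are deliberately positional rather than signature based: they key on where Windows loads code at logon (Userinit, Winlogon Notify, Run keys) and on files that have no business being hidden in system32, so they hold up against renamed samples where a name match on ntos.exe or braviax.exe would not.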
#3
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 24,442
OS: 2000 Pro; XP Pro; XP Home
Re: [SOLVED] Slow PC with 4 different types of Spyware Found Can't Remove
Sorry we missed you, but all forums are overrun with requests for help. It can take several days to a week to receive a reply. Many times, taking your route of reinstall is a more secure solution. Note, a repair install will not always solve the underlying issue, and may leave infections behind. A format and clean install is the secure method.
You may be interested to know something about what was on your machine:
wsnpoem http://www.symantec.com/security_res...335-99&tabid=2 <<<< info stealer
braviax http://www.symantec.com/business/sec...055-99&tabid=2 <<<< trojan downloader for fake alert rogueware
This seems like it may be a corporate or organization machine. If so, there may be more to concern yourself about, due to the info stealer.
PC Safety and Security--What Do I Need?
Surf Safely, and Think Prevention!