Resolved HJT Threads Resolved spyware and popup issues.
Old 08-01-2006, 02:35 PM   #1 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 14
OS: Windows 2000


Ahkntfs.exe and various other problems now...

Alrighty, I am usually extremely careful with my machine, but instead of hitting delete on a very suspicious exe...I hit enter....needless to say I screwed my stuff up bad with multiple infections. I think I got a lot of the stuff out and followed your pre-post procedure.

I know I can see blatant malware exes like regsvc.exe even though I have already run Spybot, Ad-Aware, CWS and run virus programs.

Here is my log...looking forward to any help you can provide.

Logfile of HijackThis v1.99.1
Scan saved at 4:32:07 PM, on 8/1/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\winnt\system32\hjkamga.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\RunDLL32.exe
C:\DOCUME~1\ADMINI~1\MYDOCU~1\WNSXS~1\regedit.exe
C:\DOCUME~1\ADMINI~1\APPLIC~1\PPATCH~1\HKNTFS~1.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\ouoik.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,apumuta.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {432D8C41-8586-11D8-997D-00C026232EB9} - C:\WINNT\bvm202.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [Windows Print Spooler] NavAgent32.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [hjkamga] c:\winnt\system32\hjkamga.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [Windows Print Spooler] NavAgent32.exe
O4 - HKCU\..\Run: [Weather] C:\found.000\dir0000.chk\Weather.exe 1
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINNT\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [Wnne] "C:\DOCUME~1\ADMINI~1\MYDOCU~1\WNSXS~1\regedit.exe" -vt yazr
O4 - HKCU\..\Run: [Kidnvb] C:\Documents and Settings\Administrator\Application Data\??pPatch\?hkntfs.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.wildtangent.com/webdriver...ll/Install.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minib...ansporter.cab?
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/1318131d5ef0486...p/RdxIE601.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://12.153.35.149:8080/exent/components/ExentCtl.ocx
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/download...1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://www.wildtangent.com/install/w...mes/wtinst.cab
O16 - DPF: {CF051549-EDE1-40F5-B440-BCD646CF2C25} (Ppinstall Control) - http://www.163.com/wwwimages/sms/ppinstall22.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O18 - Filter: text/html - {0F9A5F09-3BFD-40D3-85FE-36227430A374} - (no file)
O20 - AppInit_DLLs: C:\WINNT\system32\spoolsv.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: winmmt32 - C:\WINNT\SYSTEM32\winmmt32.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

Last edited by dmperlman; 08-01-2006 at 02:37 PM.
dmperlman is offline  
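The log above is what the rest of the thread works from. As an added example (written for this page; not HijackThis, ComboFix or the poster's own material), the Python below parses HijackThis v1.99 lines and applies a few of the triage rules an analyst applies by eye. The sample lines are a constructed excerpt of the log above, and the allow-list of Winlogon Notify packages is an assumption.

```python
"""Triage helper for HijackThis v1.99 log lines.

Added example for this thread; it is not part of HijackThis, ComboFix or the
poster's own material. It encodes a few rules an analyst applies by eye when
reading a log like the one in post #1: orphaned entries, hijacked system.ini
Shell/UserInit values, a populated AppInit_DLLs, unknown Winlogon Notify
packages, autoruns living in the user profile or in a chkdsk recovery folder,
and ActiveX downloads pulled from raw IP addresses.
"""
import re
from collections import OrderedDict

# Constructed excerpt of the log in post #1 (the forum had already shortened
# the long URLs with "...", so they are reproduced as they appear there).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\ouoik.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,apumuta.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [Weather] C:\found.000\dir0000.chk\Weather.exe 1
O4 - HKCU\..\Run: [Wnne] "C:\DOCUME~1\ADMINI~1\MYDOCU~1\WNSXS~1\regedit.exe" -vt yazr
O4 - HKCU\..\Run: [Kidnvb] C:\Documents and Settings\Administrator\Application Data\??pPatch\?hkntfs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/1318131d5ef0486...p/RdxIE601.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O18 - Filter: text/html - {0F9A5F09-3BFD-40D3-85FE-36227430A374} - (no file)
O20 - AppInit_DLLs: C:\WINNT\system32\spoolsv.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: winmmt32 - C:\WINNT\SYSTEM32\winmmt32.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
"""

ORPHAN = re.compile(r"\((?:no file|file missing)\)", re.I)
# User-profile locations and chkdsk recovery folders (found.000) are not
# where legitimate autoruns normally live.
PROFILE_PATH = re.compile(r"documents and settings|docume~1|\\found\.\d{3}\\", re.I)
IP_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/", re.I)

# Assumption: Windows 2000 default Winlogon Notify packages plus Symantec's
# NavLogon. Anything else in O20 Winlogon Notify is worth a look.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "scecli", "sclgntfy",
                "senslogn", "termsrv", "wlballoon", "navlogon"}


def parse_line(line):
    """Split 'O20 - rest' into (section, rest); None for non-entry lines."""
    m = re.match(r"^([RFO]\d{1,2}) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage_line(line):
    """Return the reasons this entry deserves a second look (empty = none fired)."""
    parsed = parse_line(line)
    if not parsed:
        return []
    section, rest = parsed
    reasons = []
    if ORPHAN.search(rest):
        reasons.append("orphaned entry: the referenced file no longer exists")
    if section == "F2":
        key, _, value = rest.partition("=")
        parts = [p.strip() for p in value.split(",") if p.strip()]
        if key.endswith("Shell") and (len(parts) != 1 or parts[0].lower() != "explorer.exe"):
            reasons.append("Shell= carries an extra program beyond Explorer.exe")
        if key.endswith("UserInit") and (len(parts) != 1 or not parts[0].lower().endswith("\\userinit.exe")):
            reasons.append("UserInit= carries an extra program beyond userinit.exe")
    if section == "O4" and PROFILE_PATH.search(rest):
        reasons.append("autorun launches from a user profile or chkdsk recovery folder")
    if section == "O16" and IP_URL.search(rest):
        reasons.append("ActiveX download served from a raw IP address")
    if section == "O20":
        if rest.startswith("AppInit_DLLs:") and rest.split(":", 1)[1].strip():
            reasons.append("AppInit_DLLs is populated: DLL loaded into every user32 process")
        m = re.match(r"Winlogon Notify: (\S+) -", rest)
        if m and m.group(1).lower() not in KNOWN_NOTIFY:
            reasons.append("unrecognised Winlogon Notify package")
    return reasons


def triage_log(text):
    """Map each flagged log line to its reasons, in log order."""
    flagged = OrderedDict()
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            flagged[line.strip()] = reasons
    return flagged


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(entry)
        for r in why:
            print("    ->", r)
```

Flagged entries are only candidates: an analyst still confirms each one (as the thread does) before fixing it.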

Old 08-01-2006, 10:51 PM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A


Do this first ...

1. Download this file -

http://download.bleepingcomputer.com/sUBs/combofix.exe

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 08-02-2006, 09:59 AM   #3 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 14
OS: Windows 2000


Thanks for the response. I downloaded and ran Combofix.exe but it wasn't able to complete.

In the first window that popped up with my blank desktop it said it was scanning the system. Qoologic was found and 2 other ones that I couldn't see because the window quickly disappeared. Explorer looked like it was then shutting down and another command prompt window popped up that said Please wait..... I left it like this for over 90 minutes but nothing happened. I attempted this 3 times and it was the same result each time. Is there something I am doing wrong? Let me know. Thanks again for the help.

Dave
dmperlman is offline  
Old 08-02-2006, 10:03 AM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A


Please locate this folder - C:\sUBs

Zip/archive it & post it as an attachment in your next reply
sUBs is offline  
Old 08-02-2006, 10:11 AM   #5 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 14
OS: Windows 2000


Done and done. Thanks for the quick response.

Last edited by sUBs; 08-02-2006 at 10:25 AM.
dmperlman is offline  
Old 08-02-2006, 10:24 AM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A


Please delete the c:\sUBs folder.
Also delete your existing copy of combofix.exe.

Then download a fresh copy from the previous link (post #2).

When the "please wait" window appears, it shouldn't take more than 2 minutes.
Let me know if that happens again.
sUBs is offline  
Old 08-02-2006, 10:39 AM   #7 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 14
OS: Windows 2000


Looks like that got it to complete...here's the log.

Edit: also, it looks like I somehow got re-infected in between my first HijackThis log and our discussion now. TClock, as well as the malware that puts 2 icons in your system tray telling you you're infected; I believe it's called Troj/AdClick-BC. If you want me to post another HijackThis log let me know.


Start Time= Wed 2006-08-02 12:33:28.32
Running from: C:\Documents and Settings\Administrator\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))

12:34:01.37

Not all files found by this method are bad. There may be legitimate files found
This log should be examined by a trained analyst


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


C:\WINNT\system32\ylwekn.exe
C:\WINNT\system32\ouoik.exe
C:\WINNT\system32\apumuta.exe


* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-08-02 12:18 91664 --a------ C:\WINNT\system32\ishost.exe
2006-08-02 12:18 11776 --a------ C:\WINNT\system32\ismon.exe
2006-08-01 22:44 127488 --a------ C:\WINNT\system32\eimhw.dat
2006-08-01 07:57 2 --a------ C:\WINNT\system32\wnscpcc.exe
2006-07-27 04:54 81920 --a------ C:\WINNT\system32\spoolsv.dll
2006-07-26 03:49 53 --a------ C:\WINNT\bpbpve.dat
2006-07-26 03:49 51712 --a------ C:\WINNT\system32\fswecvk.dll
2006-07-26 03:49 28672 --a------ C:\WINNT\system32\ouoik.exe
2006-07-26 03:49 23552 --a------ C:\WINNT\system32\apumuta.exe
2006-07-26 03:49 127488 --a------ C:\WINNT\system32\ylwekn.exe
2006-07-26 03:49 127488 --a------ C:\Documents and Settings\All Users\Start Menu\Programs\Startup\qsjfq.exe
2006-07-26 00:54 14848 --a------ C:\WINNT\system32\BASSMOD.dll
2006-07-03 17:29 21840 --a----t- C:\WINNT\system32\SIntfNT.dll
2006-07-03 17:29 17212 --a----t- C:\WINNT\system32\SIntf32.dll
2006-07-03 17:29 12067 --a----t- C:\WINNT\system32\SIntf16.dll


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


C:\qoobox\ylwekn.exe.vir
C:\qoobox\eimhw.dat.vir
C:\qoobox\qsjfq.exe.vir
C:\qoobox\fswecvk.dll.vir
C:\qoobox\ouoik.exe.vir
C:\qoobox\apumuta.exe.vir
C:\qoobox\bpbpve.dat.vir

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


* * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


C:\WINNT\system32\wnscpcc.exe
C:\WINNT\system32\ishost.exe
C:\WINNT\system32\ismon.exe
C:\WINNT\system32\BASSMOD.dll
C:\WINNT\system32\SIntf16.dll
C:\WINNT\system32\SIntf32.dll
C:\WINNT\system32\SIntfNT.dll
C:\WINNT\system32\spoolsv.dll


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\thiselt.exe
C:\Program Files\ipwins
C:\Program Files\Common Files\{907E36B0-06CC-1033-0228-020314020001}


((((((((((((((((((((((((((((((( Files Created from 2006-07-02 to 2006-08-02 ))))))))))))))))))))))))))))))))))


2006-08-02 12:20 8,772 C:\WINNT\system32\isnotify.exe
2006-08-02 12:20 68,096 C:\WINNT\system32\issearch.exe
2006-08-02 12:20 46,592 C:\WINNT\system32\ixt0.dll
2006-08-02 12:18 91,664 C:\WINNT\system32\ishost.exe
2006-08-02 12:18 11,776 C:\WINNT\system32\ismon.exe
2006-08-01 20:16 1,645,320 C:\WINNT\system32\gdiplus.dll
2006-08-01 17:03 73,728 C:\WINNT\system32\asuninst.exe
2006-08-01 17:03 11,776 C:\WINNT\system32\ZPORT4AS.dll
2006-07-26 03:57 81,920 C:\WINNT\system32\spoolsv.dll
2006-07-26 03:57 2 C:\WINNT\system32\wnscpcc.exe
2006-07-26 03:50 30,208 C:\WINNT\ss1205.exe
2006-07-26 03:49 45,056 C:\WINNT\zuckdha.exe
2006-07-26 03:49 441 C:\WINNT\wgelb.dll
2006-07-26 03:49 376,832 C:\WINNT\876057.exe
2006-07-26 03:49 28,672 C:\WINNT\system32\hvzead7v.exe
2006-07-26 03:49 24,576 C:\WINNT\system32\xd7ehbkw.exe
2006-07-26 03:49 234,248 C:\WINNT\Tagasuarus2.exe
2006-07-26 03:49 208,896 C:\WINNT\system32\v199.dll
2006-07-26 03:49 183,887 C:\WINNT\YazzleBundle-1304.exe
2006-07-26 03:49 143,360 C:\WINNT\win3208656-1870776.exe
2006-07-26 03:49 1,142,784 C:\WINNT\system32\bdpn.exe
2006-07-26 03:42 127,578 C:\WINNT\system32\tsuninst.exe
2006-07-26 00:58 18,944 C:\WINNT\system32\winmmt32.dll
2006-07-26 00:33 14,848 C:\WINNT\system32\BASSMOD.dll
2006-07-03 17:10 94,208 C:\WINNT\DIIUnin.exe
2006-07-03 16:43 43,520 C:\WINNT\system32\CmdLineExt03.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-02 12:36 ------- d-a------ C:\Program Files\Common Files
2006-08-02 12:20 ------- d-------- C:\Program Files\Safety Bar
2006-08-01 22:15 ------- d-------- C:\Program Files\Internet Explorer
2006-08-01 20:10 ------- d-------- C:\Program Files\CCleaner
2006-08-01 17:08 ------- d-------- C:\Documents and Settings\Administrator\Application Data\PPATCH~1
2006-08-01 17:06 ------- d-------- C:\Program Files\WinZip
2006-08-01 17:06 ------- d-------- C:\Program Files\WinRAR
2006-08-01 17:06 ------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-08-01 17:05 ------- d-------- C:\Program Files\iTunes
2006-08-01 17:05 ------- d-------- C:\Program Files\AIM95
2006-08-01 17:05 ------- d-------- C:\Documents and Settings\Administrator\My Documents\WNSXS~1
2006-08-01 14:28 ------- d-------- C:\Program Files\PartyPoker
2006-08-01 14:27 ------- d-------- C:\Program Files\Kazaa Lite
2006-08-01 00:35 ------- d-------- C:\Documents and Settings\Administrator\Application Data\WeatherBug
2006-07-31 18:39 ------- d-------- C:\Program Files\Diablo II
2006-07-30 13:46 ------- d-------- C:\Program Files\World of Warcraft
2006-07-29 07:51 ------- d-------- C:\Program Files\Common Files\STEM32~1
2006-07-29 07:51 ------- d-------- C:\Documents and Settings\Administrator\Application Data\CROSOF~1.NET
2006-07-28 12:11 ------- d-------- C:\Program Files\TBONAS
2006-07-27 04:54 ------- d-------- C:\WINNT\system32\YMBOLS~1
2006-07-26 09:28 ------- d-------- C:\Program Files\Common Files\fuqf
2006-07-26 01:01 ------- d-------- C:\Program Files\TClock
2006-07-26 00:33 ------- d-------- C:\Documents and Settings\Administrator\Application Data\Eltima Software
2006-07-26 00:31 ------- d-------- C:\Program Files\Eltima Software
2006-07-20 18:43 ------- d-------- C:\Program Files\mIRC
2006-07-20 17:29 ------- d-------- C:\Program Files\Soulseek
2006-07-20 17:29 ------- d-------- C:\Program Files\nokcvtr
2006-07-09 20:43 ------- d-------- C:\Documents and Settings\Administrator\Application Data\3M
2006-07-09 20:42 ------- d-------- C:\Program Files\Common Files\Download Manager
2006-06-29 15:04 ------- d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2006-06-29 14:58 ------- d-------- C:\Program Files\PopCap Games
2006-06-28 16:49 ------- d-------- C:\Program Files\Zen of Sudoku
2006-06-20 15:23 ------- d-------- C:\Documents and Settings\Administrator\Application Data\Newsbin
2006-06-20 14:23 ------- d-------- C:\Program Files\NewsBin
2006-06-20 14:20 ------- d-------- C:\Program Files\NewsLeecher
2006-06-16 09:29 ------- d-------- C:\Program Files\Mozilla Firefox
2006-06-04 22:55 ------- d--h----- C:\Program Files\InstallShield Installation Information
2006-06-04 22:55 ------- d-------- C:\Program Files\iPod


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"SoundMan"="SOUNDMAN.EXE"
"EPSON Stylus C62 Series"="C:\\WINNT\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S0BIC1.EXE /P23 \"EPSON Stylus C62 Series\" /O6 \"USB001\" /M \"Stylus C62\""
"Windows Print Spooler"="NavAgent32.exe"
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"DeadAIM"="rundll32.exe \"C:\\Program Files\\AIM95\\\\DeadAIM.ocm\",ExportedCheckODLs"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINNT\\system32\\NvMcTray.dll,NvTaskbarInit"
"hjkamga"="c:\\winnt\\system32\\hjkamga.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Weather"="C:\\found.000\\dir0000.chk\\Weather.exe 1"
"OfotoNow USB Detection"="C:\\WINNT\\system32\\RunDLL32.exe C:\\PROGRA~1\\Ofoto\\OfotoNow\\OFUSBS.DLL,WatchForConnection OfotoNow"
"Wnne"="\"C:\\DOCUME~1\\ADMINI~1\\MYDOCU~1\\WNSXS~1\\regedit.exe\" -vt yazr"
"Kidnvb"="C:\\Documents and Settings\\Administrator\\Application Data\\??pPatch\\?hkntfs.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Windows Print Spooler"="NavAgent32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"ishost.exe"="ishost.exe"
"issearch.exe"="issearch.exe"
"kernel32.dll"="C:\\WINNT\\system32\\isnotify.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""



Contents of the 'Scheduled Tasks' folder

Completion time: Wed 2006-08-02 12:39:42.50
ComboFix ver 06.08.02 - This logfile is located at C:\ComboFix.txt

ComboFix.txt
ComboFix2.txt
ComboFix3.txt

Last edited by dmperlman; 08-02-2006 at 10:51 AM.
dmperlman is offline  
Old 08-02-2006, 11:00 AM   #8 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A


Tell me about this folder/program. Is this something you installed?

C:\Program Files\nokcvtr
sUBs is offline  
Old 08-02-2006, 11:01 AM   #9 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 14
OS: Windows 2000


Nope, never seen it before..

Only one file inside: Favtones.dat

Last edited by dmperlman; 08-02-2006 at 11:02 AM.
dmperlman is offline  
Old 08-02-2006, 11:08 AM   #10 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A


Give me 10-15 minutes to work out a fix for you. In the meantime, I want you to do this...


Go to Start → Control Panel → Add or Remove Programs and uninstall the following programs:
  • Best Offers
  • Weatherbug
  • Yazzle by Oin
  • Purityscan by Oin
  • Snowballwars by Oin
  • Cowabanga by OIN
  • or anything similar with Oin in it
In case Purityscan or OINS is not listed, download and use this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe

Please note any other programs that you don't recognize in your next response.


Then, I require you to update your copy of Sun's java. Older versions of Java have been identified as entry points for malware.

Updating Java and Clearing Cache
  1. Go to Start > Control Panel and double-click the Java icon (coffee cup) in the Control Panel.
  2. It will say "Java Plug-in" under the icon.
  3. If it is not visible, click on 'Switch to Classic View' in the left pane of the Control Panel or 'Other Control Panel Options'.
  4. Please find the Update button or tab in the Java Control Panel. Update your Java, then reboot.
  5. If you are unable to update, you can manually update by going here:

    http://www.java.com/en/download/manual.jsp

  6. After the reboot, go back into the Control Panel and double-click the Java icon.
  7. Under the Advanced tab, click <Applet> tag support and select the browser(s) you are using.
  8. Under Temporary Internet Files, click the Delete Files button.
  9. There are three options in the window to clear the cache - leave ALL 3 checked:
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  10. Click OK on the Delete Temporary Files window.
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  11. Click OK to leave the Java Control Panel.
sUBs is offline  
Old 08-02-2006, 11:28 AM   #11 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 14
OS: Windows 2000


I have just completed all of that, but when changing my updated Java settings, after clicking my browser (Mozilla/Firefox) and clicking OK I get a message saying that it can not: "Please make sure Mozilla or Netscape is properly installed on the system or you have sufficient rights to change this setting." I have had Firefox installed on this system forever and have never experienced any problems that would lead me to believe it was a bad installation. I am also logged in as Administrator.

Also, even after my uninstall of WeatherBug and a reboot it still loaded...

Also, various other things I do not recognize in Add/Remove:

Forethought
IpWins
NewsLeecher
Safety Bar
Search 2020

Again thank you for your help.
dmperlman is offline  
Old 08-02-2006, 11:29 AM   #12 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A


Please read this post completely before beginning. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.


* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *


Download & install - CleanUp.exe (not recommended for WinXP64)

Please download SmitfraudFix
Extract the content (a folder named SmitfraudFix) to your Desktop.

Download the file attached, sUBs000.zip. Save it on Desktop but do not use it yet.
We shall be using it in safe mode.

Download Ewido Anti-Malware
  • Install Ewido Anti-Malware
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update.
If you are having problems with the updater, you can use this link to manually update Ewido
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT Ewido anti-spyware. Do Not run a scan just yet.

'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downloading.
It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.


* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll
O2 - BHO: (no name) - {432D8C41-8586-11D8-997D-00C026232EB9} - C:\WINNT\bvm202.dll
O4 - HKLM\..\Run: [Windows Print Spooler] NavAgent32.exe
O4 - HKLM\..\Run: [hjkamga] c:\winnt\system32\hjkamga.exe
O4 - HKLM\..\RunServices: [Windows Print Spooler] NavAgent32.exe
O4 - HKCU\..\Run: [Weather] C:\found.000\dir0000.chk\Weather.exe 1
O4 - HKCU\..\Run: [Wnne] "C:\DOCUME~1\ADMINI~1\MYDOCU~1\WNSXS~1\regedit.exe" -vt yazr
O4 - HKCU\..\Run: [Kidnvb] C:\Documents and Settings\Administrator\Application Data\??pPatch\?hkntfs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.wildtangent.com/webdriver...ll/Install.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minib...ansporter.cab?
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/1318131d5ef0486...p/RdxIE601.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://www.wildtangent.com/install/w...mes/wtinst.cab
O18 - Filter: text/html - {0F9A5F09-3BFD-40D3-85FE-36227430A374} - (no file)
O20 - AppInit_DLLs: C:\WINNT\system32\spoolsv.dll
O20 - Winlogon Notify: winmmt32 - C:\WINNT\SYSTEM32\winmmt32.dll



* * * * * * USING HIJACKTHIS' DELETE ON REBOOT * * * * * *


Start HiJackThis & go to Config>Misc.Tools> Delete a file on reboot...
  1. In the popup box that appears, copy/paste in:
    • C:\WINNT\SYSTEM32\winmmt32.dll
  2. Click the Open button.
  3. Click YES when prompted to restart your computer.

* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer.
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear.
4. Select the option to run Windows in Safe Mode.


* * * * * *


Open the attachment you downloaded earlier - sUBs000.zip
Double click on sUBs.bat & it shall produce a log for you.
Post that log in your next reply


* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Delete Cookies
4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! will not create any backups!!

* * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * *


Run Ewido with its updated definitions (it's important that all windows are closed):
  • Click Scanner & select the Scan tab
  • Click Complete System Scan to begin scanning.
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop.
** The Ewido scan will take at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.



* * * *


Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry?" Answer Yes by typing Y and hitting Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hitting Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:\rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


* * * *


Next go to Control Panel click Display>Desktop>Customize Desktop>Website
Under the 'Web pages' box, Uncheck everything present.


* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *


Establish an internet connection & perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...this begins downloading Panda's 8 MB ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan



* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh copies of:
  • HiJackThis log
  • sUBs.bat's log
  • Fresh ComboFix log
  • Online scan
  • rapport.txt
  • Ewido's log
Let us know if any problems persist.
__________________

Question - what have you done for the community today?

Last edited by sUBs; 08-11-2006 at 10:01 PM.
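A defender-side triage of the O4/O20 entries quoted at the top of the reply above, written as an added example for this thread (it is not code from the thread, from HijackThis or from any of the tools named here). It parses the autostart (O4), AppInit_DLLs and Winlogon Notify (O20) lines and applies simple path and name heuristics: a bare filename with no directory, a location under the chkdsk recovery folder or a user-writable profile path, lost non-ANSI characters in the name, and a system binary name living outside the Windows directory. The suspect-directory list, the system-name list and the vptray line (a constructed benign Symantec tray entry added for contrast) are assumptions of the example.

```python
"""Triage HijackThis O4 (autostart) and O20 (AppInit_DLLs / Winlogon Notify)
entries with simple location and name heuristics.  Added example, not part
of the thread; the heuristics are assumptions, not HijackThis rules."""
import re
from dataclasses import dataclass

# Constructed sample: the O4/O20 lines quoted in the reply above, plus one
# benign Symantec tray entry (vptray, constructed) for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\RunServices: [Windows Print Spooler] NavAgent32.exe
O4 - HKCU\..\Run: [Weather] C:\found.000\dir0000.chk\Weather.exe 1
O4 - HKCU\..\Run: [Wnne] "C:\DOCUME~1\ADMINI~1\MYDOCU~1\WNSXS~1\regedit.exe " -vt yazr
O4 - HKCU\..\Run: [Kidnvb] C:\Documents and Settings\Administrator\Application Data\??pPatch\?hkntfs.exe
O20 - AppInit_DLLs: C:\WINNT\system32\spoolsv.dll
O20 - Winlogon Notify: winmmt32 - C:\WINNT\SYSTEM32\winmmt32.dll
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.*)$")
# First token ending in an executable extension, with a leading quote allowed.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|scr|com|bat|cmd|pif))\b', re.IGNORECASE)

# Assumed heuristics: nothing legitimate autostarts from a chkdsk recovery
# folder or a user-writable profile location, and system binary names belong
# under the Windows directory.
SUSPECT_DIRS = ("found.000", "application data", "my documents", "mydocu~1",
                "local settings", "\\temp\\", "documents and settings")
SYSTEM_NAMES = {"regedit.exe", "spoolsv.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                "csrss.exe", "services.exe", "smss.exe", "explorer.exe"}
WINDOWS_DIRS = ("c:\\winnt", "c:\\windows")


@dataclass
class Finding:
    kind: str      # "O4", "AppInit_DLLs" or "Winlogon Notify"
    name: str      # registry value name / notify package name
    target: str    # command line or DLL path as logged
    reasons: list  # why the entry deserves a look


def assess_run_entry(cmd: str) -> list:
    """Return the reasons an O4 command line deserves a look (empty if none)."""
    m = EXE_RE.match(cmd.strip())
    path = m.group("path") if m else cmd.strip()
    low = path.lower()
    reasons = []
    if "\\" not in path:
        reasons.append("bare filename: resolved through the PATH search order, origin unknown")
    if any(d in low for d in SUSPECT_DIRS):
        reasons.append("autostart from a recovery or user-writable profile location")
    if "?" in path:
        reasons.append("non-ANSI or unprintable characters in the path")
    base = low.rsplit("\\", 1)[-1]
    if base in SYSTEM_NAMES and not low.startswith(WINDOWS_DIRS):
        reasons.append(f"{base} outside the Windows directory (system binary name impersonation)")
    return reasons


def triage(log_text: str) -> list:
    """Parse O4/O20 lines and return the entries that deserve analyst attention."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            reasons = assess_run_entry(m.group("cmd"))
            if reasons:
                findings.append(Finding("O4", m.group("name"), m.group("cmd"), reasons))
        elif (m := APPINIT_RE.match(line)) and m.group("dlls").strip():
            # AppInit_DLLs is empty on a clean Windows 2000 install; anything listed
            # is loaded into every process that loads user32.dll.
            findings.append(Finding("AppInit_DLLs", "AppInit_DLLs", m.group("dlls"),
                                    ["non-empty AppInit_DLLs: DLL injected into every user32 process"]))
        elif m := NOTIFY_RE.match(line):
            findings.append(Finding("Winlogon Notify", m.group("name"), m.group("dll"),
                                    ["DLL loaded by winlogon.exe at every logon; confirm against a known-good package list"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.name}: {f.target}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run it on a saved HijackThis log to get the same shortlist an analyst builds by eye: the four O4 entries and both O20 entries above are reported, the vptray entry is not. The Winlogon Notify and AppInit_DLLs lines are always surfaced because their default state on Windows 2000 is a small fixed set and empty, respectively; the O4 checks are triage hints, not verdicts.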
Old 08-02-2006, 11:31 AM   #13 (permalink)
sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy)
Join Date: May 2005
Posts: 24,353
OS: N/A

Quote:
Also, various other things I do not recognize in Add/Remove:

Forethought
IpWins
NewsLeecher
SafteyBar
Search 2020
When you get to safe mode, uninstall ALL of them
__________________

Question - what have you done for the community today?
Old 08-02-2006, 12:10 PM   #14 (permalink)
dmperlman (Registered User)
Join Date: Aug 2006
Posts: 14
OS: Windows 2000


Alright, so I'm posting this from my laptop as my desktop is still in safe mode without an internet connection. I got as far as the Ewido scan in safe mode, but when I try to open Ewido nothing happens. I was able to change the settings you requested while out of safe mode, so I know the installation went ok. The process starts and is located in my Task Manager, but nothing appears after double clicking the Ewido shortcut...

I tried rebooting back into safe mode to see if that would help and the same thing occurs.

Should I reboot into normal mode and reinstall and start over?

Last edited by dmperlman; 08-02-2006 at 12:14 PM.
Old 08-02-2006, 12:17 PM   #15 (permalink)
sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy)
Join Date: May 2005
Posts: 24,353
OS: N/A


Please do..
__________________

Question - what have you done for the community today?
Old 08-02-2006, 12:19 PM   #16 (permalink)
dmperlman (Registered User)
Join Date: Aug 2006
Posts: 14
OS: Windows 2000


Alrighty, should I take off from the Ewido step, or go all the way back to the beginning?
Old 08-02-2006, 12:24 PM   #17 (permalink)
sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy)
Join Date: May 2005
Posts: 24,353
OS: N/A


Continue where you left off. Kindly let me know if Ewido's problem persists.
__________________

Question - what have you done for the community today?
Old 08-02-2006, 12:37 PM   #18 (permalink)
dmperlman (Registered User)
Join Date: Aug 2006
Posts: 14
OS: Windows 2000


Looks like the problem is still happening. When I boot into normal mode I can run Ewido fine, it seems to be a problem that exists only in safe mode.

After about 5 minutes of inactivity an error window comes up: "Something bad happneed in the application. Error diagnostic file saved to 'C:\Program Files\ewido anti-spyware 4.0.err'". I opened the file and it was gibberish to me; if you need me to get on my desktop and upload the file I will.

I need to run out of the house for a few minutes, but thank you again for your quick responses.
Old 08-02-2006, 12:46 PM   #19 (permalink)
sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy)
Join Date: May 2005
Posts: 24,353
OS: N/A


Uninstall Ewido. We'll use a different tool for replacement

Download Dr.Web CureIt & save it on desktop. We shall be using it in safe mode


* * * * *

  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

    This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Files that are in use may only be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
__________________

Question - what have you done for the community today?
Old 08-02-2006, 01:41 PM   #20 (permalink)
dmperlman (Registered User)
Join Date: Aug 2006
Posts: 14
OS: Windows 2000


Alrighty, currently in safe mode on my desktop with Dr.Web running a full system scan. Will post all the logs in my next post.
All times are GMT -7.

Copyright 2001 - 2009, Tech Support Forum