Business Workstation Needs Help

[AngerSaxon]

Hello,

Outlook Express is freezing on us anytime we try to take any action. That is, we can open the program and it appears fine but if, for example, we try to send/recieve messages it freezes. It is installed as Internet Mail Only. It is part of MS Office 2000 running on a Windows 2000 platform. Now, apparently the boss's son was browsing for porno (no joke) and the computer contracted some kind of virus. I think the two events (Outlook freezing and the porno virus) are related. Thank you for your help and time. Please note, however, that tomorrow is a normal business day, and although I am posting now, I will not be able to try any suggestions until after 5 PM EST tomorrow evening. Bear with me as it is a complicated situation compounded by my lack of finess in all matters Outlook Express.

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.15

Database version: 833

2:31:02 AM 6/6/2008

mbam-log-6-6-2008 (02-31-02).txt

Scan type: Quick Scan

Objects scanned: 53613

Time elapsed: 11 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 8

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 3

Files Infected: 49

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\pcsd.dll (Rogue.PCAntispyware) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\pcsd.dll (Rogue.PCAntispyware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\uninstall (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\rdriv (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Program Files\Bug Doctor (Rogue.BugDoctor) -> Quarantined and deleted successfully.

C:\WINNT\system32\smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\Documents and Settings\Suzanne Hall\Desktop\virii (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:

C:\Program Files\Bug Doctor\FixedOnSundayOctober012006091631.xml (Rogue.BugDoctor) -> Quarantined and deleted successfully.

C:\WINNT\system32\smp\msrc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\Documents and Settings\Suzanne Hall\Desktop\virii\Trojan-Downloader.Win32.Agent.bl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\Documents and Settings\Suzanne Hall\Desktop\virii\Trojan-Downloader.Win32.Agent.p.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\Documents and Settings\Suzanne Hall\Desktop\virii\Trojan-Downloader.Win32.Agent.r.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\Documents and Settings\Suzanne Hall\Desktop\virii\Trojan-Downloader.Win32.Agent.t.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\Documents and Settings\Suzanne Hall\Desktop\virii\Trojan-Downloader.Win32.Agent.v.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\WINNT\system32\akttzn.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\anticipator.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\awtoolb.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\bdn.com (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\bsva-egihsg52.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\dpcproxy.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\emesx.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\hoproxy.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\hxiwlgpm.dat (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\hxiwlgpm.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\medup012.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\msgp.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\msnbho.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\mssecu.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\msvchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\mtr2.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\mwin32.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\netode.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\newsd32.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\ps1.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\psof1.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\psoft1.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\regc64.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\regm64.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\Rundl1.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\sncntr.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\ssurf022.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\ssvchost.com (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\ssvchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\sysreq.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\taack.dat (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\taack.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\temp#01.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\thun.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\thun32.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\VBIEWER.OCX (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\vbsys2.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\vcatchpi.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\winlogonpc.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\winsystem.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\WINWGPX.EXE (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Suzanne Hall\Desktop\blackbird.jpg (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

ESET log to follow.

[AngerSaxon]

ESET scan results:

Win32/Adware.WBug.A application

F:\Suzannes backup\Documents and Settings\Suzanne Hall\My Documents\Install_AIM.exe>>WISE>>WxBug.EXE>>WISE>>MiniBugTransporter.dll

Win32/Adware.WBug.A application

F:\Suzannes backup\Documents and Settings\Suzanne Hall\My Documents\Install_AIM.exe>>WISE>>WxBug.EXE

Win32/Adware.WBug.A application

F:\Suzannes backup\Documents and Settings\Suzanne Hall\My Documents\Install_AIM.exe

Win32/Adware.PlayMP3Z application

C:\Documents and Settings\Suzanne Hall\Local Settings\Application Data\Mozilla\Firefox\Profiles\12qp6z1f.default\Cache\EEA4540Ed01

[AngerSaxon]

Finally here is the Hijack This log. Thanks again for all your help and hard work!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:11:00 AM, on 6/6/2008

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\PROGRA~1\!COMPU~1\AVGANT~1.1(0\avgamsvr.exe

C:\PROGRA~1\!COMPU~1\AVGANT~1.1(0\avgupsvc.exe

C:\PROGRA~1\!COMPU~1\AVGANT~1.1(0\avgemc.exe

C:\Program Files\EMSI\VPN Client\cvpnd.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Citrix\GoToMyPC\g2svc.exe

C:\Program Files\Citrix\GoToMyPC\g2comm.exe

C:\WINNT\system32\nvsvc32.exe

C:\Program Files\Citrix\GoToMyPC\g2pre.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Citrix\GoToMyPC\g2tray.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\Program Files\UltraVNC\WinVNC.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\progra~1\scansoft\paperp~1\pptd40nt.exe

C:\Program Files\ScanSoft\PaperPort\viperusb.exe

C:\WINNT\system32\wfxsnt40.exe

C:\PROGRA~1\!COMPU~1\AVGANT~1.1(0\avgcc.exe

C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

C:\WINNT\system32\RUNDLL32.EXE

C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe

C:\Program Files\Remote\Nodesys\rwkernel.exe

C:\Program Files\Remote\nodesys\RWCTray.exe

C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe

C:\WINNT\System32\svchost.exe

C:\PROGRA~1\!COMPU~1\AVGANT~1.1(0\avgw.exe

C:\Program Files\Citrix\GoToMyPC\g2mainh.exe

C:\Program Files\Citrix\GoToMyPC\g2host.exe

C:\Program Files\Citrix\GoToMyPC\g2printh.exe

C:\Program Files\Citrix\GoToMyPC\g2audioh.exe

C:\Documents and Settings\Suzanne Hall\Desktop\hiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\!COMPU~1\SPYBOT~1.4(0\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe

O4 - HKLM\..\Run: [strobePro] C:\Program Files\ScanSoft\PaperPort\viperusb.exe

O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe

O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\!COMPU~1\AVGANT~1.1(0\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [pdfw] C:\Program Files\Amic Utilities\PDF Writer Pro\pdfwload.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [fxgarzvh] C:\WINNT\system32\dstmxajy.exe

O4 - HKCU\..\Run: [gzlcasoo] C:\WINNT\system32\qpibmxet.exe

O4 - HKCU\..\Run: [PC-Cleaner] "C:\Program Files\PC-Cleaner\PC-Cleaner.exe" hide

O4 - HKLM\..\Policies\Explorer\Run: [Ruya48VUsO] C:\Documents and Settings\All Users\Application Data\dorcfkdw\jcdyzkta.exe

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\!COMPU~1\AVGANT~1.1(0\avgw.exe /RUNONCE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe

O4 - Global Startup: Client Communications.lnk = C:\Program Files\Remote\Nodesys\rwkernel.exe

O4 - Global Startup: Examination Management Services, Inc. EMSI VPN Client.lnk = C:\Program Files\EMSI\VPN Client\vpngui.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O15 - Trusted Zone: http://www.pandasecurity.com

O16 - DPF: Documentum Content Transfer 5.2.5 SP - https://echo.emsinet.com:8443/echo/wdk/cont...ContentXfer.cab

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab

O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/do...oad/tgctlsr.cab

O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142869553640

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\!COMPU~1\AVGANT~1.1(0\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\!COMPU~1\AVGANT~1.1(0\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\!COMPU~1\AVGANT~1.1(0\avgemc.exe

O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\EMSI\VPN Client\cvpnd.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--

End of file - 8314 bytes

[JeanInMontana]

Hi AngerSaxon and welcome to Malwarebytes. Wow, impressive amount of nastiness has been removed and some dating back two years. This system is very outdated. Adobe is 4 versions behind, please uninstall it and get the latest version 8. Also your Java is a known security risk version. You need to uninstall it via Add/Remove programs and delete the program file also. Then go here http://java.sun.com/javase/downloads/index.jsp and install the correct version for your system. Choose the offline installation. You have HJT on the desk top, please move it to Program Files and it's own folder.

Run HJT again in scan only mode and put a check next to these items:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O4 - HKCU\..\Run: [PC-Cleaner] "C:\Program Files\PC-Cleaner\PC-Cleaner.exe" hide

Now go to Add/Remove programs in the control panel and look for PC-Cleaner. Uninstall it if it's there. Reboot the machine, update MBAM and run another quick scan. Post that log and a new HJT log back into this thread please.

[JeanInMontana]

Since this topic has had no reply for over 5 days it will be closed to prevent other from posting into it. Should you decide to resume with your assistance PM any staff member and we will be happy to reopen the topic.

Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.