Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumundo Removal


  • Please log in to reply
11 replies to this topic

#1 wishmd

wishmd

  • Members
  • 74 posts
  • OFFLINE
  •  
  • Local time:09:50 AM

Posted 25 July 2007 - 07:24 AM

Windows defender found this infection but I followed your instruction re running those two programs and they found nothing. Perhaps the hijackthis log will help. Here it is :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:12 AM, on 7/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\crypserv.exe
D:\Program Files\Executive Software\Diskeeper\DkService.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
D:\Program Files\Palm\HOTSYNC.EXE
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Outlook Express\msimn.exe
D:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?hl=en&tab=wn&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://news.google.com/nwshp?hl=en&tab=wn&q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?hl=en&tab=wn&q=
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - D:\PROGRA~1\COPERN~1\COPERN~1.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - D:\PROGRA~1\COPERN~1\COPERN~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Palm MulitUser Config] D:\Program Files\Palm\Configtool.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RoboForm] "D:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: HotSync Manager.lnk = ?
O8 - Extra context menu item: Customize Menu - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Search Using Copernic Agent - res://D:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - D:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - D:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - D:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - D:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {4C57C98A-E582-46E4-8FD8-5EBDC94CEA39} (Mindjet MindManager Viewer Control) - http://www.mindjet.com/viewer/eng/MjMmViewer.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/Activ...iveXClient1.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129170458895
O16 - DPF: {7E9522CF-6B95-46D6-8E2F-7638F507313F} (BLS_SpeedOP.systemcheck) - http://www.fastaccess.drivers.bellsouth.ne...bls_speedop.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://72.32.179.44/filter/cameraviewer/isetup.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab40641.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab55579.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://www.gamehouse.com/games/zylom/zylomplayer.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3934CDA7-6DE9-4A13-9C4E-D5AC92CE6900}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{3934CDA7-6DE9-4A13-9C4E-D5AC92CE6900}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{3934CDA7-6DE9-4A13-9C4E-D5AC92CE6900}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: OLE Object - {B17686C2-D7FF-46E3-A0D8-D411C474C7B4} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - D:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe

--

Thanks much.
End of file - 11883 bytes

BC AdBot (Login to Remove)

 


#2 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:50 AM

Posted 26 July 2007 - 10:45 AM

I would like to take a look at this log for you and will get back to you as soon as I can.

Thank You.

#3 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:50 AM

Posted 26 July 2007 - 03:23 PM

Hello wishmd

Please Copy and Paste this post into a new text document or print it for reference

Step 1

Re-open HijackThis and select "Do a System Scan only" and place a checkmark in the boxes before the following entries:

O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O22 - SharedTaskScheduler: OLE Object - {B17686C2-D7FF-46E3-A0D8-D411C474C7B4} - (no file)

Close any Explorer windows which may be open and click the "Fix Checked" button.


Step 2

Download ComboFix.exe to your desktop.
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Doubleclick combofix.exe to launch the application.

Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.

Post this log in your next reply

Thank you.

#4 wishmd

wishmd
  • Topic Starter

  • Members
  • 74 posts
  • OFFLINE
  •  
  • Local time:09:50 AM

Posted 26 July 2007 - 04:06 PM

Here is the combo.exe log:

"Gil" - 2007-07-26 16:58:29 [GMT -4:00] - ComboFix 07-07-24 - Service Pack 2 FAT32


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


D:\WINDOWS\DOWNLO~1.\Temp
D:\WINDOWS\system32\b02FdUe
D:\WINDOWS\system32\b02FdUe\b02FdUe1065.exe


((((((((((((((((((((((((( Files Created from 2007-06-26 to 2007-07-26 )))))))))))))))))))))))))))))))


2007-07-26 16:56 51,200 --a------ D:\WINDOWS\nircmd.exe
2007-07-26 12:27 <DIR> d-------- D:\Program Files\Your Company Name
2007-07-26 12:27 <DIR> d-------- D:\Program Files\SendBlaster
2007-07-25 08:16 <DIR> d-------- D:\Program Files\Trend Micro
2007-07-23 21:38 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Zylom
2007-07-22 21:01 24,072 --a------ D:\WINDOWS\system32\uxtuneup.dll
2007-07-22 20:05 <DIR> d-------- D:\VundoFix Backups
2007-07-22 09:42 <DIR> d-------- D:\DOCUME~1\Gil\APPLIC~1\Pi Eye Games
2007-07-18 12:42 8,328 --a------ D:\dnsbak.reg
2007-07-15 22:49 <DIR> d-------- D:\Program Files\Lavasoft
2007-07-15 22:49 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-15 13:26 <DIR> d-------- D:\DOCUME~1\Gil\APPLIC~1\Eyeblaster
2007-07-15 13:25 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\n7-89-o9-3r-4t-r9
2007-07-15 13:24 <DIR> d-------- D:\DOCUME~1\Gil\APPLIC~1\GameHouse
2007-07-15 08:17 <DIR> d-------- D:\Program Files\Plaxo
2007-07-14 11:52 <DIR> d-------- D:\Program Files\GameHouse
2007-07-12 18:18 <DIR> d--hs---- D:\FOUND.007
2007-06-29 15:27 <DIR> d-------- D:\Program Files\IntelPCCamera


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2020-04-18 20:16:58 4,212 ---h--w D:\WINDOWS\system32\zllictbl.dat
2007-07-24 00:17:34 284 ---ha-w D:\WINDOWS\popcinfo.dat
2007-07-22 13:58:30 1,632 ----a-w D:\WINDOWS\system32\d3d8caps.dat
2007-07-16 02:20:30 4 ----a-w D:\WINDOWSRegDefrag.dat
2007-06-22 17:29:16 -------- d-----w D:\Program Files\Success Studios
2007-06-19 14:12:32 -------- d-----w D:\DOCUME~1\Gil\APPLIC~1\Systweak
2007-06-19 13:55:58 -------- d-----w D:\Program Files\Advanced System Optimizer
2007-06-18 17:24:28 -------- d-----w D:\DOCUME~1\Gil\APPLIC~1\MatchWare
2007-06-18 17:18:40 -------- d-----w D:\Program Files\MatchWare
2007-06-17 00:48:30 824 ---h--w D:\WINDOWS\px~09.dat
2007-06-16 15:53:14 -------- d-----w D:\Program Files\Delete Duplicates for Outlook Express
2007-06-15 22:04:36 -------- d-----w D:\Program Files\SumQuest
2007-06-14 13:36:42 -------- d-----w D:\Program Files\STOPzilla!
2007-06-13 17:29:44 -------- d-----w D:\DOCUME~1\Gil\APPLIC~1\Thunderbird
2007-06-13 17:29:20 -------- d-----w D:\Program Files\Mozilla Thunderbird
2007-06-11 13:10:08 -------- d-----w D:\DOCUME~1\Gil\APPLIC~1\Scooter Software
2007-06-10 16:51:30 88 --sh--r D:\WINDOWS\system32\D7FA0F5FEB.sys
2007-06-10 16:51:30 3,766 --sha-w D:\WINDOWS\system32\KGyGaAvL.sys
2007-06-10 16:05:42 -------- d-----w D:\DOCUME~1\Gil\APPLIC~1\IsolatedStorage
2007-06-10 15:48:04 -------- d-----w D:\Program Files\Microsoft SQL Server
2007-06-06 15:28:32 577,536 ----a-w D:\WINDOWS\system32\EbAdServingT25.dll
2007-06-04 19:18:48 9,344 ----a-w D:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 19:17:02 8,320 ----a-w D:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 19:14:56 6,272 ----a-w D:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-01 13:53:28 -------- d-----w D:\Program Files\Project KickStart 3
2007-05-30 01:31:06 -------- d-----w D:\Program Files\SUPERAntiSpyware
2007-05-30 01:31:06 -------- d-----w D:\DOCUME~1\Gil\APPLIC~1\SUPERAntiSpyware.com
2007-05-28 16:12:08 -------- d-----w D:\Program Files\SpywareBlaster
2007-05-28 13:44:30 -------- d-----w D:\DOCUME~1\Gil\APPLIC~1\Sandbox
2007-05-27 20:10:04 -------- d-----w D:\DOCUME~1\Gil\APPLIC~1\ICAClient
2007-05-27 20:09:50 -------- d-----w D:\Program Files\Citrix
2007-05-26 18:59:14 -------- d-----w D:\Program Files\FreePOPs
2007-05-24 02:21:44 16 ----a-w D:\WINDOWS\popcinfot.dat
2007-05-16 15:12:02 683,520 ----a-w D:\WINDOWS\system32\inetcomm.dll
2007-04-30 15:46:10 745,600 ----a-w D:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:35:28 95,872 ----a-w D:\WINDOWS\system32\AVASTSS.scr
2007-04-22 16:34:26 82,120 ----a-w D:\DOCUME~1\Gil\APPLIC~1\GDIPFONTCACHEV1.DAT
2006-08-19 19:27:40 461 ----a-w D:\Program Files\INSTALL.LOG
2007-02-06 16:50:24 56 --sh--r D:\WINDOWS\system32\EB5F0FFAD7.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 11:42]
"Windows Defender"="D:\Program Files\Windows Defender\MSASCui.exe" [2006-10-05 22:11]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-04-26 07:06 D:\WINDOWS\KHALMNPR.Exe]
"ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"Palm MulitUser Config"="D:\Program Files\Palm\Configtool.exe" [2002-07-26 13:00]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2006-10-07 16:02]
"Adobe Photo Downloader"="D:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"swg"="D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-26 21:12]
"RoboForm"="D:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-07-18 08:44]

D:\Documents and Settings\Gil\Start Menu\Programs\Startup\
HotSync Manager.lnk - D:\Program Files\Palm\HOTSYNC.EXE [2002-07-26 14:19:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoConfigPage"=0 (0x0)
"NoDevMgrPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoFileSysPage"=0 (0x0)
"NoProfilePage"=0 (0x0)
"NoPwdPage"=0 (0x0)
"NoSecCPL"=0 (0x0)
"NoVirtMemPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"=11 (0xb)
"NoAddPrinter"=0 (0x0)
"NoCommonGroups"=0 (0x0)
"NoDeletePrinter"=0 (0x0)
"NoFavoritesMenu"=0 (0x0)
"NoFileMenu"=0 (0x0)
"NoPrinterTabs"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"NoSaveSettings"=0 (0x0)
"NoSetActiveDesktop"=0 (0x0)
"NoSetFolders"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoTrayContextMenu"=0 (0x0)
"NoViewContextMenu"=0 (0x0)
"RestrictRun"=0 (0x0)
"NoNetConnectDisconnect"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=D:\WINDOWS\system32\ctfmon.exe
"Microsoft Location Finder"="D:\Program Files\Microsoft Location Finder\LocationFinder.exe"
"MSMSGS"="D:\Program Files\Messenger\msmsgs.exe" /background
"swg"=D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=D:\WINDOWS\system32\NeroCheck.exe
"Symantec NetDriver Monitor"=D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
"HP Component Manager"="D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"HP Software Update"="D:\Program Files\HP\HP Software Update\HPWuSchd.exe"
"Palm MulitUser Config"=D:\Program Files\Palm\Configtool.exe
"Logitech Hardware Abstraction Layer"=KHALMNPR.EXE
"ISUSPM Startup"=D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" -atboottime
"setup"=rundll32.exe "D:\WINDOWS\system32\spdmesnp.dll",realset

R1 Kbdclass;Keyboard Class Driver;D:\WINDOWS\system32\DRIVERS\kbdclass.sys
R1 Mouclass;Mouse Class Driver;D:\WINDOWS\system32\DRIVERS\mouclass.sys
R1 NetworkX;NetworkX;D:\WINDOWS\system32\ckldrv.sys
R1 SASDIFSV;SASDIFSV;\??\D:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\D:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R2 UxTuneUp;TuneUp Design Expansion;D:\WINDOWS\System32\svchost.exe -k netsvcs
R3 ds1;Yamaha DS1 Audio Driver (WDM);D:\WINDOWS\system32\drivers\ds1wdm.sys
R3 gameenum;Game port for Yamaha DS1;D:\WINDOWS\system32\drivers\gameenum.sys
R3 Gpc;Generic Packet Classifier;D:\WINDOWS\system32\DRIVERS\msgpc.sys
R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12;D:\WINDOWS\system32\DRIVERS\HPZipr12.sys
R3 Icam4USB;Intel PC Camera Pro;D:\WINDOWS\system32\Drivers\Icam4USB.sys
R3 LHidKe;Logitech SetPoint HID Mouse Filter Driver;D:\WINDOWS\system32\DRIVERS\LHidKE.Sys
R3 LHidUsbK;Logitech SetPoint USB Receiver Device Driver;D:\WINDOWS\system32\Drivers\LHidUsbK.Sys
R3 LMouKE;Logitech SetPoint Mouse Filter Driver;D:\WINDOWS\system32\Drivers\LMouKE.sys
R3 LUsbKbd;Logitech SetPoint USB Keyboard Filter;D:\WINDOWS\system32\Drivers\LUsbKbd.Sys
R3 MxlW2k;MxlW2k;D:\WINDOWS\system32\drivers\MxlW2k.sys
R3 usbprint;Microsoft USB PRINTER Class;D:\WINDOWS\system32\DRIVERS\usbprint.sys
R3 w89c940;Winbond W89C940 PCI Ethernet Adapter Driver;D:\WINDOWS\system32\DRIVERS\w940nd.sys
S0 szkg;szkg;D:\WINDOWS\system32\DRIVERS\szkg.sys
S3 GMSIPCI;GMSIPCI;\??\F:\INSTALL\GMSIPCI.SYS
S3 HidUsb;Microsoft HID Class Driver;D:\WINDOWS\system32\DRIVERS\hidusb.sys
S3 L8042Kbd;Logitech SetPoint Keyboard Driver;D:\WINDOWS\system32\DRIVERS\L8042Kbd.sys
S3 L8042mou;Logitech SetPoint PS/2 Mouse Filter Driver;D:\WINDOWS\system32\Drivers\L8042mou.sys
S3 PalmUSBD;PalmUSBD;D:\WINDOWS\system32\drivers\PalmUSBD.sys
S3 SASENUM;SASENUM;\??\D:\Program Files\SUPERAntiSpyware\SASENUM.SYS
S3 wceusbsh;Windows CE USB Serial Host Driver;D:\WINDOWS\system32\DRIVERS\wceusbsh.sys
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
UxTuneUp


Contents of the 'Scheduled Tasks' folder
2007-07-26 11:36:52 D:\WINDOWS\tasks\MP Scheduled Scan.job
2007-07-26 16:14:54 D:\WINDOWS\tasks\XoftSpySE.job
2007-07-26 21:00:06 D:\WINDOWS\tasks\XoftSpySE 2.job
2007-07-20 11:22:12 D:\WINDOWS\tasks\1-Click Maintenance.job
2007-07-26 21:00:04 D:\WINDOWS\tasks\AA0B2F5E9048AB46.job
2007-07-26 16:00:02 D:\WINDOWS\tasks\XoftSpy.job
2006-10-15 01:04:44 D:\WINDOWS\tasks\Executive Software Diskeeper.job
2006-10-25 13:14:32 D:\WINDOWS\tasks\1 Copernic Intra-Daily ~HOME Gil.job
2006-10-25 13:14:32 D:\WINDOWS\tasks\2 Copernic Daily ~HOME Gil.job
2006-10-25 13:14:32 D:\WINDOWS\tasks\3 Copernic Weekly ~HOME Gil.job
2006-10-25 13:14:32 D:\WINDOWS\tasks\4 Copernic Monthly ~HOME Gil.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-26 17:02:21
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-26 17:03:45
D:\ComboFix-quarantined-files.txt ... 2007-07-26 17:03

--- E O F ---


Thanks much

#5 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:50 AM

Posted 26 July 2007 - 11:44 PM

Hello wishmd

Please Copy and Paste this post into a new text document or print it for reference

Step 1

Hold Down The Windows Key + E to Open Windows Explorer

Select: Tools >> Folder Options >> View
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option. <-- important
Click Yes to confirm the changes, Click OK.

Please go to: http://virusscan.jotti.org/
At the top select the Browse button then navigate to this File and Submit it to be scanned.
D:\WINDOWS\system32\EB5F0FFAD7.sys

Can you please also upload this file to be scanned at Jotti
D:\WINDOWS\system32\spdmesnp.dll

any results please Copy & Paste them in your next reply



Step 2

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files,
    click YES
  • Once you click yes, your desktop will go blank as it starts removing
    Vundo.
  • When completed, it will prompt that it will reboot your computer,
    click OK.
  • Please post the contents of C:\vundofix.txt in your next reply
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button."
when VundoFix appears at reboot.

In your next reply please post:

A new HijackThis log
The C:\vundofix.txt
and the Jotti results

Thank you

#6 wishmd

wishmd
  • Topic Starter

  • Members
  • 74 posts
  • OFFLINE
  •  
  • Local time:09:50 AM

Posted 27 July 2007 - 07:29 AM

Per your request:
Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1



File to upload & scan:



Service
Service load: 0% 100%

File: EB5F0FFAD7.sys
Status: OK
MD5: a9cd645d7754f07532bf36b8db869aab
Packers detected: -
Bit9 reports: File not found


Scanner results
Scan taken on 27 Jul 2007 12:00:36 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Powered by


Disclaimer
This service is by no means 100% safe. If this scanner says 'OK', it does not necessarily mean the file is clean. There could be a whole new virus on the loose. NEVER EVER rely on one single product only, not even this service, even though it utilizes several products. Therefore, We cannot and will not be held responsible for any damage caused by results presented by this non-profit online service.

Also, we are aware of the implications of a setup like this. We are sure this whole thing is by no means scientifically correct, since this is a fully automated service (although manual correction is possible). We are aware, in spite of efforts to proactively counter these, false positives might occur, for example. We do not consider this a very big issue, so please do not e-mail us about it. This is a simple online scan service, not the university of Wichita.

Scanning can take a while, since several scanners are being used, plus the fact some scanners use very high levels of (time consuming) heuristics. Scanners used are Linux versions, differences with Windows scanners may or may not occur. Another note: some scanners will only report one virus when scanning archives with multiple pieces of malware.

Virus definitions are updated every hour. There is a 10Mb limit per file. Please refrain from uploading tons of hex-edited or repacked variants of the same sample.

Please do not ask for viruses uploaded here, unless you work for an anti-virus vendor. They are not for trade. This is a legitimate service, not a VX site. Viruses uploaded here will be distributed to antivirus vendors without exception. Read more about this in our privacy policy. If you do not want your files to be distributed, please do not send them at all.

Sponsored by donations (in random order) from: Stormbyte Technologies LLC, The ClamAV project, Steve S., Eric Johansen, Eric Schechter, Paul Bokel, Wilders Security, Wilfried Lilie, Prevx, SonicWALL, Lance Mueller, Ewido networks, HotelScraper.com, people who donated in the past, and some people who prefer to remain anonymous... many thanks to all!




Statistics
Last file scanned at least one scanner reported something about: as2.exe (MD5: 1aaf95f0046ccc5de91ad7bf94ea2b51, size: 45724 bytes), detected by:
Scanner Malware name
A-Squared X
AntiVir X
ArcaVir Heur.Win32
Avast X
AVG Antivirus HackTool.crack
BitDefender X
ClamAV X
CPsecure X
Dr.Web X
F-Prot Antivirus X
F-Secure Anti-Virus X
Fortinet X
Kaspersky Anti-Virus X
NOD32 X
Norman Virus Control W32/Suspicious_U.gen
Panda Antivirus X
Rising Antivirus X
Sophos Antivirus Mal/Packer
VirusBuster Packed/Upack
VBA32 X


You're free to (mis)interpret these automated, flawed statistics at your own discretion. For antivirus comparisons, visit AV comparatives
We are not affiliated with any third parties that conduct tests using this service.

Frequently asked questions - Feedback - Privacy policy



Page generated by JTPL

Copyright 2004-2007 Jordi Bosveld <jotti@jotti.org>




Please note:
File D:WINDOWS\System32\spdmesnp.dll not found
No Vundo files found during scan


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:05 AM, on 7/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\crypserv.exe
D:\Program Files\Executive Software\Diskeeper\DkService.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
D:\Program Files\Outlook Express\msimn.exe
D:\Program Files\Palm\HOTSYNC.EXE
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Microsoft Office\Office10\WINWORD.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?hl=en&tab=wn&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://news.google.com/nwshp?hl=en&tab=wn&q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - D:\PROGRA~1\COPERN~1\COPERN~1.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - D:\PROGRA~1\COPERN~1\COPERN~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Palm MulitUser Config] D:\Program Files\Palm\Configtool.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RoboForm] "D:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: HotSync Manager.lnk = ?
O8 - Extra context menu item: Customize Menu - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Search Using Copernic Agent - res://D:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - D:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - D:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - D:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - D:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {4C57C98A-E582-46E4-8FD8-5EBDC94CEA39} (Mindjet MindManager Viewer Control) - http://www.mindjet.com/viewer/eng/MjMmViewer.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/Activ...iveXClient1.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129170458895
O16 - DPF: {7E9522CF-6B95-46D6-8E2F-7638F507313F} (BLS_SpeedOP.systemcheck) - http://www.fastaccess.drivers.bellsouth.ne...bls_speedop.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://72.32.179.44/filter/cameraviewer/isetup.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab40641.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab55579.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://www.gamehouse.com/games/zylom/zylomplayer.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3934CDA7-6DE9-4A13-9C4E-D5AC92CE6900}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{3934CDA7-6DE9-4A13-9C4E-D5AC92CE6900}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{3934CDA7-6DE9-4A13-9C4E-D5AC92CE6900}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - D:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 11556 bytes

#7 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:50 AM

Posted 29 July 2007 - 12:31 PM

Hello wishmd

Go to Start > Run, copy and paste this entry below into the text box and hit OK.

regedit /e C:\export1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

Please Navigate to your Local Disk (C:) folder for the export1.txt & post this to me


I would also like to ask about the Symantec entry showing in your HijackThis log are you using any software related to Norton at all..?

ourwilly. :thumbsup:

#8 wishmd

wishmd
  • Topic Starter

  • Members
  • 74 posts
  • OFFLINE
  •  
  • Local time:09:50 AM

Posted 29 July 2007 - 01:07 PM

The contents of regedit1.txt:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="D:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"Windows Defender"="\"D:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
"ZoneAlarm Client"="\"D:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"Palm MulitUser Config"="D:\\Program Files\\Palm\\Configtool.exe"
"QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Adobe Photo Downloader"="\"D:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.2\\Apps\\apdproxy.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
@=""



Also, I am not using any Symantec products at all.

Thanks.

#9 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:50 AM

Posted 29 July 2007 - 02:38 PM

Hello wishmd

Re-open HijackThis and select "Do a System Scan only" and place a checkmark in the boxes before the following entries:

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)

Close any Explorer windows which may be open and click the "Fix Checked" button.


Double-click on My Computer, Double-click on Local Disk and navigate to then Right Click on and Delete the following Bold folder if listed

D:\Program Files\Common Files\Symantec Shared

---------------------------------

Now please go to Start | Control Panel | Add/Remove Programs and Uninstall any item with Java Runtime Environment (JRE) in the name

Restart the computer.

Now CLICK HERE select the Download button next to "Java Runtime Environment (JRE) 6 Update 2"
"Accept" the License Agreement Then choose the First download link "Windows Offline Installation, Multi-language".
Please note - You must Install this version Offline.


Once you have done this can you please let me know how your system is running.

Thank you.

#10 wishmd

wishmd
  • Topic Starter

  • Members
  • 74 posts
  • OFFLINE
  •  
  • Local time:09:50 AM

Posted 29 July 2007 - 03:26 PM

I've done all that you asked. The system seems to be running well. Thanks much.

#11 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:50 AM

Posted 30 July 2007 - 09:49 AM

Hello wishmd

That's great news can you please now "Disable" and then "Re-Enable" System Restore.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

and you may wish to Bookmark these Tutorials for future reference:

So how did I get infected in the first place?
Simple and easy ways to keep your computer safe and secure on the Internet
Slow System

Thank you.

#12 wishmd

wishmd
  • Topic Starter

  • Members
  • 74 posts
  • OFFLINE
  •  
  • Local time:09:50 AM

Posted 30 July 2007 - 11:09 AM

Thank you very much for your help in getting this matter resolved. While my financial situation prevents me from making a contribution to you at this time (I will keep this link and perhpas make one when my situation improves), I would certainly encourage anyone that is helped by this fabulous service to make a donation to keep this site alive and thriving.

All the best to you and your team.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users