
Winantivirus And Drivecleaner Plus More


61 replies to this topic

#1 Stefani

  • Members
  • 40 posts

Posted 27 August 2007 - 10:14 PM

Please help! Things are only getting worse.

First the symptoms. My browser is constantly hijacked by winantivirus.com and drivecleaner.com. I have a red and white X in my tray which links to drivecleaner.com that I can't get rid of. I'm getting popups indicating my system is infected and urging me to get software to fix it. Task Manager has been disabled.

What I've done so far. Ran HijackThis v1.99. It indicated a disabling of Regedit in the Policies section (O7 item). HijackThis can't delete this item. It suggested running a prior version. I ran v1.98 to no avail. Downloaded v2.0 and ran it with no results. Have R0 and R1 entries referring to winantivirus that can't be deleted either.

Combofix.exe was downloaded to the desktop. Closed other windows. Ran it. It took all my security software and moved it into Qoobox along with other folders into the quarantine folder. Now Spybot, Ad-Aware, AVG 7.5, and HijackThis won't run. HijackThis v2.0 was then downloaded to the desktop. Ran ComboFix a second time.

Downloaded SUPERAntiSpyware to the desktop and ran that.

Went to the TechGuy website to download ComboFix over again. Got error messages from both links provided in another thread, one pointing to BleepingComputer and one to another site. So I ran the same ComboFix that I had run earlier, and it moved SUPERAntiSpyware into quarantine.

Now the system is running slow at times, with the same popups, browser hijacking, no Task Manager, etc. All my security software, as mentioned, is in quarantine, except for ZoneAlarm, which is running. Can I move these security files out of quarantine and run them? They still show in the Control Panel, but only as a folder. I doubt they will uninstall where they are now. Don't want to delete and reinstall... what to do?

Below are my logs: three for ComboFix, one for HijackThis and one for SUPERAntiSpyware.

First ComboFix run:

ComboFix 07-08-26 - "rookie" 08/25/2007 15:52:11.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.344 [GMT -7:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\rookie\APPLIC~1\install.dat
C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Program Files\internet security
C:\Program Files\internet security\AdAware\aawsepersonal.exe
C:\Program Files\internet security\AdAware\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\internet security\AdAware\Ad-Aware SE Personal\alert.wav
C:\Program Files\internet security\AdAware\Ad-Aware SE Personal\defs.ref
C:\Program Files\internet security\AdAware\Ad-Aware SE Personal\defs.ref.old
C:\Program Files\internet security\AdAware\Ad-Aware SE Personal\Lang\default.awl
C:\Program Files\internet security\AdAware\Ad-Aware SE Personal\license.txt
C:\Program Files\internet security\AdAware\Ad-Aware SE Personal\manual.chm
C:\Program Files\internet security\AdAware\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask
C:\Program Files\internet security\AdAware\Ad-Aware SE Personal\unregaaw.exe
C:\Program Files\internet security\AVG\avg.exe
C:\Program Files\internet security\AVG\avg.snu
C:\Program Files\internet security\AVG\avg6cmpt.dll
C:\Program Files\internet security\AVG\avg75free_467a1008.exe
C:\Program Files\internet security\AVG\avg7dos.lng
C:\Program Files\internet security\AVG\avg7us.lng
C:\Program Files\internet security\AVG\avgabout.dll
C:\Program Files\internet security\AVG\avgamint.dll
C:\Program Files\internet security\AVG\avgamsps.dll
C:\Program Files\internet security\AVG\avgamsvr.exe
C:\Program Files\internet security\AVG\avgbat.bav
C:\Program Files\internet security\AVG\avgcc.exe
C:\Program Files\internet security\AVG\avgcckrn.dll
C:\Program Files\internet security\AVG\avgcfg.dll
C:\Program Files\internet security\AVG\avgcore.dll
C:\Program Files\internet security\AVG\avgctrl.dll
C:\Program Files\internet security\AVG\avgdos.ico
C:\Program Files\internet security\AVG\avgemc.exe
C:\Program Files\internet security\AVG\avgemcps.dll
C:\Program Files\internet security\AVG\avgemsui.dll
C:\Program Files\internet security\AVG\avgeud32.dll
C:\Program Files\internet security\AVG\avgf.dll
C:\Program Files\internet security\AVG\avghlog.dll
C:\Program Files\internet security\AVG\avginet.dll
C:\Program Files\internet security\AVG\avginet.exe
C:\Program Files\internet security\AVG\avgklib.dll
C:\Program Files\internet security\AVG\avglng.dll
C:\Program Files\internet security\AVG\avglog.dll
C:\Program Files\internet security\AVG\avgmail.dll
C:\Program Files\internet security\AVG\avgmvfl.dll
C:\Program Files\internet security\AVG\avgoff2k.dll
C:\Program Files\internet security\AVG\avgrep.dll
C:\Program Files\internet security\AVG\avgres.dll
C:\Program Files\internet security\AVG\avgrssvc.exe
C:\Program Files\internet security\AVG\avgscan.dll
C:\Program Files\internet security\AVG\avgscan.exe
C:\Program Files\internet security\AVG\avgse.dll
C:\Program Files\internet security\AVG\avgset.dll
C:\Program Files\internet security\AVG\avgtest.dll
C:\Program Files\internet security\AVG\avgtitle.dat
C:\Program Files\internet security\AVG\avgtmgr.dll
C:\Program Files\internet security\AVG\avgtres.dll
C:\Program Files\internet security\AVG\avgunarc.dll
C:\Program Files\internet security\AVG\avgupd.dll
C:\Program Files\internet security\AVG\avgupdln.exe
C:\Program Files\internet security\AVG\avgupsvc.dll
C:\Program Files\internet security\AVG\avgupsvc.exe
C:\Program Files\internet security\AVG\avguss.chm
C:\Program Files\internet security\AVG\avgvault.dll
C:\Program Files\internet security\AVG\avgvv.exe
C:\Program Files\internet security\AVG\avgw.exe
C:\Program Files\internet security\AVG\avgwb.dat
C:\Program Files\internet security\AVG\avi7.avg
C:\Program Files\internet security\AVG\contact_us.txt
C:\Program Files\internet security\AVG\dbghelp.dll
C:\Program Files\internet security\AVG\dfncfg.dat
C:\Program Files\internet security\AVG\dfncfgfr.dat
C:\Program Files\internet security\AVG\dos2nt.dll
C:\Program Files\internet security\AVG\incavi.avm
C:\Program Files\internet security\AVG\libsasl.dll
C:\Program Files\internet security\AVG\license_us.txt
C:\Program Files\internet security\AVG\microavi.avg
C:\Program Files\internet security\AVG\miniavi.avg
C:\Program Files\internet security\AVG\order_us.pdf
C:\Program Files\internet security\AVG\order_us.txt
C:\Program Files\internet security\AVG\register_us.pdf
C:\Program Files\internet security\AVG\register_us.txt
C:\Program Files\internet security\AVG\saslcrammd5.dll
C:\Program Files\internet security\AVG\sasldigestmd5.dll
C:\Program Files\internet security\AVG\sasllogin.dll
C:\Program Files\internet security\AVG\saslplain.dll
C:\Program Files\internet security\AVG\set_vers.cfg
C:\Program Files\internet security\AVG\setup.dat
C:\Program Files\internet security\AVG\setup.exe
C:\Program Files\internet security\AVG\setupus.lns
C:\Program Files\internet security\AVG\sporder.dll
C:\Program Files\internet security\AVG\upd_vers.cfg
C:\Program Files\internet security\CCleaner\ccsetup139.exe
C:\Program Files\internet security\HijackThis\backups\2hijackthis.log
C:\Program Files\internet security\HijackThis\backups\backup-20070516-194452-964
C:\Program Files\internet security\HijackThis\backups\backup-20070516-194452-964.dll
C:\Program Files\internet security\HijackThis\backups\backup-20070824-011339-172
C:\Program Files\internet security\HijackThis\backups\backup-20070824-011339-265
C:\Program Files\internet security\HijackThis\backups\backup-20070824-011339-869
C:\Program Files\internet security\HijackThis\backups\backup-20070824-011339-901
C:\Program Files\internet security\HijackThis\backups\backup-20070824-011340-102
C:\Program Files\internet security\HijackThis\backups\backup-20070824-011340-208
C:\Program Files\internet security\HijackThis\backups\backup-20070824-011340-222
C:\Program Files\internet security\HijackThis\backups\backup-20070824-011340-269
C:\Program Files\internet security\HijackThis\backups\backup-20070824-011340-301
C:\Program Files\internet security\HijackThis\backups\backup-20070824-011340-301.dll
C:\Program Files\internet security\HijackThis\backups\backup-20070824-011340-301.inf
C:\Program Files\internet security\HijackThis\backups\backup-20070824-011340-454
C:\Program Files\internet security\HijackThis\backups\backup-20070824-011340-461
C:\Program Files\internet security\HijackThis\backups\backup-20070824-011340-792
C:\Program Files\internet security\HijackThis\backups\backup-20070824-015022-641
C:\Program Files\internet security\HijackThis\backups\backup-20070824-015022-862
C:\Program Files\internet security\HijackThis\backups\backup-20070824-015022-945
C:\Program Files\internet security\HijackThis\backups\backup-20070824-020730-694
C:\Program Files\internet security\HijackThis\backups\backup-20070824-020730-914
C:\Program Files\internet security\HijackThis\backups\backup-20070824-020730-997
C:\Program Files\internet security\HijackThis\backups\backup-20070824-022203-218
C:\Program Files\internet security\HijackThis\backups\backup-20070824-022203-301
C:\Program Files\internet security\HijackThis\backups\backup-20070824-022203-998
C:\Program Files\internet security\HijackThis\backups\backup-20070824-023256-482
C:\Program Files\internet security\HijackThis\backups\backup-20070824-023256-702
C:\Program Files\internet security\HijackThis\backups\backup-20070824-023256-877
C:\Program Files\internet security\HijackThis\backups\backup-20070824-032011-150
C:\Program Files\internet security\HijackThis\backups\backup-20070824-032011-335
C:\Program Files\internet security\HijackThis\backups\backup-20070824-032011-471
C:\Program Files\internet security\HijackThis\backups\backup-20070824-032011-737
C:\Program Files\internet security\HijackThis\backups\backup-20070824-032011-820
C:\Program Files\internet security\HijackThis\backups\backup-20070824-032725-342
C:\Program Files\internet security\HijackThis\backups\backup-20070824-032725-563
C:\Program Files\internet security\HijackThis\backups\backup-20070824-032725-645
C:\Program Files\internet security\HijackThis\backups\backup-20070824-101824-159
C:\Program Files\internet security\HijackThis\backups\backup-20070824-101824-222
C:\Program Files\internet security\HijackThis\backups\backup-20070824-101824-239
C:\Program Files\internet security\HijackThis\backups\backup-20070824-101824-421
C:\Program Files\internet security\HijackThis\backups\backup-20070824-101824-525
C:\Program Files\internet security\HijackThis\backups\backup-20070824-101824-526
C:\Program Files\internet security\HijackThis\backups\backup-20070824-101824-526.dll
C:\Program Files\internet security\HijackThis\backups\backup-20070824-101824-712
C:\Program Files\internet security\HijackThis\backups\backup-20070824-115254-336
C:\Program Files\internet security\HijackThis\backups\backup-20070824-115254-454
C:\Program Files\internet security\HijackThis\backups\backup-20070824-115254-521
C:\Program Files\internet security\HijackThis\backups\backup-20070824-115254-674
C:\Program Files\internet security\HijackThis\backups\backup-20070824-115254-757
C:\Program Files\internet security\HijackThis\backups\backup-20070824-115848-203
C:\Program Files\internet security\HijackThis\backups\backup-20070824-115848-738
C:\Program Files\internet security\HijackThis\backups\backup-20070824-115911-382
C:\Program Files\internet security\HijackThis\backups\backup-20070824-115911-550
C:\Program Files\internet security\HijackThis\backups\backup-20070824-115911-728
C:\Program Files\internet security\HijackThis\backups\backup-20070824-115911-817
C:\Program Files\internet security\HijackThis\backups\backup-20070824-115911-941
C:\Program Files\internet security\HijackThis\backups\backup-20070824-115936-306
C:\Program Files\internet security\HijackThis\backups\backup-20070824-115936-841
C:\Program Files\internet security\HijackThis\backups\backup-20070824-120325-311
C:\Program Files\internet security\HijackThis\backups\backup-20070824-120325-642
C:\Program Files\internet security\HijackThis\backups\backup-20070824-120342-191
C:\Program Files\internet security\HijackThis\backups\backup-20070824-120342-201
C:\Program Files\internet security\HijackThis\backups\backup-20070824-120342-674
C:\Program Files\internet security\HijackThis\backups\backup-20070824-120342-678
C:\Program Files\internet security\HijackThis\backups\backup-20070824-120342-916
C:\Program Files\internet security\HijackThis\backups\backup-20070824-120400-315
C:\Program Files\internet security\HijackThis\backups\backup-20070824-120400-650
C:\Program Files\internet security\HijackThis\backups\backup-20070824-181811-113
C:\Program Files\internet security\HijackThis\backups\backup-20070824-181811-123
C:\Program Files\internet security\HijackThis\backups\backup-20070824-181811-206
C:\Program Files\internet security\HijackThis\backups\backup-20070824-181811-298
C:\Program Files\internet security\HijackThis\backups\backup-20070824-181811-903
C:\Program Files\internet security\HijackThis\backups\backup-20070824-182107-619
C:\Program Files\internet security\HijackThis\backups\backup-20070824-182107-622
C:\Program Files\internet security\HijackThis\backups\backup-20070824-182107-889
C:\Program Files\internet security\HijackThis\backups\backup-20070824-190514-819
C:\Program Files\internet security\HijackThis\backups\backup-20070824-190514-918
C:\Program Files\internet security\HijackThis\backups\backup-20070824-190537-510
C:\Program Files\internet security\HijackThis\backups\backup-20070824-190537-566
C:\Program Files\internet security\HijackThis\backups\backup-20070824-190537-696
C:\Program Files\internet security\HijackThis\backups\backup-20070825-150006-223
C:\Program Files\internet security\HijackThis\backups\backup-20070825-150006-229
C:\Program Files\internet security\HijackThis\backups\backup-20070825-150006-394
C:\Program Files\internet security\HijackThis\backups\backup-20070825-150006-401
C:\Program Files\internet security\HijackThis\backups\backup-20070825-150006-586
C:\Program Files\internet security\HijackThis\backups\backup-20070825-150006-615
C:\Program Files\internet security\HijackThis\backups\hijackthis.log
C:\Program Files\internet security\HijackThis\HijackThis.exe
C:\Program Files\internet security\HijackThis\hijackthis.log
C:\Program Files\internet security\HijackThis\hijackthis.zip
C:\Program Files\internet security\HijackThis\startuplist.txt
C:\Program Files\internet security\Spybot - Search & Destroy\advcheck.dll
C:\Program Files\internet security\Spybot - Search & Destroy\aports.dll
C:\Program Files\internet security\Spybot - Search & Destroy\blindman.exe
C:\Program Files\internet security\Spybot - Search & Destroy\borlndmm.dll
C:\Program Files\internet security\Spybot - Search & Destroy\Default configuration.ini
C:\Program Files\internet security\Spybot - Search & Destroy\delphimm.dll
C:\Program Files\internet security\Spybot - Search & Destroy\Dummies\dummy.cd_clint.dll
C:\Program Files\internet security\Spybot - Search & Destroy\Dummies\dummy.dap.gif
C:\Program Files\internet security\Spybot - Search & Destroy\Dummies\dummy.data.xml
C:\Program Files\internet security\Spybot - Search & Destroy\Dummies\dummy.default.gif
C:\Program Files\internet security\Spybot - Search & Destroy\Dummies\dummy.related.htm
C:\Program Files\internet security\Spybot - Search & Destroy\Help\Deutsch.license.txt
C:\Program Files\internet security\Spybot - Search & Destroy\Help\English.chm
C:\Program Files\internet security\Spybot - Search & Destroy\Help\English.license.txt
C:\Program Files\internet security\Spybot - Search & Destroy\Help\English.Resident.chm
C:\Program Files\internet security\Spybot - Search & Destroy\Help\Francais.license.txt
C:\Program Files\internet security\Spybot - Search & Destroy\Help\Italiano.license.txt
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\Browserpages.sbs
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\CLSIDs.sbs
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\Cookies.sbi
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\Cookies.sbs
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\Dialer.sbi
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\Dialer.sbs
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\DialerC.sbi
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\Domains.sbs
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\Hijackers.sbi
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\HijackersC.sbi
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\Keyloggers.sbi
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\KeyloggersC.sbi
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\Logs.uts
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\LSP.sbi
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\LSP.sbs
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\Malware.sbi
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\MalwareC.sbi
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\OperaPlugins.sbs
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\ProcWatch.sbs
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\PUPS.sbi
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\PUPSC.sbi
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\RegWatch.sbs
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\Revision.sbi
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\Revision.sbs
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\Searchpages.sbs
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\Security.sbi
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\SecurityC.sbi
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\Services.sbs
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\Spybots.sbi
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\SpybotsC.sbi
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\Startup.tnfo
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\Targets.nfo
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\Tracks.uti
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\Trojans.sbi
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\TrojansC.sbi
C:\Program Files\internet security\Spybot - Search & Destroy\Includes\URL-Blacklist.sbs
C:\Program Files\internet security\Spybot - Search & Destroy\Languages\Deutsch.sbl
C:\Program Files\internet security\Spybot - Search & Destroy\Languages\English.sbl
C:\Program Files\internet security\Spybot - Search & Destroy\Languages\Espanol.sbl
C:\Program Files\internet security\Spybot - Search & Destroy\Languages\Francais.sbl
C:\Program Files\internet security\Spybot - Search & Destroy\Languages\Italiano.sbl
C:\Program Files\internet security\Spybot - Search & Destroy\messages.zres
C:\Program Files\internet security\Spybot - Search & Destroy\OptOut.ini
C:\Program Files\internet security\Spybot - Search & Destroy\Plugins\TCPIPAddress.dll
C:\Program Files\internet security\Spybot - Search & Destroy\SDHelper.dll
C:\Program Files\internet security\Spybot - Search & Destroy\Skins\Colorblind.ini
C:\Program Files\internet security\Spybot - Search & Destroy\Skins\Italia.ini
C:\Program Files\internet security\Spybot - Search & Destroy\Skins\Italia.jpg
C:\Program Files\internet security\Spybot - Search & Destroy\Skins\Peace.ini
C:\Program Files\internet security\Spybot - Search & Destroy\Skins\Peace.jpg
C:\Program Files\internet security\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\internet security\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\internet security\Spybot - Search & Destroy\Tools.dll
C:\Program Files\internet security\Spybot - Search & Destroy\unins000.dat
C:\Program Files\internet security\Spybot - Search & Destroy\unins000.exe
C:\Program Files\internet security\Spybot - Search & Destroy\UnzDll.dll
C:\Program Files\internet security\Spybot - Search & Destroy\Update.exe
C:\Program Files\internet security\Spybot - Search & Destroy\Updates\advcheck152.zip
C:\Program Files\internet security\Spybot - Search & Destroy\Updates\advcheck153.zip
C:\Program Files\internet security\Spybot - Search & Destroy\Updates\clsid.zip
C:\Program Files\internet security\Spybot - Search & Destroy\Updates\desc.english.zip
C:\Program Files\internet security\Spybot - Search & Destroy\Updates\downloaded.ini
C:\Program Files\internet security\Spybot - Search & Destroy\Updates\help.english.zip
C:\Program Files\internet security\Spybot - Search & Destroy\Updates\helpres.english.zip
C:\Program Files\internet security\Spybot - Search & Destroy\Updates\includes.dialer.zip
C:\Program Files\internet security\Spybot - Search & Destroy\Updates\includes.hijackers.zip
C:\Program Files\internet security\Spybot - Search & Destroy\Updates\includes.keyloggers.zip
C:\Program Files\internet security\Spybot - Search & Destroy\Updates\includes.malware.zip
C:\Program Files\internet security\Spybot - Search & Destroy\Updates\includes.pups.zip
C:\Program Files\internet security\Spybot - Search & Destroy\Updates\includes.security.zip
C:\Program Files\internet security\Spybot - Search & Destroy\Updates\includes.spybots.zip
C:\Program Files\internet security\Spybot - Search & Destroy\Updates\includes.trojans.zip
C:\Program Files\internet security\Spybot - Search & Destroy\Updates\includes.zip
C:\Program Files\internet security\Spybot - Search & Destroy\Updates\lang.english.zip
C:\Program Files\internet security\Spybot - Search & Destroy\Updates\online.ini
C:\Program Files\internet security\Spybot - Search & Destroy\Updates\plugtcpip.zip
C:\Program Files\internet security\Spybot - Search & Destroy\Updates\startup.zip
C:\Program Files\internet security\Spybot - Search & Destroy\Updates\tools15.zip
C:\Program Files\internet security\Spybot - Search & Destroy\Updates\tools212.zip
C:\Program Files\internet security\Spybot - Search & Destroy\ZipDll.dll
C:\Program Files\internet security\spybotsd14.exe
C:\WINNT\mgrs.exe
C:\WINNT\system32\{5267550F-808B-4A64-8B4F-16698E0A79C6}.exe
C:\WINNT\system32\1.txt
C:\WINNT\system32\2.txt
C:\WINNT\system32\kernel32.exe
C:\WINNT\system32\wapisvsu.exe
C:\z.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NTIO256
-------\MZU_RK
-------\nm
-------\ntio256


((((((((((((((((((((((((( Files Created from 2007-07-26 to 2007-08-26 )))))))))))))))))))))))))))))))


2007-08-25 15:50 51,200 --a------ C:\WINNT\nircmd.exe
2007-08-24 01:01 71,168 --a------ C:\Program Files\setup.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

07-08-25 13:01 --------- d--h----- C:\Program Files\InstallShield Installation Information
07-08-24 02:06 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
07-07-30 19:19 92504 --a------ C:\WINNT\system32\dllcache\cdm.dll
07-07-30 19:19 92504 --a------ C:\WINNT\system32\cdm.dll
07-07-30 19:19 549720 --a------ C:\WINNT\system32\wuapi.dll
07-07-30 19:19 53080 --a------ C:\WINNT\system32\wuauclt.exe
07-07-30 19:19 53080 --a------ C:\WINNT\system32\dllcache\wuauclt.exe
07-07-30 19:19 43352 --a------ C:\WINNT\system32\wups2.dll
07-07-30 19:19 325976 --a------ C:\WINNT\system32\wucltui.dll
07-07-30 19:19 271224 --a------ C:\WINNT\system32\mucltui.dll
07-07-30 19:19 207736 --a------ C:\WINNT\system32\muweb.dll
07-07-30 19:19 203096 --a------ C:\WINNT\system32\wuweb.dll
07-07-30 19:19 1712984 --a------ C:\WINNT\system32\wuaueng.dll
07-07-30 19:19 1712984 --a------ C:\WINNT\system32\dllcache\wuaueng.dll
07-07-30 19:18 33624 --a------ C:\WINNT\system32\wups.dll
06-03-21 03:47 1088386 --a------ C:\Program Files\AdwareAway.zip
05-09-26 20:21 11693024 --a------ C:\Program Files\GoogleEarthSetup.exe
05-08-30 13:50 53248 --a------ C:\DOCUME~1\rookie\IDFileViewer.dll
05-08-30 13:50 16384 --a------ C:\DOCUME~1\rookie\WindowHook.dll
05-08-22 13:26 26112 --a------ C:\DOCUME~1\rookie\JNIPrinter.dll
04-09-09 02:24 7428140 --a------ C:\Program Files\stctprodoml2.exe
04-08-23 10:24 8073888 --a------ C:\Program Files\streetsmartpro.exe
01-04-10 05:58 271 --ah----- C:\Program Files\DESKTOP.INI
01-04-10 05:58 21952 --ah----- C:\Program Files\FOLDER.HTT
00-07-26 05:00 32528 --a------ C:\WINNT\inf\WBFIRDMA.SYS


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 C:\WINNT\SYSTEM32\mobsync.exe]
"TCASUTIEXE"="TCAUDIAG -off" []
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [00-09-21 12:34 ]
"Adaptec DirectCD"="C:\PROGRA~1\Adaptec\DirectCD\directcd.exe" [00-06-29 01:01 ]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" []
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [05-09-29 17:16 C:\WINNT\KHALMNPR.Exe]
"AVG7_CC"="C:\PROGRA~1\INTERN~2\AVG\avgcc.exe" []
"dmunu.exe"="C:\WINNT\system32\dmunu.exe" [03-06-19 12:05 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HijackThis startup scan"="C:\Program Files\Internet Security\HijackThis\HijackThis.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"=C:\PROGRA~1\INTERN~2\AVG\avgw.exe /RUNONCE

C:\DOCUME~1\DEFAUL~1\STARTM~1\Programs\Startup\
AOM.lnk - C:\Program Files\Common Files\Adobe\Web\AOM.exe [2001-07-21 23:01:30]
discfix.lnk - C:\DELL\discfix.cmd [2000-04-13 08:16:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
"DisableRegistryTools"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
"DisableRegistryTools"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{24E31EA9-FCE2-404F-BD80-20543565D946}"= C:\DOCUME~1\rookie\LOCALS~1\Temp\~~install.dll [07-08-24 01:01 12800]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

R0 aaatimeo;aaatimeo;C:\WINNT\system32\DRIVERS\aaatimeo.sys
R0 Fd16_700;Fd16_700;C:\WINNT\system32\DRIVERS\fd16_700.sys
R0 NaiFsRec;NaiFsRec;C:\WINNT\system32\drivers\NaiFsRec.sys
R1 Cdudf;Cdudf;C:\WINNT\system32\drivers\Cdudf.sys
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINNT\system32\DRIVERS\msikbd2k.sys
R1 pwd_2K;pwd_2K;C:\WINNT\system32\drivers\pwd_2K.sys
R1 UdfReadr;UdfReadr;C:\WINNT\system32\drivers\UdfReadr.sys
R2 3ComDMIService;3Com DMI Agent;C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
R2 BCAITDI;3Com BCAITDI DMI TDI;C:\WINNT\system32\DRIVERS\BCAItdi.sys
R2 io.sys;IO.DLL Driver;\??\C:\WINNT\system32\drivers\io.sys
R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
R2 tcaicchg;tcaicchg;\??\C:\WINNT\System32\tcaicchg.sys
R2 TCAITDI;TCAITDI Protocol;C:\WINNT\system32\DRIVERS\TCAITDI.sys
R3 L8042mou;Logitech SetPoint PS/2 Mouse Filter Driver;C:\WINNT\system32\Drivers\L8042mou.sys
R3 mmc_2K;mmc_2K;C:\WINNT\system32\drivers\mmc_2K.sys
R3 usbprint;Microsoft USB PRINTER Class;C:\WINNT\system32\DRIVERS\usbprint.sys
S0 cda1000;cda1000;C:\WINNT\system32\DRIVERS\cda1000.sys
S1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\system32\Drivers\avg7rsnt.sys
S2 DgivEcp;Team MFP Comm Driver;C:\WINNT\system32\Drivers\DgivEcp.Sys
S3 AvSynMgr;AVSync Manager;C:\PROGRA~1\NETWOR~1\VIRUSS~1\avsynmgr.exe
S3 ichaud;Service for AC'97 Driver (WDM);C:\WINNT\system32\drivers\ichaud.sys
S3 LUsbKbd;Logitech SetPoint USB Keyboard Filter;C:\WINNT\system32\Drivers\LUsbKbd.Sys
S3 NaiFiltr;NaiFiltr;\??\C:\Program Files\Common Files\Network Associates\McShield\NaiFiltr.sys

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS

Contents of the 'Scheduled Tasks' folder
2007-05-17 17:47:11 C:\WINNT\Tasks\Spybot - Search & Destroy - Scheduled Task.job - C:\Program Files\Internet Security\Spybot - Search & Destroy\SpybotSD.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-26 15:57:01
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-26 15:58:53 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-08-26 15:58

--- E O F ---

Second ComboFix run log:

ComboFix 07-08-26 - "rookie" 08/26/2007 17:27:04.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.521 [GMT -7:00]


((((((((((((((((((((((((( Files Created from 2007-07-27 to 2007-08-27 )))))))))))))))))))))))))))))))


2007-08-26 17:27 16,384 --a----t- C:\WINNT\SYSTEM32\Perflib_Perfdata_3b8.dat
2007-08-25 15:50 51,200 --a------ C:\WINNT\nircmd.exe
2007-08-24 01:01 71,168 --a------ C:\Program Files\setup.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

09/26/05 08:21p 11693024 --a------ C:\Program Files\GoogleEarthSetup.exe
09/09/04 02:24a 7428140 --a------ C:\Program Files\stctprodoml2.exe
08/30/05 01:50p 53248 --a------ C:\DOCUME~1\rookie\IDFileViewer.dll
08/30/05 01:50p 16384 --a------ C:\DOCUME~1\rookie\WindowHook.dll
08/25/07 01:01p --------- d--h----- C:\Program Files\InstallShield Installation Information
08/24/07 02:06a --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
08/23/04 10:24a 8073888 --a------ C:\Program Files\streetsmartpro.exe
08/22/05 01:26p 26112 --a------ C:\DOCUME~1\rookie\JNIPrinter.dll
07/30/07 07:19p 92504 --a------ C:\WINNT\system32\dllcache\cdm.dll
07/30/07 07:19p 92504 --a------ C:\WINNT\system32\cdm.dll
07/30/07 07:19p 549720 --a------ C:\WINNT\system32\wuapi.dll
07/30/07 07:19p 53080 --a------ C:\WINNT\system32\wuauclt.exe
07/30/07 07:19p 53080 --a------ C:\WINNT\system32\dllcache\wuauclt.exe
07/30/07 07:19p 43352 --a------ C:\WINNT\system32\wups2.dll
07/30/07 07:19p 325976 --a------ C:\WINNT\system32\wucltui.dll
07/30/07 07:19p 271224 --a------ C:\WINNT\system32\mucltui.dll
07/30/07 07:19p 207736 --a------ C:\WINNT\system32\muweb.dll
07/30/07 07:19p 203096 --a------ C:\WINNT\system32\wuweb.dll
07/30/07 07:19p 1712984 --a------ C:\WINNT\system32\wuaueng.dll
07/30/07 07:19p 1712984 --a------ C:\WINNT\system32\dllcache\wuaueng.dll
07/30/07 07:18p 33624 --a------ C:\WINNT\system32\wups.dll
07/26/00 05:00a 32528 --a------ C:\WINNT\inf\WBFIRDMA.SYS
04/10/01 05:58a 271 --ah----- C:\Program Files\DESKTOP.INI
04/10/01 05:58a 21952 --ah----- C:\Program Files\FOLDER.HTT
03/21/06 03:47a 1088386 --a------ C:\Program Files\AdwareAway.zip


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 12:05p C:\WINNT\SYSTEM32\mobsync.exe]
"TCASUTIEXE"="TCAUDIAG -off" []
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [09/21/00 12:34p]
"Adaptec DirectCD"="C:\PROGRA~1\Adaptec\DirectCD\directcd.exe" [06/29/00 01:01a]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" []
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [09/29/05 05:16p C:\WINNT\KHALMNPR.Exe]
"AVG7_CC"="C:\PROGRA~1\INTERN~2\AVG\avgcc.exe" []
"dmunu.exe"="C:\WINNT\system32\dmunu.exe" [06/19/03 12:05p]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HijackThis startup scan"="C:\Program Files\Internet Security\HijackThis\HijackThis.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"=C:\PROGRA~1\INTERN~2\AVG\avgw.exe /RUNONCE

C:\DOCUME~1\DEFAUL~1\STARTM~1\Programs\Startup\
AOM.lnk - C:\Program Files\Common Files\Adobe\Web\AOM.exe [2001-07-21 23:01:30]
discfix.lnk - C:\DELL\discfix.cmd [2000-04-13 08:16:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
"DisableRegistryTools"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
"DisableRegistryTools"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{24E31EA9-FCE2-404F-BD80-20543565D946}"= C:\DOCUME~1\rookie\LOCALS~1\Temp\~~install.dll [08/24/07 01:01a 12800]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

R0 aaatimeo;aaatimeo;C:\WINNT\system32\DRIVERS\aaatimeo.sys
R0 Fd16_700;Fd16_700;C:\WINNT\system32\DRIVERS\fd16_700.sys
R0 NaiFsRec;NaiFsRec;C:\WINNT\system32\drivers\NaiFsRec.sys
R1 Cdudf;Cdudf;C:\WINNT\system32\drivers\Cdudf.sys
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINNT\system32\DRIVERS\msikbd2k.sys
R1 pwd_2K;pwd_2K;C:\WINNT\system32\drivers\pwd_2K.sys
R1 UdfReadr;UdfReadr;C:\WINNT\system32\drivers\UdfReadr.sys
R2 3ComDMIService;3Com DMI Agent;C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
R2 BCAITDI;3Com BCAITDI DMI TDI;C:\WINNT\system32\DRIVERS\BCAItdi.sys
R2 io.sys;IO.DLL Driver;\??\C:\WINNT\system32\drivers\io.sys
R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
R2 tcaicchg;tcaicchg;\??\C:\WINNT\System32\tcaicchg.sys
R2 TCAITDI;TCAITDI Protocol;C:\WINNT\system32\DRIVERS\TCAITDI.sys
R3 L8042mou;Logitech SetPoint PS/2 Mouse Filter Driver;C:\WINNT\system32\Drivers\L8042mou.sys
R3 mmc_2K;mmc_2K;C:\WINNT\system32\drivers\mmc_2K.sys
R3 usbprint;Microsoft USB PRINTER Class;C:\WINNT\system32\DRIVERS\usbprint.sys
S0 cda1000;cda1000;C:\WINNT\system32\DRIVERS\cda1000.sys
S1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\system32\Drivers\avg7rsnt.sys
S2 DgivEcp;Team MFP Comm Driver;C:\WINNT\system32\Drivers\DgivEcp.Sys
S3 AvSynMgr;AVSync Manager;C:\PROGRA~1\NETWOR~1\VIRUSS~1\avsynmgr.exe
S3 ichaud;Service for AC'97 Driver (WDM);C:\WINNT\system32\drivers\ichaud.sys
S3 LUsbKbd;Logitech SetPoint USB Keyboard Filter;C:\WINNT\system32\Drivers\LUsbKbd.Sys
S3 NaiFiltr;NaiFiltr;\??\C:\Program Files\Common Files\Network Associates\McShield\NaiFiltr.sys

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS

Contents of the 'Scheduled Tasks' folder
2007-05-17 17:47:11 C:\WINNT\Tasks\Spybot - Search & Destroy - Scheduled Task.job - C:\Program Files\Internet Security\Spybot - Search & Destroy\SpybotSD.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-26 17:27:52
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 08/26/2007 17:28:47
C:\ComboFix-quarantined-files.txt ... 08/26/07 05:28p
C:\ComboFix2.txt ... 08/26/07 03:58p

--- E O F ---



Third Combofix run:


ComboFix 07-08-26 - "rookie" 08/28/2007 17:02:15.3 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.513 [GMT -7:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\internet security
C:\Program Files\internet security\BootSafe.exe
C:\Program Files\internet security\detect.wav
C:\Program Files\internet security\deupx.dll
C:\Program Files\internet security\msvcr71.dll
C:\Program Files\internet security\Plugins\sab_incr.dll
C:\Program Files\internet security\Plugins\sab_mapi.dll
C:\Program Files\internet security\Plugins\sab_wab.dll
C:\Program Files\internet security\PROCESSLIST.DB
C:\Program Files\internet security\PROCESSLISTRELATED.DB
C:\Program Files\internet security\SASCTXMN.DLL
C:\Program Files\internet security\sasdifsv.sys
C:\Program Files\internet security\SASENUM.SYS
C:\Program Files\internet security\SASKUTIL.SYS
C:\Program Files\internet security\SASREPAIRS.STG
C:\Program Files\internet security\SASSEH.DLL
C:\Program Files\internet security\SASWINLO.dll
C:\Program Files\internet security\SSUpdate.exe
C:\Program Files\internet security\SUPERAntiSpyware.chm
C:\Program Files\internet security\SUPERAntiSpyware.exe


((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-29 )))))))))))))))))))))))))))))))


2007-08-28 15:44 <DIR> d-------- C:\DOCUME~1\rookie\APPLIC~1\SUPERAntiSpyware.com
2007-08-28 15:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-25 15:50 51,200 --a------ C:\WINNT\nircmd.exe
2007-08-24 01:01 71,168 --a------ C:\Program Files\setup.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

07-08-28 15:36 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
07-08-25 13:01 --------- d--h----- C:\Program Files\InstallShield Installation Information
07-08-24 02:06 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
07-07-30 19:19 92504 --a------ C:\WINNT\system32\dllcache\cdm.dll
07-07-30 19:19 92504 --a------ C:\WINNT\system32\cdm.dll
07-07-30 19:19 549720 --a------ C:\WINNT\system32\wuapi.dll
07-07-30 19:19 53080 --a------ C:\WINNT\system32\wuauclt.exe
07-07-30 19:19 53080 --a------ C:\WINNT\system32\dllcache\wuauclt.exe
07-07-30 19:19 43352 --a------ C:\WINNT\system32\wups2.dll
07-07-30 19:19 325976 --a------ C:\WINNT\system32\wucltui.dll
07-07-30 19:19 271224 --a------ C:\WINNT\system32\mucltui.dll
07-07-30 19:19 207736 --a------ C:\WINNT\system32\muweb.dll
07-07-30 19:19 203096 --a------ C:\WINNT\system32\wuweb.dll
07-07-30 19:19 1712984 --a------ C:\WINNT\system32\wuaueng.dll
07-07-30 19:19 1712984 --a------ C:\WINNT\system32\dllcache\wuaueng.dll
07-07-30 19:18 33624 --a------ C:\WINNT\system32\wups.dll
06-03-21 03:47 1088386 --a------ C:\Program Files\AdwareAway.zip
05-09-26 20:21 11693024 --a------ C:\Program Files\GoogleEarthSetup.exe
05-08-30 13:50 53248 --a------ C:\DOCUME~1\rookie\IDFileViewer.dll
05-08-30 13:50 16384 --a------ C:\DOCUME~1\rookie\WindowHook.dll
05-08-22 13:26 26112 --a------ C:\DOCUME~1\rookie\JNIPrinter.dll
04-09-09 02:24 7428140 --a------ C:\Program Files\stctprodoml2.exe
04-08-23 10:24 8073888 --a------ C:\Program Files\streetsmartpro.exe
01-04-10 05:58 271 --ah----- C:\Program Files\DESKTOP.INI
01-04-10 05:58 21952 --ah----- C:\Program Files\FOLDER.HTT
00-07-26 05:00 32528 --a------ C:\WINNT\inf\WBFIRDMA.SYS


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 C:\WINNT\SYSTEM32\mobsync.exe]
"TCASUTIEXE"="TCAUDIAG -off" []
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [00-09-21 12:34 ]
"Adaptec DirectCD"="C:\PROGRA~1\Adaptec\DirectCD\directcd.exe" [00-06-29 01:01 ]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" []
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [05-09-29 17:16 C:\WINNT\KHALMNPR.Exe]
"AVG7_CC"="C:\PROGRA~1\INTERN~2\AVG\avgcc.exe" []
"dmunu.exe"="C:\WINNT\system32\dmunu.exe" []
"dmjmo.exe"="C:\WINNT\system32\dmjmo.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HijackThis startup scan"="C:\Documents and Settings\rookie\Desktop\HijackThis.exe" [04-08-07 15:14 ]
"SUPERAntiSpyware"="C:\Program Files\Internet Security\SUPERAntiSpyware.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"=C:\PROGRA~1\INTERN~2\AVG\avgw.exe /RUNONCE

C:\DOCUME~1\DEFAUL~1\STARTM~1\Programs\Startup\
AOM.lnk - C:\Program Files\Common Files\Adobe\Web\AOM.exe [2001-07-21 23:01:30]
discfix.lnk - C:\DELL\discfix.cmd [2000-04-13 08:16:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
"DisableRegistryTools"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
"DisableRegistryTools"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{24E31EA9-FCE2-404F-BD80-20543565D946}"= C:\DOCUME~1\rookie\LOCALS~1\Temp\~~install.dll [07-08-24 01:01 12800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\Internet Security\SASSEH.DLL [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\Internet Security\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

R0 aaatimeo;aaatimeo;C:\WINNT\system32\DRIVERS\aaatimeo.sys
R0 Fd16_700;Fd16_700;C:\WINNT\system32\DRIVERS\fd16_700.sys
R0 NaiFsRec;NaiFsRec;C:\WINNT\system32\drivers\NaiFsRec.sys
R1 Cdudf;Cdudf;C:\WINNT\system32\drivers\Cdudf.sys
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINNT\system32\DRIVERS\msikbd2k.sys
R1 pwd_2K;pwd_2K;C:\WINNT\system32\drivers\pwd_2K.sys
R1 UdfReadr;UdfReadr;C:\WINNT\system32\drivers\UdfReadr.sys
R2 3ComDMIService;3Com DMI Agent;C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
R2 BCAITDI;3Com BCAITDI DMI TDI;C:\WINNT\system32\DRIVERS\BCAItdi.sys
R2 io.sys;IO.DLL Driver;\??\C:\WINNT\system32\drivers\io.sys
R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
R2 tcaicchg;tcaicchg;\??\C:\WINNT\System32\tcaicchg.sys
R2 TCAITDI;TCAITDI Protocol;C:\WINNT\system32\DRIVERS\TCAITDI.sys
R3 L8042mou;Logitech SetPoint PS/2 Mouse Filter Driver;C:\WINNT\system32\Drivers\L8042mou.sys
R3 mmc_2K;mmc_2K;C:\WINNT\system32\drivers\mmc_2K.sys
R3 usbprint;Microsoft USB PRINTER Class;C:\WINNT\system32\DRIVERS\usbprint.sys
S0 cda1000;cda1000;C:\WINNT\system32\DRIVERS\cda1000.sys
S1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\system32\Drivers\avg7rsnt.sys
S2 DgivEcp;Team MFP Comm Driver;C:\WINNT\system32\Drivers\DgivEcp.Sys
S2 Windows Management Service;Windows Management Service;C:\WINNT\system32\dmwev.exe -service
S3 AvSynMgr;AVSync Manager;C:\PROGRA~1\NETWOR~1\VIRUSS~1\avsynmgr.exe
S3 ichaud;Service for AC'97 Driver (WDM);C:\WINNT\system32\drivers\ichaud.sys
S3 LUsbKbd;Logitech SetPoint USB Keyboard Filter;C:\WINNT\system32\Drivers\LUsbKbd.Sys
S3 NaiFiltr;NaiFiltr;\??\C:\Program Files\Common Files\Network Associates\McShield\NaiFiltr.sys


Contents of the 'Scheduled Tasks' folder
2007-05-17 17:47:11 C:\WINNT\Tasks\Spybot - Search & Destroy - Scheduled Task.job - C:\Program Files\Internet Security\Spybot - Search & Destroy\SpybotSD.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-28 17:07:39
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-28 17:09:34 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-08-28 17:09
C:\ComboFix2.txt ... 07-08-26 17:28
C:\ComboFix3.txt ... 07-08-26 15:58

--- E O F ---

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/28/2007 at 04:37 PM

Application Version : 3.9.1008

Core Rules Database Version : 3292
Trace Rules Database Version: 1303

Scan type : Complete Scan
Total Scan Time : 00:38:22

Memory items scanned : 407
Memory threats detected : 0
Registry items scanned : 4585
Registry threats detected : 0
File items scanned : 26992
File threats detected : 45

Adware.Tracking Cookie
C:\Documents and Settings\rookie\Cookies\rookie@1070847646[1].txt
C:\Documents and Settings\rookie\Cookies\rookie@ads.ft[1].txt
C:\Documents and Settings\rookie\Cookies\rookie@specificclick[1].txt
C:\Documents and Settings\rookie\Cookies\rookie@questionmarket[2].txt
C:\Documents and Settings\rookie\Cookies\rookie@tribalfusion[2].txt
C:\Documents and Settings\rookie\Cookies\rookie@adopt.euroclick[2].txt
C:\Documents and Settings\rookie\Cookies\rookie@adopt.specificclick[1].txt
C:\Documents and Settings\rookie\Cookies\rookie@anad.tacoda[2].txt
C:\Documents and Settings\rookie\Cookies\rookie@1069551092[1].txt
C:\Documents and Settings\rookie\Cookies\rookie@1070922802[1].txt
C:\Documents and Settings\rookie\Cookies\rookie@trafficmp[1].txt
C:\Documents and Settings\rookie\Cookies\rookie@1067468674[1].txt
C:\Documents and Settings\rookie\Cookies\rookie@interclick[1].txt
C:\Documents and Settings\rookie\Cookies\rookie@adbrite[2].txt
C:\Documents and Settings\rookie\Cookies\rookie@ex=1_[1].txt
C:\Documents and Settings\rookie\Cookies\rookie@cgi-bin[2].txt
C:\Documents and Settings\rookie\Cookies\rookie@tacoda[1].txt
C:\Documents and Settings\rookie\Cookies\rookie@www.burstnet[1].txt
C:\Documents and Settings\rookie\Cookies\rookie@ads.pointroll[1].txt
C:\Documents and Settings\rookie\Cookies\rookie@1070299046[1].txt

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\WAPISVSU.EXE.VIR

Adware.BonziBuddy
C:\WINNT\DOWNLOADED PROGRAM FILES\BBSETUPMSN.EXE

Trace.Known Threat Sources
C:\Documents and Settings\rookie\Local Settings\Temporary Internet Files\Content.IE5\0X6FO5Y3\CA4NY58J.
C:\Documents and Settings\rookie\Local Settings\Temporary Internet Files\Content.IE5\SL6NOXMB\CAG52VGD.
C:\Documents and Settings\rookie\Local Settings\Temporary Internet Files\Content.IE5\25696TA3\custom[3]
C:\Documents and Settings\rookie\Local Settings\Temporary Internet Files\Content.IE5\WDGTMRKL\CASHYJS5.
C:\Documents and Settings\rookie\Local Settings\Temporary Internet Files\Content.IE5\25696TA3\CASJEPMT.
C:\Documents and Settings\rookie\Local Settings\Temporary Internet Files\Content.IE5\25696TA3\615173-solved-hijack-log-please-help[1].html
C:\Documents and Settings\rookie\Local Settings\Temporary Internet Files\Content.IE5\MH8BY52P\601676-vundo-removal-help[1].html
C:\Documents and Settings\rookie\Local Settings\Temporary Internet Files\Content.IE5\CDUZWDEZ\go.winantivirus[1].htm
C:\Documents and Settings\rookie\Local Settings\Temporary Internet Files\Content.IE5\IZMJY9I7\CAEBWJDA.
C:\Documents and Settings\rookie\Local Settings\Temporary Internet Files\Content.IE5\25696TA3\CAMN8LMJ.
C:\Documents and Settings\rookie\Local Settings\Temporary Internet Files\Content.IE5\K127OFCZ\CA85I7Q3.
C:\Documents and Settings\rookie\Local Settings\Temporary Internet Files\Content.IE5\K127OFCZ\CAEZM3YH.
C:\Documents and Settings\rookie\Local Settings\Temporary Internet Files\Content.IE5\WDGTMRKL\615212-solved-winantivirus-pro-2007-hjt[1].html
C:\Documents and Settings\rookie\Local Settings\Temporary Internet Files\Content.IE5\IZMJY9I7\CAGTCXOB.
C:\Documents and Settings\rookie\Local Settings\Temporary Internet Files\Content.IE5\SL6NOXMB\CA232ZYP.
C:\Documents and Settings\rookie\Local Settings\Temporary Internet Files\Content.IE5\STEJ0TUZ\CALK723H.
C:\Documents and Settings\rookie\Local Settings\Temporary Internet Files\Content.IE5\MH8BY52P\CACTAFSH.
C:\Documents and Settings\rookie\Local Settings\Temporary Internet Files\Content.IE5\CDUZWDEZ\CAZ6Y5NF.
C:\Documents and Settings\rookie\Local Settings\Temporary Internet Files\Content.IE5\IZMJY9I7\614412-trojans-adware-malware[1].html
C:\Documents and Settings\rookie\Local Settings\Temporary Internet Files\Content.IE5\WDGTMRKL\CA741JBS.
C:\Documents and Settings\rookie\Local Settings\Temporary Internet Files\Content.IE5\I5YTORKB\CAYDONGZ.
C:\Documents and Settings\rookie\Local Settings\Temporary Internet Files\Content.IE5\K127OFCZ\CA7U0ZBX.
C:\Documents and Settings\rookie\Local Settings\Temporary Internet Files\Content.IE5\MX0JGHCL\CA1CJ6BD.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:52 PM, on 8/28/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\rookie\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.winantivirus.com/MTQwODY=/4642/ax=1/ed=1/ex=1//
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.winantivirus.com/MTQwODY=/4642/ax=1/ed=1/ex=1//
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://go.winantivirus.com/MTQwODY=/4642/ax=1/ed=1/ex=1//
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\ROOKIE\Application Data\Mozilla\Profiles\default\xdgi64ri.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ROOKIE\Application Data\Mozilla\Profiles\default\xdgi64ri.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\INTERN~2\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [dmunu.exe] C:\WINNT\system32\dmunu.exe
O4 - HKLM\..\Run: [dmjmo.exe] C:\WINNT\system32\dmjmo.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\rookie\Desktop\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\Internet Security\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\INTERN~2\AVG\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - .DEFAULT Startup: AOM.lnk = C:\Program Files\Common Files\Adobe\Web\AOM.exe (User 'Default user')
O4 - .DEFAULT Startup: discfix.lnk = C:\DELL\discfix.cmd (User 'Default user')
O4 - .DEFAULT User Startup: AOM.lnk = C:\Program Files\Common Files\Adobe\Web\AOM.exe (User 'Default user')
O4 - .DEFAULT User Startup: discfix.lnk = C:\DELL\discfix.cmd (User 'Default user')
O4 - Global Startup: EPSON Background Monitor.lnk = C:\Program Files\Epson\ESM2\STMS.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://www.ahern.ws/AW3/Portal/resources/msddsc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159215194717
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159214987449
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\Internet Security\SASWINLO.dll (file missing)
O22 - SharedTaskScheduler: Windows Installer Class - {24E31EA9-FCE2-404F-BD80-20543565D946} - C:\DOCUME~1\rookie\LOCALS~1\Temp\~~install.dll
O23 - Service: 3Com DMI Agent (3ComDMIService) - 3Com Corporation - C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\INTERN~2\AVG\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\INTERN~2\AVG\avgupsvc.exe (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\INTERN~2\AVG\avgemc.exe (file missing)
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\PROGRA~1\NETWOR~1\VIRUSS~1\avsynmgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Windows Management Service - Unknown owner - C:\WINNT\system32\dmwev.exe
O24 - Desktop Component 0: (no name) - http://www.fordvehicles.com/fordgt/images/..._concept_06.jpg

--
End of file - 7735 bytes


#2 teacup61 (Malware Response Team)

Posted 28 August 2007 - 04:56 PM

Stefani,

Please don't do anything with the computer right now, K? I want the developer to look at your thread. Then we'll see about fixing everything up for you. :thumbsup:

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61 (Malware Response Team)

Posted 29 August 2007 - 02:27 PM

Hi Stefani,

The maker of ComboFix took a look for us. Thanks sUBs. :flowers:

Here's what happened:

ComboFix quarantined everything in the "Internet Security" folder. Why? "Internet Security" is one of the names a ZLOB infection uses. So ComboFix saw that and said OOPS, this is bad, needs to go. :thumbsup:

Copy "Internet Security" from C:\qoobox\quarantine\c\program files\ back to its original location.

Reboot & uninstall ALL of those programs.

Reboot & reinstall them back to their default locations. In the future, don't make specific folders, or this could happen again.

Let me know how it comes out. If you still have problems, we'll go from there. :huh:

Regards,
tea

#4 Stefani (Topic Starter)

Posted 29 August 2007 - 03:29 PM

Tea,
The programs were copied back to the Internet Security folder. The uninstall from the Control Panel indicated that each program was not there or already uninstalled. It asked if I wanted to delete the item from the uninstall list in the Control Panel. I did delete all of them from the uninstall list. The reason they wouldn't uninstall may have been that all the files were changed to a .vir extension when they were quarantined, and this is what was copied back to the Internet Security folder. I will now reinstall all these programs to their default folders. OK?

#5 teacup61 (Malware Response Team)

Posted 29 August 2007 - 03:45 PM

Okie dokie.....and no more "Internet Security" folder, right? :thumbsup:

#6 Stefani (Topic Starter)

Posted 29 August 2007 - 05:50 PM

Current status:

The programs would not uninstall through the control panel add/remove programs because the file extensions are now .vir and they were moved to the Qoobox. I did delete the items from the add/remove programs list, but this did not get rid of the .vir files that had been copied from the Qoobox back to the Programs/Internet Security folder.

At this point I rebooted, then downloaded the programs again to their default folders. I ran the installation on all of them - Ad-Aware, Spybot, HijackThis, AVG 7.5, CCleaner and SUPERAntiSpyware.

I have not rebooted after installation of the programs. These programs are currently not running. The Internet Security folders still exist in the Qoobox and in the Programs directories, where they each contain the .vir extension files for all these programs because they wouldn't uninstall.

Now my computer hangs up if I try to access the Control Panel Add/Remove Programs list and I can't see it. I do not have access to the Task Manager.

So now it's your call. Do I need to reboot? Should I delete any of the .vir files in the Qoobox or Programs directories along with the related Internet Security folders? Should I start all the newly installed programs and run them?

#7 Stefani (Topic Starter)

Posted 29 August 2007 - 06:03 PM

Let me clarify and summarize. The old Internet Security folders are there and the only thing in them are the .vir quarantine versions of the programs. All the newly installed programs are in default folders and not in Internet Security.
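Posts #3, #4 and #7 describe the restore problem: ComboFix keeps quarantined files under C:\Qoobox\Quarantine\C\ mirroring their original path and appends .vir (the log above shows C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\WAPISVSU.EXE.VIR), so copying the folder back as-is leaves renamed, non-working files. As an added example (not ComboFix's own tooling and not the helper's instructions, which remain the uninstall-and-reinstall route), the script below maps quarantined files back to their original locations with the suffix stripped, but only for one chosen subtree, so a genuine detection such as WAPISVSU.EXE.VIR stays in quarantine. The directory layout is assumed from the log paths; the demo builds a constructed quarantine in a temporary folder rather than touching a real C:\Qoobox.

```python
"""Selective restore of ComboFix-quarantined files, stripping the .vir suffix.

Added example, not ComboFix's own code. Assumed layout, taken from the log paths above:
<quarantine>\C\<original path>.vir  mirrors  C:\<original path>
"""
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Set

QUARANTINE_SUFFIX = ".vir"  # appended by ComboFix to every quarantined file (see the .VIR paths above)


def under_subtree(rel: Path, subtree: Path) -> bool:
    """Case-insensitive prefix test, because NTFS paths are case-insensitive."""
    head = rel.parts[: len(subtree.parts)]
    return [p.lower() for p in head] == [p.lower() for p in subtree.parts]


def plan_restore(quarantine_c: Path, target_root: Path, only_under: str) -> Dict[Path, Path]:
    """Map each quarantined file below `only_under` to its original location.

    Restricting the restore to one subtree (e.g. "Program Files/Internet Security") keeps
    real detections elsewhere in the quarantine, such as a system32 file, where they are.
    """
    subtree = Path(only_under)
    plan: Dict[Path, Path] = {}
    for src in quarantine_c.rglob("*"):
        if not src.is_file() or src.suffix.lower() != QUARANTINE_SUFFIX:
            continue
        rel = src.relative_to(quarantine_c)
        if not under_subtree(rel, subtree):
            continue
        # Drop the trailing ".vir" (any case) to recover the original file name.
        plan[src] = target_root / rel.with_name(rel.name[: -len(QUARANTINE_SUFFIX)])
    return plan


def restore(plan: Dict[Path, Path], dry_run: bool = True) -> List[Path]:
    """Copy (never move) the planned files back, so the quarantine stays intact as evidence."""
    done: List[Path] = []
    for src, dest in plan.items():
        if not dry_run:
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dest)
        done.append(dest)
    return done


def demo() -> Set[str]:
    """Constructed quarantine mirroring the logs above; returns restored paths relative to the drive root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        quarantine_c = root / "Qoobox" / "Quarantine" / "C"
        drive = root / "drive"  # stands in for C:\ in this constructed run
        constructed = [
            "Program Files/Internet Security/SUPERAntiSpyware.exe.vir",
            "Program Files/Internet Security/Plugins/sab_wab.dll.vir",
            "WINNT/SYSTEM32/WAPISVSU.EXE.VIR",  # flagged by SUPERAntiSpyware above: must stay quarantined
        ]
        for rel in constructed:
            p = quarantine_c / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"placeholder")
        plan = plan_restore(quarantine_c, drive, "Program Files/Internet Security")
        restored = restore(plan, dry_run=False)
        assert all(p.is_file() for p in restored)
        return {p.relative_to(drive).as_posix() for p in restored}


if __name__ == "__main__":
    for path in sorted(demo()):
        print("restored", path)
```

On the machine in this thread the call would be plan_restore(Path(r"C:\Qoobox\Quarantine\C"), Path(r"C:\"), "Program Files/Internet Security") followed by restore(plan) in dry-run mode first, to read the mapping before copying anything. Even so, a restored security product whose services and registry entries were removed is unlikely to run cleanly, which is why reinstalling to the default folders, as the helper advises, is the sounder fix.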

#8 teacup61 (Malware Response Team)

Posted 29 August 2007 - 06:39 PM

Delete Qoobox all together, and delete the folder Internet Security that you made. Reboot and see how it runs then. :thumbsup:

#9 Stefani (Topic Starter)

Posted 29 August 2007 - 07:27 PM

OK. I still don't have Task Manager. The Control Panel Remove Programs screen hangs up and doesn't completely load. I still have a white X in a red circle icon in the tray that links to drivecleaner.com, but the page doesn't load in the browser. The machine runs slower. Still getting two popups warning that my system is infected and linking to winantivirus.com and drivecleaner.com. I still have 2 HijackThis O7 items that I can't delete that read DisableRegedit=1. There are other HJT items that look suspicious. My home page keeps getting hijacked by http://go.winantivirus.com, which is blank.

#10 teacup61 (Malware Response Team)

Posted 29 August 2007 - 07:55 PM

Hello,

Okay, if your security programs are working now, then we start on the bad guys' malware! :flowers: That's what is causing the problems you mentioned.

Can you download HijackThis and post me a log now? That would be great. :thumbsup: Also run ComboFix again. It should be on the right track this time. Post the report in your reply, please.

Thanks,
tea

#11 Stefani (Topic Starter)

Posted 29 August 2007 - 08:15 PM

Here's the HJT log. Can I run the same version of ComboFix that I downloaded on August 25th? My understanding is that I don't have to be in safe mode to do this. Is that correct?


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:14:12 PM, on 8/30/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Documents and Settings\rookie\Desktop\HijackThis.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\mshta.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.winantivirus.com/MTQwODY=/4642/ax=1/ed=1/ex=1//
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:/www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://go.winantivirus.com/MTQwODY=/4642/ax=1/ed=1/ex=1//
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\ROOKIE\Application Data\Mozilla\Profiles\default\xdgi64ri.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ROOKIE\Application Data\Mozilla\Profiles\default\xdgi64ri.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [dmunu.exe] C:\WINNT\system32\dmunu.exe
O4 - HKLM\..\Run: [dmjmo.exe] C:\WINNT\system32\dmjmo.exe
O4 - HKLM\..\Run: [dmqqt.exe] C:\WINNT\system32\dmqqt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\rookie\Desktop\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - .DEFAULT Startup: AOM.lnk = C:\Program Files\Common Files\Adobe\Web\AOM.exe (User 'Default user')
O4 - .DEFAULT Startup: discfix.lnk = C:\DELL\discfix.cmd (User 'Default user')
O4 - .DEFAULT User Startup: AOM.lnk = C:\Program Files\Common Files\Adobe\Web\AOM.exe (User 'Default user')
O4 - .DEFAULT User Startup: discfix.lnk = C:\DELL\discfix.cmd (User 'Default user')
O4 - Global Startup: EPSON Background Monitor.lnk = C:\Program Files\Epson\ESM2\STMS.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://www.ahern.ws/AW3/Portal/resources/msddsc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159215194717
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159214987449
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Windows Installer Class - {24E31EA9-FCE2-404F-BD80-20543565D946} - C:\DOCUME~1\rookie\LOCALS~1\Temp\~~install.dll
O23 - Service: 3Com DMI Agent (3ComDMIService) - 3Com Corporation - C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\PROGRA~1\NETWOR~1\VIRUSS~1\avsynmgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Windows Management Service - Unknown owner - C:\WINNT\system32\dmvuu.exe (file missing)
O24 - Desktop Component 0: (no name) - http://www.fordvehicles.com/fordgt/images/..._concept_06.jpg

--
End of file - 9216 bytes

#12 Stefani (Topic Starter)

Posted 29 August 2007 - 09:41 PM

I downloaded Combofix.exe again and ran it. Here's the log. Since I downloaded all the program files I have run two of them. Spybot ran before the HijackThis log I gave you. Ad-Aware was running when I sent the HJT log. Hope this doesn't mess things up.

ComboFix 07-08-30.2 - "rookie" 08/30/2007 19:12:42.4 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.470 [GMT -7:00]


((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-31 )))))))))))))))))))))))))))))))


2007-08-30 19:12 16,384 --a----t- C:\WINNT\SYSTEM32\Perflib_Perfdata_440.dat
2007-08-30 15:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-30 15:20 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-30 15:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-30 14:48 <DIR> d-------- C:\WINNT\winsxs
2007-08-30 14:01 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-29 22:27 <DIR> d-------- C:\VundoFix Backups
2007-08-28 15:44 <DIR> d-------- C:\DOCUME~1\rookie\APPLIC~1\SUPERAntiSpyware.com
2007-08-28 15:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-25 15:50 51,200 --a------ C:\WINNT\nircmd.exe
2007-08-24 01:01 71,168 --a------ C:\Program Files\setup.exe
2007-08-07 13:58 8,064 --a------ C:\WINNT\SYSTEM32\DRIVERS\AWRTRD.sys
2007-08-07 13:56 9,344 --a------ C:\WINNT\SYSTEM32\DRIVERS\NSDriver.sys
2007-07-11 14:37 5,376 --a------ C:\WINNT\SYSTEM32\DRIVERS\AWRTPD.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

09/26/05 08:21p 11693024 --a------ C:\Program Files\GoogleEarthSetup.exe
09/09/04 02:24a 7428140 --a------ C:\Program Files\stctprodoml2.exe
08/30/05 01:50p 53248 --a------ C:\DOCUME~1\rookie\IDFileViewer.dll
08/30/05 01:50p 16384 --a------ C:\DOCUME~1\rookie\WindowHook.dll
08/25/07 01:01p --------- d--h----- C:\Program Files\InstallShield Installation Information
08/24/07 02:06a --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
08/23/04 10:24a 8073888 --a------ C:\Program Files\streetsmartpro.exe
08/22/05 01:26p 26112 --a------ C:\DOCUME~1\rookie\JNIPrinter.dll
07/30/07 07:19p 92504 --a------ C:\WINNT\system32\dllcache\cdm.dll
07/30/07 07:19p 92504 --a------ C:\WINNT\system32\cdm.dll
07/30/07 07:19p 549720 --a------ C:\WINNT\system32\wuapi.dll
07/30/07 07:19p 53080 --a------ C:\WINNT\system32\wuauclt.exe
07/30/07 07:19p 53080 --a------ C:\WINNT\system32\dllcache\wuauclt.exe
07/30/07 07:19p 43352 --a------ C:\WINNT\system32\wups2.dll
07/30/07 07:19p 325976 --a------ C:\WINNT\system32\wucltui.dll
07/30/07 07:19p 271224 --a------ C:\WINNT\system32\mucltui.dll
07/30/07 07:19p 207736 --a------ C:\WINNT\system32\muweb.dll
07/30/07 07:19p 203096 --a------ C:\WINNT\system32\wuweb.dll
07/30/07 07:19p 1712984 --a------ C:\WINNT\system32\wuaueng.dll
07/30/07 07:19p 1712984 --a------ C:\WINNT\system32\dllcache\wuaueng.dll
07/30/07 07:18p 33624 --a------ C:\WINNT\system32\wups.dll
07/26/00 05:00a 32528 --a------ C:\WINNT\inf\WBFIRDMA.SYS
04/10/01 05:58a 271 --ah----- C:\Program Files\DESKTOP.INI
04/10/01 05:58a 21952 --ah----- C:\Program Files\FOLDER.HTT
03/21/06 03:47a 1088386 --a------ C:\Program Files\AdwareAway.zip


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 12:05p C:\WINNT\SYSTEM32\mobsync.exe]
"TCASUTIEXE"="TCAUDIAG -off" []
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [09/21/00 12:34p]
"Adaptec DirectCD"="C:\PROGRA~1\Adaptec\DirectCD\directcd.exe" [06/29/00 01:01a]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" []
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [09/29/05 05:16p C:\WINNT\KHALMNPR.Exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08/30/07 03:07p]
"dmunu.exe"="C:\WINNT\system32\dmunu.exe" []
"dmjmo.exe"="C:\WINNT\system32\dmjmo.exe" []
"dmqqt.exe"="C:\WINNT\system32\dmqqt.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/07 04:00a]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/19/04 03:33p]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/07 03:06a]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [08/08/07 03:53p]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HijackThis startup scan"="C:\Documents and Settings\rookie\Desktop\HijackThis.exe" [08/28/07 08:08p]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/07 02:06p]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\DOCUME~1\DEFAUL~1\STARTM~1\Programs\Startup\
AOM.lnk - C:\Program Files\Common Files\Adobe\Web\AOM.exe [2001-07-21 23:01:30]
discfix.lnk - C:\DELL\discfix.cmd [2000-04-13 08:16:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
"DisableRegistryTools"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
"DisableRegistryTools"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{24E31EA9-FCE2-404F-BD80-20543565D946}"= C:\DOCUME~1\rookie\LOCALS~1\Temp\~~install.dll [08/24/07 01:01a 12800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/06 01:55p 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/07 01:41p 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

R0 aaatimeo;aaatimeo;C:\WINNT\system32\DRIVERS\aaatimeo.sys
R0 Fd16_700;Fd16_700;C:\WINNT\system32\DRIVERS\fd16_700.sys
R0 NaiFsRec;NaiFsRec;C:\WINNT\system32\drivers\NaiFsRec.sys
R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\system32\Drivers\avg7rsnt.sys
R1 Cdudf;Cdudf;C:\WINNT\system32\drivers\Cdudf.sys
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINNT\system32\DRIVERS\msikbd2k.sys
R1 pwd_2K;pwd_2K;C:\WINNT\system32\drivers\pwd_2K.sys
R1 UdfReadr;UdfReadr;C:\WINNT\system32\drivers\UdfReadr.sys
R2 3ComDMIService;3Com DMI Agent;C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
R2 BCAITDI;3Com BCAITDI DMI TDI;C:\WINNT\system32\DRIVERS\BCAItdi.sys
R2 io.sys;IO.DLL Driver;\??\C:\WINNT\system32\drivers\io.sys
R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
R2 tcaicchg;tcaicchg;\??\C:\WINNT\System32\tcaicchg.sys
R2 TCAITDI;TCAITDI Protocol;C:\WINNT\system32\DRIVERS\TCAITDI.sys
R3 mmc_2K;mmc_2K;C:\WINNT\system32\drivers\mmc_2K.sys
R3 usbprint;Microsoft USB PRINTER Class;C:\WINNT\system32\DRIVERS\usbprint.sys
S0 cda1000;cda1000;C:\WINNT\system32\DRIVERS\cda1000.sys
S2 DgivEcp;Team MFP Comm Driver;C:\WINNT\system32\Drivers\DgivEcp.Sys
S3 AvSynMgr;AVSync Manager;C:\PROGRA~1\NETWOR~1\VIRUSS~1\avsynmgr.exe
S3 ichaud;Service for AC'97 Driver (WDM);C:\WINNT\system32\drivers\ichaud.sys
S3 LUsbKbd;Logitech SetPoint USB Keyboard Filter;C:\WINNT\system32\Drivers\LUsbKbd.Sys
S3 NaiFiltr;NaiFiltr;\??\C:\Program Files\Common Files\Network Associates\McShield\NaiFiltr.sys


Contents of the 'Scheduled Tasks' folder
2007-05-17 17:47:11 C:\WINNT\Tasks\Spybot - Search & Destroy - Scheduled Task.job - C:\Program Files\Internet Security\Spybot - Search & Destroy\SpybotSD.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-30 19:14:45
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 08/30/2007 19:15:45
C:\ComboFix-quarantined-files.txt ... 08/30/07 07:15p
C:\ComboFix2.txt ... 08/28/07 05:09p
C:\ComboFix3.txt ... 08/26/07 05:28p

--- E O F ---

#13 teacup61 (Malware Response Team)

Posted 30 August 2007 - 04:00 PM

Hello Stefani,

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.winantivirus.com/MTQwODY=/4642/ax=1/ed=1/ex=1//
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://go.winantivirus.com/MTQwODY=/4642/ax=1/ed=1/ex=1//
O4 - HKLM\..\Run: [dmunu.exe] C:\WINNT\system32\dmunu.exe
O4 - HKLM\..\Run: [dmjmo.exe] C:\WINNT\system32\dmjmo.exe
O4 - HKLM\..\Run: [dmqqt.exe] C:\WINNT\system32\dmqqt.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O22 - SharedTaskScheduler: Windows Installer Class - {24E31EA9-FCE2-404F-BD80-20543565D946} - C:\DOCUME~1\rookie\LOCALS~1\Temp\~~install.dll
O23 - Service: Windows Management Service - Unknown owner - C:\WINNT\system32\dmvuu.exe (file missing)
O24 - Desktop Component 0: (no name) - http://www.fordvehicles.com/fordgt/images/..._concept_06.jpg


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Go to start -> control panel -> Display properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page").

Also remove the checkmark from the Lock Desktop Items box if it is checked.
Apply.
Apply and Exit Display properties.

Reboot your computer.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply. Also let me know how it's running now.

Thanks,
tea
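Added example (my own code, not from this thread or from HijackThis, ComboFix or SmitfraudFix): a Python triage pass over HijackThis log lines that encodes the reasoning behind the entries tea picked out above: R0/R1 pages pointing at a rogue-AV domain, Run values named after short random-looking system32 executables, O7 DisableRegedit/DisableTaskMgr policies (the ComboFix log shows both, which is why Task Manager and Regedit are gone), a SharedTaskScheduler DLL living in Temp, a service whose binary is missing, and a web-sourced Desktop Component. The rogue-domain list and the regex heuristics are assumptions; the sample log is a constructed subset of lines copied from the log posted in this thread.

```python
"""Triage a HijackThis v2 log for the autorun/policy/hijack patterns seen in this thread.

Added example, not part of the thread or of HijackThis itself. The heuristics
(rogue domains, random-name Run entries, policy values, Temp-loaded DLLs,
orphaned services, web Desktop Components) are assumptions drawn from the
entries the helper chose to fix.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts the thread identifies as the rogue-AV redirect targets (assumed list).
ROGUE_DOMAINS = ("winantivirus.com", "drivecleaner.com")


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag, e.g. "O4"
    reason: str   # why the entry was flagged
    line: str     # the original log line


_URL_RE = re.compile(r"https?://\S+")
# O4 Run/RunOnce entries under HKLM or HKCU: "[value name] command line"
_RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
_EXE_RE = re.compile(r'([^\\"]+\.exe)', re.I)
_RANDOM_EXE_RE = re.compile(r"^[a-z]{4,6}\.exe$")
# O7 restriction policies, e.g. DisableRegedit=1 or DisableTaskMgr=1
_POLICY_RE = re.compile(r"^O7 - .*\\Policies\\System, (?P<value>Disable\w+)=(?P<data>\d+)")


def _rogue_host(text: str):
    """Return the hostname if the first URL in text belongs to a rogue domain."""
    m = _URL_RE.search(text)
    if not m:
        return None
    host = (urlparse(m.group(0)).hostname or "").lower()
    for domain in ROGUE_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return host
    return None


def triage_line(line: str):
    """Return a Finding for one HijackThis line, or None if it looks benign."""
    line = line.strip()
    tag = line.split(" ", 1)[0]
    if tag in ("R0", "R1", "R3"):
        host = _rogue_host(line)
        if host:
            return Finding(tag, f"IE start/search page redirected to rogue host {host}", line)
    elif tag == "O4":
        m = _RUN_RE.match(line)
        exe = _EXE_RE.search(m.group("cmd")) if m else None
        if m and exe:
            name, exe = m.group("name").lower(), exe.group(1).lower()
            # Value name identical to a short random-looking .exe in system32
            if name == exe and _RANDOM_EXE_RE.match(exe) and "\\system32\\" in m.group("cmd").lower():
                return Finding(tag, f"autorun named after random-looking system32 file {exe}", line)
    elif tag == "O7":
        m = _POLICY_RE.match(line)
        if m and m.group("data") != "0":
            return Finding(tag, f"{m.group('value')} policy set, built-in admin tool disabled", line)
    elif tag == "O22" and "\\temp\\" in line.lower():
        return Finding(tag, "SharedTaskScheduler DLL loaded from a Temp folder", line)
    elif tag == "O23" and line.endswith("(file missing)"):
        return Finding(tag, "service points at a missing binary (leftover loader entry)", line)
    elif tag == "O24" and _URL_RE.search(line):
        return Finding(tag, "Active Desktop component sourced from a web URL", line)
    return None


def triage_log(text: str):
    """Run triage_line over every line of a log and collect the findings."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.winantivirus.com/MTQwODY=/4642/ax=1/ed=1/ex=1//
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [dmunu.exe] C:\WINNT\system32\dmunu.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O22 - SharedTaskScheduler: Windows Installer Class - {24E31EA9-FCE2-404F-BD80-20543565D946} - C:\DOCUME~1\rookie\LOCALS~1\Temp\~~install.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Windows Management Service - Unknown owner - C:\WINNT\system32\dmvuu.exe (file missing)
O24 - Desktop Component 0: (no name) - http://www.fordvehicles.com/fordgt/images/..._concept_06.jpg
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

On the sample above the script flags six entries (the rogue R1 page, dmunu.exe, the O7 policy, the Temp DLL, the missing-file service and the Desktop Component) and leaves the Google start page, AVG and ZoneAlarm lines alone.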

#14 Stefani (Topic Starter)

Posted 30 August 2007 - 06:15 PM

Hey Tea,
Here are the logs and some comments:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:00:25 PM, on 8/30/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\cmd.exe
C:\WINNT\notepad.exe
C:\Documents and Settings\rookie\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.winantivirus.com/MTQwODY=/4642/ax=1/ed=1/ex=1//
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://go.winantivirus.com/MTQwODY=/4642/ax=1/ed=1/ex=1//
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\ROOKIE\Application Data\Mozilla\Profiles\default\xdgi64ri.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ROOKIE\Application Data\Mozilla\Profiles\default\xdgi64ri.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\rookie\Desktop\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - .DEFAULT Startup: AOM.lnk = C:\Program Files\Common Files\Adobe\Web\AOM.exe (User 'Default user')
O4 - .DEFAULT Startup: discfix.lnk = C:\DELL\discfix.cmd (User 'Default user')
O4 - .DEFAULT User Startup: AOM.lnk = C:\Program Files\Common Files\Adobe\Web\AOM.exe (User 'Default user')
O4 - .DEFAULT User Startup: discfix.lnk = C:\DELL\discfix.cmd (User 'Default user')
O4 - Global Startup: EPSON Background Monitor.lnk = C:\Program Files\Epson\ESM2\STMS.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://www.ahern.ws/AW3/Portal/resources/msddsc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159215194717
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159214987449
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Windows Installer Class - {24E31EA9-FCE2-404F-BD80-20543565D946} - C:\DOCUME~1\rookie\LOCALS~1\Temp\~~install.dll
O23 - Service: 3Com DMI Agent (3ComDMIService) - 3Com Corporation - C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\PROGRA~1\NETWOR~1\VIRUSS~1\avsynmgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 8583 bytes

SmitFraudFix v2.218

Scan done at 15:56:55.87, Thu 08/30/2007
Run from C:\Documents and Settings\rookie\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\cmd.exe

hosts


C:\


C:\WINNT

C:\WINNT\toolbar.exe FOUND !

C:\WINNT\system


C:\WINNT\Web


C:\WINNT\system32


C:\Documents and Settings\rookie


C:\Documents and Settings\rookie\Application Data


Start Menu


C:\DOCUME~1\rookie\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{24E31EA9-FCE2-404F-BD80-20543565D946}"="Windows Installer Class"

[HKEY_CLASSES_ROOT\CLSID\{24E31EA9-FCE2-404F-BD80-20543565D946}\InProcServer32]
@="C:\DOCUME~1\rookie\LOCALS~1\Temp\~~install.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{24E31EA9-FCE2-404F-BD80-20543565D946}\InProcServer32]
@="C:\DOCUME~1\rookie\LOCALS~1\Temp\~~install.dll"



AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!



Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: 3Com EtherLink PCI
DNS Server Search Order: 68.87.76.178
DNS Server Search Order: 68.87.78.130

HKLM\SYSTEM\CCS\Services\Tcpip\..\{6E2B1456-4BA3-49FC-A461-63FAFDE5283A}: DhcpNameServer=68.87.76.178 68.87.78.130
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F8868156-8E81-4DE6-BC68-98E3D4E5C703}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6E2B1456-4BA3-49FC-A461-63FAFDE5283A}: DhcpNameServer=68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F8868156-8E81-4DE6-BC68-98E3D4E5C703}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{6E2B1456-4BA3-49FC-A461-63FAFDE5283A}: DhcpNameServer=68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F8868156-8E81-4DE6-BC68-98E3D4E5C703}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.76.178 68.87.78.130


Scanning for wininet.dll infection


End


Most of the HJT deletions just keep coming back.

My control panel is different from what you described. I'm running 2000 Professional, and from Control Panel > Display Properties the tabs are Background, Screen Saver, Appearance, Web, Effects, Settings.

In this area, I have deleted the "background" image. There is no screensaver running. I've unchecked "Show web content on my Active Desktop" and checked the box for "My Current Home Page".

There seems to be no change in how the system is running from the previous description. Still have the same popups every few minutes, red X in the tray, no Task Manager, and HJT won't edit certain entries.

Positive note: I do have the Add/remove programs window back functioning in the control panel.
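The SharedTaskScheduler finding in the SmitFraudFix log above (a CLSID whose InProcServer32 points at a DLL in the user's Temp folder, which Explorer loads at every logon) is the kind of entry worth checking by hand. The Python script below is an added example, not part of this thread and not SmitFraudFix's own code: it parses that section of a SmitFraudFix-style dump, resolves each registered CLSID to its DLL and flags handlers that load from user-writable locations. The sample text reuses the CLSID and path printed in the log; the second CLSID, its name and placeholder.dll are invented placeholders standing in for a benign entry, and the path heuristics are assumptions.

```python
"""Resolve SharedTaskScheduler CLSIDs from a SmitFraudFix-style registry dump
and flag handlers that load from user-writable locations (added example)."""
import re

# Constructed sample: the SharedTaskScheduler and InProcServer32 lines as
# SmitFraudFix prints them. The first CLSID and its path come from the log
# above; the second CLSID, name and placeholder.dll are invented placeholders.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{24E31EA9-FCE2-404F-BD80-20543565D946}"="Windows Installer Class"
"{00000000-0000-0000-0000-000000000001}"="Placeholder Benign Handler"

[HKEY_CLASSES_ROOT\CLSID\{24E31EA9-FCE2-404F-BD80-20543565D946}\InProcServer32]
@="C:\DOCUME~1\rookie\LOCALS~1\Temp\~~install.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{24E31EA9-FCE2-404F-BD80-20543565D946}\InProcServer32]
@="C:\DOCUME~1\rookie\LOCALS~1\Temp\~~install.dll"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32]
@="C:\WINNT\system32\placeholder.dll"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
STS_VALUE_RE = re.compile(r'^"(' + GUID + r')"="(.*)"$')
INPROC_KEY_RE = re.compile(r"\\CLSID\\(" + GUID + r")\\InProcServer32$", re.IGNORECASE)
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')


def parse_dump(text):
    """Return ({clsid: name} registered under SharedTaskScheduler,
    {clsid: set(dll paths)} from every CLSID\\...\\InProcServer32 key seen)."""
    registered, servers = {}, {}
    in_sts, current_clsid = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            key_path = key.group(1)
            in_sts = key_path.lower().endswith("\\sharedtaskscheduler")
            m = INPROC_KEY_RE.search(key_path)
            current_clsid = m.group(1).upper() if m else None
            continue
        if in_sts:
            m = STS_VALUE_RE.match(line)
            if m:
                registered[m.group(1).upper()] = m.group(2)
        elif current_clsid:
            m = DEFAULT_VALUE_RE.match(line)
            if m:
                servers.setdefault(current_clsid, set()).add(m.group(1))
    return registered, servers


def suspicious_reasons(dll_path):
    """Heuristics (assumed, not from SmitFraudFix) for a DLL that Explorer
    will load into its own process at every logon."""
    p = dll_path.lower()
    reasons = []
    if "\\temp\\" in p or "\\tmp\\" in p:
        reasons.append("loads from a Temp directory")
    if p.startswith(("c:\\docume~1\\", "c:\\documents and settings\\", "c:\\users\\")):
        reasons.append("lives under a user profile rather than Program Files or system32")
    if p.rsplit("\\", 1)[-1].startswith("~"):
        reasons.append("file name begins with '~', mimicking a temporary file")
    return reasons


def triage(text):
    """One finding per registered CLSID and resolved DLL path."""
    registered, servers = parse_dump(text)
    findings = []
    for clsid, name in registered.items():
        paths = sorted(servers.get(clsid, ())) or [None]
        for dll in paths:
            reasons = suspicious_reasons(dll) if dll else ["no InProcServer32 resolved"]
            findings.append({"clsid": clsid, "name": name, "path": dll, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        verdict = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{verdict:10} {f['clsid']} {f['name']!r} -> {f['path']}")
        for reason in f["reasons"]:
            print("           -", reason)
```

Run as-is to see the report, or pass the SharedTaskScheduler section of another log to triage. The same CLSID appearing under both HKEY_CLASSES_ROOT and HKLM\Software\Classes is expected, since those are two views of the same data, so one finding per CLSID is normal; two different DLL paths for one CLSID would itself deserve a look.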

#15 Stefani

Stefani
  • Topic Starter

  • Members
  • 40 posts

Posted 30 August 2007 - 06:42 PM

Tea,

FYI, here is the log for recent AVG 7.5 scans. The last one was yesterday, after the reinstallation of AVG. Note the Zlob.JN item.


"","","Trojan horse Downloader.Zlob.JN","C:\Program Files\setup.exe","8/29/2007 9:41:10 PM","setup.exe","69.5 KB"
"","","Virus found Small","C:\WINNT\xlkk.exe","8/24/2007 9:50:38 AM","xlkk.exe","2 KB"
"","","Trojan horse Downloader.Small.OY","C:\Documents and Settings\rookie\Local Settings\Temporary Internet Files\Content.IE5\VFX9F4U3\hlpsrv[1].exe","8/24/2007 1:59:19 AM","hlpsrv[1].exe","10 KB"
"","","Trojan horse Downloader.Small.OY","C:\WINNT\SYSTEM32\hlpsrv.exe","8/24/2007 1:04:50 AM","hlpsrv.exe","10 KB"
"","","Trojan horse Downloader.Small.OY","C:\WINNT\SYSTEM32\hlpsrv.exe","8/24/2007 1:04:32 AM","hlpsrv.exe","10 KB"
"","","Trojan horse Downloader.Small.OY","C:\Documents and Settings\rookie\Local Settings\Temporary Internet Files\Content.IE5\8XGGQ6WD\hlpsrv[1].exe","8/24/2007 1:04:26 AM","hlpsrv[1].exe","10 KB"
"","","Trojan horse Downloader.Small.OY","C:\WINNT\SYSTEM32\hlpsrv.exe","8/24/2007 1:00:49 AM","hlpsrv.exe","10 KB"
"","","Trojan horse Downloader.Agent.KJX","C:\WINNT\SYSTEM32\{28E324BD-CD70-4822-9954-C2F8000BE590}.exe","8/24/2007 12:41:55 AM","{28E324BD-CD70-4822-9954-C2F8000BE590}.exe","51.54 KB"
"","","Trojan horse Downloader.Agent.KJX","C:\WINNT\SYSTEM32\{ADDA5902-B25B-4E6B-A043-62DAD527884C}.exe","8/24/2007 12:35:55 AM","{ADDA5902-B25B-4E6B-A043-62DAD527884C}.exe","51.54 KB"
"","","Trojan horse Downloader.Agent.KJX","C:\WINNT\SYSTEM32\{634758BD-26A3-4C99-AD45-8BDDB104704D}.exe","8/24/2007 12:29:54 AM","{634758BD-26A3-4C99-AD45-8BDDB104704D}.exe","51.54 KB"
"","","Trojan horse Downloader.Agent.KJX","C:\WINNT\SYSTEM32\{12967FC6-9DC0-4863-86C4-266A0A36BA0B}.exe","8/24/2007 12:23:55 AM","{12967FC6-9DC0-4863-86C4-266A0A36BA0B}.exe","51.54 KB"
"","","Trojan horse Downloader.Agent.KJX","C:\WINNT\SYSTEM32\{B0778DA1-755C-413D-9B71-7F6BEF07C3C6}.exe","8/24/2007 12:17:56 AM","{B0778DA1-755C-413D-9B71-7F6BEF07C3C6}.exe","51.54 KB"
"","","Trojan horse Downloader.Agent.KJX","C:\WINNT\SYSTEM32\{3971BC8D-8C52-44F3-93AD-D1BF6BF2175C}.exe","8/23/2007 11:52:15 PM","{3971BC8D-8C52-44F3-93AD-D1BF6BF2175C}.exe","51.54 KB"
"","","Trojan horse Downloader.Agent.KJX","C:\WINNT\SYSTEM32\{2C2B1847-69D2-42EB-9BE4-BFEC9917B70B}.exe","8/23/2007 11:46:16 PM","{2C2B1847-69D2-42EB-9BE4-BFEC9917B70B}.exe","51.54 KB"
"","","Trojan horse Downloader.Agent.KJX","C:\WINNT\SYSTEM32\{57461A6B-C6C0-4DD0-884C-532709F76B0A}.exe","8/23/2007 11:40:13 PM","{57461A6B-C6C0-4DD0-884C-532709F76B0A}.exe","51.54 KB"
"","","Trojan horse Downloader.Agent.KJX","C:\WINNT\SYSTEM32\{1258F828-B707-49BC-BB51-D4E35BD2CDBB}.exe","8/23/2007 11:34:14 PM","{1258F828-B707-49BC-BB51-D4E35BD2CDBB}.exe","51.54 KB"
"","","Trojan horse Downloader.Generic5.DJQ","C:\Documents and Settings\rookie\Desktop\ieupdr2.exe","8/23/2007 11:29:47 PM","ieupdr2.exe","13.38 KB"
"","","Trojan horse Downloader.Agent.KJX","C:\WINNT\SYSTEM32\{1464193A-5A19-44E8-ACDD-D22E2AE83E1B}.exe","8/23/2007 11:29:38 PM","{1464193A-5A19-44E8-ACDD-D22E2AE83E1B}.exe","51.54 KB"
"","","Trojan horse Downloader.Generic5.DJQ","C:\Documents and Settings\rookie\ie_update3r.exe","8/23/2007 11:29:14 PM","ie_update3r.exe","13.38 KB"
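A detection log like this one says more than which files were found. The Python script below is an added example (not from the thread, from AVG, or from any poster): it reads AVG's export layout exactly as posted, counts how often the same path was re-detected, counts GUID-named executables, and measures how regularly a given detection recurs. The embedded rows are copied from the log above as sample data; the 10-second tolerance and the 60% "regular" threshold are assumptions.

```python
"""Triage an AVG 7.5 detection-log export: spot re-dropped files, randomly
named executables and periodic re-creation that points to a still-resident
downloader (added example)."""
import csv
import io
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: rows copied from the AVG log posted above, in AVG's export
# layout (two empty columns, detection, full path, time, file name, size).
AVG_LOG = r'''"","","Trojan horse Downloader.Zlob.JN","C:\Program Files\setup.exe","8/29/2007 9:41:10 PM","setup.exe","69.5 KB"
"","","Trojan horse Downloader.Small.OY","C:\WINNT\SYSTEM32\hlpsrv.exe","8/24/2007 1:04:50 AM","hlpsrv.exe","10 KB"
"","","Trojan horse Downloader.Small.OY","C:\WINNT\SYSTEM32\hlpsrv.exe","8/24/2007 1:04:32 AM","hlpsrv.exe","10 KB"
"","","Trojan horse Downloader.Small.OY","C:\WINNT\SYSTEM32\hlpsrv.exe","8/24/2007 1:00:49 AM","hlpsrv.exe","10 KB"
"","","Trojan horse Downloader.Agent.KJX","C:\WINNT\SYSTEM32\{28E324BD-CD70-4822-9954-C2F8000BE590}.exe","8/24/2007 12:41:55 AM","{28E324BD-CD70-4822-9954-C2F8000BE590}.exe","51.54 KB"
"","","Trojan horse Downloader.Agent.KJX","C:\WINNT\SYSTEM32\{ADDA5902-B25B-4E6B-A043-62DAD527884C}.exe","8/24/2007 12:35:55 AM","{ADDA5902-B25B-4E6B-A043-62DAD527884C}.exe","51.54 KB"
"","","Trojan horse Downloader.Agent.KJX","C:\WINNT\SYSTEM32\{634758BD-26A3-4C99-AD45-8BDDB104704D}.exe","8/24/2007 12:29:54 AM","{634758BD-26A3-4C99-AD45-8BDDB104704D}.exe","51.54 KB"
"","","Trojan horse Downloader.Agent.KJX","C:\WINNT\SYSTEM32\{12967FC6-9DC0-4863-86C4-266A0A36BA0B}.exe","8/24/2007 12:23:55 AM","{12967FC6-9DC0-4863-86C4-266A0A36BA0B}.exe","51.54 KB"
"","","Trojan horse Downloader.Agent.KJX","C:\WINNT\SYSTEM32\{B0778DA1-755C-413D-9B71-7F6BEF07C3C6}.exe","8/24/2007 12:17:56 AM","{B0778DA1-755C-413D-9B71-7F6BEF07C3C6}.exe","51.54 KB"
"","","Trojan horse Downloader.Agent.KJX","C:\WINNT\SYSTEM32\{3971BC8D-8C52-44F3-93AD-D1BF6BF2175C}.exe","8/23/2007 11:52:15 PM","{3971BC8D-8C52-44F3-93AD-D1BF6BF2175C}.exe","51.54 KB"
"","","Trojan horse Downloader.Agent.KJX","C:\WINNT\SYSTEM32\{2C2B1847-69D2-42EB-9BE4-BFEC9917B70B}.exe","8/23/2007 11:46:16 PM","{2C2B1847-69D2-42EB-9BE4-BFEC9917B70B}.exe","51.54 KB"
"","","Trojan horse Downloader.Agent.KJX","C:\WINNT\SYSTEM32\{57461A6B-C6C0-4DD0-884C-532709F76B0A}.exe","8/23/2007 11:40:13 PM","{57461A6B-C6C0-4DD0-884C-532709F76B0A}.exe","51.54 KB"
"","","Trojan horse Downloader.Agent.KJX","C:\WINNT\SYSTEM32\{1258F828-B707-49BC-BB51-D4E35BD2CDBB}.exe","8/23/2007 11:34:14 PM","{1258F828-B707-49BC-BB51-D4E35BD2CDBB}.exe","51.54 KB"
"","","Trojan horse Downloader.Agent.KJX","C:\WINNT\SYSTEM32\{1464193A-5A19-44E8-ACDD-D22E2AE83E1B}.exe","8/23/2007 11:29:38 PM","{1464193A-5A19-44E8-ACDD-D22E2AE83E1B}.exe","51.54 KB"
'''

GUID_EXE_RE = re.compile(r"\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.IGNORECASE)
TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"


def parse_avg_log(text):
    """Yield (detection, path, datetime) for each export row."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 5:
            continue
        yield row[2], row[3], datetime.strptime(row[4], TIME_FORMAT)


def periodicity(times, tolerance_s=10):
    """Median gap between consecutive events and the share of gaps within
    tolerance of that median; (None, None) when fewer than three gaps exist."""
    ts = sorted(times)
    gaps = [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None, None
    median = statistics.median(gaps)
    regular = sum(1 for g in gaps if abs(g - median) <= tolerance_s) / len(gaps)
    return median, regular


def triage(text):
    """Per detection name: hit count, GUID-named files, paths hit more than
    once (cleaned and re-dropped) and how regularly the detections recur."""
    events = defaultdict(list)
    for detection, path, when in parse_avg_log(text):
        events[detection].append((path, when))
    report = {}
    for detection, hits in events.items():
        per_path = defaultdict(int)
        for path, _ in hits:
            per_path[path] += 1
        median, regular = periodicity([when for _, when in hits])
        report[detection] = {
            "count": len(hits),
            "guid_named": sum(1 for path, _ in hits if GUID_EXE_RE.search(path)),
            "redropped": {p: n for p, n in per_path.items() if n > 1},
            "median_interval": median,
            "regular_fraction": regular,
        }
    return report


if __name__ == "__main__":
    for detection, r in triage(AVG_LOG).items():
        print(f"{detection}: {r['count']} hit(s), {r['guid_named']} GUID-named")
        for path, n in r["redropped"].items():
            print(f"  re-detected {n}x at {path}: cleaned and dropped again")
        if r["median_interval"] and r["regular_fraction"] >= 0.6:
            print(f"  recurs about every {r['median_interval'] / 60:.0f} min "
                  f"({r['regular_fraction']:.0%} of gaps regular): resident downloader still active")
```

On the rows above it reports hlpsrv.exe detected three times at the same system32 path, and the Downloader.Agent.KJX files, all GUID-named, arriving about every six minutes with 7 of 9 gaps within 10 seconds of the median. Files that reappear at a steady interval after the scanner removes them are consistent with a downloader that is still running, which is the behaviour behind deletions that keep coming back; the fix is to find and stop the dropper, not to keep deleting its output.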



