Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan:win32/small


  • This topic is locked This topic is locked
13 replies to this topic

#1 jmay

jmay

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:07 AM

Posted 09 September 2007 - 03:45 PM

I started getting these pop ups from windows live one care: Trojan:Win32/small,Trojan Downloader:Win32/Renos and also Trojan:Win32/Systemhijack.gen. My system was really and still is slow.Also it would not let me delete any program files saying i am not the system administrator.I am no computer genius by any means but it seemed to be located in C:/Windows/system32/hrum because everytime i would pass the mouse pointer over this file the pop up Trojan: Win32/small from windows live onecare would come up.I went through all the steps from the preparation guide before posting this.The downloads found a lot of infected files and cleaned them and now it will let me delete program files but my system is still slow. l figured i would post this and see what it looks like to you. Thanks for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:07:19 PM, on 9/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\AVENGINE.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\SRVLOAD.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\WebProxy.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavBckPT.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PAVJOBS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Internet Security 2008\Inicio.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RegSweep] C:\Program Files\RegSweep\RegSweep.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [CyberDefender Early Detection Center] "C:\Program Files\CyberDefender\AntiSpyware\cdas1a2.exe" /minimize
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Malware Scanner] C:\Program Files\MalwareRemover.com\Malware Scanner\MalScr.exe /STARTUP
O4 - Startup: LimeWire On Startup.lnk = C:\Documents and Settings\JERRY\Application Data\AdwareAlert\Quarantine\23-08-2007-20-48-13\43.qit
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/sit...b?1189365208828
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum242.txt
O23 - Service: AdwareAlert Scanning Engine (AdwareAlertSrv) - Unknown owner - C:\Program Files\AdwareAlert\AdwareAlertSrv.srv.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9762 bytes

BC AdBot (Login to Remove)

 


#2 jmay

jmay
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:07 AM

Posted 17 September 2007 - 07:12 PM

Just wondering if i entered something wrong or if it usually takes this long for a response....

#3 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:05:07 PM

Posted 19 September 2007 - 12:32 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
We're inundated with logs at the moment, so many people have to wait for a while for a reply.
If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:
Preparation Guide For Use Before Posting A Hijackthis Log
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#4 jmay

jmay
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:07 AM

Posted 19 September 2007 - 08:56 PM

I previously followed all the preparation guide steps and here is the hijackthis log i reran...thanks for your help!!!




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:53:18 PM, on 9/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\AVENGINE.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\SRVLOAD.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\WebProxy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavBckPT.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Internet Security 2008\Inicio.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RegSweep] C:\Program Files\RegSweep\RegSweep.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [CyberDefender Early Detection Center] "C:\Program Files\CyberDefender\AntiSpyware\cdas1a2.exe" /minimize
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Malware Scanner] C:\Program Files\MalwareRemover.com\Malware Scanner\MalScr.exe /STARTUP
O4 - Startup: LimeWire On Startup.lnk = C:\Documents and Settings\JERRY\Application Data\AdwareAlert\Quarantine\23-08-2007-20-48-13\43.qit
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/sit...b?1189365208828
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum242.txt
O23 - Service: AdwareAlert Scanning Engine (AdwareAlertSrv) - Unknown owner - C:\Program Files\AdwareAlert\AdwareAlertSrv.srv.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9650 bytes

#5 jmay

jmay
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:07 AM

Posted 19 September 2007 - 09:33 PM

020 C:\Windows\system32\hrum242.txt is this a trojan?...before I ran all the steps in the preparation guide each time I passed the mouse pointer over this file Onecare would popup the Trojan:win32/small popup and I could not delete it.After I ran all the steps in the preparation guide i could delete programs and it previously would not let me.Thanks...

#6 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:05:07 PM

Posted 20 September 2007 - 03:14 PM

Hello again,
Yes that file is malicious and needs removing :thumbsup:
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKCU\..\Run: [Malware Scanner] C:\Program Files\MalwareRemover.com\Malware Scanner\MalScr.exe /STARTUP
O4 - Startup: LimeWire On Startup.lnk = C:\Documents and Settings\JERRY\Application Data\AdwareAlert\Quarantine\23-08-2007-20-48-13\43.qit
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum242.txt


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix checked button.

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Set your system to show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Next, please find and delete the following folder (if present):

C:\Program Files\MalwareRemover.com

Reboot into Normal Mode again.

Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt. Post that in your next reply.

In your reply I'd like both the Combofix log and a new HijackThis log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#7 jmay

jmay
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:07 AM

Posted 22 September 2007 - 10:55 PM

Here is the ComboFix and new Hijack logs...thanks for your help

ComboFix 07-09-21.2 - "JERRY" 2007-09-22 22:39:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.121 [GMT -5:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\explore.exe

.
((((((((((((((((((((((((( Files Created from 2007-08-23 to 2007-09-23 )))))))))))))))))))))))))))))))
.

2007-09-22 22:36 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-09 15:06 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-06 22:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-09-06 22:22 75,932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-09-06 22:22 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-09-06 22:22 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-09-06 22:22 520,224 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-09-06 22:22 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-09-06 22:20 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-09-04 23:02 13,880 --a------ C:\WINDOWS\system32\drivers\COMFiltr.sys
2007-09-04 23:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\sentinel
2007-09-04 22:58 83,640 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
2007-09-04 22:58 51,256 --a------ C:\WINDOWS\system32\drivers\dsaflt.sys
2007-09-04 22:58 37,304 --a------ C:\WINDOWS\system32\drivers\smsflt.sys
2007-09-04 22:58 30,648 --a------ C:\WINDOWS\system32\drivers\wnmflt.sys
2007-09-04 22:58 261 --a------ C:\WINDOWS\system32\PavCPL.dat
2007-09-04 22:58 228,564 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT
2007-09-04 22:58 191,672 --a------ C:\WINDOWS\system32\drivers\idsflt.sys
2007-09-04 22:57 71,736 --a------ C:\WINDOWS\system32\drivers\APPFLT.SYS
2007-09-04 22:57 22,072 --a------ C:\WINDOWS\system32\drivers\fnetmon.sys
2007-09-04 22:57 132,920 --a------ C:\WINDOWS\system32\drivers\NETFLTDI.SYS
2007-09-04 22:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Backup
2007-09-04 22:56 <DIR> d-------- C:\Program Files\Panda Security
2007-09-04 22:53 38,968 --a------ C:\WINDOWS\system32\drivers\ShlDrv51.sys
2007-09-04 22:53 178,872 --a------ C:\WINDOWS\system32\drivers\PavProc.sys
2007-09-04 22:46 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2007-09-04 21:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-01 20:20 6,144 --a------ C:\WINDOWS\wwdasdwdac.exe
2007-08-29 20:33 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-08-23 20:48 <DIR> d-------- C:\DOCUME~1\JERRY\APPLIC~1\AdwareAlert
2007-08-22 22:26 1,617 --a------ C:\DOCUME~1\JERRY\was0008.exe
2007-08-22 21:30 61,440 --a------ C:\WINDOWS\system32\drivers\CDAVFS.sys
2007-08-22 21:03 423,784 --a------ C:\WINDOWS\system32\XceedBkp.dll
2007-08-22 21:03 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2007-08-22 20:51 <DIR> d-------- C:\DOCUME~1\JERRY\APPLIC~1\RegSweep
2007-08-22 18:49 39,424 --a------ C:\WINDOWS\system32\vtr.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-22 22:28 228564 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT.bck
2007-09-22 22:28 1224 --a------ C:\WINDOWS\system32\drivers\APPFLTR.CFG.bck
2007-09-22 22:28 1224 --a------ C:\WINDOWS\system32\drivers\APPFLTR.CFG
2007-09-22 09:08 6860 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-09-04 22:56 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-02 08:38 3350 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-07-31 02:25 142696 --a------ C:\WINDOWS\system32\MicrosoftUpdateCatalogWebControl.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-19 01:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-12 18:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-07-12 08:42 292144 --a------ C:\WINDOWS\system32\PavSHook.dll
2007-07-10 16:02 37027 --a------ C:\WINDOWS\atmoUn.exe
2007-06-27 09:34 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 09:34 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 09:34 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 09:34 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 09:34 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 09:34 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 09:34 44544 --------- C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 09:34 384512 --------- C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 09:34 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 09:34 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 09:34 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 09:34 232960 --------- C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 09:34 230400 --------- C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 09:34 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 09:34 153088 --------- C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 09:34 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 09:34 124928 --------- C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 09:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 09:34 105984 --------- C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 09:34 102400 --------- C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 03:27 63488 --------- C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 03:27 625152 --------- C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 03:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 02:00 161792 --------- C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 01:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-21 21:54 1086952 --a------ C:\WINDOWS\system32\zpeng24.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 20:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 04:48]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-12-07 11:39]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-07 11:39]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 02:02]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 20:20]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 20:20]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 12:06]
"APVXDWIN"="C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.exe" [2007-07-23 18:30]
"SCANINICIO"="C:\Program Files\Panda Security\Panda Internet Security 2008\Inicio.exe" [2007-07-11 15:17]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]
"RegSweep"="C:\Program Files\RegSweep\RegSweep.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"CyberDefender Early Detection Center"="C:\Program Files\CyberDefender\AntiSpyware\cdas1a2.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-12-07 11:33:24]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 20:02 50736 C:\WINDOWS\system32\avldr.dll

R1 APPFLT;App Filter Plugin;\??\C:\WINDOWS\system32\Drivers\APPFLT.SYS
R1 DSAFLT;DSA Filter Plugin;\??\C:\WINDOWS\system32\Drivers\DSAFLT.SYS
R1 FNETMON;NetMon Filter Plugin;\??\C:\WINDOWS\system32\Drivers\fnetmon.SYS
R1 IDSFLT;Ids Filter Plugin;\??\C:\WINDOWS\system32\Drivers\IDSFLT.SYS
R1 NETFLTDI;Panda Net Driver [TDI Layer];\??\C:\WINDOWS\system32\Drivers\NETFLTDI.SYS
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys
R1 SMSFLT;SMS Filter Plugin;\??\C:\WINDOWS\system32\Drivers\SMSFLT.SYS
R1 WNMFLT;Wifi Monitor Filter Plugin;\??\C:\WINDOWS\system32\Drivers\WNMFLT.SYS
R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\Drivers\cpoint.sys
R2 PAVDRV;pavdrv;C:\WINDOWS\system32\DRIVERS\pavdrv51.sys
R2 PavProc;Panda Process Protection Driver;\??\C:\WINDOWS\system32\DRIVERS\PavProc.sys
R3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys
R3 ComFiltr;Panda Anti-Dialer;\??\C:\WINDOWS\system32\DRIVERS\COMFiltr.sys
R3 NETIMFLT;PANDA NDIS IM Filter Miniport;C:\WINDOWS\system32\DRIVERS\netimflt.sys
R3 PavSRK.sys;PavSRK.sys;\??\C:\WINDOWS\system32\PavSRK.sys
R3 PavTPK.sys;PavTPK.sys;\??\C:\WINDOWS\system32\PavTPK.sys
S2 AdwareAlertSrv;AdwareAlert Scanning Engine;"C:\Program Files\AdwareAlert\AdwareAlertSrv.srv.exe"
S3 UWProSys;Process monitor.;\??\C:\Program Files\CyberDefender\AntiSpyware\uwprosys.sys

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-09-05 01:52:44 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.exe
"2007-09-20 02:16:03 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-08-16 23:33:31 C:\WINDOWS\Tasks\MP Scheduled Quick Scan.job"
- C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe
"2007-09-05 01:52:46 C:\WINDOWS\Tasks\RegSweep Scheduled Scan.job"
- C:\Program Files\RegSweep\RegSweep.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-22 22:46:00
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwClose, ZwEnumerateValueKey, ZwQueryValueKey, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-22 22:49:03
C:\ComboFix-quarantined-files.txt ... 2007-09-22 22:49
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:25 PM, on 9/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\AVENGINE.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\SRVLOAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\WebProxy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavBckPT.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\avciman.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\psimreal.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Internet Security 2008\Inicio.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RegSweep] C:\Program Files\RegSweep\RegSweep.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [CyberDefender Early Detection Center] "C:\Program Files\CyberDefender\AntiSpyware\cdas1a2.exe" /minimize
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/sit...b?1189365208828
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O23 - Service: AdwareAlert Scanning Engine (AdwareAlertSrv) - Unknown owner - C:\Program Files\AdwareAlert\AdwareAlertSrv.srv.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9305 bytes

#8 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:05:07 PM

Posted 23 September 2007 - 02:55 PM

I'd like to take a look at a couple of files in your computer before we continue.

Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the Desktop but do not run it yet.

Then reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Paste the following bold part into the Suspicious File Packer window:
C:\WINDOWS\wwdasdwdac.exe
C:\Documents and Settings\JERRY\was0008.exe

Allow SFP to pack the file.
This will generate a CAB archive on your Desktop.

Boot back into Normal Mode again.

Go to this page.
Enter the URL of this thread in the first field.
Where it says: "Browse to the file that you want to submit", click the Choose ... button next to the second field and browse to the CAB archive that was been created on your Desktop.
The CAB file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.

Please let me know when you have submitted the files.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#9 jmay

jmay
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:07 AM

Posted 23 September 2007 - 08:48 PM

The requested file has been submitted...thanks,Jerry

#10 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:05:07 PM

Posted 25 September 2007 - 04:13 PM

Thanks for submitting the files for me.
This entry can now be fixed with HijackThis:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =


Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!),which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\wwdasdwdac.exe
C:\Documents and Settings\JERRY\was0008.exe
C:\WINDOWS\system32\vtr.dll


Open 'file' in the killbox menu on top and choose Paste from clipboard
You must use the file menu--pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to reboot now, click "yes".
Click OK at any Pending File Rename Operations prompts, let me know if there appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

In your reply I'd like to see a new Combofix log, and I'd also like some information about how things seem to be running now.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#11 jmay

jmay
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:07 AM

Posted 25 September 2007 - 06:56 PM

I fixed the RO_HKCU with HiJackThis. I downloaded Killbox and copied the 3 files you listed and rebooted.Everything went fine.Everything seems to be running a lot better now. Should I leave all the items we have downloaded to the desktop there such as stinger,spybot,killbox,etc? I have satellite internet so it's not the fastest but is a lot faster than dial up.Webpages seem to take a little long in loading but I ran disk cleanup and defrag last night so that may have something to do went that. On start up it seems to take awhile for everything to load (3 to 5 minutes) and I was curious as to what all is on autorun at startup. I read a post on autorun and downloaded it but,good lord,I don't have a clue at what I was looking at.Here is a new combofix log. All your help has been and is greatly appreciated!!

ComboFix 07-09-21.2 - "JERRY" 2007-09-25 18:44:50.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.188 [GMT -5:00]
.

((((((((((((((((((((((((( Files Created from 2007-08-25 to 2007-09-25 )))))))))))))))))))))))))))))))
.

2007-09-25 18:13 <DIR> d-------- C:\!KillBox
2007-09-22 23:09 <DIR> d-------- C:\Program Files\Bonjour
2007-09-22 23:07 <DIR> d-------- C:\Program Files\QuickTime
2007-09-22 23:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-09-22 23:06 64,512 --a------ C:\WINDOWS\system32\PTPITCP.dll
2007-09-22 23:06 307,200 --a------ C:\WINDOWS\system32\KPDPM.dll
2007-09-22 23:06 229,376 --a------ C:\WINDOWS\system32\KPDPMUI.dll
2007-09-22 23:06 <DIR> d-------- C:\WINDOWS\system32\BWKDLogs
2007-09-22 23:04 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-09-22 23:04 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-09-22 23:04 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-09-22 23:04 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2007-09-22 23:04 <DIR> d-------- C:\Program Files\Common Files\Kodak
2007-09-22 23:03 <DIR> d-------- C:\WINDOWS\system32\color
2007-09-22 23:03 <DIR> d-------- C:\KPCMS
2007-09-22 23:01 <DIR> d-------- C:\Program Files\Kodak
2007-09-22 23:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak
2007-09-22 22:36 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-09 15:06 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-06 22:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-09-06 22:22 860,192 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-09-06 22:22 75,932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-09-06 22:22 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-09-06 22:22 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-09-06 22:22 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-09-06 22:20 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-09-04 23:02 13,880 --a------ C:\WINDOWS\system32\drivers\COMFiltr.sys
2007-09-04 23:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\sentinel
2007-09-04 22:58 83,640 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
2007-09-04 22:58 51,256 --a------ C:\WINDOWS\system32\drivers\dsaflt.sys
2007-09-04 22:58 37,304 --a------ C:\WINDOWS\system32\drivers\smsflt.sys
2007-09-04 22:58 30,648 --a------ C:\WINDOWS\system32\drivers\wnmflt.sys
2007-09-04 22:58 261 --a------ C:\WINDOWS\system32\PavCPL.dat
2007-09-04 22:58 235,080 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT
2007-09-04 22:58 191,672 --a------ C:\WINDOWS\system32\drivers\idsflt.sys
2007-09-04 22:57 71,736 --a------ C:\WINDOWS\system32\drivers\APPFLT.SYS
2007-09-04 22:57 22,072 --a------ C:\WINDOWS\system32\drivers\fnetmon.sys
2007-09-04 22:57 132,920 --a------ C:\WINDOWS\system32\drivers\NETFLTDI.SYS
2007-09-04 22:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Backup
2007-09-04 22:56 <DIR> d-------- C:\Program Files\Panda Security
2007-09-04 22:53 38,968 --a------ C:\WINDOWS\system32\drivers\ShlDrv51.sys
2007-09-04 22:53 178,872 --a------ C:\WINDOWS\system32\drivers\PavProc.sys
2007-09-04 22:46 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2007-09-04 21:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-29 20:33 <DIR> d-------- C:\Program Files\Enigma Software Group

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-25 18:20 1224 --a------ C:\WINDOWS\system32\drivers\APPFLTR.CFG.bck
2007-09-25 18:20 1224 --a------ C:\WINDOWS\system32\drivers\APPFLTR.CFG
2007-09-25 18:19 235080 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT.bck
2007-09-25 18:16 10940 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-09-22 23:57 3350 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-09-22 23:12 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-30 18:28 --------- d-------- C:\DOCUME~1\JERRY\APPLIC~1\RegSweep
2007-08-23 22:29 --------- d-------- C:\DOCUME~1\JERRY\APPLIC~1\AdwareAlert
2007-08-22 21:29 61440 --a------ C:\WINDOWS\system32\drivers\CDAVFS.sys
2007-07-31 02:25 142696 --a------ C:\WINDOWS\system32\MicrosoftUpdateCatalogWebControl.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-19 01:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-12 18:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-07-12 08:42 292144 --a------ C:\WINDOWS\system32\PavSHook.dll
2007-07-10 16:02 37027 --a------ C:\WINDOWS\atmoUn.exe
2007-06-27 09:34 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 09:34 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 09:34 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 09:34 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 09:34 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 09:34 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 09:34 44544 --------- C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 09:34 384512 --------- C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 09:34 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 09:34 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 09:34 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 09:34 232960 --------- C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 09:34 230400 --------- C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 09:34 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 09:34 153088 --------- C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 09:34 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 09:34 124928 --------- C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 09:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 09:34 105984 --------- C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 09:34 102400 --------- C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 03:27 63488 --------- C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 03:27 625152 --------- C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 03:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 02:00 161792 --------- C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 01:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
.

((((((((((((((((((((((((((((( snapshot_2007-09-22_224728.01 )))))))))))))))))))))))))))))))))))))))))
.
----a-r 22,486 2007-09-23 04:08:41 C:\WINDOWS\Installer\{929408E6-D265-4174-805F-81D1D914E2A4}\ARPPRODUCTICON.exe
----a-r 22,486 2007-09-23 04:08:41 C:\WINDOWS\Installer\{929408E6-D265-4174-805F-81D1D914E2A4}\PictureViewer_ico.exe
----a-r 22,486 2007-09-23 04:08:41 C:\WINDOWS\Installer\{929408E6-D265-4174-805F-81D1D914E2A4}\QuickTimePlayer_ico.exe
----a-r 22,486 2007-09-23 04:08:41 C:\WINDOWS\Installer\{929408E6-D265-4174-805F-81D1D914E2A4}\QuickTimeUninstaller_ico.exe
----a-r 65,536 2007-09-23 04:02:13 C:\WINDOWS\Installer\{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}\EasyShareDesktopShortcut.exe
----a-r 180,224 2007-09-23 04:02:13 C:\WINDOWS\Installer\{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}\EasyShareStartMenu.exe
----a-r 180,224 2007-09-23 04:02:13 C:\WINDOWS\Installer\{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}\EasyShareStartupShortcut.exe
----a-r 25,214 2007-09-23 04:06:09 C:\WINDOWS\Installer\{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}\Endissrv.exe
----a-r 10,342 2007-09-23 04:12:02 C:\WINDOWS\Installer\{E0A96F36-D546-4A2A-BDAA-2A2A578B2C0D}\ARPPRODUCTICON.exe
----a-r 45,056 2007-09-23 04:06:20 C:\WINDOWS\Installer\{FCDB1C92-03C6-4C76-8625-371224256091}\PdockShortcut4.exe
----a-r 135,168 2007-09-23 04:06:20 C:\WINDOWS\Installer\{FCDB1C92-03C6-4C76-8625-371224256091}\PdockShortcut5.exe
----a-w 61,440 2005-11-28 17:10:30 C:\WINDOWS\system32\dns-sd.exe
----a-w 53,248 2005-11-28 17:10:18 C:\WINDOWS\system32\dnssd.dll
----a-w 53,248 2005-11-28 17:10:28 C:\WINDOWS\system32\jdns_sd.dll
----a-w 19,456 2000-04-14 19:23:52 C:\WINDOWS\system32\kcm2sp.dll
----a-w 73,839 2000-09-08 22:53:50 C:\WINDOWS\system32\KodakOneTouch.dll
----a-w 197,632 2000-04-14 19:23:56 C:\WINDOWS\system32\kpcp32.dll
----a-w 37,376 2000-04-14 19:23:56 C:\WINDOWS\system32\kpsys32.dll
----a-w 63,016 2007-09-23 04:22:32 C:\WINDOWS\system32\perfc009.dat
----a-w 402,406 2007-09-23 04:22:32 C:\WINDOWS\system32\perfh009.dat
----a-w 86,016 2001-07-18 21:25:46 C:\WINDOWS\system32\PrintAPI.dll
----a-w 151,552 2006-02-06 15:38:22 C:\WINDOWS\system32\pxwma.dll
----a-w 133,120 2000-04-14 19:24:56 C:\WINDOWS\system32\sprof32.dll
----a-w 688,920 2006-03-29 20:54:06 C:\WINDOWS\system32\color\Pcdoidx.dat
.
----a-w 63,016 2007-09-23 03:30:29 C:\WINDOWS\system32\perfc009.dat
----a-w 402,406 2007-09-23 03:30:29 C:\WINDOWS\system32\perfh009.dat
------w 158,456 2006-09-14 22:13:44 C:\WINDOWS\system32\pxwma.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 20:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 04:48]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-12-07 11:39]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 02:02]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 20:20]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 20:20]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 12:06]
"APVXDWIN"="C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.exe" [2007-07-23 18:30]
"SCANINICIO"="C:\Program Files\Panda Security\Panda Internet Security 2008\Inicio.exe" [2007-07-11 15:17]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-22 23:08]
"RegSweep"="C:\Program Files\RegSweep\RegSweep.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"CyberDefender Early Detection Center"="C:\Program Files\CyberDefender\AntiSpyware\cdas1a2.exe" []

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-12-07 11:33:24]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-02 04:29:26]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 20:02 50736 C:\WINDOWS\system32\avldr.dll

R1 APPFLT;App Filter Plugin;\??\C:\WINDOWS\system32\Drivers\APPFLT.SYS
R1 DSAFLT;DSA Filter Plugin;\??\C:\WINDOWS\system32\Drivers\DSAFLT.SYS
R1 FNETMON;NetMon Filter Plugin;\??\C:\WINDOWS\system32\Drivers\fnetmon.SYS
R1 IDSFLT;Ids Filter Plugin;\??\C:\WINDOWS\system32\Drivers\IDSFLT.SYS
R1 NETFLTDI;Panda Net Driver [TDI Layer];\??\C:\WINDOWS\system32\Drivers\NETFLTDI.SYS
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys
R1 SMSFLT;SMS Filter Plugin;\??\C:\WINDOWS\system32\Drivers\SMSFLT.SYS
R1 WNMFLT;Wifi Monitor Filter Plugin;\??\C:\WINDOWS\system32\Drivers\WNMFLT.SYS
R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\Drivers\cpoint.sys
R2 PAVDRV;pavdrv;C:\WINDOWS\system32\DRIVERS\pavdrv51.sys
R2 PavProc;Panda Process Protection Driver;\??\C:\WINDOWS\system32\DRIVERS\PavProc.sys
R3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys
R3 ComFiltr;Panda Anti-Dialer;\??\C:\WINDOWS\system32\DRIVERS\COMFiltr.sys
R3 NETIMFLT;PANDA NDIS IM Filter Miniport;C:\WINDOWS\system32\DRIVERS\netimflt.sys
R3 PavSRK.sys;PavSRK.sys;\??\C:\WINDOWS\system32\PavSRK.sys
R3 PavTPK.sys;PavTPK.sys;\??\C:\WINDOWS\system32\PavTPK.sys
S2 AdwareAlertSrv;AdwareAlert Scanning Engine;"C:\Program Files\AdwareAlert\AdwareAlertSrv.srv.exe"
S3 UWProSys;Process monitor.;\??\C:\Program Files\CyberDefender\AntiSpyware\uwprosys.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-05 01:52:44 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.exe
"2007-09-25 23:16:03 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-09-25 02:51:13 C:\WINDOWS\Tasks\MP Scheduled Quick Scan.job"
- C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe
"2007-09-05 01:52:46 C:\WINDOWS\Tasks\RegSweep Scheduled Scan.job"
- C:\Program Files\RegSweep\RegSweep.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-25 18:51:21
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwClose, ZwEnumerateValueKey, ZwQueryValueKey, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-25 18:54:32
C:\ComboFix-quarantined-files.txt ... 2007-09-25 18:54
C:\ComboFix2.txt ... 2007-09-22 22:49
.
--- E O F ---

#12 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:05:07 PM

Posted 26 September 2007 - 03:18 PM

I think we've removed all of the malware now- great job! :thumbsup:
You can safely remove all of the programs I had you download; on a computer with no infections running them will have very little effect.

You might like to limit the programs that are loading when your computer starts; you might have unnecessary software loading when you boot your computer which is eating away at your CPU and ultimately slowing down your computer.
Many programs install a quick launch feature which is not needed; if you want to use the program you can start it up manually. The easiest way to see whether a program is needed at startup, you can use bleeping computer's own list, which gives an indication of whether the program is required/optional etc. Note that essential processes such as those for your anti-virus or your modem must be kept.
So, firstly click on Start | Run and type msconfig. Then hit enter.
Click on the 'startup' tab and a list of programs will appear.
You can compare the startup name with those on the startup list. The link is below:
www.bleepingcomputer.com/startups
To stop a program loading at boot, just remove the tick.
Click 'OK', and choose to restart.

Now that you're free from malware, please follow these simple steps to decrease the likelihood of getting re-infected again:

Set your system to not show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Do not show hidden files and folders".
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.
Either enable 'Automatic Updates' under Start | Control Panel | Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

In order to protect yourself against spyware, you should consider installing and running the following free programs:
Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.
Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.
SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.
Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please also read Tony Klein's excellent article: How I got Infected in the First Place.
Thanks and happy computing,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#13 jmay

jmay
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:07 AM

Posted 26 September 2007 - 10:14 PM

All your help is greatly appreciated :thumbsup:

#14 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:05:07 PM

Posted 27 September 2007 - 01:41 AM

You're very welcome.
Since this issue appears to be resolved, this topic is now closed.
If you need this topic reopened, please request this by sending me a Personal Message including a link to your thread.
This applies only to the original topic starter. Everyone else please begin a New Topic.

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users