Infected...task Manager Will Not Display


20 replies to this topic

#1 jvant

jvant

  • Members
  • 24 posts

Posted 12 September 2007 - 01:26 PM

Hi.
I can't believe this is happening again. Snowhite helped me earlier fix a similar problem that has come back. I can't believe it... My task manager does not display anymore; anytime I try to use it or system preferences it comes up with a Windows box which says I have some sort of spyware and I should download something... and periodically the same pop-up comes on my computer about every 15 minutes. If anyone can help it would be greatly appreciated.
Here is my HijackThis log.

Thank you again,
Jvant

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:21, on 2007-09-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\M-Audio\Conectiv\MAUSBCVInst.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\WinAvXX.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: M-Audio Conectiv Installer (MAudioConectivService) - Avid Technology, Inc. - C:\Program Files\M-Audio\Conectiv\MAUSBCVInst.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 4714 bytes


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 13 September 2007 - 06:42 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum jvant :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u2'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Now go to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right-click on HijackThis.exe and select 'Rename', then rename it to abc.bat.
Double-click on abc.bat (which is still HijackThis.exe) and post that log into your next reply please.

#3 jvant

jvant
  • Topic Starter

  • Members
  • 24 posts

Posted 13 September 2007 - 04:17 PM

O.K.
I downloaded the Java like you said. However, I cannot access my Control Panel. When I click on it, it says:
this operation has been cancelled due to restrictions in effect on this computer. please contact your system administrator.

So I could not do those steps, but I did do the ComboFix. Here are the files.

Thanks again.
jvant

"Jeff Van Zandt" - 2007-09-13 17:08:42 - ComboFix 07-07-10.1 - Service Pack 2


((((((((((((((((((((((((( Files Created from 2007-08-13 to 2007-09-13 )))))))))))))))))))))))))))))))


2007-09-12 14:21 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-12 13:45 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-12 13:45 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-12 13:45 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-12 13:41 528 --a------ C:\CFCleanUp.bat
2007-09-12 12:41 92,824 --a------ C:\WINDOWS\Vida Guerra Bikini and Lingerie Screensaver Uninstaller.exe
2007-09-11 11:20 7,680 --a------ C:\WINDOWS\system32\winavxx.exe
2007-09-11 11:20 7,680 --a------ C:\WINDOWS\system32\printer.exe
2007-09-11 11:20 39,424 --a------ C:\WINDOWS\system32\vtr.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-13 20:43:12 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2007-09-12 17:25:56 2,314 ----a-w C:\WINDOWS\system32\tmp.reg
2007-09-11 16:24:33 -------- d-----w C:\Program Files\Dl_cats
2007-09-11 16:23:40 56 --sh--r C:\WINDOWS\system32\59BCD1A970.sys
2007-09-11 16:23:40 5,434 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-07-30 23:19:42 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:19:36 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19:32 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19:28 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19:20 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19:16 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19:12 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:18:40 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-06-26 06:08:16 1,104,896 ----a-w C:\WINDOWS\system32\msxml3.dll
2007-06-19 13:31:19 282,112 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-06-17 04:11:58 51,200 ----a-w C:\WINDOWS\nircmd.exe
2007-06-13 10:23:07 1,033,216 ----a-w C:\WINDOWS\explorer.exe
2007-03-26 16:46:12 88 --sh--r C:\WINDOWS\system32\70A9D1BC59.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 15:35 C:\WINDOWS\stsystra.exe]
"ShowLOMControl"="1 (0x1)" []
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 12:56]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 21:29]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-05-17 21:08]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44]
"dlccmon.exe"="C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-10-21 11:40]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"WinAVX"="C:\WINDOWS\system32\WinAvXX.exe" [2007-09-11 11:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)


Contents of the 'Scheduled Tasks' folder
2007-03-03 18:51:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-13 17:11:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\cf_dummy]


Completion time: 2007-09-13 17:11:43
C:\ComboFix-quarantined-files.txt ... 2007-09-13 17:11
C:\ComboFix2.txt ... 2007-09-12 13:44
C:\ComboFix3.txt ... 2007-09-12 13:27

--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:13:45 PM, on 9/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\M-Audio\Conectiv\MAUSBCVInst.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\abc.bat

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: M-Audio Conectiv Installer (MAudioConectivService) - Avid Technology, Inc. - C:\Program Files\M-Audio\Conectiv\MAUSBCVInst.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 4788 bytes

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 14 September 2007 - 03:50 AM

You have vtr.dll present on your PC, which is a backdoor trojan.
A backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

They are typically installed without user interaction through security exploits, and may allow an attacker to remotely control the infected machine. Such risks may allow the attacker to install additional malware and use the compromised machine to participate in denial of service attacks, spamming, and bot nets, or to transmit sensitive data to a remote server. The malware may be cloaked and not visible to the user. These risks severely compromise the system by lowering security settings, installing 'backdoors,' infecting system files, or spreading to other networked machines.

If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately, including those used for email, eBay and forums.
You should consider them to be compromised.
They should be changed by using a different computer and not the infected one; otherwise an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Since your computer was compromised read:
How to report ID theft, fraud, drive-by installs, hijacking and malware:
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall:
http://www.dslreports.com/faq/10063

If you want us to go ahead and clean up your system then let me know what you want to do in your next reply.

Edited by RichieUK, 18 September 2007 - 03:59 AM.


#5 jvant

jvant
  • Topic Starter

  • Members
  • 24 posts

Posted 17 September 2007 - 09:01 PM

Oh my! That sounds horrible!!

I'm not sure what I should do. What should I delete or remove? If it can be fixed, let me know.

Thanks a million, this may have been bad if I had not caught it earlier (it still may be bad)

Jvant

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 18 September 2007 - 04:06 AM

Copy and paste ALL the following text in the quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\system32\winavxx.exe
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\vtr.dll

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinAVX"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=0 (0x0)
"NoWindowsUpdate"=0 (0x0)

Now drag and drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.

#7 jvant

jvant
  • Topic Starter

  • Members
  • 24 posts

Posted 19 September 2007 - 01:14 AM

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\vtr.dll
C:\WINDOWS\system32\winavxx.exe


((((((((((((((((((((((((( Files Created from 2007-08-19 to 2007-09-19 )))))))))))))))))))))))))))))))


2007-09-12 14:21 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-12 13:45 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-12 13:45 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-12 13:45 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-12 12:41 92,824 --a------ C:\WINDOWS\Vida Guerra Bikini and Lingerie Screensaver Uninstaller.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-19 03:00:21 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2007-09-19 01:01:06 56 --sh--r C:\WINDOWS\system32\59BCD1A970.sys
2007-09-19 01:01:06 5,538 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-09-12 17:25:56 2,314 ----a-w C:\WINDOWS\system32\tmp.reg
2007-09-11 16:24:33 -------- d-----w C:\Program Files\Dl_cats
2007-07-30 23:19:42 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:19:36 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19:32 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19:28 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19:20 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19:16 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19:12 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:18:40 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-06-26 06:08:16 1,104,896 ----a-w C:\WINDOWS\system32\msxml3.dll
2007-06-19 13:31:19 282,112 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-26 16:46:12 88 --sh--r C:\WINDOWS\system32\70A9D1BC59.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 15:35 C:\WINDOWS\stsystra.exe]
"ShowLOMControl"="1 (0x1)" []
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 12:56]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 21:29]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-05-17 21:08]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44]
"dlccmon.exe"="C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-10-21 11:40]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)


Contents of the 'Scheduled Tasks' folder
2007-03-03 18:51:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-19 02:10:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-19 2:11:29
C:\ComboFix-quarantined-files.txt ... 2007-09-19 02:11
C:\ComboFix2.txt ... 2007-09-13 17:11
C:\ComboFix3.txt ... 2007-09-12 13:44

--- E O F ---

#8 jvant

jvant
  • Topic Starter

  • Members
  • 24 posts

Posted 19 September 2007 - 01:15 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:15:01 AM, on 9/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\M-Audio\Conectiv\MAUSBCVInst.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: M-Audio Conectiv Installer (MAudioConectivService) - Avid Technology, Inc. - C:\Program Files\M-Audio\Conectiv\MAUSBCVInst.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 4569 bytes

#9 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 19 September 2007 - 06:03 AM

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan, download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed, do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware; don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

Exit Hijackthis.

Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient, it takes a while for the scan to finish.

1.) Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.

2.) Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you've done.
Reboot normally.

Post the AVG Anti Spyware report and a new Hijackthis log into your next reply.
Let me know how your pc is running now please.

#10 jvant

jvant
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:07:11 AM

Posted 20 September 2007 - 12:22 AM

-------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:14:18 AM 9/20/2007

+ Scan result:



C:\QooBox\Quarantine\C\WINDOWS\system32\jckuvuqg.dll.ren.vir -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP113\A0023308.exe -> Adware.Relevant : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\cbxvwuv.dll.ren.vir -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinAdmin.exe.vir -> Downloader.PurityScan.eg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP103\A0020744.exe -> Downloader.PurityScan.eg : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\msdn_lib.dll.vir -> Downloader.VB.apq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP103\A0020748.dll -> Downloader.VB.apq : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\wmvds32.dll.vir -> Downloader.VB.asx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP103\A0020747.dll -> Downloader.VB.asx : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\Documents and Settings\Jeff Van Zandt\anti.exe.vir -> Downloader.VB.axs : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP112\A0023239.exe -> Downloader.VB.axs : Cleaned with backup (quarantined).
C:\Documents and Settings\Jeff Van Zandt\Desktop\SDFix\backups\backups.zip/backups/xloadnet.exe -> Downloader.VB.wz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP102\A0020468.exe -> Downloader.VB.wz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP102\A0020480.exe -> Downloader.VB.wz : Cleaned with backup (quarantined).
C:\WINDOWS\system32\Vida Guerra Bikini and Lingerie.scr -> Dropper.Agent.aoj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\systems.txt -> Not-A-Virus.Hoax.Win32.Renos.jh : Cleaned with backup (quarantined).
:mozilla.107:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.115:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.116:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.60:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.61:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.62:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.281:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Adengage : Cleaned.
C:\Documents and Settings\Jeff Van Zandt\Cookies\jeff van zandt@adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Jeff Van Zandt\Cookies\jeff van zandt@media.adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.94:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.95:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.96:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.97:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.98:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Jeff Van Zandt\Cookies\jeff van zandt@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.19:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Jeff Van Zandt\Cookies\jeff van zandt@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.114:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Jeff Van Zandt\Cookies\jeff van zandt@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
:mozilla.351:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.354:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.355:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.31:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.59:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.70:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.64:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.65:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.66:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.67:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.68:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.69:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.286:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.287:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.267:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.268:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.349:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.275:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Masterstats : Cleaned.
:mozilla.191:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Jeff Van Zandt\Cookies\jeff van zandt@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Jeff Van Zandt\Cookies\jeff van zandt@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.137:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.185:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Jeff Van Zandt\Cookies\jeff van zandt@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.336:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned.
:mozilla.337:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned.
:mozilla.141:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.142:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.214:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.215:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Jeff Van Zandt\Cookies\jeff van zandt@realmedia[2].txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.190:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.192:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.193:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.194:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.195:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.392:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.393:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.394:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.395:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.396:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.397:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.122:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Jeff Van Zandt\Cookies\jeff van zandt@counter3.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Jeff Van Zandt\Cookies\jeff van zandt@sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
:mozilla.129:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.132:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.108:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.109:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.110:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.111:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.112:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.113:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.117:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.63:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Jeff Van Zandt\Cookies\jeff van zandt@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.36:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.38:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.39:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.40:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.41:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.49:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.50:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.51:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.52:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.53:C:\Documents and Settings\Jeff Van Zandt\Application Data\Mozilla\Firefox\Profiles\9dobxit5.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\Deckard\System Scanner\main.txt -> Trojan.Disabler.c : Cleaned with backup (quarantined).
C:\WINDOWS\system32\msorcl32.exe -> Trojan.Renos.nbf : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\sysrlb32.exe.vir -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP112\A0023238.exe -> Trojan.Small : Cleaned with backup (quarantined).


::Report end

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\M-Audio\Conectiv\MAUSBCVInst.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\printer.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: M-Audio Conectiv Installer (MAudioConectivService) - Avid Technology, Inc. - C:\Program Files\M-Audio\Conectiv\MAUSBCVInst.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5157 bytes

O.k. upon restart my computer seems ok. I'm not positive though. A pop up for my anti-virus software came up and said that printer.exe is trying to change my network settings. I still cannot get into my control panel and the same spyware pop up is coming up every few minutes.

Thanks again,
jvant

#11 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:12:11 PM

Posted 20 September 2007 - 06:14 AM

Make sure all hidden files are showing:
* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE
Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware, don't run it just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Find and delete if present:
C:\WINDOWS\system32\printer.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\system.exe
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\autorun.exe
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\system.exe

Still in Safe Mode, have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Exit Hijackthis.

Still in Safe Mode start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer, when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.

Also post a new Hijackthis log.
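The entries RichieUK has HijackThis fix in the post above fall into three classes that recur in fake-antivirus infections like this one: an F2 system.ini Shell= line that chains a second executable after Explorer.exe (printer.exe here), O7 policy values that lock the user out of regedit, and O4 Run/Startup entries launching generic or known-bad names (system.exe, autorun.exe, WinAvXX.exe). The following Python script is an added example, not code from the thread, from HijackThis or from BleepingComputer: it parses HijackThis log lines and flags exactly those classes so a helper can triage a pasted log quickly. The sample lines are copied from the logs posted in this thread plus one benign line; the SUSPICIOUS_EXES watch list, the function names and the inclusion of DisableTaskMgr (the standard companion policy value to DisableRegedit) are this example's own assumptions.

```python
"""
HijackThis log triage (added example; not from the thread or from HijackThis).

Flags three entry classes the helper asked the poster to fix:
  F2  system.ini Shell= lines that chain a second executable after Explorer.exe
  O7  Policies\System values that disable regedit or Task Manager
  O4  Run / Startup entries whose executable name is on a watch list
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Executable names flagged in the thread; the watch list itself is this example's assumption.
SUSPICIOUS_EXES = {"system.exe", "autorun.exe", "winavxx.exe", "printer.exe"}

# Policy values that lock the user out of admin tools. DisableRegedit appears in the
# thread's logs; DisableTaskMgr is the standard companion value for Task Manager.
LOCKOUT_POLICIES = {"DisableRegedit", "DisableTaskMgr"}

RE_O4 = re.compile(
    r"^O4 - (?P<where>HKLM\\\.\.\\Run|HKCU\\\.\.\\Run|Startup|Global Startup): "
    r"(?:\[(?P<name>[^\]]*)\]\s*)?(?P<target>.*)$"
)
RE_O7 = re.compile(r"^O7 - (?P<key>HK(?:LM|CU)\\[^,]+), (?P<value>\w+)=(?P<data>\S+)$")
RE_F2 = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.*)$")
# First ".exe" file name in a target, ignoring quotes, directories and arguments.
RE_EXE = re.compile(r'([^\\"]+\.exe)\b', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def exe_basename(target: str) -> str | None:
    """Return the lower-cased file name of the first .exe in a Run/Startup target."""
    m = RE_EXE.search(target)
    return m.group(1).lower() if m else None


def check_line(line: str) -> Finding | None:
    """Apply the three checks to one HijackThis log line; None means nothing flagged."""
    line = line.strip()
    if m := RE_F2.match(line):
        parts = m.group("shell").split()
        # A healthy XP system.ini shell is exactly "Explorer.exe" and nothing else.
        if len(parts) != 1 or parts[0].lower() != "explorer.exe":
            return Finding(line, "system.ini Shell= chains an extra executable after Explorer.exe")
    elif m := RE_O7.match(line):
        if m.group("value") in LOCKOUT_POLICIES and m.group("data") == "1":
            return Finding(line, f"policy {m.group('value')}=1 blocks an administrative tool")
    elif m := RE_O4.match(line):
        exe = exe_basename(m.group("target"))
        if exe in SUSPICIOUS_EXES:
            return Finding(line, f"{m.group('where')} launches watch-listed {exe}")
    return None


def triage(log_text: str) -> list[Finding]:
    """Run check_line over every line of a pasted HijackThis log."""
    return [f for f in map(check_line, log_text.splitlines()) if f]


# Constructed sample: lines taken from the logs in this thread plus one benign O23 line.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
"""

if __name__ == "__main__":
    # SAMPLE_LOG yields 7 findings: the F2 line, two WinAVX Run keys,
    # system.exe, autorun.exe and the two DisableRegedit policies.
    for finding in triage(SAMPLE_LOG):
        print(f"[FLAG] {finding.reason}\n       {finding.line}")
```

The checks deliberately key on structure rather than on a signature list: any second token after Explorer.exe in the Shell= line is flagged whatever it is called, and any Run or Startup entry resolving to a watch-listed name is flagged regardless of the display name in brackets, which is how the "WinAVX" entries are caught even though the key name looks like an antivirus product.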

#12 jvant

jvant
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:07:11 AM

Posted 21 September 2007 - 06:58 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/21/2007 at 07:33 PM

Application Version : 3.9.1008

Core Rules Database Version : 3310
Trace Rules Database Version: 1314

Scan type : Complete Scan
Total Scan Time : 00:49:04

Memory items scanned : 170
Memory threats detected : 0
Registry items scanned : 4368
Registry threats detected : 0
File items scanned : 26890
File threats detected : 25

Adware.Tracking Cookie
C:\Documents and Settings\Jeff Van Zandt\Cookies\jeff van zandt@advertising[2].txt
C:\Documents and Settings\Jeff Van Zandt\Cookies\jeff van zandt@atdmt[2].txt
C:\Documents and Settings\Jeff Van Zandt\Cookies\jeff van zandt@adrevolver[1].txt
C:\Documents and Settings\Jeff Van Zandt\Cookies\jeff van zandt@statse.webtrendslive[2].txt
C:\Documents and Settings\Jeff Van Zandt\Cookies\jeff van zandt@mediaplex[1].txt
C:\Documents and Settings\Jeff Van Zandt\Cookies\jeff van zandt@realmedia[1].txt
C:\Documents and Settings\Jeff Van Zandt\Cookies\jeff van zandt@sextracker[1].txt
C:\Documents and Settings\Jeff Van Zandt\Cookies\jeff van zandt@cgi-bin[2].txt
C:\Documents and Settings\Jeff Van Zandt\Cookies\jeff van zandt@ads.us.e-planning[1].txt
C:\Documents and Settings\Jeff Van Zandt\Cookies\jeff van zandt@zedo[2].txt
C:\Documents and Settings\Jeff Van Zandt\Cookies\jeff van zandt@counter3.sextracker[1].txt
C:\Documents and Settings\Jeff Van Zandt\Cookies\jeff van zandt@adrevolver[2].txt
C:\Documents and Settings\Jeff Van Zandt\Cookies\jeff van zandt@bluestreak[1].txt
C:\Documents and Settings\Jeff Van Zandt\Cookies\jeff van zandt@media.adrevolver[2].txt
C:\Documents and Settings\Jeff Van Zandt\Cookies\jeff van zandt@tribalfusion[1].txt
C:\Documents and Settings\Jeff Van Zandt\Cookies\jeff van zandt@youporn[1].txt

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\HWFUTCZK.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\OS1ZN2MO7Z.EXE.VIR

Adware.ClickSpring/Yazzle
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1281OINUNINSTALLER.EXE.VIR

Trojan.Downloader-Gen/HardFall
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\JKHHF.DLL.REN.VIR

Trojan.Downloader-Gen/NoMultiTask
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\VTR.DLL.VIR

Trojan.Downloader-Gen/LIB
C:\VUNDOFIX BACKUPS\HIRDVMSV.DLL.BAD

Trojan.Net-AVP/AVT
C:\WINDOWS\SYSTEM32\PRINTER.EXE
C:\WINDOWS\SYSTEM32\WINAVXX.EXE
C:\WINDOWS\Prefetch\WINAVXX.EXE-1A70062A.pf

#13 jvant

jvant
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:07:11 AM

Posted 21 September 2007 - 06:59 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:58:27 PM, on 9/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\M-Audio\Conectiv\MAUSBCVInst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: M-Audio Conectiv Installer (MAudioConectivService) - Avid Technology, Inc. - C:\Program Files\M-Audio\Conectiv\MAUSBCVInst.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 4850 bytes

I wasn't sure how to delete the first list of files you said, so I'm not sure if I got them or not.

Thanks again

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:12:11 PM

Posted 22 September 2007 - 03:14 AM

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Click on the 'Cleanup' button.
When the 'Confirm' box appears click 'Yes'.
Restart your pc when prompted.

Double click on Combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Also post a new Hijackthis log please.
Let me know how your pc is running now.

#15 jvant

jvant
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:07:11 AM

Posted 26 September 2007 - 11:29 AM

((((((((((((((((((((((((( Files Created from 2007-08-26 to 2007-09-26 )))))))))))))))))))))))))))))))


2007-09-26 12:23 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-21 18:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-21 18:29 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-21 18:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-21 18:29 <DIR> d-------- C:\DOCUME~1\JEFFVA~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-19 23:46 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-12 14:21 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-12 13:45 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-12 13:45 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-12 13:45 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe



(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-25 13:11:19 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2007-09-25 00:21:16 56 --sh--r C:\WINDOWS\system32\59BCD1A970.sys
2007-09-25 00:21:16 5,434 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-09-12 17:25:56 2,314 ----a-w C:\WINDOWS\system32\tmp.reg
2007-09-11 16:24:33 -------- d-----w C:\Program Files\Dl_cats
2007-07-30 23:19:42 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:19:36 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19:32 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19:28 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19:20 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19:16 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19:12 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:18:40 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-06-26 06:08:16 1,104,896 ----a-w C:\WINDOWS\system32\msxml3.dll
2007-03-26 16:46:12 88 --sh--r C:\WINDOWS\system32\70A9D1BC59.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 15:35 C:\WINDOWS\stsystra.exe]
"ShowLOMControl"="1 (0x1)" []
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 12:56]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 21:29]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-05-17 21:08]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44]
"dlccmon.exe"="C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-10-21 11:40]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


Contents of the 'Scheduled Tasks' folder
2007-03-03 18:51:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-26 12:26:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\poof]


Completion time: 2007-09-26 12:27:06
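The "Reg Loading Points" section of the ComboFix log above is where the locked-out Control Panel shows up: NoControlPanel is set to 1 under both HKLM and HKCU, and HKCU also has NoWindowsUpdate. The following Python script is an added example for this thread, not a BleepingComputer or ComboFix tool: it pulls that section out of a ComboFix log, flags enabled lockout policies, and prints the reg.exe commands that would clear them. The embedded log excerpt is trimmed from the post above, and the list of policy names treated as suspicious is this example's own assumption (on a domain-managed PC some of them may be set on purpose).

```python
"""Triage helper for ComboFix logs: find Explorer/System lockout policies.

Added example for this thread; it is not a BleepingComputer or ComboFix tool.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the "Reg Loading Points" section from the ComboFix
# log posted above, trimmed to the entries this example needs.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48]
"ShowLOMControl"="1 (0x1)" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)

Contents of the 'Scheduled Tasks' folder
2007-03-03 18:51:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')

# Documented Windows Explorer/System policy names that lock users out of
# troubleshooting tools. Treating every enabled one as suspicious is this
# example's assumption; on a managed domain PC some may be set legitimately.
RESTRICTIVE_POLICIES = {
    "policies\\explorer": {"NoControlPanel", "NoWindowsUpdate", "NoRun",
                           "NoFolderOptions", "NoDesktop"},
    "policies\\system": {"DisableTaskMgr", "DisableRegistryTools"},
}


def parse_loading_points(text: str) -> Dict[str, Dict[str, str]]:
    """Return {registry key: {value name: raw value}} from the Reg Loading Points section."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if "Reg Loading Points" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            break  # ComboFix prints scheduled tasks right after the registry section
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group("key")
            entries.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            entries[current][value_match.group("name")] = value_match.group("value").strip()
    return entries


def policy_is_enabled(raw_value: str) -> bool:
    """True when a ComboFix-rendered DWORD such as '1 (0x1)' is non-zero."""
    match = re.match(r"^\s*(\d+)", raw_value)
    return bool(match) and int(match.group(1)) != 0


def find_restrictive_policies(entries: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return sorted (key, value name) pairs for enabled lockout policies in HKLM or HKCU."""
    hits: List[Tuple[str, str]] = []
    for key, values in entries.items():
        for suffix, names in RESTRICTIVE_POLICIES.items():
            if key.lower().endswith(suffix):
                hits.extend((key, name) for name in names
                            if name in values and policy_is_enabled(values[name]))
    return sorted(hits)


def remediation_commands(hits: List[Tuple[str, str]]) -> List[str]:
    """reg.exe commands that delete each flagged value (run from an admin cmd prompt)."""
    return [f'reg delete "{key}" /v {name} /f' for key, name in hits]


if __name__ == "__main__":
    found = find_restrictive_policies(parse_loading_points(SAMPLE_LOG))
    for key, name in found:
        print(f"{name} enabled under {key}")
    print("\n".join(remediation_commands(found)))
```

Run against the excerpt it reports NoControlPanel and NoWindowsUpdate under HKCU and NoControlPanel under HKLM, which matches the Control Panel symptom in the first post. The printed reg delete lines are only a starting point: deleting the values restores the tools, but the infection that set them still has to be removed, which is why the helper asked for the full ComboFix and HijackThis logs rather than just the policy keys.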



