Search-daily Problem


17 replies to this topic

#1 attemi

Posted 12 September 2007 - 04:40 PM

Link to my misplaced topic:
http://www.bleepingcomputer.com/forums/t/108012/search-daily-removalwinlogon-notify/

I followed all of the steps except my browser would not open the link to bitdefender. I ran all of the other scanners in normal mode.

And the new hjt file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:22:05 PM, on 9/12/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: (no name) - {3C1BE9DE-6FC5-4D9C-917C-FBA2EBCC875B} - c:\winnt\system32\xbcbyiua.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8F5BD038-F9AB-4232-9F10-AE0FBAC5C2E6} - c:\winnt\system32\pgklpgk.dll
O2 - BHO: (no name) - {FAA1BC53-FE27-4104-AB36-EA4B52E72F84} - c:\winnt\system32\nqjsgmve.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: pldsgfkh - C:\WINNT\SYSTEM32\pgklpgk.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINNT\System32\HPHipm09.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 3472 bytes


#2 RichieUK

Posted 12 September 2007 - 06:15 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum attemi :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

It appears you've no virus protection installed.
Download/install one of the following freeware options from the choice below.
Once installed update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Avira AntiVir Personal Edition Classic
http://www.free-av.com/

Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new Hijackthis log please.

#3 attemi

Posted 13 September 2007 - 09:15 AM

combofix file

ComboFix 07-09-13.3 - "Chris" 2007-09-13 9:38:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.686 [GMT -4:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\144.exe
C:\WINNT\system32\driver
C:\WINNT\System32\drivers\rbcfkpmw.sys
C:\WINNT\system32\pgklpgk.dll
C:\WINNT\system32\pgklpgk.dll.bak
E:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_IMJLZHVV
-------\LEGACY_WCAJRTML
-------\imjlzhvv
-------\wcajrtml


((((((((((((((((((((((((( Files Created from 2007-08-13 to 2007-09-13 )))))))))))))))))))))))))))))))
.

2007-09-13 09:37 51,200 --a------ C:\WINNT\NirCmd.exe
2007-09-12 17:11 75,932 --a------ C:\WINNT\SYSTEM32\DRIVERS\klick.dat
2007-09-12 17:11 75,248 --a------ C:\WINNT\zllsputility.exe
2007-09-12 17:11 74,396 --a------ C:\WINNT\SYSTEM32\DRIVERS\klin.dat
2007-09-12 17:11 12,320 --ahs---- C:\WINNT\SYSTEM32\DRIVERS\fidbox.dat
2007-09-12 17:11 11,264 --a------ C:\WINNT\SYSTEM32\SpOrder.dll
2007-09-12 17:11 1,824 --ahs---- C:\WINNT\SYSTEM32\DRIVERS\fidbox2.dat
2007-09-12 17:11 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-09-12 16:26 <DIR> d-------- C:\WINNT\BDOSCAN8
2007-09-12 14:51 <DIR> d-------- C:\WINNT\SYSTEM32\ActiveScan
2007-09-12 13:20 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-11 19:56 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-11 19:45 <DIR> d----c--- C:\Program Files\kill2me
2007-09-11 19:19 <DIR> d----c--- C:\Program Files\STOPzilla!
2007-09-11 19:19 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2007-09-11 19:19 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-09-11 07:30 1,152 --a------ C:\WINNT\SYSTEM32\windrv.sys
2007-09-11 07:30 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-09-09 22:32 10,872 --a------ C:\WINNT\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-09-09 22:08 <DIR> d----c--- C:\!KillBox
2007-09-09 21:18 <DIR> d----c--- C:\Program Files\Eusing Free Registry Cleaner
2007-09-07 14:03 9,600 --a--c--- C:\WINNT\SYSTEM32\DLLCACHE\hidusb.sys
2007-09-07 14:03 9,600 --a------ C:\WINNT\SYSTEM32\DRIVERS\hidusb.sys
2007-09-07 14:03 19,456 --a--c--- C:\WINNT\SYSTEM32\DLLCACHE\hidserv.dll
2007-09-07 14:03 19,456 --a------ C:\WINNT\SYSTEM32\hidserv.dll
2007-09-07 14:03 12,160 --a--c--- C:\WINNT\SYSTEM32\DLLCACHE\mouhid.sys
2007-09-07 14:03 12,160 --a------ C:\WINNT\SYSTEM32\DRIVERS\mouhid.sys
2007-09-07 13:55 50,944 --a--c--- C:\WINNT\SYSTEM32\DLLCACHE\i8042prt.sys
2007-09-07 13:55 50,944 --a------ C:\WINNT\SYSTEM32\DRIVERS\i8042prt.sys
2007-09-07 13:55 22,016 --a--c--- C:\WINNT\SYSTEM32\DLLCACHE\mouclass.sys
2007-09-07 13:55 22,016 --a------ C:\WINNT\SYSTEM32\DRIVERS\mouclass.sys
2007-09-07 13:55 <DIR> d----c--- C:\Program Files\Microsoft IntelliPoint
2007-09-04 18:38 103,239 --a------ C:\WINNT\SYSTEM32\xbcbyiua.dll
2007-08-17 01:31 48,128 --a------ C:\WINNT\SYSTEM32\gonwrqok.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-12 19:04 67584 --a------ C:\WINNT\SYSTEM32\nqjsgmve.dll
2007-09-12 19:03 756736 --a------ C:\WINNT\SYSTEM32\vhubppgf.dll
2007-09-12 19:03 46592 --a------ C:\WINNT\SYSTEM32\lbsyswul.dll
2007-09-12 19:03 123392 --a------ C:\WINNT\SYSTEM32\pkmlrbqd.dll
2007-09-12 19:03 103424 --a------ C:\WINNT\SYSTEM32\njejzlht.dll
2007-09-12 17:14 1220 --ahs---- C:\WINNT\system32\drivers\fidbox2.idx
2007-09-12 17:14 1220 --ahs---- C:\WINNT\system32\drivers\fidbox.idx
2007-09-12 13:20 --------- d-------- C:\Program Files\Lavasoft
2007-09-12 13:19 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-10 08:31 --------- d----c--- C:\Program Files\Trend Micro
2007-09-04 17:11 --------- d----c--- C:\Program Files\GameSpy Arcade
2007-08-07 13:58 8320 --a------ C:\WINNT\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINNT\system32\drivers\NSDriver.sys
2007-08-02 11:22 --------- d----c--- C:\Program Files\World of Warcraft
2007-07-25 08:32 --------- d----c--- C:\DOCUME~1\Chris\APPLIC~1\Ventrilo
2007-07-25 08:19 --------- d----c--- C:\Program Files\VentSrv
2007-07-25 08:19 --------- d----c--- C:\Program Files\Ventrilo
2007-07-07 19:21 684567 --a------ C:\WINNT\SYSTEM32\libeay32.dll
2007-07-07 19:21 147729 --a------ C:\WINNT\SYSTEM32\libssl32.dll
2007-06-21 21:54 1086952 --a------ C:\WINNT\SYSTEM32\zpeng24.dll
2003-05-10 23:16 707 --a--c--- C:\Program Files\INSTALL.LOG
2001-06-25 18:46 271 ---hsc--- C:\Program Files\DESKTOP.INI
2001-06-25 18:46 21952 --ah-c--- C:\Program Files\FOLDER.HTT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3C1BE9DE-6FC5-4D9C-917C-FBA2EBCC875B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8F5BD038-F9AB-4232-9F10-AE0FBAC5C2E6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FAA1BC53-FE27-4104-AB36-EA4B52E72F84}]
2007-09-12 19:04 67584 --a------ c:\winnt\system32\nqjsgmve.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 21:09]
"NvCplDaemon"="C:\WINNT\System32\NvCpl.dll" [2004-10-29 11:50]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon03]
C:\WINNT\System32\hphmon03.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperFreeEdition]
"C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

R1 bpfinder;BACKPACK Finder;C:\WINNT\System32\DRIVERS\bpfinder.sys
R1 ClntMgmt.sys;ClntMgmt;C:\WINNT\System32\Drivers\ClntMgmt.sys
R3 bpflt;BACKPACK Filter;C:\WINNT\System32\DRIVERS\bpflt.sys
R3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINNT\System32\DRIVERS\point32.sys
S0 NVDual;NVDual;C:\WINNT\System32\DRIVERS\nvDual.sys
S0 szkg;szkg;C:\WINNT\System32\DRIVERS\szkg.sys
S2 NMSSvc;Intel® NMS;C:\WINNT\System32\NMSSvc.exe
S3 bppccard;BACKPACK PC Card;C:\WINNT\System32\DRIVERS\bppccard.sys
S3 bppnpdrv;BACKPACK Driver;C:\WINNT\System32\DRIVERS\bppnpdrv.sys
S3 bpusbdrv;BACKPACK USB 1 Cable;C:\WINNT\System32\DRIVERS\bpusbdrv.sys
S3 bpusbflt;BACKPACK USB Filter;C:\WINNT\System32\DRIVERS\bpusbflt.sys
S3 Dot4 HPH09;Dot4 HPH09;C:\WINNT\System32\DRIVERS\hphid409.sys
S3 Dot4Print HPH09;Print Class Driver for IEEE-1284.4 HPH09;C:\WINNT\System32\DRIVERS\hphipr09.sys
S3 Dot4Storage HPH09;Storage Class Driver for IEEE-1284.4 (HPH09);C:\WINNT\System32\Drivers\hphs2k09.sys
S3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINNT\System32\drivers\hphius09.sys
S3 FBIKB_NT;FBIKB_NT;\??\C:\WINNT\System32\Drivers\FBIKB_NT.Sys
S3 usbprint;Microsoft USB PRINTER Class;C:\WINNT\System32\DRIVERS\usbprint.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-12 07:30:00 C:\WINNT\Tasks\RegistrySmart Scheduled Scan.job"
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-13 10:00:34
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-13 10:02:21 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-13 10:01
.
--- E O F ---

#4 attemi

Posted 13 September 2007 - 09:17 AM

hjt file

Scan saved at 10:05:55 AM, on 9/13/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FAA1BC53-FE27-4104-AB36-EA4B52E72F84} - c:\winnt\system32\nqjsgmve.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINNT\System32\HPHipm09.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 3143 bytes

#5 RichieUK

Posted 13 September 2007 - 09:29 AM

Please disable Spybot S&D's protection, or it will interfere.
You can enable it after you're clean.
Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
Reboot the computer.

If you find you're experiencing problems disabling Spybot's Tea-Timer, follow the info in the link below:
http://www.russelltexas.com/malware/teatimer.htm


Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
C:\WINNT\SYSTEM32\xbcbyiua.dll
C:\WINNT\SYSTEM32\gonwrqok.dll
C:\WINNT\SYSTEM32\nqjsgmve.dll
C:\WINNT\SYSTEM32\vhubppgf.dll
C:\WINNT\SYSTEM32\lbsyswul.dll
C:\WINNT\SYSTEM32\pkmlrbqd.dll
C:\WINNT\SYSTEM32\njejzlht.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3C1BE9DE-6FC5-4D9C-917C-FBA2EBCC875B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8F5BD038-F9AB-4232-9F10-AE0FBAC5C2E6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FAA1BC53-FE27-4104-AB36-EA4B52E72F84}]

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.


This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
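The triage RichieUK performed above (unnamed BHOs pointing at random-named DLLs in system32, cross-checked against the O20 Winlogon Notify entry, then turned into a CFScript) as an added Python example; this is not code from the thread or from HijackThis/ComboFix, the sample log lines are constructed from the entries posted here, and the CFScript layout is the one in post #5.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in HijackThis v2 log format. The CLSIDs, DLL names and the
# O20 entry are the ones that appear in the log attemi posted in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {3C1BE9DE-6FC5-4D9C-917C-FBA2EBCC875B} - c:\winnt\system32\xbcbyiua.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8F5BD038-F9AB-4232-9F10-AE0FBAC5C2E6} - c:\winnt\system32\pgklpgk.dll
O2 - BHO: (no name) - {FAA1BC53-FE27-4104-AB36-EA4B52E72F84} - c:\winnt\system32\nqjsgmve.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O20 - Winlogon Notify: pldsgfkh - C:\WINNT\SYSTEM32\pgklpgk.dll
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<subkey>\S+) - (?P<path>.+)$")


def looks_random(stem: str) -> bool:
    """Rough heuristic for the generated names seen in this infection (pgklpgk,
    pldsgfkh, ...): letters only, and either almost no vowels or a run of four or
    more consonants. It is a triage aid; an analyst still confirms each hit."""
    if not stem.isalpha() or not 6 <= len(stem) <= 10:
        return False
    s = stem.lower()
    vowel_ratio = sum(c in "aeiou" for c in s) / len(s)
    return vowel_ratio < 0.2 or re.search(r"[^aeiou]{4}", s) is not None


def basename(path: str) -> str:
    """Case-folded file name of a Windows path, so entries can be compared."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> Tuple[Dict[str, str], List[str]]:
    """Flag suspicious O2 and O20 entries.

    A BHO is flagged when HijackThis shows '(no name)' (no friendly name is
    registered for the CLSID) and its DLL lives in system32. A Winlogon Notify
    entry is flagged when its DLL is one of the flagged BHO DLLs or its subkey
    name looks generated. Returns ({clsid: dll_path}, [notify_dll_path, ...])."""
    bad_bhos: Dict[str, str] = {}
    notify_entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            if m["name"] == "(no name)" and "\\system32\\" in m["path"].lower():
                bad_bhos[m["clsid"].upper()] = m["path"]
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notify_entries.append(m)
    flagged = {basename(p) for p in bad_bhos.values()}
    notify_hits = [m["path"] for m in notify_entries
                   if basename(m["path"]) in flagged or looks_random(m["subkey"])]
    return bad_bhos, notify_hits


def build_cfscript(bad_bhos: Dict[str, str], notify_hits: List[str]) -> str:
    """Emit a CFScript in the layout used in post #5: a File:: block listing the
    DLLs to remove and a Registry:: block whose [-key] lines delete the BHO
    registration keys (the '~' abbreviation is the one ComboFix itself prints)."""
    files: List[str] = []
    seen = set()
    for p in list(bad_bhos.values()) + notify_hits:
        if basename(p) not in seen:       # the Notify DLL may also be a BHO DLL
            seen.add(basename(p))
            files.append(p)
    lines = ["File::", *files, "", "Registry::"]
    for clsid in bad_bhos:
        lines.append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{{{clsid}}}]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    bhos, notify = triage(SAMPLE_HJT_LOG)
    print(build_cfscript(bhos, notify))
```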

#6 attemi

Posted 13 September 2007 - 09:42 AM

Tried a couple brief google searches that previously were hijacked and I was not redirected. I will wait on your interpretation of the logs, though, before I discontinue my fix. On an aside, I already had AVG installed as it was the first thing I tried. I had previous success with ewido, but this time it didn't do the trick right away. Thank you for your help. Any suggestions on how to avoid problems in the future also welcome.

#7 attemi

Posted 13 September 2007 - 09:43 AM

Oops, I was posting while you were posting. I'll do that right away.

#8 attemi

Posted 13 September 2007 - 10:14 AM

Combofix log file:

ComboFix 07-09-13.3 - "Chris" 2007-09-13 10:53:21.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.732 [GMT -4:00]
Command switches used :: C:\Documents and Settings\Chris\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINNT\SYSTEM32\xbcbyiua.dll
C:\WINNT\SYSTEM32\gonwrqok.dll
C:\WINNT\SYSTEM32\nqjsgmve.dll
C:\WINNT\SYSTEM32\vhubppgf.dll
C:\WINNT\SYSTEM32\lbsyswul.dll
C:\WINNT\SYSTEM32\pkmlrbqd.dll
C:\WINNT\SYSTEM32\njejzlht.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\SYSTEM32\gonwrqok.dll
C:\WINNT\SYSTEM32\lbsyswul.dll
C:\WINNT\SYSTEM32\njejzlht.dll
C:\WINNT\SYSTEM32\nqjsgmve.dll
C:\WINNT\SYSTEM32\pkmlrbqd.dll
C:\WINNT\SYSTEM32\vhubppgf.dll
C:\WINNT\SYSTEM32\xbcbyiua.dll

.
((((((((((((((((((((((((( Files Created from 2007-08-13 to 2007-09-13 )))))))))))))))))))))))))))))))
.

2007-09-13 09:37 51,200 --a------ C:\WINNT\NirCmd.exe
2007-09-12 17:11 75,932 --a------ C:\WINNT\SYSTEM32\DRIVERS\klick.dat
2007-09-12 17:11 75,248 --a------ C:\WINNT\zllsputility.exe
2007-09-12 17:11 74,396 --a------ C:\WINNT\SYSTEM32\DRIVERS\klin.dat
2007-09-12 17:11 12,320 --ahs---- C:\WINNT\SYSTEM32\DRIVERS\fidbox.dat
2007-09-12 17:11 11,264 --a------ C:\WINNT\SYSTEM32\SpOrder.dll
2007-09-12 17:11 1,824 --ahs---- C:\WINNT\SYSTEM32\DRIVERS\fidbox2.dat
2007-09-12 17:11 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-09-12 16:26 <DIR> d-------- C:\WINNT\BDOSCAN8
2007-09-12 14:51 <DIR> d-------- C:\WINNT\SYSTEM32\ActiveScan
2007-09-12 13:20 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-11 19:56 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-11 19:45 <DIR> d----c--- C:\Program Files\kill2me
2007-09-11 19:19 <DIR> d----c--- C:\Program Files\STOPzilla!
2007-09-11 19:19 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2007-09-11 19:19 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-09-11 07:30 1,152 --a------ C:\WINNT\SYSTEM32\windrv.sys
2007-09-11 07:30 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-09-09 22:32 10,872 --a------ C:\WINNT\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-09-09 22:08 <DIR> d----c--- C:\!KillBox
2007-09-09 21:18 <DIR> d----c--- C:\Program Files\Eusing Free Registry Cleaner
2007-09-07 14:03 9,600 --a--c--- C:\WINNT\SYSTEM32\DLLCACHE\hidusb.sys
2007-09-07 14:03 9,600 --a------ C:\WINNT\SYSTEM32\DRIVERS\hidusb.sys
2007-09-07 14:03 19,456 --a--c--- C:\WINNT\SYSTEM32\DLLCACHE\hidserv.dll
2007-09-07 14:03 19,456 --a------ C:\WINNT\SYSTEM32\hidserv.dll
2007-09-07 14:03 12,160 --a--c--- C:\WINNT\SYSTEM32\DLLCACHE\mouhid.sys
2007-09-07 14:03 12,160 --a------ C:\WINNT\SYSTEM32\DRIVERS\mouhid.sys
2007-09-07 13:55 50,944 --a--c--- C:\WINNT\SYSTEM32\DLLCACHE\i8042prt.sys
2007-09-07 13:55 50,944 --a------ C:\WINNT\SYSTEM32\DRIVERS\i8042prt.sys
2007-09-07 13:55 22,016 --a--c--- C:\WINNT\SYSTEM32\DLLCACHE\mouclass.sys
2007-09-07 13:55 22,016 --a------ C:\WINNT\SYSTEM32\DRIVERS\mouclass.sys
2007-09-07 13:55 <DIR> d----c--- C:\Program Files\Microsoft IntelliPoint

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-12 17:14 1220 --ahs---- C:\WINNT\system32\drivers\fidbox2.idx
2007-09-12 17:14 1220 --ahs---- C:\WINNT\system32\drivers\fidbox.idx
2007-09-12 13:20 --------- d-------- C:\Program Files\Lavasoft
2007-09-12 13:19 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-10 08:31 --------- d----c--- C:\Program Files\Trend Micro
2007-09-04 17:11 --------- d----c--- C:\Program Files\GameSpy Arcade
2007-08-07 13:58 8320 --a------ C:\WINNT\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINNT\system32\drivers\NSDriver.sys
2007-08-02 11:22 --------- d----c--- C:\Program Files\World of Warcraft
2007-07-25 08:32 --------- d----c--- C:\DOCUME~1\Chris\APPLIC~1\Ventrilo
2007-07-25 08:19 --------- d----c--- C:\Program Files\VentSrv
2007-07-25 08:19 --------- d----c--- C:\Program Files\Ventrilo
2007-07-07 19:21 684567 --a------ C:\WINNT\SYSTEM32\libeay32.dll
2007-07-07 19:21 147729 --a------ C:\WINNT\SYSTEM32\libssl32.dll
2007-06-21 21:54 1086952 --a------ C:\WINNT\SYSTEM32\zpeng24.dll
2003-05-10 23:16 707 --a--c--- C:\Program Files\INSTALL.LOG
2001-06-25 18:46 271 ---hsc--- C:\Program Files\DESKTOP.INI
2001-06-25 18:46 21952 --ah-c--- C:\Program Files\FOLDER.HTT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 21:09]
"NvCplDaemon"="C:\WINNT\System32\NvCpl.dll" [2004-10-29 11:50]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon03]
C:\WINNT\System32\hphmon03.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperFreeEdition]
"C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SNM"=C:\Program Files\SpyNoMore\SNM.exe /startup

R1 bpfinder;BACKPACK Finder;C:\WINNT\System32\DRIVERS\bpfinder.sys
R1 ClntMgmt.sys;ClntMgmt;C:\WINNT\System32\Drivers\ClntMgmt.sys
R2 NMSSvc;Intel® NMS;C:\WINNT\System32\NMSSvc.exe
R3 bpflt;BACKPACK Filter;C:\WINNT\System32\DRIVERS\bpflt.sys
R3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINNT\System32\drivers\NMSCFG.SYS
R3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINNT\System32\DRIVERS\point32.sys
S0 NVDual;NVDual;C:\WINNT\System32\DRIVERS\nvDual.sys
S0 szkg;szkg;C:\WINNT\System32\DRIVERS\szkg.sys
S3 bppccard;BACKPACK PC Card;C:\WINNT\System32\DRIVERS\bppccard.sys
S3 bppnpdrv;BACKPACK Driver;C:\WINNT\System32\DRIVERS\bppnpdrv.sys
S3 bpusbdrv;BACKPACK USB 1 Cable;C:\WINNT\System32\DRIVERS\bpusbdrv.sys
S3 bpusbflt;BACKPACK USB Filter;C:\WINNT\System32\DRIVERS\bpusbflt.sys
S3 Dot4 HPH09;Dot4 HPH09;C:\WINNT\System32\DRIVERS\hphid409.sys
S3 Dot4Print HPH09;Print Class Driver for IEEE-1284.4 HPH09;C:\WINNT\System32\DRIVERS\hphipr09.sys
S3 Dot4Storage HPH09;Storage Class Driver for IEEE-1284.4 (HPH09);C:\WINNT\System32\Drivers\hphs2k09.sys
S3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINNT\System32\drivers\hphius09.sys
S3 FBIKB_NT;FBIKB_NT;\??\C:\WINNT\System32\Drivers\FBIKB_NT.Sys
S3 usbprint;Microsoft USB PRINTER Class;C:\WINNT\System32\DRIVERS\usbprint.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-12 07:30:00 C:\WINNT\Tasks\RegistrySmart Scheduled Scan.job"
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-13 10:57:58
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-13 10:59:47 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-13 10:59
C:\ComboFix2.txt ... 2007-09-13 10:02
.
--- E O F ---

And HJT log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:59 AM, on 9/13/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINNT\System32\HPHipm09.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 2521 bytes

#9 RichieUK

RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts
  • Local time:12:51 PM

Posted 13 September 2007 - 10:41 AM

Clear your 'System Restore' points by doing the following:
Right-click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Select 'Turn Off System Restore On All Drives'.
Select 'Apply'.
You will then get the following warning:
"You have chosen to turn off System Restore.
If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?".
Then select 'Yes', and your 'System Restore' directories will be purged.

Restart your pc.

Turn 'System Restore' back on:

Right click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Unselect 'Turn Off System Restore On All Drives'.
Select 'Apply', then click 'Ok'.


Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.


Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, on the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log, and let me know how your pc is running now.


#10 attemi

attemi
  • Topic Starter

  • Members
  • 36 posts
  • Local time:06:51 AM

Posted 13 September 2007 - 06:37 PM

SUPERANTISPYWARE LOG:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/13/2007 at 06:38 PM

Application Version : 3.9.1008

Core Rules Database Version : 3305
Trace Rules Database Version: 1311

Scan type : Complete Scan
Total Scan Time : 00:29:40

Memory items scanned : 300
Memory threats detected : 0
Registry items scanned : 4786
Registry threats detected : 0
File items scanned : 28736
File threats detected : 1

Adware.eXactAdvertising-Installer
C:\WINNT\RUNOS.EXE

HJT FILE:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:25:15 PM, on 9/13/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINNT\System32\HPHipm09.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 2805 bytes

Working pretty good at the moment, but I'll post some questionable stuff I have in my allowed start up section of Spybot Search and Destroy. Thanks again.

#11 RichieUK

RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts
  • Local time:12:51 PM

Posted 14 September 2007 - 04:06 AM

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


Download\install one of the following freeware antivirus programs from the choice below.
Once installed update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Avira AntiVir Personal Edition Classic
http://www.free-av.com/

Restart your pc.
Post a new Hijackthis log.
Let me know how your pc is running now.

#12 attemi

attemi
  • Topic Starter

  • Members
  • 36 posts
  • Local time:06:51 AM

Posted 14 September 2007 - 09:20 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:43 AM, on 9/14/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINNT\System32\HPHipm09.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 2671 bytes

It's running much better. Occasionally, I lose connectivity to the internet, a problem I encountered with ZoneAlarm previously, which is why I uninstalled it some time ago. Also ZoneAlarm keeps notifying me that it's blocking, with this message:

Description Packet sent from 192.168.2.1 (DNS) to 192.168.2.85 (UDP Port 3132) was blocked
Rating Medium
Date / Time 2007/09/14 09:42:20-4:00 GMT
Type Firewall
Protocol UDP
Program
Source IP 192.168.2.1:53
Destination IP 192.168.2.85:3132
Direction Incoming
Action Taken Blocked
Count 1
Source DNS
Destination DNS SOLEIL-NY9L1NJK
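An added example (not from the thread or from ZoneAlarm) that parses the alert above and shows what it is: a UDP packet from the router's DNS service on port 53 to an ephemeral port on this PC, i.e. the answer to a lookup the PC itself just sent. Dropping such replies is what makes name resolution, and so "the internet", fail intermittently. It assumes the LAN is 192.168.2.0/24 (taken from the addresses in the alert); the second alert is constructed for contrast and is not from the post.

```python
import ipaddress

# First alert: the text from the post. Second alert: constructed (not from the
# thread) to show an inbound packet that a firewall should indeed drop.
ALERTS = [
    """Description Packet sent from 192.168.2.1 (DNS) to 192.168.2.85 (UDP Port 3132) was blocked
Rating Medium
Type Firewall
Protocol UDP
Source IP 192.168.2.1:53
Destination IP 192.168.2.85:3132
Direction Incoming
Action Taken Blocked
Count 1""",
    """Description Packet sent from 203.0.113.9 to 192.168.2.85 (TCP Port 135) was blocked
Rating High
Type Firewall
Protocol TCP
Source IP 203.0.113.9:4444
Destination IP 192.168.2.85:135
Direction Incoming
Action Taken Blocked
Count 1""",
]

# ZoneAlarm's text has no separator between key and value, so match known keys.
KEYS = ("Description", "Rating", "Type", "Protocol", "Source IP",
        "Destination IP", "Direction", "Action Taken", "Count")
# Assumed local network, inferred from the addresses in the alert.
LAN = ipaddress.ip_network("192.168.2.0/24")


def parse_alert(text):
    """Return the alert as a dict keyed by the field names in KEYS."""
    fields = {}
    for line in text.splitlines():
        for key in KEYS:
            if line.startswith(key + " "):
                fields[key] = line[len(key) + 1:].strip()
                break
    return fields


def endpoint(value):
    """Split 'host:port' into (ip_address, int port)."""
    host, _, port = value.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def classify(fields):
    src, sport = endpoint(fields["Source IP"])
    _, dport = endpoint(fields["Destination IP"])
    inbound = fields["Direction"] == "Incoming"
    if inbound and fields["Protocol"] == "UDP" and sport == 53 and src in LAN and dport >= 1024:
        # DNS answer from the LAN resolver to an ephemeral port: the reply to a
        # query this host sent. Dropping it breaks name lookups intermittently.
        return "dns-reply-dropped"
    if inbound and src not in LAN and dport < 1024:
        return "unsolicited-inbound"   # the block is the intended outcome
    return "review"
```

In ZoneAlarm terms the fix for the first case is to put the local network (the router at 192.168.2.1) in the Trusted Zone rather than the Internet Zone, so that replies from the LAN resolver are accepted.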

#13 attemi

attemi
  • Topic Starter

  • Members
  • 36 posts
  • Local time:06:51 AM

Posted 14 September 2007 - 09:39 AM

This is the list in Spybot of start up programs. I am concerned with the spynomore program and the many winlogon entries.
Spynomore is a program I tried before contacting you, and I think they actually install viruses on your computer rather than clean them. I have it disabled at the moment, but I'd like to remove it completely if possible.

--- Startup entries list ---
Located: HK_LM:Run, IntelliPoint
command: "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
file: C:\Program Files\Microsoft IntelliPoint\ipoint.exe
size: 842584
MD5: 091BE9A85F5681632E3C035E4F559448

Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, ZoneAlarm Client
command: "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
file: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
size: 919016
MD5: 7462B3864DA32E6B3D1EF0524E663A23

Located: HK_LM:Run, SNM (DISABLED)
command: C:\Program Files\SpyNoMore\SNM.exe /startup
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, tscuninstall
where: .DEFAULT...
command: %systemroot%\system32\tscupgrd.exe
file: C:\WINNT\system32\tscupgrd.exe
size: 40448
MD5: D42D3E980507A47CB61573A78D8C09A1

Located: HK_CU:RunOnce, tscuninstall
where: S-1-5-19...
command: %systemroot%\system32\tscupgrd.exe
file: C:\WINNT\system32\tscupgrd.exe
size: 40448
MD5: D42D3E980507A47CB61573A78D8C09A1

Located: HK_CU:RunOnce, tscuninstall
where: S-1-5-20...
command: %systemroot%\system32\tscupgrd.exe
file: C:\WINNT\system32\tscupgrd.exe
size: 40448
MD5: D42D3E980507A47CB61573A78D8C09A1

Located: HK_CU:Run, SUPERAntiSpyware
where: S-1-5-21-775046151-177413509-490556627-1003...
command: C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
file: C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
size: 1318912
MD5: 225E41F95D0F33148D264746087017D4

Located: HK_CU:Run, SpybotSD TeaTimer (DISABLED)
where: S-1-5-21-775046151-177413509-490556627-1003...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1460560
MD5: B7D4586BFC0DD6C3BE7DCCC252A3E97E

Located: HK_CU:RunOnce, tscuninstall
where: S-1-5-18...
command: %systemroot%\system32\tscupgrd.exe
file: C:\WINNT\system32\tscupgrd.exe
size: 40448
MD5: D42D3E980507A47CB61573A78D8C09A1

Located: WinLogon, !SASWinLogon
command: C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
file: C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
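An added example (not from the thread or from Spybot) that parses the startup list above and sorts out the two things the poster is worried about. The MD5 D41D8CD98F00B204E9800998ECF8427E is the hash of zero bytes: Spybot reports it whenever it could not read the file (no path, or a path it could not open), so it says nothing about the file itself. The WinLogon names crypt32chain, cryptnet, cscdll, ScCertProp, Schedule, sclgntfy, SensLogn, termsrv and wlballoon are the Winlogon Notify packages that ship with Windows XP. The excerpt is a shortened, constructed copy of the posted list (command lines dropped).

```python
import hashlib
import re
# Constructed excerpt in the format of the Spybot S&D startup list in the post
# (command lines dropped; names, paths and hashes copied from the post).
STARTUP_LIST = r"""--- Startup entries list ---
Located: HK_LM:Run, SNM (DISABLED)
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E

Located: HK_LM:Run, ZoneAlarm Client
file: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
size: 919016
MD5: 7462B3864DA32E6B3D1EF0524E663A23

Located: WinLogon, crypt32chain
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E

Located: WinLogon, !SASWinLogon
file: C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
"""

# MD5 of zero bytes: Spybot prints it whenever it could not read the file.
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()

# Winlogon Notify packages that ship with Windows XP (stock components).
XP_DEFAULT_WINLOGON = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp",
                       "Schedule", "sclgntfy", "SensLogn", "termsrv", "wlballoon"}


def parse_entries(text):
    """One dict per 'Located:' block; blank lines separate the blocks."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^(\w+):[ \t]*(.*)$", block, re.M))
        if "Located" not in fields:
            continue
        where, _, name = fields["Located"].partition(", ")
        entries.append({"located": where, "name": name,
                        "file": fields.get("file", ""),
                        "size": int(fields.get("size") or 0),
                        "md5": fields.get("MD5", "").upper()})
    return entries


def triage(entry):
    """'default' (stock XP), 'ok' (hashed), 'missing' (no file) or 'unreadable'."""
    if entry["located"] == "WinLogon" and entry["name"] in XP_DEFAULT_WINLOGON:
        return "default"
    if entry["md5"] == EMPTY_MD5:
        return "missing" if not entry["file"] else "unreadable"
    return "ok"
```

For the posted list this leaves only the SpyNoMore entry (registry value still present, file not found) and the SUPERAntiSpyware DLL (present but not hashed) outside the stock set; the rest of the WinLogon block is standard XP.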

#14 RichieUK

RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts
  • Local time:12:51 PM

Posted 14 September 2007 - 10:37 AM

Could you do the following, I've already asked you twice:
Download\install one of the following freeware antivirus programs from the choice below.
Once installed update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Avira AntiVir Personal Edition Classic
http://www.free-av.com/

Post a fresh Hijackthis log when you've done.

#15 attemi

attemi
  • Topic Starter

  • Members
  • 36 posts
  • Local time:06:51 AM

Posted 14 September 2007 - 06:28 PM

I posted that I did have AVG installed, but I did not realize there were 2 different AVG programs, one for spyware which I had installed, and the other for virus, which you were asking me to dl. Sorry for the confusion, I couldn't figure out why you kept asking me to dl it, because I thought I had the program already. I'm scanning now, and will post the HJT when I get home tomorrow from work.
