Malware Problems


This topic is locked
21 replies to this topic

#1 fdrywall


Posted 13 September 2007 - 04:25 PM

Hello - My name is Debbie and I was referred to you by Dave Lipman. I am having a problem with my computer - first my computer crashed and it went to a blue screen and we could not reinstall the operating system so we thought by getting a new hard drive it would solve our problems but it has not. We keep getting popups and in the middle of typing it clicks out of the screen and you have to go back into it. All that we reinstalled on the new hard drive was the operating system, Picasa, itunes and our HP printer software. I have installed ad-aware and spybot and run it every day and I still come up with 40 to 50 infections a day. I would appreciate any help that you could give me on how to fix the problem. Not sure if it is a virus or malware. See below for the HijackThis log report.

Thank you again; any help or advice you can give me on how to fix my computer would be greatly appreciated.


Debbie Fischer


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:29 PM, on 9/13/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
C:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sv3963\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/
F3 - REG:win.ini: load=C:\WINDOWS\sv3963\svchost.exe
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: oembios32.msdn_hlp - {04FA0716-63E1-4146-B250-E5222AE06E79} - C:\WINDOWS\System32\oembios32.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: BndDrive2 BHO Class - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - C:\Program Files\ISM\BndDrive3.dll (file missing)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [hory] C:\Program Files\Online Services\hory22011.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [ISMModule3] "C:\Program Files\ISM\ISMModule3.exe"
O4 - Global Startup: ActivClient Agent.lnk = C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
O20 - Winlogon Notify: ackpbsc - C:\WINDOWS\System32\ackpbsc.dll
O20 - Winlogon Notify: acunlock - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll
O23 - Service: ActivClient Authentication Service (acachsrv) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
O23 - Service: ActivClient Auto-Update Service (acautoup) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\accoca.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5257 bytes


#2 RichieUK

  • Malware Response Team

Posted 14 September 2007 - 06:44 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, fdrywall.
My name is Richie and I'll be helping you to fix your problems.

First you've no virus protection installed.
Download/install one of the following freeware options from the choice below.
Once installed update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Avira AntiVir Personal Edition Classic
http://www.free-av.com/


Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new Hijackthis log please.

#3 fdrywall


Posted 15 September 2007 - 06:06 AM

Good Morning Richie

I read your post and thank you for replying.

You asked me to install an anti-virus program and I already have one. I have ZoneAlarm Security Suite and I was told by them that I could not have two anti-virus programs running at the same time. When I got to Zone Alarm it says that the anti-virus is on and it was updated 14 Sep at 4pm and last scanned on 11 Sep 07. I don't understand - did I set up Zone Alarm wrong?? I don't want to download another anti-virus unless it is ok. What do you think?
I also want to let you know, and I don't know if it makes a difference, but we have 3 other computers connected to this router; hopefully they are not infected.

Thanks
fdrywall

#4 RichieUK


Posted 15 September 2007 - 07:48 AM

Ok then, carry on with the Combofix instructions please.

#5 fdrywall


Posted 15 September 2007 - 09:41 AM

Here is a copy of the ComboFix log - I could not save it so I copied and pasted. Will send the HijackThis log in a few minutes - I did not want to lose this information.



ComboFix 07-09-14.2 - "Debbie" 2007-09-15 10:37:57.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.313 [GMT -4:00]
.

((((((((((((((((((((((((( Files Created from 2007-08-15 to 2007-09-15 )))))))))))))))))))))))))))))))
.

2007-09-15 10:01 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-10 16:34 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-09-10 16:34 <DIR> d-------- C:\WINDOWS\system32\bits
2007-09-10 16:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-07 09:49 <DIR> d---s---- C:\DOCUME~1\Tony\UserData
2007-08-28 19:59 <DIR> d-------- C:\DOCUME~1\Debbie\APPLIC~1\Lavasoft
2007-08-28 19:58 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-28 19:58 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-28 19:47 76 --ah----- C:\aaw7boot.cmd
2007-08-27 17:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-27 16:22 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-08-27 16:22 33,624 --a------ C:\WINDOWS\system32\wups.dll
2007-08-27 16:22 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-08-27 16:22 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-08-27 16:22 186,136 --a------ C:\WINDOWS\system32\wuaueng1.dll
2007-08-27 16:22 167,704 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-08-27 04:30 <DIR> d-------- C:\WINDOWS\system32\tempsz11
2007-08-27 04:30 <DIR> d-------- C:\WINDOWS\system32\IBD4
2007-08-27 04:30 <DIR> d-------- C:\WINDOWS\system32\drvfig32
2007-08-27 04:30 <DIR> d-------- C:\WINDOWS\system32\dllz1
2007-08-27 02:28 <DIR> d-------- C:\WINDOWS\sv3963
2007-08-26 00:41 <DIR> d-------- C:\WINDOWS\system32\acespy
2007-08-26 00:21 21,504 --a------ C:\WINDOWS\system32\oembios32.dll
2007-08-26 00:20 0 --a------ C:\WINDOWS\system32\nusrmgr.exe
2007-08-25 04:42 <DIR> d---s---- C:\DOCUME~1\Debbie\UserData
2007-08-22 16:45 <DIR> d-------- C:\Program Files\iTunes
2007-08-22 16:45 <DIR> d-------- C:\Program Files\iPod
2007-08-22 16:45 <DIR> d-------- C:\DOCUME~1\Debbie\APPLIC~1\Apple Computer
2007-08-22 16:44 <DIR> d-------- C:\Program Files\QuickTime
2007-08-22 16:44 <DIR> d-------- C:\Program Files\Apple Software Update
2007-08-22 16:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-08-22 16:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-08-22 16:40 <DIR> d-------- C:\WINDOWS\system32\IOSUBSYS
2007-08-22 16:21 <DIR> d-------- C:\DOCUME~1\Debbie\APPLIC~1\MailFrontier
2007-08-21 12:30 512 --a------ C:\ScanSectorLog.dat
2007-08-20 21:52 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-08-20 21:52 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-08-20 21:52 <DIR> d-------- C:\Program Files\Picasa2
2007-08-20 21:09 <DIR> d-------- C:\DOCUME~1\Tony\APPLIC~1\Leadertech
2007-08-20 20:48 <DIR> d-------- C:\DOCUME~1\Tony\APPLIC~1\Google
2007-08-20 20:44 <DIR> d-------- C:\Program Files\Google
2007-08-20 20:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-08-20 20:30 <DIR> d-------- C:\DOCUME~1\Tony\APPLIC~1\MailFrontier
2007-08-20 20:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-08-20 20:14 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-08-20 19:48 <DIR> d-------- C:\Program Files\Common Files\HP
2007-08-20 19:47 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-08-20 19:47 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-08-20 19:45 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2007-08-20 19:45 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2007-08-20 19:45 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2007-08-20 19:45 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2007-08-20 19:45 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2007-08-20 19:45 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2007-08-20 19:45 <DIR> d-------- C:\TEMP
2007-08-20 19:43 <DIR> d-------- C:\Program Files\HP
2007-08-20 19:42 69,374 --a------ C:\WINDOWS\hpoins05.dat
2007-08-20 19:42 19,696 --------- C:\WINDOWS\hpomdl05.dat
2007-08-19 18:52 <DIR> d-------- C:\Program Files\ActivIdentity
2007-08-19 18:51 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-08-19 14:11 <DIR> d-------- C:\WINDOWS\system32\Backup
2007-08-19 14:11 <DIR> d-------- C:\WINDOWS\SQLHotfix
2007-08-19 14:10 33,340 --------- C:\WINDOWS\system32\dbmsqlgc.dll
2007-08-19 14:10 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-08-19 14:10 24,576 --------- C:\WINDOWS\system32\dbmsgnet.dll
2007-08-19 14:09 <DIR> d-------- C:\Program Files\Microsoft Visual Studio .NET 2003
2007-08-19 14:09 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2007-08-19 14:09 <DIR> d-------- C:\Program Files\Common Files\Crystal Decisions
2007-08-19 14:07 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-08-19 12:52 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-08-19 12:51 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-08-19 12:51 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-08-19 12:50 24,960 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-08-19 12:50 24,960 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-08-19 12:50 185,624 --a--c--- C:\WINDOWS\system32\dllcache\iuengine.dll
2007-08-19 12:50 185,624 --a------ C:\WINDOWS\system32\iuengine.dll
2007-08-19 12:50 <DIR> d-------- C:\WUTemp
2007-08-19 12:47 <DIR> dr-h----- C:\MSOCache
2007-08-19 12:44 155,648 --a------ C:\WINDOWS\system32\igfxres.dll
2007-08-19 12:39 <DIR> d-------- C:\Program Files\Analog Devices
2007-08-19 12:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Citrix
2007-08-19 12:33 24,064 --a------ C:\WINDOWS\system32\IntelNic.dll
2007-08-19 12:33 145,408 --a--c--- C:\WINDOWS\system32\dllcache\e100b325.sys
2007-08-19 12:33 145,408 --a------ C:\WINDOWS\system32\drivers\e100b325.sys
2007-08-19 12:33 12,288 --a------ C:\WINDOWS\system32\e100bmsg.dll
2007-08-19 12:33 118,784 --a------ C:\WINDOWS\system32\Prounstl.exe
2007-08-19 12:33 <DIR> d-------- C:\drvrtmp
2007-08-19 07:26 56,576 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-08-19 07:26 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2007-08-19 07:24 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\Documents

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-15 10:38 6829344 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-09-15 10:37 467488 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-09-15 10:33 92372 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-09-15 10:33 44852 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-08-20 20:15 75932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-08-20 20:15 74396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-08-19 12:40 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-19 11:50 --------- d-------- C:\Program Files\Intel
2007-08-19 11:43 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-08-19 11:37 --------- d-------- C:\Program Files\microsoft frontpage
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-06-21 21:54 75248 --a------ C:\WINDOWS\zllsputility.exe
2007-06-21 21:54 1086952 --a------ C:\WINDOWS\system32\zpeng24.dll
.

((((((((((((((((((((((((((((( snapshot_2007-09-15_101745.07 )))))))))))))))))))))))))))))))))))))))))
.
---h--w 4,212 2007-09-15 14:34:36 C:\WINDOWS\system32\zllictbl.dat
----a-w 224,956 2007-09-15 14:37:39 C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
----atw 16,384 2007-09-15 14:34:44 C:\WINDOWS\Temp\Perflib_Perfdata_4a0.dat
.
---h--w 4,212 2007-09-15 14:05:00 C:\WINDOWS\system32\zllictbl.dat
----a-w 224,956 2007-09-15 14:05:01 C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{04FA0716-63E1-4146-B250-E5222AE06E79}]
2007-08-26 00:21 21504 --a------ C:\WINDOWS\System32\oembios32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 00:19]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 00:07]
"accrdsub"="C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe" [2006-11-10 12:28]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 20:15]
"hory"="C:\Program Files\Online Services\hory22011.exe" []
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISMModule3"="C:\Program Files\ISM\ISMModule3.exe" []
"ISMModule4"="C:\Program Files\ISM\ISMModule4.exe" []

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
ActivClient Agent.lnk - C:\Program Files\ActivIdentity\ActivClient\acsagent.exe [2006-11-10 12:27:58]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
C:\WINDOWS\System32\ackpbsc.dll 2006-11-10 12:28 189952 C:\WINDOWS\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
C:\Program Files\ActivIdentity\ActivClient\acunlock.dll 2006-11-10 12:28 261632 C:\Program Files\ActivIdentity\ActivClient\acunlock.dll

R2 acachsrv;ActivClient Authentication Service;C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
R2 acautoup;ActivClient Auto-Update Service;C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
R2 accoca;ActivClient Middleware Service;C:\Program Files\ActivIdentity\ActivClient\accoca.exe
R3 GKUPRO2D;GKUPRO2D;C:\WINDOWS\System32\Drivers\GKUPRO2D.sys
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM;C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM

.
Contents of the 'Scheduled Tasks' folder
"2007-08-22 20:44:29 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-15 10:38:39
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-15 10:39:05
C:\ComboFix-quarantined-files.txt ... 2007-09-15 10:39
C:\ComboFix2.txt ... 2007-09-15 10:18
.
--- E O F ---

#6 fdrywall


Posted 15 September 2007 - 09:43 AM

Here is the HijackThis log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:42:06 AM, on 9/15/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
C:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: oembios32.msdn_hlp - {04FA0716-63E1-4146-B250-E5222AE06E79} - C:\WINDOWS\System32\oembios32.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [hory] C:\Program Files\Online Services\hory22011.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [ISMModule3] "C:\Program Files\ISM\ISMModule3.exe"
O4 - HKCU\..\Run: [ISMModule4] "C:\Program Files\ISM\ISMModule4.exe"
O4 - Global Startup: ActivClient Agent.lnk = C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
O20 - Winlogon Notify: ackpbsc - C:\WINDOWS\System32\ackpbsc.dll
O20 - Winlogon Notify: acunlock - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll
O23 - Service: ActivClient Authentication Service (acachsrv) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
O23 - Service: ActivClient Auto-Update Service (acautoup) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\accoca.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4877 bytes

#7 RichieUK


Posted 15 September 2007 - 09:58 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\system32\oembios32.dll

Folder::
C:\WINDOWS\system32\tempsz11
C:\WINDOWS\system32\IBD4
C:\WINDOWS\system32\drvfig32
C:\WINDOWS\system32\dllz1

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{04FA0716-63E1-4146-B250-E5222AE06E79}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hory"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISMModule3"=-
"ISMModule4"=-

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: the CFScript file being dragged and dropped onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
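As an added example (not part of this thread, and not HijackThis's or ComboFix's own logic), the triage Richie performs above on the HijackThis log can be written down as a script: it parses the log's process list and lettered entries and flags the same patterns the thread turns on. The sample log is a constructed subset of the lines posted in this thread; the heuristics and the "suspicious"/"review" labels are my assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis lines posted in this thread,
# embedded so the triage runs offline.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\sv3963\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/
F3 - REG:win.ini: load=C:\WINDOWS\sv3963\svchost.exe
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: oembios32.msdn_hlp - {04FA0716-63E1-4146-B250-E5222AE06E79} - C:\WINDOWS\System32\oembios32.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BndDrive2 BHO Class - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - C:\Program Files\ISM\BndDrive3.dll (file missing)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
"""

# Where the core XP binaries legitimately live, and the names malware likes to borrow.
SYSTEM_DIR = r"c:\windows\system32"
CORE_BINARIES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                 "svchost.exe", "spoolsv.exe"}


@dataclass
class Finding:
    severity: str  # "suspicious" (treat as malicious) or "review" (orphan or oddity)
    text: str      # the log line that triggered the finding
    reason: str


def parse_log(text):
    """Split a HijackThis log into its process list and its lettered entries (R0, F3, O2, ...)."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:
            in_procs = False  # the process block ends at the first blank line
            continue
        if in_procs:
            processes.append(line)
            continue
        m = re.match(r"^([A-Z]\d+) - (.*)$", line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def check_process(path):
    # A core Windows binary name running from a directory other than System32
    # (the thread's svchost.exe under WINDOWS\sv3963) is a classic impersonation.
    directory, _, name = path.rpartition("\\")
    if name.lower() in CORE_BINARIES and directory.lower() != SYSTEM_DIR:
        return Finding("suspicious", path, f"{name} running outside System32 ({directory})")
    return None


def check_entry(kind, body):
    low = body.lower()
    if kind == "F3" and "load=" in low:
        # win.ini load= is a legacy autostart that XP-era software does not use.
        return Finding("suspicious", body, "win.ini load= autostart")
    if kind == "O2":
        target = body.rsplit(" - ", 1)[-1]
        if target.endswith("(no file)") or target.endswith("(file missing)"):
            return Finding("review", body, "orphaned BHO registration (remove the key)")
        if target.rpartition("\\")[0].lower() == SYSTEM_DIR:
            return Finding("review", body, "BHO loaded straight from System32; legitimate BHOs usually live under Program Files")
    if kind == "O16" and ("ms-its:" in low or "mhtml:" in low):
        # A Downloaded Program File pulled through the ms-its:/mhtml: handler chain
        # is a CHM-based drive-by install, not a normal ActiveX download.
        return Finding("suspicious", body, "DPF fetched via ms-its:/mhtml: handler chain")
    return None


def triage(text):
    """Return every Finding for a HijackThis log, processes first, then entries."""
    processes, entries = parse_log(text)
    findings = [f for f in map(check_process, processes) if f]
    findings += [f for f in (check_entry(k, b) for k, b in entries) if f]
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.text}")
```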

#8 fdrywall


Posted 15 September 2007 - 02:25 PM

Here is the combofix log - will send HijackThis next.

ComboFix 07-09-14.2 - "Debbie" 2007-09-15 15:18:11.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.223 [GMT -4:00]
Command switches used :: C:\Documents and Settings\Debbie\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\oembios32.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dllz1
C:\WINDOWS\system32\drvfig32
C:\WINDOWS\system32\IBD4
C:\WINDOWS\system32\oembios32.dll
C:\WINDOWS\system32\tempsz11

.
((((((((((((((((((((((((( Files Created from 2007-08-15 to 2007-09-15 )))))))))))))))))))))))))))))))
.

2007-09-15 10:01 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-10 16:34 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-09-10 16:34 <DIR> d-------- C:\WINDOWS\system32\bits
2007-09-10 16:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-07 09:49 <DIR> d---s---- C:\DOCUME~1\Tony\UserData
2007-08-28 19:59 <DIR> d-------- C:\DOCUME~1\Debbie\APPLIC~1\Lavasoft
2007-08-28 19:58 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-28 19:58 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-28 19:47 76 --ah----- C:\aaw7boot.cmd
2007-08-27 17:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-27 16:22 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-08-27 16:22 33,624 --a------ C:\WINDOWS\system32\wups.dll
2007-08-27 16:22 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-08-27 16:22 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-08-27 16:22 186,136 --a------ C:\WINDOWS\system32\wuaueng1.dll
2007-08-27 16:22 167,704 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-08-27 02:28 <DIR> d-------- C:\WINDOWS\sv3963
2007-08-26 00:41 <DIR> d-------- C:\WINDOWS\system32\acespy
2007-08-26 00:20 0 --a------ C:\WINDOWS\system32\nusrmgr.exe
2007-08-25 04:42 <DIR> d---s---- C:\DOCUME~1\Debbie\UserData
2007-08-22 16:45 <DIR> d-------- C:\Program Files\iTunes
2007-08-22 16:45 <DIR> d-------- C:\Program Files\iPod
2007-08-22 16:45 <DIR> d-------- C:\DOCUME~1\Debbie\APPLIC~1\Apple Computer
2007-08-22 16:44 <DIR> d-------- C:\Program Files\QuickTime
2007-08-22 16:44 <DIR> d-------- C:\Program Files\Apple Software Update
2007-08-22 16:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-08-22 16:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-08-22 16:40 <DIR> d-------- C:\WINDOWS\system32\IOSUBSYS
2007-08-22 16:21 <DIR> d-------- C:\DOCUME~1\Debbie\APPLIC~1\MailFrontier
2007-08-21 12:30 512 --a------ C:\ScanSectorLog.dat
2007-08-20 21:52 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-08-20 21:52 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-08-20 21:52 <DIR> d-------- C:\Program Files\Picasa2
2007-08-20 21:09 <DIR> d-------- C:\DOCUME~1\Tony\APPLIC~1\Leadertech
2007-08-20 20:48 <DIR> d-------- C:\DOCUME~1\Tony\APPLIC~1\Google
2007-08-20 20:44 <DIR> d-------- C:\Program Files\Google
2007-08-20 20:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-08-20 20:30 <DIR> d-------- C:\DOCUME~1\Tony\APPLIC~1\MailFrontier
2007-08-20 20:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-08-20 20:14 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-08-20 19:48 <DIR> d-------- C:\Program Files\Common Files\HP
2007-08-20 19:47 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-08-20 19:47 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-08-20 19:45 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2007-08-20 19:45 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2007-08-20 19:45 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2007-08-20 19:45 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2007-08-20 19:45 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2007-08-20 19:45 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2007-08-20 19:45 <DIR> d-------- C:\TEMP
2007-08-20 19:43 <DIR> d-------- C:\Program Files\HP
2007-08-20 19:42 69,374 --a------ C:\WINDOWS\hpoins05.dat
2007-08-20 19:42 19,696 --------- C:\WINDOWS\hpomdl05.dat
2007-08-19 18:52 <DIR> d-------- C:\Program Files\ActivIdentity
2007-08-19 18:51 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-08-19 14:11 <DIR> d-------- C:\WINDOWS\system32\Backup
2007-08-19 14:11 <DIR> d-------- C:\WINDOWS\SQLHotfix
2007-08-19 14:10 33,340 --------- C:\WINDOWS\system32\dbmsqlgc.dll
2007-08-19 14:10 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-08-19 14:10 24,576 --------- C:\WINDOWS\system32\dbmsgnet.dll
2007-08-19 14:09 <DIR> d-------- C:\Program Files\Microsoft Visual Studio .NET 2003
2007-08-19 14:09 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2007-08-19 14:09 <DIR> d-------- C:\Program Files\Common Files\Crystal Decisions
2007-08-19 14:07 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-08-19 12:52 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-08-19 12:51 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-08-19 12:51 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-08-19 12:50 24,960 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-08-19 12:50 24,960 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-08-19 12:50 185,624 --a--c--- C:\WINDOWS\system32\dllcache\iuengine.dll
2007-08-19 12:50 185,624 --a------ C:\WINDOWS\system32\iuengine.dll
2007-08-19 12:50 <DIR> d-------- C:\WUTemp
2007-08-19 12:47 <DIR> dr-h----- C:\MSOCache
2007-08-19 12:44 155,648 --a------ C:\WINDOWS\system32\igfxres.dll
2007-08-19 12:39 <DIR> d-------- C:\Program Files\Analog Devices
2007-08-19 12:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Citrix
2007-08-19 12:33 24,064 --a------ C:\WINDOWS\system32\IntelNic.dll
2007-08-19 12:33 145,408 --a--c--- C:\WINDOWS\system32\dllcache\e100b325.sys
2007-08-19 12:33 145,408 --a------ C:\WINDOWS\system32\drivers\e100b325.sys
2007-08-19 12:33 12,288 --a------ C:\WINDOWS\system32\e100bmsg.dll
2007-08-19 12:33 118,784 --a------ C:\WINDOWS\system32\Prounstl.exe
2007-08-19 12:33 <DIR> d-------- C:\drvrtmp
2007-08-19 07:26 56,576 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-08-19 07:26 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2007-08-19 07:24 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\Documents

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-15 15:21 530464 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-09-15 15:20 8108 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-09-15 15:20 4640 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-09-15 15:20 1484 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-09-06 16:14 75248 --a------ C:\WINDOWS\zllsputility.exe
2007-09-06 16:14 1086952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-08-19 12:40 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-19 11:50 --------- d-------- C:\Program Files\Intel
2007-08-19 11:43 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-08-19 11:37 --------- d-------- C:\Program Files\microsoft frontpage
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
.

((((((((((((((((((((((((((((( snapshot_2007-09-15_101745.07 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 83,432 2007-09-06 20:14:04 C:\WINDOWS\system32\vsdata.dll
----a-w 395,080 2007-09-06 20:14:28 C:\WINDOWS\system32\vsdatant.sys
----a-w 157,160 2007-09-06 20:14:04 C:\WINDOWS\system32\vsinit.dll
----a-w 103,912 2007-09-06 20:14:04 C:\WINDOWS\system32\vsmonapi.dll
----a-w 275,944 2007-09-06 20:14:04 C:\WINDOWS\system32\vspubapi.dll
----a-w 71,144 2007-09-06 20:14:04 C:\WINDOWS\system32\vsregexp.dll
----a-w 472,552 2007-09-06 20:14:06 C:\WINDOWS\system32\vsutil.dll
----a-w 46,568 2007-09-06 20:14:06 C:\WINDOWS\system32\vswmi.dll
----a-w 99,816 2007-09-06 20:14:06 C:\WINDOWS\system32\vsxml.dll
----a-w 83,432 2007-09-06 20:14:06 C:\WINDOWS\system32\zlcomm.dll
----a-w 71,144 2007-09-06 20:14:08 C:\WINDOWS\system32\zlcommdb.dll
---h--w 4,212 2007-09-15 19:20:56 C:\WINDOWS\system32\zllictbl.dat
----a-w 186,128 2007-07-19 19:10:32 C:\WINDOWS\system32\drivers\klif.sys
----a-w 370,208 2007-09-06 20:13:56 C:\WINDOWS\system32\ZoneLabs\av.dll
----a-w 99,816 2007-09-06 20:13:56 C:\WINDOWS\system32\ZoneLabs\camupd.dll
----a-w 128,480 2007-09-06 20:13:58 C:\WINDOWS\system32\ZoneLabs\fbl.dll
----a-w 38,376 2007-09-06 20:13:58 C:\WINDOWS\system32\ZoneLabs\featuremap.dll
----a-w 321,016 2007-09-06 20:13:58 C:\WINDOWS\system32\ZoneLabs\imsecure.dll
----a-w 714,208 2007-08-15 19:45:42 C:\WINDOWS\system32\ZoneLabs\qrbase.dll
----a-w 787,936 2007-08-15 19:45:44 C:\WINDOWS\system32\ZoneLabs\qrsrecl.dll
----a-w 173,544 2007-09-06 20:14:00 C:\WINDOWS\system32\ZoneLabs\scheduler.dll
----a-w 5,509,633 2007-09-14 20:00:40 C:\WINDOWS\system32\ZoneLabs\spyware.dat
----a-w 1,500,640 2007-08-15 19:45:44 C:\WINDOWS\system32\ZoneLabs\srescan.dll
----a-w 50,416 2007-06-11 16:44:10 C:\WINDOWS\system32\ZoneLabs\srescan.sys
----a-w 456,168 2007-09-06 20:14:02 C:\WINDOWS\system32\ZoneLabs\ssleay32.dll
----a-w 833,248 2007-08-01 10:30:04 C:\WINDOWS\system32\ZoneLabs\updating.dll
----a-w 149,032 2007-09-06 20:14:18 C:\WINDOWS\system32\ZoneLabs\updclient.exe
----a-w 108,008 2007-09-06 20:14:04 C:\WINDOWS\system32\ZoneLabs\vsavpro.dll
----a-w 79,336 2007-09-06 20:14:04 C:\WINDOWS\system32\ZoneLabs\vsdb.dll
----a-w 75,304 2007-09-06 20:14:18 C:\WINDOWS\system32\ZoneLabs\vsmon.exe
----a-w 2,024,936 2007-09-06 20:14:04 C:\WINDOWS\system32\ZoneLabs\vsmondll.dll
----a-w 1,345,000 2007-09-06 20:14:06 C:\WINDOWS\system32\ZoneLabs\vsruledb.dll
----a-w 239,080 2007-09-06 20:14:06 C:\WINDOWS\system32\ZoneLabs\vsvault.dll
----a-w 177,640 2007-09-06 20:14:08 C:\WINDOWS\system32\ZoneLabs\zlparser.dll
----a-w 8,104,448 2007-09-15 19:14:34 C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
----a-w 79,344 2007-09-06 20:14:08 C:\WINDOWS\system32\ZoneLabs\zlquarantine.dll
----a-w 382,440 2007-09-06 20:14:08 C:\WINDOWS\system32\ZoneLabs\zlsre.dll
----a-w 120,296 2007-09-06 20:14:08 C:\WINDOWS\system32\ZoneLabs\zlupdate.dll
----a-w 274,432 2007-08-24 23:31:48 C:\WINDOWS\system32\ZoneLabs\avsys\kave.dll
----a-w 186,128 2007-07-19 19:10:32 C:\WINDOWS\system32\ZoneLabs\avsys\klif_32.sys
----a-w 135,168 2007-08-24 23:31:48 C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
----a-w 38,140 2007-09-15 19:20:57 C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
----a-w 110,360 2007-07-19 19:10:32 C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\w2kxp32\kl1.sys
----a-w 186,128 2007-07-19 19:10:32 C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\w2kxp32\klif.sys
----a-w 110,360 2007-05-31 04:03:48 C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\x32\kl1.sys
----a-w 127,768 2007-07-19 19:10:28 C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\x32\klif.sys
----a-w 45,056 2007-05-31 04:03:50 C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\x32\regcat.exe
----a-w 288,144 2007-09-06 20:14:30 C:\WINDOWS\system32\ZoneLabs\lib\ConfigWizard.zip.dll
----a-w 152,976 2007-09-06 20:14:30 C:\WINDOWS\system32\ZoneLabs\lib\licenseui.zip.dll
----a-w 26,000 2007-09-06 20:14:30 C:\WINDOWS\system32\ZoneLabs\lib\zlsvc.zip.dll
----a-w 1,361,296 2007-09-06 20:14:32 C:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll
----a-w 71,056 2007-09-06 20:14:32 C:\WINDOWS\system32\ZoneLabs\lib\zui.zip.dll
----a-w 30,184 2007-09-06 20:15:50 C:\WINDOWS\system32\ZoneLabs\plugins\rpc_server\rpc_server.dll
----a-w 30,216 2007-09-06 20:15:52 C:\WINDOWS\system32\ZoneLabs\plugins\vsmon_plugin\vsmon_plugin.dll
----a-w 214,528 2007-09-06 20:15:52 C:\WINDOWS\system32\ZoneLabs\streamapi\httpblocker\httpblocker.dll
----a-w 3,266,040 2007-09-06 20:15:54 C:\WINDOWS\system32\ZoneLabs\streamapi\imslsp\imslsp.dll
----atw 16,384 2007-09-15 19:21:05 C:\WINDOWS\Temp\Perflib_Perfdata_1f4.dat
.
----a-w 83,432 2007-06-22 01:54:30 C:\WINDOWS\system32\vsdata.dll
----a-w 394,984 2007-06-22 01:54:52 C:\WINDOWS\system32\vsdatant.sys
----a-w 157,160 2007-06-22 01:54:32 C:\WINDOWS\system32\vsinit.dll
----a-w 103,912 2007-06-22 01:54:32 C:\WINDOWS\system32\vsmonapi.dll
----a-w 275,944 2007-06-22 01:54:32 C:\WINDOWS\system32\vspubapi.dll
----a-w 71,144 2007-06-22 01:54:32 C:\WINDOWS\system32\vsregexp.dll
----a-w 472,552 2007-06-22 01:54:34 C:\WINDOWS\system32\vsutil.dll
----a-w 46,568 2007-06-22 01:54:34 C:\WINDOWS\system32\vswmi.dll
----a-w 99,816 2007-06-22 01:54:34 C:\WINDOWS\system32\vsxml.dll
----a-w 83,432 2007-06-22 01:54:34 C:\WINDOWS\system32\zlcomm.dll
----a-w 71,144 2007-06-22 01:54:34 C:\WINDOWS\system32\zlcommdb.dll
---h--w 4,212 2007-09-15 14:05:00 C:\WINDOWS\system32\zllictbl.dat
----a-w 175,376 2007-05-31 04:03:48 C:\WINDOWS\system32\drivers\klif.sys
----a-w 366,112 2007-06-22 01:54:24 C:\WINDOWS\system32\ZoneLabs\av.dll
----a-w 99,816 2007-06-22 01:54:24 C:\WINDOWS\system32\ZoneLabs\camupd.dll
----a-w 128,480 2007-06-22 01:54:24 C:\WINDOWS\system32\ZoneLabs\fbl.dll
----a-w 38,376 2007-06-22 01:54:26 C:\WINDOWS\system32\ZoneLabs\featuremap.dll
----a-w 321,016 2007-06-22 01:54:26 C:\WINDOWS\system32\ZoneLabs\imsecure.dll
----a-w 714,208 2007-08-23 14:00:32 C:\WINDOWS\system32\ZoneLabs\qrbase.dll
----a-w 787,936 2007-08-23 14:00:32 C:\WINDOWS\system32\ZoneLabs\qrsrecl.dll
----a-w 173,544 2007-06-22 01:54:28 C:\WINDOWS\system32\ZoneLabs\scheduler.dll
----a-w 5,509,633 2007-09-14 20:00:38 C:\WINDOWS\system32\ZoneLabs\spyware.dat
----a-w 1,500,640 2007-08-23 14:00:32 C:\WINDOWS\system32\ZoneLabs\srescan.dll
----a-w 50,152 2007-08-23 14:00:32 C:\WINDOWS\system32\ZoneLabs\srescan.sys
----a-w 456,168 2007-06-22 01:54:28 C:\WINDOWS\system32\ZoneLabs\ssleay32.dll
----a-w 833,248 2007-08-21 00:46:38 C:\WINDOWS\system32\ZoneLabs\updating.dll
----a-w 144,936 2007-06-22 01:54:46 C:\WINDOWS\system32\ZoneLabs\updclient.exe
----a-w 108,008 2007-06-22 01:54:30 C:\WINDOWS\system32\ZoneLabs\vsavpro.dll
----a-w 79,336 2007-06-22 01:54:30 C:\WINDOWS\system32\ZoneLabs\vsdb.dll
----a-w 75,304 2007-06-22 01:54:46 C:\WINDOWS\system32\ZoneLabs\vsmon.exe
----a-w 2,024,936 2007-06-22 01:54:32 C:\WINDOWS\system32\ZoneLabs\vsmondll.dll
----a-w 1,345,000 2007-06-22 01:54:32 C:\WINDOWS\system32\ZoneLabs\vsruledb.dll
----a-w 243,176 2007-06-22 01:54:34 C:\WINDOWS\system32\ZoneLabs\vsvault.dll
----a-w 177,640 2007-06-22 01:54:36 C:\WINDOWS\system32\ZoneLabs\zlparser.dll
----a-w 8,098,304 2007-09-15 13:26:05 C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
----a-w 79,344 2007-06-22 01:54:36 C:\WINDOWS\system32\ZoneLabs\zlquarantine.dll
----a-w 378,344 2007-06-22 01:54:36 C:\WINDOWS\system32\ZoneLabs\zlsre.dll
----a-w 120,296 2007-06-22 01:54:36 C:\WINDOWS\system32\ZoneLabs\zlupdate.dll
----a-w 258,048 2007-05-31 04:03:16 C:\WINDOWS\system32\ZoneLabs\avsys\kave.dll
----a-w 175,376 2007-05-31 04:03:48 C:\WINDOWS\system32\ZoneLabs\avsys\klif_32.sys
----a-w 118,784 2007-05-31 04:03:18 C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
----a-w 224,956 2007-09-15 14:05:01 C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
----a-w 288,144 2007-06-22 01:54:54 C:\WINDOWS\system32\ZoneLabs\lib\ConfigWizard.zip.dll
----a-w 152,976 2007-06-22 01:54:54 C:\WINDOWS\system32\ZoneLabs\lib\licenseui.zip.dll
----a-w 26,000 2007-06-22 01:54:54 C:\WINDOWS\system32\ZoneLabs\lib\zlsvc.zip.dll
----a-w 1,361,296 2007-06-22 01:54:54 C:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll
----a-w 71,056 2007-06-22 01:54:54 C:\WINDOWS\system32\ZoneLabs\lib\zui.zip.dll
----a-w 30,184 2007-06-22 01:56:16 C:\WINDOWS\system32\ZoneLabs\plugins\rpc_server\rpc_server.dll
----a-w 30,216 2007-06-22 01:56:16 C:\WINDOWS\system32\ZoneLabs\plugins\vsmon_plugin\vsmon_plugin.dll
----a-w 210,432 2007-06-22 01:56:16 C:\WINDOWS\system32\ZoneLabs\streamapi\httpblocker\httpblocker.dll
----a-w 3,229,176 2007-06-22 01:56:18 C:\WINDOWS\system32\ZoneLabs\streamapi\imslsp\imslsp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 00:19]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 00:07]
"accrdsub"="C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe" [2006-11-10 12:28]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 20:15]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
ActivClient Agent.lnk - C:\Program Files\ActivIdentity\ActivClient\acsagent.exe [2006-11-10 12:27:58]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
C:\WINDOWS\System32\ackpbsc.dll 2006-11-10 12:28 189952 C:\WINDOWS\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
C:\Program Files\ActivIdentity\ActivClient\acunlock.dll 2006-11-10 12:28 261632 C:\Program Files\ActivIdentity\ActivClient\acunlock.dll

R2 acachsrv;ActivClient Authentication Service;C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
R2 acautoup;ActivClient Auto-Update Service;C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
R2 accoca;ActivClient Middleware Service;C:\Program Files\ActivIdentity\ActivClient\accoca.exe
R3 GKUPRO2D;GKUPRO2D;C:\WINDOWS\System32\Drivers\GKUPRO2D.sys
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM;C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM

.
Contents of the 'Scheduled Tasks' folder
"2007-08-22 20:44:29 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-15 15:21:16
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-15 15:22:43 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-15 15:22
C:\ComboFix2.txt ... 2007-09-15 10:39
C:\ComboFix3.txt ... 2007-09-15 10:18
.
--- E O F ---

#9 fdrywall (Topic Starter, Members, 13 posts)

Posted 15 September 2007 - 02:28 PM

Here is a copy of the HijackThis log. One question - should ZoneAlarm Security Suite be running when I scan with Combofix or HijackThis?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:25:31 PM, on 9/15/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
C:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\HPZinw12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: ActivClient Agent.lnk = C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
O20 - Winlogon Notify: ackpbsc - C:\WINDOWS\System32\ackpbsc.dll
O20 - Winlogon Notify: acunlock - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll
O23 - Service: ActivClient Authentication Service (acachsrv) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
O23 - Service: ActivClient Auto-Update Service (acautoup) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\accoca.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4316 bytes

#10 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 16 September 2007 - 06:46 AM

One question - should ZoneAlarm Security Suite be running when I scan with Combofix or HijackThis?

That's ok, don't be concerned about it.

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
Exit HijackThis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your PC is running now.


#11 fdrywall (Topic Starter, Members, 13 posts)

Posted 17 September 2007 - 03:43 PM

Will send HijackThis next.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/17/2007 at 04:37 PM

Application Version : 3.9.1008

Core Rules Database Version : 3307
Trace Rules Database Version: 1313

Scan type : Complete Scan
Total Scan Time : 00:17:06

Memory items scanned : 379
Memory threats detected : 0
Registry items scanned : 4920
Registry threats detected : 4
File items scanned : 21218
File threats detected : 81

Adware.Tracking Cookie
C:\Documents and Settings\Debbie\Cookies\debbie@partner2profit[1].txt
C:\Documents and Settings\Debbie\Cookies\debbie@qnsr[1].txt
C:\Documents and Settings\Debbie\Cookies\debbie@track.bestbuy[1].txt
C:\Documents and Settings\Debbie\Cookies\debbie@tremor.adbureau[2].txt
C:\Documents and Settings\Debbie\Cookies\debbie@ad[2].txt
C:\Documents and Settings\Debbie\Cookies\debbie@www.xctrk[2].txt
C:\Documents and Settings\Debbie\Cookies\debbie@2o7[2].txt
C:\Documents and Settings\Debbie\Cookies\debbie@ads.glispa[2].txt
C:\Documents and Settings\Debbie\Cookies\debbie@casalemedia[2].txt
C:\Documents and Settings\Debbie\Cookies\debbie@msnportal.112.2o7[1].txt
C:\Documents and Settings\Debbie\Cookies\debbie@go.winantispyware[1].txt
C:\Documents and Settings\Debbie\Cookies\debbie@ex=0_[1].txt
C:\Documents and Settings\Debbie\Cookies\debbie@edge.ru4[2].txt
C:\Documents and Settings\Debbie\Cookies\debbie@adserver.easyad[2].txt
C:\Documents and Settings\Debbie\Cookies\debbie@counter.surfcounters[1].txt
C:\Documents and Settings\Debbie\Cookies\debbie@ads.pointroll[2].txt
C:\Documents and Settings\Debbie\Cookies\debbie@mediatraffic[1].txt
C:\Documents and Settings\Debbie\Cookies\debbie@overture[1].txt
C:\Documents and Settings\Debbie\Cookies\debbie@711-50835-15510-1[2].txt
C:\Documents and Settings\Debbie\Cookies\debbie@advertising[2].txt
C:\Documents and Settings\Debbie\Cookies\debbie@atdmt[2].txt
C:\Documents and Settings\Debbie\Cookies\debbie@cpvfeed[2].txt
C:\Documents and Settings\Debbie\Cookies\debbie@ads4.blastro[2].txt
C:\Documents and Settings\Debbie\Cookies\debbie@hitbox[2].txt
C:\Documents and Settings\Debbie\Cookies\debbie@72569526[2].txt
C:\Documents and Settings\Debbie\Cookies\debbie@winantispyware[1].txt
C:\Documents and Settings\Debbie\Cookies\debbie@www.burstnet[1].txt
C:\Documents and Settings\Debbie\Cookies\debbie@zedo[2].txt
C:\Documents and Settings\Debbie\Cookies\debbie@burstnet[1].txt
C:\Documents and Settings\Debbie\Cookies\debbie@ads.addynamix[1].txt
C:\Documents and Settings\Debbie\Cookies\debbie@apmebf[2].txt
C:\Documents and Settings\Debbie\Cookies\debbie@statse.webtrendslive[2].txt
C:\Documents and Settings\Debbie\Cookies\debbie@antispyware[2].txt
C:\Documents and Settings\Debbie\Cookies\debbie@ehg-bestbuy.hitbox[1].txt
C:\Documents and Settings\Debbie\Cookies\debbie@tase[2].txt
C:\Documents and Settings\Debbie\Cookies\debbie@revsci[2].txt
C:\Documents and Settings\Debbie\Cookies\debbie@ad.yieldmanager[1].txt
C:\Documents and Settings\Debbie\Cookies\debbie@statcounter[2].txt
C:\Documents and Settings\Debbie\Cookies\debbie@monstercom.112.2o7[1].txt
C:\Documents and Settings\Debbie\Cookies\debbie@nextag[2].txt
C:\Documents and Settings\Debbie\Cookies\debbie@fastclick[2].txt
C:\Documents and Settings\Debbie\Cookies\debbie@focalex[2].txt
C:\Documents and Settings\Debbie\Cookies\debbie@specificclick[1].txt
C:\Documents and Settings\Debbie\Cookies\debbie@adopt.specificclick[1].txt
C:\Documents and Settings\Debbie\Cookies\debbie@mediaplex[2].txt
C:\Documents and Settings\Debbie\Cookies\debbie@tase[1].txt
C:\Documents and Settings\Debbie\Cookies\debbie@eas.apm.emediate[1].txt
C:\Documents and Settings\Debbie\Cookies\debbie@53912102[1].txt
C:\Documents and Settings\Debbie\Cookies\debbie@date.ventivmedia[1].txt
C:\Documents and Settings\Debbie\Cookies\debbie@doubleclick[1].txt
C:\Documents and Settings\Debbie\Cookies\debbie@tribalfusion[1].txt
C:\Documents and Settings\Debbie\Cookies\debbie@www.burstbeacon[1].txt
C:\Documents and Settings\Tony\Cookies\tony@67.15.239[1].txt
C:\Documents and Settings\Tony\Cookies\tony@ad.directaclick[2].txt
C:\Documents and Settings\Tony\Cookies\tony@adopt.specificclick[1].txt
C:\Documents and Settings\Tony\Cookies\tony@ads.adbrite[2].txt
C:\Documents and Settings\Tony\Cookies\tony@azoogleads[1].txt
C:\Documents and Settings\Tony\Cookies\tony@counter.surfcounters[1].txt
C:\Documents and Settings\Tony\Cookies\tony@cpvfeed[2].txt
C:\Documents and Settings\Tony\Cookies\tony@homeclick[1].txt
C:\Documents and Settings\Tony\Cookies\tony@interclick[2].txt
C:\Documents and Settings\Tony\Cookies\tony@servedby.adxpower[2].txt
C:\Documents and Settings\Tony\Cookies\tony@winantispyware[1].txt
C:\Documents and Settings\Tony\Cookies\tony@www.homeclick[1].txt
C:\Documents and Settings\Tony\Cookies\tony@www.winantispyware[1].txt
C:\Documents and Settings\Tony\Cookies\tony@yoursexygames[1].txt

Adware.AdSponsor
HKCR\AppId\AdBand.DLL
HKCR\AppId\AdBand.DLL#AppID

Adware.AdSponsor/ISM
HKU\S-1-5-21-1202660629-706699826-725345543-1005\Software\antica
HKU\S-1-5-21-1202660629-706699826-725345543-1005\Software\BndDrive
C:\Documents and Settings\Debbie\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Debbie\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Debbie\Start Menu\Programs\Internet Speed Monitor
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\ISM\BNDLOADER.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\ISM\ISM.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{24C94CC4-C2F7-48B1-BCE9-021CB68C8711}\RP39\A0004292.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{24C94CC4-C2F7-48B1-BCE9-021CB68C8711}\RP39\A0004293.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{24C94CC4-C2F7-48B1-BCE9-021CB68C8711}\RP41\A0004406.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{24C94CC4-C2F7-48B1-BCE9-021CB68C8711}\RP41\A0004407.EXE

Adware.ClickSpring/Yazzle
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1552OINUNINSTALLER.EXE.VIR

Adware.ISM/BndDrive
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\ISM\BNDDRIVE3.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{24C94CC4-C2F7-48B1-BCE9-021CB68C8711}\RP39\A0004291.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{24C94CC4-C2F7-48B1-BCE9-021CB68C8711}\RP41\A0004405.DLL

Trojan.Downloader-FakeRX
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\OEMBIOS32.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{24C94CC4-C2F7-48B1-BCE9-021CB68C8711}\RP42\A0004800.DLL

#12 fdrywall (Topic Starter, Members, 13 posts)

Posted 17 September 2007 - 03:45 PM

The computer seems to be running better - I am not getting popups so far.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:43:30 PM, on 9/17/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
C:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\HPZinw12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: ActivClient Agent.lnk = C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ackpbsc - C:\WINDOWS\System32\ackpbsc.dll
O20 - Winlogon Notify: acunlock - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll
O23 - Service: ActivClient Authentication Service (acachsrv) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
O23 - Service: ActivClient Auto-Update Service (acautoup) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\accoca.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4412 bytes

#13 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:06:51 PM

Posted 17 September 2007 - 06:23 PM

Your log is clean :thumbsup:
If all's OK, please do the following.

Find and delete:
Combofix.exe
C:\QOOBOX

Download and install CCleaner:
http://www.ccleaner.com/download/builds/downloading-slim

Set Options in CCleaner and run Cleaning Scan.
Open CCleaner if it's not already running.
*Note*
Do not use the Issues block to clean anything with this program.
It is for experts only and it is risky.

Select Cleaner Settings.
Check Internet Explorer, Windows Explorer, and System so that all items are checked.
In the Advanced section, have a check only on Old PreFetch Data.

Click on the Options block on the left.
Select Advanced.
Uncheck "Only delete files in Windows Temp folders older than 48 hours".

Set Cookie Retention.
Click on the Options block on the left, then choose Cookies.
Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.

Run Cleaning Scan.
Click on the Cleaner block on the left.
Choose the Windows tab.
Click the Run Cleaner button.
This process could take a while.
When CCleaner shows how much has been removed, cleaning is finished.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here,to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

Top 10 reasons to install Windows XP Service Pack 2 (SP2):
http://www.microsoft.com/windowsxp/sp2/topten.mspx

#14 fdrywall

fdrywall
  • Topic Starter

  • Members
  • 13 posts
  • Local time:01:51 PM

Posted 20 September 2007 - 04:15 AM

It seems to be ok now except for a few things in the TEMP file and a few win 32 items coming up as spyware/virus.

I downloaded the Service Pack 2 for XP.

Just wanted to make sure I am still good to go.

Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:12:26 AM, on 9/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
C:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: ActivClient Agent.lnk = C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ackpbsc - C:\WINDOWS\System32\ackpbsc.dll
O20 - Winlogon Notify: acunlock - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll
O23 - Service: ActivClient Authentication Service (acachsrv) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
O23 - Service: ActivClient Auto-Update Service (acautoup) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\accoca.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4569 bytes
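What the helpers in this thread do by eye when they compare the 13 September and 20 September logs is (a) parse each O-line into its section, name and file, (b) diff the two sets to see what appeared or disappeared, and (c) give a second look to the load points that are hard to attribute: unnamed BHOs, Winlogon Notify DLLs, and autoruns that point into user-writable folders. The Python below is an added example, not code from this thread, HijackThis or BleepingComputer. It embeds a handful of lines copied from the two logs above (an excerpt, so the diff is over those excerpts only), plus one clearly marked constructed line to exercise the temp-folder rule. The triage rules are first-pass review heuristics of my own, not a verdict on any entry.

```python
import re
from dataclasses import dataclass

# Excerpts copied from the two HijackThis logs posted in this thread (13 Sep and
# 20 Sep 2007). A handful of lines each, so the diff below covers these excerpts only.
LOG_13_SEP = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O20 - Winlogon Notify: ackpbsc - C:\WINDOWS\System32\ackpbsc.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

LOG_20_SEP = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: ackpbsc - C:\WINDOWS\System32\ackpbsc.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Constructed line, NOT from the thread: exercises the user-writable-path rule.
CONSTRUCTED = r"""
O4 - HKCU\..\Run: [example] C:\Documents and Settings\User\Local Settings\Temp\example.exe
"""


@dataclass(frozen=True)
class Entry:
    section: str  # "O4", "O23", "R0", ...
    kind: str     # "Run", "BHO", "Service", ... or "other" if the body was not parsed
    name: str     # value name, BHO/toolbar title, service name, or registry key
    path: str     # file or URL the entry points at
    raw: str      # the original log line


CLSID = r"\{[0-9A-Fa-f-]+\}"
LINE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# Body patterns per section. The CLSID anchors O2/O3/O9 because paths may contain " - ".
PATTERNS = {
    "R":   [(re.compile(r"^(?P<name>.+?) = (?P<path>.*)$"), "IEUrl")],
    "O2":  [(re.compile(r"^BHO: (?P<name>.*?) - " + CLSID + r" - (?P<path>.*)$"), "BHO")],
    "O3":  [(re.compile(r"^Toolbar: (?P<name>.*?) - " + CLSID + r" - (?P<path>.*)$"), "Toolbar")],
    "O4":  [(re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.*)$"), "Run"),
            (re.compile(r"^Global Startup: (?P<name>.*?) = (?P<path>.*)$"), "Startup")],
    "O9":  [(re.compile(r"^Extra (?:button|'Tools' menuitem): (?P<name>.*?) - " + CLSID + r" - (?P<path>.*)$"), "IEButton")],
    "O20": [(re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$"), "WinlogonNotify")],
    "O23": [(re.compile(r"^Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$"), "Service")],
}
USER_WRITABLE = re.compile(r"\\(temp|local settings|application data|appdata)\\", re.I)


def parse(log):
    """Parse HijackThis O/R lines into Entry objects; headers and the process list are skipped."""
    entries = []
    for line in log.strip().splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        key = "R" if section.startswith("R") else section
        for pat, kind in PATTERNS.get(key, []):
            b = pat.match(body)
            if b:
                entries.append(Entry(section, kind, b.group("name"), b.group("path"), line.strip()))
                break
        else:
            entries.append(Entry(section, "other", body, "", line.strip()))
    return entries


def triage(entries):
    """First-pass review heuristics; each hit is (entry, reason) to look at, not a verdict."""
    findings = []
    for e in entries:
        if e.kind in ("BHO", "Toolbar", "IEButton") and e.name.lower() == "(no name)":
            findings.append((e, "unnamed COM object: identify it by CLSID and file"))
        if e.kind == "WinlogonNotify" and "\\program files\\" not in e.path.lower():
            findings.append((e, "Winlogon Notify DLL outside Program Files, no vendor shown: verify owner"))
        if e.kind in ("Run", "Startup") and USER_WRITABLE.search(e.path):
            findings.append((e, "autorun from a user-writable directory"))
    return findings


def diff_logs(before, after):
    """Raw lines added and removed between two logs, keyed by (section, kind, name, path)."""
    def key(e):
        return (e.section, e.kind, e.name, e.path)
    b = {key(e): e for e in parse(before)}
    a = {key(e): e for e in parse(after)}
    added = [a[k].raw for k in a if k not in b]
    removed = [b[k].raw for k in b if k not in a]
    return added, removed


if __name__ == "__main__":
    added, removed = diff_logs(LOG_13_SEP, LOG_20_SEP)
    print("Added since 13 Sep:", *added, sep="\n  + ")
    print("Gone since 13 Sep:", *removed, sep="\n  - ")
    for e, why in triage(parse(LOG_20_SEP)) + triage(parse(CONSTRUCTED)):
        print(f"REVIEW [{e.section}] {e.name}: {why}")
```

On the excerpts above the diff reports four new entries (the Start Page line, the Adobe PDF Reader Link Helper BHO, the MSMSGS autorun and the Messenger IE button) and one entry gone (the &Radio toolbar), which is exactly the difference a reader sees between the two posted logs. Triage flags two lines for a second look, the unnamed BHO and the ackpbsc Winlogon Notify DLL; both are flagged only because the log line itself does not identify their owner, which is why the helpers resolve them by CLSID and file rather than by name. The constructed temp-folder line is the only one that trips the user-writable rule.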

#15 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:06:51 PM

Posted 20 September 2007 - 06:40 AM

a few win 32 items coming up as spyware/virus.

Could you post more details on the above please, Debbie. What exactly are these items you're referring to?
