
Desktop Issues


18 replies to this topic

#1 deroock


Posted 28 September 2007 - 12:32 AM

Recently cleared my laptop, but now my desktop is showing issues with adware/spyware. Any help I can get would be much appreciated!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:27:38 PM, on 9/27/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\starter.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TangoManager.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\WinAble\winable.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\avp.exe
C:\Program Files\Internet Explorer\Connection Wizard\ICWCONN1.EXE
C:\Program Files\Rabio\X_se.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\mgrs.exe
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.lib.ucdavis.edu/proxy/pacserve
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.netscape.com"); (C:\Documents and Settings\IAN\Application Data\Mozilla\Profiles\default\kninjy3u.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\IAN\Application Data\Mozilla\Profiles\default\kninjy3u.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RabioBHO - {1C2E5D27-A17C-4D89-85DD-3553C189380D} - C:\Program Files\Rabio\Rabio.dll
O2 - BHO: BndDrive2 BHO Class - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - C:\Program Files\ISM\BndDrive4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\SYSTEM32\starter.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TangoManager] C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TANGOM~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [avp] C:\WINNT\avp.exe
O4 - HKLM\..\Run: [plite731] C:\WINNT\plite731.exe
O4 - HKLM\..\Run: [csrss] C:\WINNT\csrss.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ISMModule4] "C:\Program Files\ISM\ISMModule4.exe"
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKUS\.DEFAULT\..\Run: [ISMModule4] "C:\Program Files\ISM\ISMModule4.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - .DEFAULT Startup: Rabio - Auto Update.lnk = C:\Program Files\Rabio\se.exe (User 'Default user')
O4 - .DEFAULT User Startup: Rabio - Auto Update.lnk = C:\Program Files\Rabio\se.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot7_x.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/oas/ActiveX/MSDcode.cab
O16 - DPF: {0C3F7D74-ADA5-4976-8908-A8189590DAFA} (3DGreetings.com Player 2.0) - http://expressit.broderbund.com/Plugin/3DGreetings/vroom.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/packages/GSManager.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://hsmail2.ucdmc.ucdavis.edu/iNotes6W.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {47F59200-8783-11D2-8343-00A0C945A819} (RFXInstMgr Class) - http://greetingcenter.richfx.com/download/twophase.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1186201066015
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_0.ocx
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.biz/fvlite/fvliteY.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (WebEyeControl) - http://www.rockefellercenter.com/viewer/wg_webeye.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://luckynugget.microgaming.com/luckynugget/FlashAX.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://hsmail2.ucdmc.ucdavis.edu/dwa7W.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{03FF3822-FC90-45E2-9196-D435EC664787}: NameServer = 85.255.115.42,85.255.112.114
O17 - HKLM\System\CCS\Services\Tcpip\..\{47AC360A-6657-4770-8591-7271A19368F5}: NameServer = 85.255.115.42,85.255.112.114
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0FB0BEF-3FC8-4C57-957A-6FB6EFBA6916}: NameServer = 85.255.115.42,85.255.112.114
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.42 85.255.112.114
O17 - HKLM\System\CS1\Services\Tcpip\..\{03FF3822-FC90-45E2-9196-D435EC664787}: NameServer = 85.255.115.42,85.255.112.114
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.42 85.255.112.114
O20 - AppInit_DLLs: c:\winnt\system32\ldcore.dll
O20 - Winlogon Notify: winwly32 - winwly32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\SWFu\command.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\System32\pctspk.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe
O23 - Service: Windows Management Service - Unknown owner - C:\WINNT\system32\.exe (file missing)

--
End of file - 13789 bytes


#2 SifuMike

malware expert

Posted 03 October 2007 - 05:52 PM

Hello deroock,

I am SifuMike and I will be helping you. You have several infections on this computer, one of them is a backdoor.

What antivirus program are you running???

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 2.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 2".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it.
Click Next, then Install, then make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.

You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts.

If your system does not reboot, then reboot it manually.

Please boot into Normal Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O2 - BHO: RabioBHO - {1C2E5D27-A17C-4D89-85DD-3553C189380D} - C:\Program Files\Rabio\Rabio.dll
O2 - BHO: BndDrive2 BHO Class - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - C:\Program Files\ISM\BndDrive4.dll
O4 - HKLM\..\Run: [plite731] C:\WINNT\plite731.exe
O4 - HKLM\..\Run: [csrss] C:\WINNT\csrss.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [ISMModule4] "C:\Program Files\ISM\ISMModule4.exe"
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKUS\.DEFAULT\..\Run: [ISMModule4] "C:\Program Files\ISM\ISMModule4.exe" (User 'Default user')
O4 - .DEFAULT Startup: Rabio - Auto Update.lnk = C:\Program Files\Rabio\se.exe (User 'Default user')
O4 - .DEFAULT User Startup: Rabio - Auto Update.lnk = C:\Program Files\Rabio\se.exe (User 'Default user')
O17 - HKLM\System\CCS\Services\Tcpip\..\{03FF3822-FC90-45E2-9196-D435EC664787}: NameServer = 85.255.115.42,85.255.112.114
O17 - HKLM\System\CCS\Services\Tcpip\..\{47AC360A-6657-4770-8591-7271A19368F5}: NameServer = 85.255.115.42,85.255.112.114
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0FB0BEF-3FC8-4C57-957A-6FB6EFBA6916}: NameServer = 85.255.115.42,85.255.112.114
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.42 85.255.112.114
O17 - HKLM\System\CS1\Services\Tcpip\..\{03FF3822-FC90-45E2-9196-D435EC664787}: NameServer = 85.255.115.42,85.255.112.114
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.42 85.255.112.114


Close HijackThis, and click OK to proceed.


Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'

Using Windows Explorer, delete the following files/folders in bold

C:\WINNT\plite731.exe <==file
C:\WINNT\csrss.exe <==file
C:\WINNT\SYSTEM32\mgrs.exe <==file
C:\Program Files\ISM\ISMModule4.exe <==file
C:\Program Files\WinAble\winable.exe <==file
C:\Program Files\Rabio\se.exe <==file




* Go to Control Panel.
If you are using Windows XP's Category View, select the Network and Internet Connections category.
If you are in Classic View, go to the next step.

Double-click the Network Connections icon
Right-click the Local Area Connection icon and select Properties.
Highlight Internet Protocol (TCP/IP) and click the Properties button.
Be sure Obtain DNS server address automatically is selected.
OK your way out.

* Go to Start > Run and type in cmd
Click OK.
This will open a command prompt.
Type or copy and paste the following line in the command window:

ipconfig /flushdns

Hit Enter.
Exit the command window.


Reboot your computer again.

Please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.

Edited by SifuMike, 03 October 2007 - 06:17 PM.

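As an added example (not part of the thread, and not HijackThis or SifuMike's own procedure), a small Python triage script that applies the same checks SifuMike made by eye on the log above: hard-coded O17 NameServer entries pointing outside the LAN, Run keys launching core-process names such as csrss.exe, any AppInit_DLLs entry, and O23 services whose binary is missing. The assumption that a legitimate resolver on this network is a private (RFC 1918) address, and the sample log itself, are constructed for the example.

```python
"""Triage helper for HijackThis v2.0.2 log lines (added example, not HJT code).

The heuristics below are this example's own; they encode what an analyst
looks for in a DNS-changer style infection, not HijackThis' own logic.
"""
import ipaddress
import re

# Core Windows processes are started by the kernel or SMSS, never from a
# Run key. A Run entry launching one of these names is a masquerade.
CORE_PROCS = {"csrss.exe", "smss.exe", "winlogon.exe", "services.exe",
              "lsass.exe", "svchost.exe"}

O17_RE = re.compile(r"^O17 - .*?NameServer = (?P<servers>.+)$")
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>\S.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'"?(?P<exe>[^"]+?\.exe)', re.IGNORECASE)


def expected_resolver(addr: str) -> bool:
    """Assumption for this example: the LAN hands out a private (RFC 1918)
    resolver. Anything else hard-coded into the TCP/IP interface keys is
    suspect, since the user was told to use DHCP-assigned DNS."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def check_line(line: str) -> list:
    """Return a list of (section, reason) findings for one HJT log line."""
    findings = []
    line = line.strip()

    m = O17_RE.match(line)
    if m:
        # HJT prints the list comma- or space-separated depending on the key.
        servers = [s for s in re.split(r"[ ,]+", m["servers"]) if s]
        rogue = [s for s in servers if not expected_resolver(s)]
        if rogue:
            findings.append(("O17", "hard-coded DNS resolver(s) outside the LAN: "
                             + ", ".join(rogue)))
        return findings

    m = O4_RE.match(line)
    if m:
        e = EXE_RE.match(m["cmd"])
        if e:
            path = e["exe"]
            base = path.rsplit("\\", 1)[-1].lower()
            if base in CORE_PROCS:
                findings.append(("O4", f"[{m['name']}] launches '{base}' from a Run key; "
                                 "the real process never autostarts this way"))
            elif "\\" not in path:
                # Bare filename: resolved through the PATH search order at logon,
                # so it is worth confirming where it actually lives.
                findings.append(("O4", f"[{m['name']}] runs bare filename '{path}' "
                                 "(PATH-resolved, verify its location)"))
        return findings

    m = O20_RE.match(line)
    if m:
        # AppInit_DLLs is injected into every process that loads user32.dll.
        findings.append(("O20", "AppInit_DLLs injects " + m["dlls"]))
        return findings

    m = O23_RE.match(line)
    if m:
        path = m["path"]
        missing = path.endswith("(file missing)")
        base = path.replace(" (file missing)", "").rsplit("\\", 1)[-1].lower()
        # A service whose binary is gone, or whose name is empty, is leftover
        # malware registration that should be removed rather than ignored.
        if missing or base == ".exe":
            findings.append(("O23", f"service '{m['svc']}' ({m['owner']}) points at {path}"))
    return findings


def scan(log_text: str) -> list:
    """Run check_line over a whole log and return all findings in order."""
    out = []
    for line in log_text.splitlines():
        out.extend(check_line(line))
    return out


# Constructed sample log modelled on the entries flagged in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [csrss] C:\WINNT\csrss.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O17 - HKLM\System\CCS\Services\Tcpip\..\{03FF3822-FC90-45E2-9196-D435EC664787}: NameServer = 85.255.115.42,85.255.112.114
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
O20 - AppInit_DLLs: c:\winnt\system32\ldcore.dll
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\SWFu\command.exe (file missing)
O23 - Service: Windows Management Service - Unknown owner - C:\WINNT\system32\.exe (file missing)
"""

if __name__ == "__main__":
    for section, reason in scan(SAMPLE_LOG):
        print(f"{section}: {reason}")
```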

#3 deroock


Posted 04 October 2007 - 10:39 AM

Thanks SifuMike, things seem to be better already. A few notes, my Add/Remove programs window freezes every time it is opened - so I couldn't uninstall old Java, I only installed the new Java I downloaded. Also, only the ISMModule4.exe file was there, the other 5 were not. Oh, I'm running AVG antispyware, but thinking I should try something new. Here are the logs:


Username "Ian" - 10/04/2007 8:01:12 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="csvpm.exe"
Service: "Windows Management Service" = C:\WINNT\System32\dmlso.exe

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{03FF3822-FC90-45E2-9196-D435EC664787}
"nameserver"="85.255.115.42,85.255.112.114" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{47AC360A-6657-4770-8591-7271A19368F5}
"nameserver"="85.255.115.42,85.255.112.114" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{C0FB0BEF-3FC8-4C57-957A-6FB6EFBA6916}
"nameserver"="85.255.115.42,85.255.112.114" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{03FF3822-FC90-45E2-9196-D435EC664787}
"DhcpNameServer"="85.255.115.42,85.255.112.114" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{C0FB0BEF-3FC8-4C57-957A-6FB6EFBA6916}
"DhcpNameServer"="85.255.115.42,85.255.112.114" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "0mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}AEEB3A97188D-2FEB-EE44-ABEC-4AC35731{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}965D5A7F9711-822A-7374-0873-E86864F8{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "lnmmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}C3AC830EB38E-D83A-A4A4-4D4F-3D03492E{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "oslmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "mpvsc" Value deleted
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion "dmmnl.exe" Value deleted
HKCR\CLSID\{3342B3B2-E594-4F39-B1DE-1B5F03F1759A}\_h\4 Deleted.
....
~~~~~ Misc files.
C:\WINNT\System32\kernel32.exe Deleted
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"EnsoniqMixer"="C:\\WINNT\\SYSTEM32\\starter.exe"
"LWBMOUSE"="C:\\Program Files\\Browser Mouse\\Browser Mouse\\1.0\\lwbwheel.exe"
"Synchronization Manager"="mobsync.exe /logon"
"TangoManager"="C:\\PROGRA~1\\FRONTI~1\\FRONTI~1\\app\\TANGOM~1.EXE"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe\""
"NeroFilterCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"LogitechVideo[inspector]"="C:\\Program Files\\Logitech\\Video\\InstallHelper.exe /inspect"
"LogitechCommunicationsManager"="\"C:\\Program Files\\Common Files\\Logitech\\LComMgr\\Communications_Helper.exe\""
"LVCOMSX"="\"C:\\Program Files\\Common Files\\Logitech\\LComMgr\\LVComSX.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SmartDefrag"="\"C:\\Program Files\\IObit\\IObit SmartDefrag\\IObit SmartDefrag.exe\" /startup"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"CountrySelection"="pctptt.exe"
"plite731"="C:\\WINNT\\plite731.exe"
"csrss"="C:\\WINNT\\csrss.exe"
"smgr"="mgrs.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"ISMModule4"="\"C:\\Program Files\\ISM\\ISMModule4.exe\""
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:33:04 AM, on 10/4/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\starter.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TangoManager.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINNT\system32\mshta.exe
C:\Program Files\Hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.lib.ucdavis.edu/proxy/pacserve
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.netscape.com"); (C:\Documents and Settings\IAN\Application Data\Mozilla\Profiles\default\kninjy3u.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\IAN\Application Data\Mozilla\Profiles\default\kninjy3u.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\SYSTEM32\starter.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TangoManager] C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TANGOM~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot7_x.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/oas/ActiveX/MSDcode.cab
O16 - DPF: {0C3F7D74-ADA5-4976-8908-A8189590DAFA} (3DGreetings.com Player 2.0) - http://expressit.broderbund.com/Plugin/3DGreetings/vroom.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/packages/GSManager.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://hsmail2.ucdmc.ucdavis.edu/iNotes6W.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {47F59200-8783-11D2-8343-00A0C945A819} (RFXInstMgr Class) - http://greetingcenter.richfx.com/download/twophase.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1186201066015
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_0.ocx
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.biz/fvlite/fvliteY.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (WebEyeControl) - http://www.rockefellercenter.com/viewer/wg_webeye.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://luckynugget.microgaming.com/luckynugget/FlashAX.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://hsmail2.ucdmc.ucdavis.edu/dwa7W.cab
O20 - AppInit_DLLs: c:\winnt\system32\ldcore.dll
O20 - Winlogon Notify: winwly32 - winwly32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - Unknown owner - C:\WINNT\System32\pctspk.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe

--
End of file - 12189 bytes

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:14 PM

Posted 04 October 2007 - 12:20 PM

Hello deroock,

my Add/Remove programs window freezes every time it is opened - so I couldn't uninstall old Java, I only installed the new Java I downloaded.



We need to get rid of the old Java versions, as the malware will see it and use it. After we have your computer clean your Add/Remove may work.

Also, only the ISMModule4.exe file was there, the other 5 were not. Oh, I'm running AVG antispyware, but thinking I should try something new.


AVG is a very good program, so I don't think it would have stopped you from getting infected; however, you can try another and see how you like it.

Here are three antivirus programs I recommend, all free:

Avast or
AntiVir or
AVG antivirus

Products from all three vendors received the Virus Bulletin's VB100% award and certification for virus detection from ICSA Labs.

Never install more than one antivirus scanner or firewall on your system! Several together can give you problems and decrease the reliability of it seriously!

*****************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O20 - AppInit_DLLs: c:\winnt\system32\ldcore.dll
O20 - Winlogon Notify: winwly32 - winwly32.dll (file missing)


These are optional fixes. The following are not necessarily spyware/malware, but I suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
(Description: RealPlayer scheduler. Completely unnecessary. Removing this entry will free up a small amount of system resources.)

O4 - Startup: PowerReg Scheduler.exe
(Description: PowerREGISTER from Leadertech. Registration reminder as used by Iomega, Hasbro & Microprose - amongst others. Unnecessary. Removing this entry will free up a small amount of system resources. )

*****************************

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.

Using Windows Explorer, delete the following files/folders in bold

c:\winnt\system32\ldcore.dll <==file

*****************************

If you have used Combofix before, please delete the version you have and redownload it again, because Combofix is being updated every day.

If your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again. Because some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.



1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
 
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
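The entries SifuMike singles out above (an AppInit_DLLs value and a Winlogon Notify package whose DLL is missing) are exactly the persistence pointers a defender scans a HijackThis log for first. The Python below is an added example, not part of this thread and not a HijackThis feature: it parses HijackThis-style lines and attaches a reason to each one a reviewer would look at twice. The sample lines are copied from the logs posted in this thread; the section-prefix line format (`O4 - ...`, `O20 - ...`) is assumed from those logs, and the heuristics (AppInit_DLLs, Winlogon Notify, `(file missing)`, `Unknown owner`, a Run value with no full path) are my own selection, not HijackThis's.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not part of this thread and not a HijackThis feature. It
encodes the reasoning used in the post above: AppInit_DLLs and Winlogon
Notify entries are loaded into every process / at every logon, "(file
missing)" marks an orphaned registry pointer, and a Run value with no full
path is resolved through the search path at logon.
"""
import re

# Sample input: lines copied from the HijackThis logs posted in this thread
# (two benign ones, AVG and Norton, included so the output shows what is
# NOT flagged).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O20 - AppInit_DLLs: c:\winnt\system32\ldcore.dll
O20 - Winlogon Notify: winwly32 - winwly32.dll (file missing)
O23 - Service: W2K PCtel speaker phone (Pctspk) - Unknown owner - C:\WINNT\System32\pctspk.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

# Assumed line format: "<section> - <body>", e.g. "O20 - AppInit_DLLs: ..."
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\")


def parse_hjt(text):
    """Return [(section, body, raw_line)] for every HijackThis entry line."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2), raw.strip()))
    return entries


def reasons_for(section, body):
    """Why a defender would look twice at this entry (empty list = no concern)."""
    reasons = []
    if section == "O20" and body.startswith("AppInit_DLLs"):
        reasons.append("AppInit_DLLs: DLL is loaded into every process that loads user32.dll")
    if section == "O20" and body.startswith("Winlogon Notify"):
        reasons.append("Winlogon Notify package: loaded by winlogon.exe at every logon")
    if "(file missing)" in body:
        reasons.append("registry still points at a file that no longer exists")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service binary carries no publisher information")
    if section == "O4":
        # body looks like "HKLM\..\Run: [Name] command"; inspect the command part
        command = body.split("] ", 1)[-1]
        if not DRIVE_PATH_RE.search(command):
            reasons.append("Run value has no full path; resolved via the search path at logon")
    return reasons


def triage(text):
    """Return [(raw_line, [reason, ...])] for entries that deserve a closer look."""
    findings = []
    for section, body, raw in parse_hjt(text):
        reasons = reasons_for(section, body)
        if reasons:
            findings.append((raw, reasons))
    return findings


if __name__ == "__main__":
    for raw, reasons in triage(SAMPLE_LOG):
        print(raw)
        for reason in reasons:
            print("   ->", reason)
```

Run it to list the flagged lines; a benign entry such as the Norton service, which has a full path and a publisher, is not reported. Treat the output as a review queue rather than a verdict: the expert above still confirms each entry before telling the user to fix it.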

#5 deroock

deroock
  • Topic Starter

  • Members
  • 44 posts
  • Local time:08:14 PM

Posted 04 October 2007 - 01:13 PM

Things seem to continue to improve....
The file ldcore.dll was not present for deleting....
My Add/Remove programs window still freezes....
Here are the logs. THanks!

ComboFix 07-10-04.6 - Ian 10/04/2007 10:47:06.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.89 [GMT -8:00]
Running from: C:\Documents and Settings\Ian\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Default User\Application Data\.rdr.ini
C:\Documents and Settings\Ian\~tmp1174.exe
C:\Documents and Settings\Ian\Application Data\.rdr.ini
C:\Documents and Settings\Ian\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Ian\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Ian\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\paging.sys
C:\Program Files\Common Files\winctl.dll
C:\Program Files\ISM
C:\Program Files\ISM\dictionary.gz
C:\Program Files\ISM\targets.gz
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\s2f.exe
C:\Program Files\TTC.dll
C:\Program Files\WinAble
C:\temp\0c2
C:\temp\0c2\tmpFF.log
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\bass.exe
C:\temp\brr
C:\Temp\fse
C:\WINNT\b122.exe
C:\WINNT\Downloaded Program Files\ODCTOOLS
C:\WINNT\mgrs.exe
C:\WINNT\svchost.exe
C:\WINNT\system32\b02FdUe
C:\WINNT\system32\C2
C:\WINNT\system32\f02WtR
C:\WINNT\system32\G1
C:\WINNT\system32\G11
C:\WINNT\system32\G3
C:\WINNT\system32\G7
C:\WINNT\system32\G7\rs25.exe
C:\WINNT\system32\G9
C:\WINNT\system32\ldinfo.ldr
C:\WINNT\system32\n.ini
C:\WINNT\system32\NSIS.Library.RegTool.v2.{75D33490-33D9-4BC6-ABD7-2D69D0C8B1FA}.exe
C:\WINNT\system32\win
C:\WINNT\system32\Z1
C:\WINNT\system32\Z2
C:\WINNT\system32\Z2\mon33dll.exe
C:\WINNT\wr.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NET_AGENT
-------\Net Agent


((((((((((((((((((((((((( Files Created from 2007-09-04 to 2007-10-04 )))))))))))))))))))))))))))))))
.

2007-10-04 02:03 85,504 --a------ C:\wndynak.exe
2007-10-03 07:19 74 --ah----- C:\aaw7boot.cmd
2007-10-02 22:43 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-02 22:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-02 22:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-28 11:09 6,817 --a------ C:\sysmwzk.exe
2007-09-28 11:09 6,817 --a------ C:\ie_updater.exe
2007-09-27 06:44 111,709 --a------ C:\sysiweq.exe
2007-09-26 23:43 7,168 --a------ C:\hltg.exe
2007-09-26 23:39 9,728 --a------ C:\Program Files\hlpsrv.exe
2007-09-26 23:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-09-26 23:36 880,968 --a------ C:\WINNT\system32\RabioSetup.exe
2007-09-26 23:36 706,500 --a------ C:\Temp\regit.exe
2007-09-26 23:36 41 --a------ C:\WINNT\plite731_uninstaller_.bat
2007-09-26 23:36 294,088 --a------ C:\WINNT\aid4xwin.exe
2007-09-26 23:36 17,408 --a------ C:\psapi.dll
2007-09-26 23:36 <DIR> d-a------ C:\Program Files\Rabio
2007-09-26 23:35 <DIR> d-------- C:\WINNT\system32\vMW06a
2007-09-26 23:35 <DIR> d-------- C:\Temp\xOe
2007-09-26 23:19 <DIR> d-------- C:\Documents and Settings\Ian\Application Data\Lavasoft
2007-09-26 08:04 <DIR> d-------- C:\Program Files\Temporary
2007-09-26 08:00 <DIR> d--hs---- C:\WINNT\SWFu
2007-09-26 08:00 <DIR> d-------- C:\WINNT\system32\GB9
2007-09-26 08:00 <DIR> d-------- C:\WINNT\system32\DL1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
99-12-11 00:00 32528 --a------ C:\WINNT\inf\wbfirdma.sys
99-07-01 23:36 162816 --a------ C:\WINNT\Fonts\wget.exe
07-10-03 22:08 --------- d-a------ C:\Program Files\Norton AntiVirus
07-10-03 21:38 --------- d-------- C:\Program Files\iTunes
07-08-07 13:57 8064 --a------ C:\WINNT\system32\drivers\AWRTRD.sys
07-08-07 13:56 9344 --a------ C:\WINNT\system32\drivers\NSDriver.sys
07-08-05 15:03 --------- d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
07-08-03 20:36 --------- d-------- C:\Program Files\SpywareBlaster
07-07-27 16:51 54524754 --a------ C:\registrybackup.reg
02-07-24 19:36 271 --ah----- C:\Program Files\desktop.ini
02-07-24 19:36 21952 --ah----- C:\Program Files\folder.htt
02-06-10 04:41 106496 --a------ C:\WINNT\Fonts\moo.dll
1989-12-12 18:10:10 436,352 --sh--r C:\WINNT\tkvrbuvA.exe
2003-01-22 15:27:55 2 --shatr C:\WINNT\winstart.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EnsoniqMixer"="C:\WINNT\SYSTEM32\starter.exe" [01-10-03 19:22 ]
"LWBMOUSE"="C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe" [01-03-25 20:35 ]
"Synchronization Manager"="mobsync.exe" [03-06-19 11:05 C:\WINNT\system32\mobsync.exe]
"TangoManager"="C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TANGOM~1.EXE" [03-08-05 13:49 ]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [01-07-09 11:50 ]
"LogitechVideo[inspector]"="C:\Program Files\Logitech\Video\InstallHelper.exe" []
"LogitechCommunicationsManager"="C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [06-06-26 08:46 ]
"LVCOMSX"="C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe" [06-06-26 09:33 ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06-10-30 09:36 ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [07-07-01 00:20 ]
"SmartDefrag"="C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [07-04-28 21:54 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06-10-25 18:58 ]
"CountrySelection"="pctptt.exe" [00-01-04 23:41 C:\WINNT\system32\pctptt.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [06-08-09 14:41 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 00:19:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Synchronization Manager"=mobsync.exe /logon
"CountrySelection"=pctptt.exe
"LoadQM"=loadqm.exe
"Adaptec DirectCD"=C:\PROGRA~1\HPCD-W~1\DirectCD\directcd.exe
"HP CD-Writer"=C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

.
Contents of the 'Scheduled Tasks' folder
"2007-10-04 14:39:09 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
"2007-10-04 18:55:00 C:\WINNT\Tasks\Symantec NetDetect.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-04 10:54:57
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-04 10:58:17 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-10-04 10:57
C:\ComboFix2.txt ... 07-07-31 10:19
C:\ComboFix3.txt ... 07-07-25 18:11
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:04 AM, on 10/4/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\starter.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TangoManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.lib.ucdavis.edu/proxy/pacserve
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.netscape.com"); (C:\Documents and Settings\IAN\Application Data\Mozilla\Profiles\default\kninjy3u.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\IAN\Application Data\Mozilla\Profiles\default\kninjy3u.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\SYSTEM32\starter.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TangoManager] C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TANGOM~1.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot7_x.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/oas/ActiveX/MSDcode.cab
O16 - DPF: {0C3F7D74-ADA5-4976-8908-A8189590DAFA} (3DGreetings.com Player 2.0) - http://expressit.broderbund.com/Plugin/3DGreetings/vroom.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/packages/GSManager.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://hsmail2.ucdmc.ucdavis.edu/iNotes6W.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {47F59200-8783-11D2-8343-00A0C945A819} (RFXInstMgr Class) - http://greetingcenter.richfx.com/download/twophase.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1186201066015
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_0.ocx
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.biz/fvlite/fvliteY.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (WebEyeControl) - http://www.rockefellercenter.com/viewer/wg_webeye.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://luckynugget.microgaming.com/luckynugget/FlashAX.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://hsmail2.ucdmc.ucdavis.edu/dwa7W.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - Unknown owner - C:\WINNT\System32\pctspk.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe

--
End of file - 11674 bytes

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:14 PM

Posted 04 October 2007 - 01:57 PM

Hello deroock,

I see you installed Norton AntiVirus. It is a very good antivirus program, but the downside is that it uses a lot of memory and causes system slowness.

See here: What Really Slows Windows Down http://www.thepcspy.com/articles/other/wha..._windows_down/5


How did you manage to get so infected?
Were you surfing without an antivirus program?
Is this a company computer?
This is the most malware I have seen in a long time. :thumbsup:



You have some suspicious files we need to check.

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.


Go to next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\wndynak.exe


Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Perform the same for next files:

C:\sysmwzk.exe
C:\ie_updater.exe
C:\sysiweq.exe
C:\hltg.exe
C:\Program Files\hlpsrv.exe
C:\WINNT\system32\RabioSetup.exe
C:\WINNT\aid4xwin.exe



Once scanned, copy and paste the results also in your next reply.

NOTE: I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to reply.
You can copy/paste the results of scan results here.

Edited by SifuMike, 04 October 2007 - 02:01 PM.

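The VirusTotal results the expert asks for arrive as a plain-text table, one row per engine with "-" meaning no detection, and with thirty-odd engines per file it helps to reduce each report to a detection count plus a split between named-family hits and heuristic or generic ones. The Python below is an added example, not part of this thread and not VirusTotal tooling. It assumes the 2007-era text layout shown in this thread (a "File X received on" header, an "Antivirus Version Last Update Result" table whose rows are engine, version, YYYY.MM.DD date and result, then an "Additional information" block with size, hashes and packers); the keyword list that separates heuristic from named results is my own choice. The sample report is a constructed subset of the wndynak.exe rows posted in this thread.

```python
"""Summarise a VirusTotal text report of the kind posted in this thread.

Added example, not part of the thread and not VirusTotal's own tooling.
Assumes the plain-text layout shown in the thread: rows of the form
"<engine> <version> <YYYY.MM.DD> <result>", with "-" meaning clean.
"""
import re
from collections import Counter

# Constructed sample: a subset of the wndynak.exe rows quoted in this thread.
SAMPLE_REPORT = """\
File wndynak.exe received on 10.05.2007 01:23:31 (CET)
Antivirus Version Last Update Result
Avast 4.7.1051.0 2007.10.04 Win32:Fakealert
AVG 7.5.0.488 2007.10.04 -
Kaspersky 7.0.0.125 2007.10.05 not-virus:Hoax.Win32.Renos.jl
Microsoft 1.2803 2007.10.04 -
NOD32v2 2572 2007.10.04 probably unknown NewHeur_PE virus
Sophos 4.22.0 2007.10.04 Mal/Behav-112
Symantec 10 2007.10.04 -

Additional information
File size: 85504 bytes
MD5: c2703cdc3752df90ebf0d4af07572955
SHA1: b10307406286686a5b2331b49e94d32b3b8d0390
packers: UPX
"""

HEADER_RE = re.compile(r"^File (\S+) received on (.+)$")
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.*)$")
# My own list: result names containing these read as generic/heuristic
# rather than a specific family (assumption, not a VirusTotal convention).
HEURISTIC_WORDS = ("suspicious", "suspected", "probably", "heur", "generic", ".gen", "/gen")


def parse_report(text):
    """Parse one text report into a dict: file, received, size, md5, sha1, packers, rows."""
    report = {"file": None, "received": None, "size": None, "md5": None,
              "sha1": None, "packers": set(), "rows": []}
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            report["file"], report["received"] = m.group(1), m.group(2)
            continue
        m = re.match(r"^File size: (\d+) bytes$", line)
        if m:
            report["size"] = int(m.group(1))
            continue
        m = re.match(r"^MD5: ([0-9a-fA-F]{32})$", line)
        if m:
            report["md5"] = m.group(1).lower()
            continue
        m = re.match(r"^SHA1: ([0-9a-fA-F]{40})$", line)
        if m:
            report["sha1"] = m.group(1).lower()
            continue
        m = re.match(r"^packers: (.+)$", line)
        if m:
            report["packers"].update(p.strip() for p in m.group(1).split(","))
            continue
        m = ROW_RE.match(line)
        if m:
            engine, version, updated, result = m.groups()
            report["rows"].append({"engine": engine, "version": version,
                                   "updated": updated, "result": result.strip() or "-"})
    return report


def classify(result):
    """'clean' for '-', 'heuristic' for generic/behavioural names, else 'named'."""
    if result == "-":
        return "clean"
    low = result.lower()
    return "heuristic" if any(w in low for w in HEURISTIC_WORDS) else "named"


def summarise(report):
    """Detection ratio, named/heuristic split and the list of hits for one report."""
    kinds = Counter(classify(r["result"]) for r in report["rows"])
    total = len(report["rows"])
    return {
        "file": report["file"],
        "md5": report["md5"],
        "detections": total - kinds["clean"],
        "engines": total,
        "named": kinds["named"],
        "heuristic": kinds["heuristic"],
        "hits": [(r["engine"], r["result"]) for r in report["rows"] if r["result"] != "-"],
    }


if __name__ == "__main__":
    s = summarise(parse_report(SAMPLE_REPORT))
    print(f"{s['file']} ({s['md5']}): {s['detections']}/{s['engines']} engines, "
          f"{s['named']} named, {s['heuristic']} heuristic")
    for engine, result in s["hits"]:
        print(f"  {engine:16} {result}")
```

Keeping the MD5 and SHA1 from the "Additional information" block lets you recognise the same sample across reports (the user's sysmwzk.exe and ie_updater.exe, for instance, share a size and hash) without re-uploading it, and the named/heuristic split is what makes a 4-of-32 result with a specific family name read differently from four purely generic hits.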

#7 deroock

deroock
  • Topic Starter

  • Members
  • 44 posts
  • Local time:08:14 PM

Posted 04 October 2007 - 08:24 PM

The most malware in a long time? That's depressing. Not sure how it got so out of control. I did have AVG running the whole time. It seemed to start as one downloader and then snowballed after that. BTW, I had forgotten Norton (2002) was still on this computer.... I just uninstalled it. Here is the evaluation of all the files:

File wndynak.exe received on 10.05.2007 01:23:31 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.10.5.0 2007.10.04 -
AntiVir 7.6.0.20 2007.10.04 -
Authentium 4.93.8 2007.10.04 -
Avast 4.7.1051.0 2007.10.04 Win32:Fakealert
AVG 7.5.0.488 2007.10.04 -
BitDefender 7.2 2007.10.05 -
CAT-QuickHeal 9.00 2007.10.03 -
ClamAV 0.91.2 2007.10.04 -
DrWeb 4.44.0.09170 2007.10.04 -
eSafe 7.0.15.0 2007.10.04 suspicious Trojan/Worm
eTrust-Vet 31.2.5187 2007.10.04 -
Ewido 4.0 2007.10.04 -
FileAdvisor 1 2007.10.05 -
Fortinet 3.11.0.0 2007.10.04 -
F-Prot 4.3.2.48 2007.10.04 -
F-Secure 6.70.13030.0 2007.10.05 -
Ikarus T3.1.1.12 2007.10.04 -
Kaspersky 7.0.0.125 2007.10.05 not-virus:Hoax.Win32.Renos.jl
McAfee 5134 2007.10.04 -
Microsoft 1.2803 2007.10.04 -
NOD32v2 2572 2007.10.04 probably unknown NewHeur_PE virus
Norman 5.80.02 2007.10.04 -
Panda 9.0.0.4 2007.10.05 -
Prevx1 V2 2007.10.05 Heuristic: Suspicious File With Persistence
Rising 19.43.30.00 2007.10.04 -
Sophos 4.22.0 2007.10.04 Mal/Behav-112
Sunbelt 2.2.907.0 2007.10.04 -
Symantec 10 2007.10.04 -
TheHacker 6.2.6.076 2007.10.03 -
VBA32 3.12.2.4 2007.10.03 suspected of Embedded.Trojan.Fakealert.256
VirusBuster 4.3.26:9 2007.10.04 -
Webwasher-Gateway 6.0.1 2007.10.04 Win32.ModifiedUPX.gen!90 (suspicious)

Additional information
File size: 85504 bytes
MD5: c2703cdc3752df90ebf0d4af07572955
SHA1: b10307406286686a5b2331b49e94d32b3b8d0390
packers: UPX
packers: UPX
packers: PE_Patch.UPX, UPX
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5...D1414000AFF1473


File sysmwzk.exe received on 10.05.2007 01:32:05 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.10.5.0 2007.10.04 Win-Trojan/Polycrypt.6817
AntiVir 7.6.0.20 2007.10.04 TR/PCK.PolyCrypt.C.53
Authentium 4.93.8 2007.10.04 -
Avast 4.7.1051.0 2007.10.04 -
AVG 7.5.0.488 2007.10.04 Generic8.CIN
BitDefender 7.2 2007.10.05 Trojan.PWS.LDPinch.TAW
CAT-QuickHeal 9.00 2007.10.03 Trojan.PolyCrypt.c
ClamAV 0.91.2 2007.10.04 PUA.Packed.UPack-2
DrWeb 4.44.0.09170 2007.10.04 Trojan.Packed.166
eSafe 7.0.15.0 2007.10.04 Win32.PolyCrypt.c
eTrust-Vet 31.2.5187 2007.10.04 -
Ewido 4.0 2007.10.04 -
FileAdvisor 1 2007.10.05 -
Fortinet 3.11.0.0 2007.10.04 -
F-Prot 4.3.2.48 2007.10.04 -
F-Secure 6.70.13030.0 2007.10.05 Packed.Win32.PolyCrypt.c
Ikarus T3.1.1.12 2007.10.05 Trojan-Downloader.Win32.Zlob.and
Kaspersky 7.0.0.125 2007.10.05 Packed.Win32.PolyCrypt.c
McAfee 5134 2007.10.04 -
Microsoft 1.2803 2007.10.04 VirTool:Win32/Obfuscator.P
NOD32v2 2572 2007.10.04 -
Norman 5.80.02 2007.10.04 W32/Suspicious_U.gen
Panda 9.0.0.4 2007.10.05 Adware/Lop
Prevx1 V2 2007.10.05 Malware.Gen
Rising 19.43.30.00 2007.10.04 Packer.RyCrypt
Sophos 4.22.0 2007.10.04 Mal/EncPk-AW
Sunbelt 2.2.907.0 2007.10.04 Trojan-PWS.LDPinch.TAW
Symantec 10 2007.10.04 -
TheHacker 6.2.6.076 2007.10.03 Trojan/PolyCrypt.c
VBA32 3.12.2.4 2007.10.03 -
VirusBuster 4.3.26:9 2007.10.04 Packed/Upack
Webwasher-Gateway 6.0.1 2007.10.04 Trojan.PCK.PolyCrypt.C.53

Additional information
File size: 6817 bytes
MD5: a2a280e5da227a62341bc1b10aa4aaa5
SHA1: 1cf0c500f73723bc30ffdc398aa3f8afc21bb933
packers: UPack
packers: PE_Patch, UPack
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5...D972C00C3BD53FA


File ie_updater.exe received on 10.05.2007 01:39:20 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.10.5.0 2007.10.04 Win-Trojan/Polycrypt.6817
AntiVir 7.6.0.20 2007.10.04 TR/PCK.PolyCrypt.C.53
Authentium 4.93.8 2007.10.04 -
Avast 4.7.1051.0 2007.10.04 -
AVG 7.5.0.488 2007.10.04 Generic8.CIN
BitDefender 7.2 2007.10.05 Trojan.PWS.LDPinch.TAW
CAT-QuickHeal 9.00 2007.10.03 Trojan.PolyCrypt.c
ClamAV 0.91.2 2007.10.04 PUA.Packed.UPack-2
DrWeb 4.44.0.09170 2007.10.04 Trojan.Packed.166
eSafe 7.0.15.0 2007.10.04 Win32.PolyCrypt.c
eTrust-Vet 31.2.5187 2007.10.04 -
Ewido 4.0 2007.10.04 -
FileAdvisor 1 2007.10.05 -
Fortinet 3.11.0.0 2007.10.04 -
F-Prot 4.3.2.48 2007.10.04 -
F-Secure 6.70.13030.0 2007.10.05 Packed.Win32.PolyCrypt.c
Ikarus T3.1.1.12 2007.10.05 Trojan-Downloader.Win32.Zlob.and
Kaspersky 7.0.0.125 2007.10.05 Packed.Win32.PolyCrypt.c
McAfee 5134 2007.10.04 -
Microsoft 1.2803 2007.10.04 VirTool:Win32/Obfuscator.P
NOD32v2 2572 2007.10.04 -
Norman 5.80.02 2007.10.04 W32/Suspicious_U.gen
Panda 9.0.0.4 2007.10.05 Adware/Lop
Rising 19.43.30.00 2007.10.04 Packer.RyCrypt
Sophos 4.22.0 2007.10.04 Mal/EncPk-AW
Sunbelt 2.2.907.0 2007.10.04 Trojan-PWS.LDPinch.TAW
Symantec 10 2007.10.04 -
TheHacker 6.2.6.076 2007.10.03 Trojan/PolyCrypt.c
VBA32 3.12.2.4 2007.10.03 -
VirusBuster 4.3.26:9 2007.10.04 Packed/Upack
Webwasher-Gateway 6.0.1 2007.10.04 Trojan.PCK.PolyCrypt.C.53

Additional information
File size: 6817 bytes
MD5: a2a280e5da227a62341bc1b10aa4aaa5
SHA1: 1cf0c500f73723bc30ffdc398aa3f8afc21bb933
packers: UPack
packers: PE_Patch, UPack


File sysiweq.exe received on 10.05.2007 01:56:07 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.10.5.0 2007.10.04 -
AntiVir 7.6.0.20 2007.10.04 -
Authentium 4.93.8 2007.10.04 -
Avast 4.7.1051.0 2007.10.04 -
AVG 7.5.0.488 2007.10.04 -
BitDefender 7.2 2007.10.05 -
CAT-QuickHeal 9.00 2007.10.03 -
ClamAV 0.91.2 2007.10.04 -
DrWeb 4.44.0.09170 2007.10.04 Trojan.DownLoader.24715
eSafe 7.0.15.0 2007.10.04 -
eTrust-Vet 31.2.5187 2007.10.04 -
Ewido 4.0 2007.10.04 -
FileAdvisor 1 2007.10.05 -
Fortinet 3.11.0.0 2007.10.04 -
F-Prot 4.3.2.48 2007.10.04 -
F-Secure 6.70.13030.0 2007.10.05 Trojan-Downloader.Win32.VB.bkw
Ikarus T3.1.1.12 2007.10.05 Trojan-Downloader.Win32.VB.awj
Kaspersky 7.0.0.125 2007.10.05 Trojan-Downloader.Win32.VB.bkw
McAfee 5134 2007.10.04 -
Microsoft 1.2803 2007.10.04 TrojanDownloader:Win32/VB.AAF
NOD32v2 2572 2007.10.04 Win32/TrojanDownloader.VB.AWJ
Norman 5.80.02 2007.10.04 -
Panda 9.0.0.4 2007.10.05 -
Prevx1 V2 2007.10.05 -
Rising 19.43.30.00 2007.10.04 -
Sophos 4.22.0 2007.10.04 -
Sunbelt 2.2.907.0 2007.10.02 Trojan-Downloader.Gen
Symantec 10 2007.10.04 -
TheHacker 6.2.6.076 2007.10.03 -
VBA32 3.12.2.4 2007.10.03 -
VirusBuster 4.3.26:9 2007.10.04 -
Webwasher-Gateway 6.0.1 2007.10.04 -

Additional information
File size: 111709 bytes
MD5: 3a8a1644d0bfa13b66f53df6bb5a749b
SHA1: 202a27cc628084d89ae607d4c803376efadd1307
Sunbelt info: Trojan-Downloader.Gen is a group of Trojan Downloaders which install download and install multiple unwanted applications of adware and malware from remote servers.


File hltg.exe received on 10.05.2007 02:02:49 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.10.5.0 2007.10.04 -
AntiVir 7.6.0.20 2007.10.04 TR/Dldr.Tiny.3028.B
Authentium 4.93.8 2007.10.04 W32/Nurech.gen3
Avast 4.7.1051.0 2007.10.04 -
AVG 7.5.0.488 2007.10.04 -
BitDefender 7.2 2007.10.05 -
CAT-QuickHeal 9.00 2007.10.03 -
ClamAV 0.91.2 2007.10.04 -
DrWeb 4.44.0.09170 2007.10.04 Trojan.DownLoader.31899
eSafe 7.0.15.0 2007.10.04 -
eTrust-Vet 31.2.5187 2007.10.04 -
Ewido 4.0 2007.10.04 -
FileAdvisor 1 2007.10.05 -
Fortinet 3.11.0.0 2007.10.04 PossibleThreat
F-Prot 4.3.2.48 2007.10.04 W32/Nurech.gen3
F-Secure 6.70.13030.0 2007.10.05 -
Ikarus T3.1.1.12 2007.10.05 -
Kaspersky 7.0.0.125 2007.10.05 Heur.Downloader
McAfee 5134 2007.10.04 -
Microsoft 1.2803 2007.10.04 TrojanDownloader:Win32/Nurech.R
NOD32v2 2572 2007.10.04 a variant of Win32/TrojanDownloader.Nurech.NBU
Norman 5.80.02 2007.10.04 -
Panda 9.0.0.4 2007.10.05 Suspicious file
Prevx1 V2 2007.10.05 Heuristic: Suspicious File With Bad Child Associations
Rising 19.43.30.00 2007.10.04 -
Sophos 4.22.0 2007.10.04 -
Sunbelt 2.2.907.0 2007.10.04 -
Symantec 10 2007.10.04 Downloader
TheHacker 6.2.6.076 2007.10.03 -
VBA32 3.12.2.4 2007.10.03 Trojan.DownLoader.31899
VirusBuster 4.3.26:9 2007.10.04 -
Webwasher-Gateway 6.0.1 2007.10.04 Trojan.Dldr.Tiny.3028.B

Additional information
File size: 7168 bytes
MD5: d65dbdced6131b24ea2dbc9dcd095e88
SHA1: 2ea4c12e216db36cd11503539bb5819fc23e2ada
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5...FDC5B00CC39458A


File hlpsrv.exe received on 10.05.2007 02:14:37 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.10.5.0 2007.10.04 -
AntiVir 7.6.0.20 2007.10.04 TR/Dldr.Nonaco.A.1
Authentium 4.93.8 2007.10.04 -
Avast 4.7.1051.0 2007.10.04 Win32:Small-FHL
AVG 7.5.0.488 2007.10.04 Downloader.Generic6.KRG
BitDefender 7.2 2007.10.05 -
CAT-QuickHeal 9.00 2007.10.03 TrojanDownloader.Alphabet.gen
ClamAV 0.91.2 2007.10.04 -
DrWeb 4.44.0.09170 2007.10.04 -
eSafe 7.0.15.0 2007.10.04 Win32.Alphabet.gen
eTrust-Vet 31.2.5187 2007.10.04 Win32/VMalum.ZOX
Ewido 4.0 2007.10.04 -
FileAdvisor 1 2007.10.05 -
Fortinet 3.11.0.0 2007.10.04 Adware/Nonaco
F-Prot 4.3.2.48 2007.10.04 -
F-Secure 6.70.13030.0 2007.10.05 Trojan-Downloader.Win32.Alphabet.gen
Ikarus T3.1.1.12 2007.10.05 Trojan-Downloader.Win32.Alphabet
Kaspersky 7.0.0.125 2007.10.05 Trojan-Downloader.Win32.Alphabet.gen
McAfee 5134 2007.10.04 -
Microsoft 1.2803 2007.10.04 -
NOD32v2 2572 2007.10.04 -
Norman 5.80.02 2007.10.04 W32/DLoader.DQKS
Panda 9.0.0.4 2007.10.05 Adware/DriveCleaner
Prevx1 V2 2007.10.05 Malware.Gen
Rising 19.43.30.00 2007.10.04 -
Sophos 4.22.0 2007.10.05 Troj/Nonaco-Gen
Sunbelt 2.2.907.0 2007.10.02 VIPRE.Suspicious
Symantec 10 2007.10.04 Backdoor.Trojan
TheHacker 6.2.6.076 2007.10.03 Trojan/Downloader.Alphabet.gen
VBA32 3.12.2.4 2007.10.03 Trojan-Downloader.Win32.Alphabet.gen
VirusBuster 4.3.26:9 2007.10.04 -
Webwasher-Gateway 6.0.1 2007.10.04 Trojan.Dldr.Nonaco.A.1

Additional information
File size: 9728 bytes
MD5: 384644a7f28ba71d1a5c1ba5edbe3ab0
SHA1: 3004e180a96daa6b9b78e4f506a6b1a071857273
packers: PECompact
packers: embedded, PecBundle, PECompact
packers: PE_Patch.PECompact, PecBundle, PECompact
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5...B865A00E80AA5A3
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.


File RabioSetup.exe received on 10.05.2007 02:18:10 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.10.5.0 2007.10.04 -
AntiVir 7.6.0.20 2007.10.04 -
Authentium 4.93.8 2007.10.04 -
Avast 4.7.1051.0 2007.10.04 -
AVG 7.5.0.488 2007.10.04 Adware Generic2.TAD
BitDefender 7.2 2007.10.05 -
CAT-QuickHeal 9.00 2007.10.03 AdWare.Rabio.a (Not a Virus)
ClamAV 0.91.2 2007.10.04 -
DrWeb 4.44.0.09170 2007.10.04 -
eSafe 7.0.15.0 2007.10.04 -
eTrust-Vet 31.2.5187 2007.10.04 -
Ewido 4.0 2007.10.04 -
FileAdvisor 1 2007.10.05 -
Fortinet 3.11.0.0 2007.10.04 Adware/Rabio
F-Prot 4.3.2.48 2007.10.04 -
F-Secure 6.70.13030.0 2007.10.05 -
Ikarus T3.1.1.12 2007.10.05 -
Kaspersky 7.0.0.125 2007.10.05 not-a-virus:AdWare.Win32.Rabio.a
McAfee 5134 2007.10.04 -
Microsoft 1.2803 2007.10.04 -
NOD32v2 2572 2007.10.04 -
Norman 5.80.02 2007.10.04 -
Panda 9.0.0.4 2007.10.05 -
Prevx1 V2 2007.10.05 -
Rising 19.43.30.00 2007.10.04 -
Sophos 4.22.0 2007.10.05 -
Sunbelt 2.2.907.0 2007.10.04 Rabio
Symantec 10 2007.10.04 -
TheHacker 6.2.6.076 2007.10.03 -
VBA32 3.12.2.4 2007.10.03 -
VirusBuster 4.3.26:9 2007.10.04 -
Webwasher-Gateway 6.0.1 2007.10.04 -

Additional information
File size: 880968 bytes
MD5: 8f0d25d45dee5d84b6dce184e895b352
SHA1: 2aa7eae3c4928d82ab0bc51a60482f30541bfdaf


File aid4xwin.exe received on 10.05.2007 03:16:17 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.10.5.0 2007.10.04 -
AntiVir 7.6.0.20 2007.10.04 -
Authentium 4.93.8 2007.10.04 -
Avast 4.7.1051.0 2007.10.04 -
AVG 7.5.0.488 2007.10.04 -
BitDefender 7.2 2007.10.05 -
CAT-QuickHeal 9.00 2007.10.03 -
ClamAV 0.91.2 2007.10.04 -
DrWeb 4.44.0.09170 2007.10.04 -
eSafe 7.0.15.0 2007.10.04 -
eTrust-Vet 31.2.5187 2007.10.04 -
Ewido 4.0 2007.10.04 -
FileAdvisor 1 2007.10.05 -
Fortinet 3.11.0.0 2007.10.04 Download/Agent
F-Prot 4.3.2.48 2007.10.04 -
F-Secure 6.70.13030.0 2007.10.05 -
Ikarus T3.1.1.12 2007.10.05 -
Kaspersky 7.0.0.125 2007.10.05 not-a-virus:Downloader.Win32.Agent.q
McAfee 5134 2007.10.04 -
Microsoft 1.2803 2007.10.04 -
NOD32v2 2572 2007.10.04 -
Norman 5.80.02 2007.10.04 -
Panda 9.0.0.4 2007.10.05 -
Prevx1 V2 2007.10.05 Heuristic: Suspicious File With Bad Child Associations
Rising 19.43.30.00 2007.10.04 -
Sophos 4.22.0 2007.10.05 -
Sunbelt 2.2.907.0 2007.10.04 Hyperlinks Rotator
Symantec 10 2007.10.05 -
TheHacker 6.2.6.076 2007.10.03 -
VBA32 3.12.2.4 2007.10.03 AdWare.Win32.Agent.jl
VirusBuster 4.3.26:9 2007.10.04 -
Webwasher-Gateway 6.0.1 2007.10.04 -

Additional information
File size: 294088 bytes
MD5: 824ca78c4a4ea0911d677e43c2d74a7c
SHA1: 18da2ab9ec13cf43bbd474eba4693e2e1df96b64
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5...E2951005CDF16ED

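As an added example (not part of the thread), a small Python parser for the plain-text VirusTotal results pasted above: it reads each file's engine table, counts detections per file, and groups files by MD5, which makes visible that sysmwzk.exe and ie_updater.exe are the same sample saved under two names. The input below is a constructed excerpt in the same layout as the pasted reports (hashes taken from the thread, engine rows trimmed).

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt in the layout VirusTotal used in 2007:
# "File <name> received on ...", an engine table (vendor, version, update
# date, result or "-"), then an "Additional information" block.
SAMPLE = """\
File wndynak.exe received on 10.05.2007 01:23:31 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.10.5.0 2007.10.04 -
Avast 4.7.1051.0 2007.10.04 Win32:Fakealert
Kaspersky 7.0.0.125 2007.10.05 not-virus:Hoax.Win32.Renos.jl
Prevx1 V2 2007.10.05 Heuristic: Suspicious File With Persistence
Sophos 4.22.0 2007.10.04 Mal/Behav-112

Additional information
File size: 85504 bytes
MD5: c2703cdc3752df90ebf0d4af07572955
SHA1: b10307406286686a5b2331b49e94d32b3b8d0390
packers: UPX

File sysmwzk.exe received on 10.05.2007 01:32:05 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.10.5.0 2007.10.04 Win-Trojan/Polycrypt.6817
Avast 4.7.1051.0 2007.10.04 -
Kaspersky 7.0.0.125 2007.10.05 Packed.Win32.PolyCrypt.c

Additional information
File size: 6817 bytes
MD5: a2a280e5da227a62341bc1b10aa4aaa5

File ie_updater.exe received on 10.05.2007 01:39:20 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.10.5.0 2007.10.04 Win-Trojan/Polycrypt.6817
Avast 4.7.1051.0 2007.10.04 -
Kaspersky 7.0.0.125 2007.10.05 Packed.Win32.PolyCrypt.c

Additional information
File size: 6817 bytes
MD5: a2a280e5da227a62341bc1b10aa4aaa5
"""

FILE_RE = re.compile(r"^File (\S+) received on ")
# vendor and version never contain spaces; the update date is YYYY.MM.DD;
# everything after it is the result string (which may contain spaces).
ENGINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.*)$")
MD5_RE = re.compile(r"^MD5:\s*([0-9a-fA-F]{32})$")
SIZE_RE = re.compile(r"^File size:\s*(\d+) bytes$")


@dataclass
class Report:
    name: str
    size: Optional[int] = None
    md5: Optional[str] = None
    # engine -> result string; "-" means the engine reported nothing
    results: Dict[str, str] = field(default_factory=dict)

    @property
    def detections(self) -> Dict[str, str]:
        return {e: r for e, r in self.results.items() if r != "-"}


def parse_reports(text: str) -> List[Report]:
    """Split pasted VirusTotal text into one Report per submitted file."""
    reports: List[Report] = []
    cur: Optional[Report] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            cur = Report(name=m.group(1))
            reports.append(cur)
            continue
        if cur is None or not line:
            continue
        if (m := MD5_RE.match(line)):
            cur.md5 = m.group(1).lower()
        elif (m := SIZE_RE.match(line)):
            cur.size = int(m.group(1))
        elif (m := ENGINE_RE.match(line)):
            cur.results[m.group(1)] = m.group(4).strip()
    return reports


def summarize(reports: List[Report]) -> Dict[str, tuple]:
    """name -> (engines that flagged it, engines queried)."""
    return {r.name: (len(r.detections), len(r.results)) for r in reports}


def group_by_md5(reports: List[Report]) -> Dict[str, List[str]]:
    """Hashes seen under more than one file name: one dropper, several copies."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for r in reports:
        if r.md5:
            groups[r.md5].append(r.name)
    return {h: names for h, names in groups.items() if len(names) > 1}


def flag(reports: List[Report], min_detections: int = 3) -> List[str]:
    """Files that at least min_detections engines reported on."""
    return [r.name for r in reports if len(r.detections) >= min_detections]


if __name__ == "__main__":
    reps = parse_reports(SAMPLE)
    for name, (hits, total) in summarize(reps).items():
        print(f"{name}: {hits}/{total} engines")
    for h, names in group_by_md5(reps).items():
        print(f"same MD5 {h}: {', '.join(names)}")
    print("flagged:", flag(reps))
```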
#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:14 PM

Posted 04 October 2007 - 10:04 PM

Hello deroock,


Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\wndynak.exe
C:\sysmwzk.exe
C:\ie_updater.exe
C:\sysiweq.exe
C:\hltg.exe
C:\Program Files\hlpsrv.exe
C:\WINNT\system32\RabioSetup.exe
C:\WINNT\plite731_uninstaller_.bat
C:\WINNT\aid4xwin.exe

Folder:: 
C:\Program Files\Rabio



Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


[screenshot: dragging CFScript.txt onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 deroock

deroock
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  • Local time:08:14 PM

Posted 05 October 2007 - 02:11 AM

Thanks again, here are the files:

ComboFix 07-10-04.6 - Ian 10/04/2007 23:57:48.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.72 [GMT -8:00]
Running from: C:\Documents and Settings\Ian\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ian\Desktop\CFScript.txt

FILE::
C:\hltg.exe
C:\ie_updater.exe
C:\Program Files\hlpsrv.exe
C:\sysiweq.exe
C:\sysmwzk.exe
C:\WINNT\aid4xwin.exe
C:\WINNT\plite731_uninstaller_.bat
C:\WINNT\system32\RabioSetup.exe
C:\wndynak.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\hltg.exe
C:\ie_updater.exe
C:\Program Files\hlpsrv.exe
C:\Program Files\Rabio
C:\Program Files\Rabio\ExecutionDll.dll
C:\Program Files\Rabio\Rabio.dll.intermediate.manifest
C:\Program Files\Rabio\resellerid.txt
C:\Program Files\Rabio\se.info
C:\Program Files\Rabio\se.original
C:\Program Files\Rabio\Setup.log
C:\Program Files\Rabio\un_RabioSetup_16702.exe
C:\Program Files\Rabio\un_RabioSetup_16702.txt
C:\Program Files\Rabio\X_se.exe
C:\Program Files\Rabio\X_se.log
C:\sysiweq.exe
C:\sysmwzk.exe
C:\WINNT\aid4xwin.exe
C:\WINNT\plite731_uninstaller_.bat
C:\WINNT\system32\RabioSetup.exe
C:\wndynak.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-05 to 2007-10-05 )))))))))))))))))))))))))))))))
.

2007-10-03 07:19 74 --ah----- C:\aaw7boot.cmd
2007-10-02 22:43 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-02 22:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-02 22:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-26 23:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-09-26 23:36 706,500 --a------ C:\Temp\regit.exe
2007-09-26 23:36 17,408 --a------ C:\psapi.dll
2007-09-26 23:35 <DIR> d-------- C:\WINNT\system32\vMW06a
2007-09-26 23:35 <DIR> d-------- C:\Temp\xOe
2007-09-26 23:19 <DIR> d-------- C:\Documents and Settings\Ian\Application Data\Lavasoft
2007-09-26 08:04 <DIR> d-------- C:\Program Files\Temporary
2007-09-26 08:00 <DIR> d--hs---- C:\WINNT\SWFu
2007-09-26 08:00 <DIR> d-------- C:\WINNT\system32\GB9
2007-09-26 08:00 <DIR> d-------- C:\WINNT\system32\DL1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
99-12-11 00:00 32528 --a------ C:\WINNT\inf\wbfirdma.sys
99-07-01 23:36 162816 --a------ C:\WINNT\Fonts\wget.exe
07-10-05 00:01 --------- d-a------ C:\Program Files\Common Files\Symantec Shared
07-10-04 16:05 --------- d-------- C:\Documents and Settings\All Users\Application Data\Symantec
07-10-03 21:38 --------- d-------- C:\Program Files\iTunes
07-08-07 13:57 8064 --a------ C:\WINNT\system32\drivers\AWRTRD.sys
07-08-07 13:56 9344 --a------ C:\WINNT\system32\drivers\NSDriver.sys
07-08-05 15:03 --------- d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
07-07-30 19:19 92504 --a------ C:\WINNT\system32\cdm.dll
07-07-30 19:19 549720 --a------ C:\WINNT\system32\wuapi.dll
07-07-30 19:19 53080 --a------ C:\WINNT\system32\wuauclt.exe
07-07-30 19:19 43352 --a------ C:\WINNT\system32\wups2.dll
07-07-30 19:19 325976 --a------ C:\WINNT\system32\wucltui.dll
07-07-30 19:19 203096 --a------ C:\WINNT\system32\wuweb.dll
07-07-30 19:19 1712984 --a------ C:\WINNT\system32\wuaueng.dll
07-07-30 19:18 33624 --a------ C:\WINNT\system32\wups.dll
07-07-27 16:51 54524754 --a------ C:\registrybackup.reg
02-07-24 19:36 271 --ah----- C:\Program Files\desktop.ini
02-07-24 19:36 21952 --ah----- C:\Program Files\folder.htt
02-06-10 04:41 106496 --a------ C:\WINNT\Fonts\moo.dll
1989-12-12 18:10:10 436,352 --sh--r C:\WINNT\tkvrbuvA.exe
2003-01-22 15:27:55 2 --shatr C:\WINNT\winstart.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EnsoniqMixer"="C:\WINNT\SYSTEM32\starter.exe" [01-10-03 19:22 ]
"LWBMOUSE"="C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe" [01-03-25 20:35 ]
"Synchronization Manager"="mobsync.exe" [03-06-19 11:05 C:\WINNT\system32\mobsync.exe]
"TangoManager"="C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TANGOM~1.EXE" [03-08-05 13:49 ]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [01-07-09 11:50 ]
"LogitechVideo[inspector]"="C:\Program Files\Logitech\Video\InstallHelper.exe" []
"LogitechCommunicationsManager"="C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [06-06-26 08:46 ]
"LVCOMSX"="C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe" [06-06-26 09:33 ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06-10-30 09:36 ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [07-07-01 00:20 ]
"SmartDefrag"="C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [07-04-28 21:54 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06-10-25 18:58 ]
"CountrySelection"="pctptt.exe" [00-01-04 23:41 C:\WINNT\system32\pctptt.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [06-08-09 14:41 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 00:19:50]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 00:19:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Synchronization Manager"=mobsync.exe /logon
"CountrySelection"=pctptt.exe
"LoadQM"=loadqm.exe
"Adaptec DirectCD"=C:\PROGRA~1\HPCD-W~1\DirectCD\directcd.exe
"HP CD-Writer"=C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);C:\WINNT\system32\DRIVERS\SONYPVM1.SYS
R1 Cdudf;Cdudf;C:\WINNT\system32\drivers\Cdudf.sys
R1 hpcd2k;hpcd2k;C:\WINNT\system32\drivers\hpcd2k.sys
R1 pwd_2K;pwd_2K;C:\WINNT\system32\drivers\pwd_2K.sys
R1 UdfReadr;UdfReadr;C:\WINNT\system32\drivers\UdfReadr.sys
R1 weeCamke;weeCamke;C:\WINNT\system32\DRIVERS\WEECAMKE.SYS
R3 FastNIC;PCI 10/100 Fast Ethernet Adapter;C:\WINNT\system32\DRIVERS\FastNIC.sys
R3 mmc_2K;mmc_2K;C:\WINNT\system32\drivers\mmc_2K.sys
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys
R3 TAPBIND;TAPBIND;\??\C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TAPBIND1.SYS
S2 Pctspk;W2K PCtel speaker phone;C:\WINNT\System32\pctspk.exe
S3 ENDETECT;ENDETECT;\??\C:\PROGRA~1\FRONTI~1\FRONTI~1\app\ENDETECT.SYS
S3 gsplittm;gsplittm;\??\C:\DOCUME~1\Ian\LOCALS~1\Temp\gsplittm.sys
S3 L2XPSR;L2XPSR;\??\C:\PROGRA~1\FRONTI~1\FRONTI~1\app\L2XPSR.SYS
S3 LOGNT;LOGNT;\??\C:\PROGRA~1\FRONTI~1\FRONTI~1\app\lognt.sys
S3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINNT\system32\drivers\LVPrcMon.sys
S3 NdUsbMsn;ARESCOM USB Network Adapter;C:\WINNT\system32\DRIVERS\NdUsbMsn.sys
S3 NTSTPL1;NTSTPL1;\??\C:\PROGRA~1\FRONTI~1\FRONTI~1\app\NTSTPL1.SYS
S3 NTSTPL2;NTSTPL2;\??\C:\PROGRA~1\FRONTI~1\FRONTI~1\app\NTSTPL2.SYS

.
Contents of the 'Scheduled Tasks' folder
"2007-10-04 14:39:09 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
"2007-10-05 08:02:34 C:\WINNT\Tasks\Symantec NetDetect.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-05 00:02:32
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-05 0:04:32 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-10-05 00:04
C:\ComboFix2.txt ... 07-10-04 10:58
C:\ComboFix3.txt ... 07-07-31 10:19
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:06:22 AM, on 10/5/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\starter.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TangoManager.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.lib.ucdavis.edu/proxy/pacserve
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.netscape.com"); (C:\Documents and Settings\IAN\Application Data\Mozilla\Profiles\default\kninjy3u.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\IAN\Application Data\Mozilla\Profiles\default\kninjy3u.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\SYSTEM32\starter.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TangoManager] C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TANGOM~1.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot7_x.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/oas/ActiveX/MSDcode.cab
O16 - DPF: {0C3F7D74-ADA5-4976-8908-A8189590DAFA} (3DGreetings.com Player 2.0) - http://expressit.broderbund.com/Plugin/3DGreetings/vroom.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/packages/GSManager.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://hsmail2.ucdmc.ucdavis.edu/iNotes6W.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {47F59200-8783-11D2-8343-00A0C945A819} (RFXInstMgr Class) - http://greetingcenter.richfx.com/download/twophase.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1186201066015
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_0.ocx
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.biz/fvlite/fvliteY.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (WebEyeControl) - http://www.rockefellercenter.com/viewer/wg_webeye.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://luckynugget.microgaming.com/luckynugget/FlashAX.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://hsmail2.ucdmc.ucdavis.edu/dwa7W.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - Unknown owner - C:\WINNT\System32\pctspk.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe

--
End of file - 11307 bytes

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:14 PM

Posted 05 October 2007 - 12:48 PM

Hi deroock,

One more file to check. :thumbsup:

Go to the next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'.
Click the browse button and browse to the next file:

C:\WINNT\tkvrbuvA.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.
Once scanned, copy and paste the results also in your next reply.

NOTE: I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to reply.
You can copy/paste the results of scan results here.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 deroock (Topic Starter)

  • Members
  • 44 posts

Posted 06 October 2007 - 03:35 PM

Hi. This file looks like more badness.....
Thanks again for your help.

File tkvrbuvA.exe received on 10.06.2007 22:32:09 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.10.6.0 2007.10.05 Win-Trojan/Xema.variant
AntiVir 7.6.0.20 2007.10.05 TR/Dropper.Gen
Authentium 4.93.8 2007.10.05 -
Avast 4.7.1051.0 2007.10.06 Win32:VB-ESA
AVG 7.5.0.488 2007.10.06 Downloader.Generic5.DMS
BitDefender 7.2 2007.10.06 Adware.WebBuying.D
CAT-QuickHeal 9.00 2007.10.06 (Suspicious) - DNAScan
ClamAV 0.91.2 2007.10.06 -
DrWeb 4.44.0.09170 2007.10.06 -
eSafe 7.0.15.0 2007.10.04 suspicious Trojan/Worm
eTrust-Vet 31.2.5190 2007.10.06 Win32/SillyDl.DAS
Ewido 4.0 2007.10.06 -
FileAdvisor 1 2007.10.06 -
Fortinet 3.11.0.0 2007.10.06 -
F-Prot 4.3.2.48 2007.10.05 -
F-Secure 6.70.13030.0 2007.10.06 Trojan-Downloader.Win32.VB.ang
Ikarus T3.1.1.12 2007.10.06 Trojan-Downloader.Win32.VB.ang
Kaspersky 7.0.0.125 2007.10.06 Trojan-Downloader.Win32.VB.ang
McAfee 5135 2007.10.05 Generic Downloader.s
Microsoft 1.2908 2007.10.06 -
NOD32v2 2575 2007.10.06 probably a variant of Win32/TrojanDownloader.VB
Norman 5.80.02 2007.10.05 -
Panda 9.0.0.4 2007.10.06 Suspicious file
Prevx1 V2 2007.10.06 Trojan.SysMon
Rising 19.43.50.00 2007.10.06 -
Sophos 4.22.0 2007.10.06 -
Sunbelt 2.2.907.0 2007.10.06 VIPRE.Suspicious
Symantec 10 2007.10.06 -
TheHacker 6.2.6.078 2007.10.06 Trojan/Downloader.VB.ang
VBA32 3.12.2.4 2007.10.05 Trojan-Downloader.Win32.VB.ang
VirusBuster 4.3.26:9 2007.10.06 Trojan.DL.VB.GDE
Webwasher-Gateway 6.0.1 2007.10.05 Trojan.Dropper.Gen

Additional information
File size: 436352 bytes
MD5: 1ed5b94ac5800a0412c719462c4e2d7b
SHA1: b4bbe02947eddb571628cc952019fdd3d1bcfef7
packers: TeLock
packers: PE_Patch, TeLock
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5...44FF5006D1EF541
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
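
What to make of a report like the one above, as an added example that is not part of the thread: a short Python script that parses the engine/version/date/result lines exactly as pasted, counts how many of the 32 engines flagged the file and which label they agree on, and checks a local file's MD5/SHA-1 against the digests printed on the report page before uploading, so you know the file on disk is the one VirusTotal scored. The report lines and digests are copied from the post above; everything else (the VT_REPORT, parse_report, summarize, file_hashes and matches_report names, and the stand-in bytes hashed at the end) is mine, and the text layout is simply what the page pasted, not a documented VirusTotal format.

```python
"""Added example, not part of the thread: score a pasted VirusTotal text report
and check a local file's digests against those on the report page before you
upload it. Report lines are copied from the post above (C:\\WINNT\\tkvrbuvA.exe);
the bytes hashed at the bottom are a constructed stand-in for that file."""
import hashlib
from collections import Counter

# One engine per line: name, signature version, last update, result.
# A bare '-' in the result column means the engine reported nothing.
VT_REPORT = """\
AhnLab-V3 2007.10.6.0 2007.10.05 Win-Trojan/Xema.variant
AntiVir 7.6.0.20 2007.10.05 TR/Dropper.Gen
Authentium 4.93.8 2007.10.05 -
Avast 4.7.1051.0 2007.10.06 Win32:VB-ESA
AVG 7.5.0.488 2007.10.06 Downloader.Generic5.DMS
BitDefender 7.2 2007.10.06 Adware.WebBuying.D
CAT-QuickHeal 9.00 2007.10.06 (Suspicious) - DNAScan
ClamAV 0.91.2 2007.10.06 -
DrWeb 4.44.0.09170 2007.10.06 -
eSafe 7.0.15.0 2007.10.04 suspicious Trojan/Worm
eTrust-Vet 31.2.5190 2007.10.06 Win32/SillyDl.DAS
Ewido 4.0 2007.10.06 -
FileAdvisor 1 2007.10.06 -
Fortinet 3.11.0.0 2007.10.06 -
F-Prot 4.3.2.48 2007.10.05 -
F-Secure 6.70.13030.0 2007.10.06 Trojan-Downloader.Win32.VB.ang
Ikarus T3.1.1.12 2007.10.06 Trojan-Downloader.Win32.VB.ang
Kaspersky 7.0.0.125 2007.10.06 Trojan-Downloader.Win32.VB.ang
McAfee 5135 2007.10.05 Generic Downloader.s
Microsoft 1.2908 2007.10.06 -
NOD32v2 2575 2007.10.06 probably a variant of Win32/TrojanDownloader.VB
Norman 5.80.02 2007.10.05 -
Panda 9.0.0.4 2007.10.06 Suspicious file
Prevx1 V2 2007.10.06 Trojan.SysMon
Rising 19.43.50.00 2007.10.06 -
Sophos 4.22.0 2007.10.06 -
Sunbelt 2.2.907.0 2007.10.06 VIPRE.Suspicious
Symantec 10 2007.10.06 -
TheHacker 6.2.6.078 2007.10.06 Trojan/Downloader.VB.ang
VBA32 3.12.2.4 2007.10.05 Trojan-Downloader.Win32.VB.ang
VirusBuster 4.3.26:9 2007.10.06 Trojan.DL.VB.GDE
Webwasher-Gateway 6.0.1 2007.10.05 Trojan.Dropper.Gen
"""

# Digests printed on the report page for tkvrbuvA.exe.
REPORT_MD5 = "1ed5b94ac5800a0412c719462c4e2d7b"
REPORT_SHA1 = "b4bbe02947eddb571628cc952019fdd3d1bcfef7"


def parse_report(text):
    """Return (engine, result) pairs. The result may contain spaces, so split
    on whitespace at most three times and keep the remainder whole."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4:
            engine, _version, _updated, result = parts
            rows.append((engine, result))
    return rows


def summarize(rows):
    """Detection ratio, the label most engines agree on, and who saw nothing."""
    hits = [(engine, result) for engine, result in rows if result != "-"]
    misses = [engine for engine, result in rows if result == "-"]
    label, votes = Counter(result for _, result in hits).most_common(1)[0]
    return {"detected": len(hits), "total": len(rows), "consensus": label,
            "consensus_votes": votes, "missed_by": misses}


def file_hashes(data):
    """MD5 and SHA-1 of the bytes, lower-case hex as VirusTotal prints them."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def matches_report(data, md5, sha1):
    """True only when BOTH digests match: confirms the file on disk is the
    same sample the report scored, not a later dropped variant."""
    digests = file_hashes(data)
    return digests["md5"] == md5.lower() and digests["sha1"] == sha1.lower()


if __name__ == "__main__":
    summary = summarize(parse_report(VT_REPORT))
    print(f"{summary['detected']}/{summary['total']} engines flagged the file; "
          f"{summary['consensus_votes']} agree on {summary['consensus']!r}")
    print("no detection from:", ", ".join(summary["missed_by"]))
    # Constructed stand-in bytes; a real check would read the file from disk.
    sample = b"not the real tkvrbuvA.exe"
    print("hashes match report page:", matches_report(sample, REPORT_MD5, REPORT_SHA1))
```

On this report 20 of 32 engines flag the file, four of them with the identical name Trojan-Downloader.Win32.VB.ang, and the twelve that report '-' include Symantec and Microsoft even though Symantec software is installed on this machine (the SNDSrvc service and the Symantec NetDetect task appear in the logs). That gap is the reason the helper sends the file out for a second opinion instead of trusting the resident scanner, and the TeLock packer noted on the report is a common reason engines disagree on the same sample. The hash check matters in the other direction: a downloader can replace itself between the scan and the cleanup, so compare digests again before acting on the verdict.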

#12 SifuMike (malware expert)

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 06 October 2007 - 03:58 PM

Hello deroock,


Open Notepad (don't use any text editor other than Notepad, or the script will fail).
Copy/paste the text in the code box below into Notepad:

File:: 
C:\WINNT\tkvrbuvA.exe



Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


[Screenshot: dragging CFScript.txt onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

#13 deroock (Topic Starter)

  • Members
  • 44 posts

Posted 06 October 2007 - 05:50 PM

Here are the logfiles. The 1st time Combofix ran, it locked up. So I repeated the whole procedure again. Thanks.

ComboFix 07-10-04.6 - Ian 2007-10-06 15:37:13.4 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.97 [GMT -8:00]
Running from: C:\Documents and Settings\Ian\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ian\Desktop\CFScript.txt

FILE::
C:\WINNT\tkvrbuvA.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-06 to 2007-10-06 )))))))))))))))))))))))))))))))
.

2007-10-06 15:37 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_320.dat
2007-10-06 15:21 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_334.dat
2007-10-03 07:19 74 --ah----- C:\aaw7boot.cmd
2007-10-02 22:43 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-02 22:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-02 22:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-26 23:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-09-26 23:36 706,500 --a------ C:\Temp\regit.exe
2007-09-26 23:36 17,408 --a------ C:\psapi.dll
2007-09-26 23:35 <DIR> d-------- C:\WINNT\system32\vMW06a
2007-09-26 23:35 <DIR> d-------- C:\Temp\xOe
2007-09-26 23:19 <DIR> d-------- C:\Documents and Settings\Ian\Application Data\Lavasoft
2007-09-26 08:04 <DIR> d-------- C:\Program Files\Temporary
2007-09-26 08:00 <DIR> d--hs---- C:\WINNT\SWFu
2007-09-26 08:00 <DIR> d-------- C:\WINNT\system32\GB9
2007-09-26 08:00 <DIR> d-------- C:\WINNT\system32\DL1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
99-12-11 00:00 32528 --a------ C:\WINNT\inf\wbfirdma.sys
99-07-01 23:36 162816 --a------ C:\WINNT\Fonts\wget.exe
07-10-05 00:01 --------- d-a------ C:\Program Files\Common Files\Symantec Shared
07-10-04 16:05 --------- d-------- C:\Documents and Settings\All Users\Application Data\Symantec
07-10-03 21:38 --------- d-------- C:\Program Files\iTunes
07-08-07 13:57 8064 --a------ C:\WINNT\system32\drivers\AWRTRD.sys
07-08-07 13:56 9344 --a------ C:\WINNT\system32\drivers\NSDriver.sys
07-07-30 19:19 92504 --a------ C:\WINNT\system32\cdm.dll
07-07-30 19:19 549720 --a------ C:\WINNT\system32\wuapi.dll
07-07-30 19:19 53080 --a------ C:\WINNT\system32\wuauclt.exe
07-07-30 19:19 43352 --a------ C:\WINNT\system32\wups2.dll
07-07-30 19:19 325976 --a------ C:\WINNT\system32\wucltui.dll
07-07-30 19:19 203096 --a------ C:\WINNT\system32\wuweb.dll
07-07-30 19:19 1712984 --a------ C:\WINNT\system32\wuaueng.dll
07-07-30 19:18 33624 --a------ C:\WINNT\system32\wups.dll
07-07-27 16:51 54524754 --a------ C:\registrybackup.reg
02-07-24 19:36 271 --ah----- C:\Program Files\desktop.ini
02-07-24 19:36 21952 --ah----- C:\Program Files\folder.htt
02-06-10 04:41 106496 --a------ C:\WINNT\Fonts\moo.dll
2003-01-22 15:27:55 2 --shatr C:\WINNT\winstart.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EnsoniqMixer"="C:\WINNT\SYSTEM32\starter.exe" [01-10-03 19:22 ]
"LWBMOUSE"="C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe" [01-03-25 20:35 ]
"Synchronization Manager"="mobsync.exe" [03-06-19 11:05 C:\WINNT\system32\mobsync.exe]
"TangoManager"="C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TANGOM~1.EXE" [03-08-05 13:49 ]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [01-07-09 11:50 ]
"LogitechVideo[inspector]"="C:\Program Files\Logitech\Video\InstallHelper.exe" []
"LogitechCommunicationsManager"="C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [06-06-26 08:46 ]
"LVCOMSX"="C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe" [06-06-26 09:33 ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06-10-30 09:36 ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [07-07-01 00:20 ]
"SmartDefrag"="C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [07-04-28 21:54 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06-10-25 18:58 ]
"CountrySelection"="pctptt.exe" [00-01-04 23:41 C:\WINNT\system32\pctptt.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [06-08-09 14:41 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 00:19:50]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 00:19:50]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Synchronization Manager"=mobsync.exe /logon
"CountrySelection"=pctptt.exe
"LoadQM"=loadqm.exe
"Adaptec DirectCD"=C:\PROGRA~1\HPCD-W~1\DirectCD\directcd.exe
"HP CD-Writer"=C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);C:\WINNT\system32\DRIVERS\SONYPVM1.SYS
R1 Cdudf;Cdudf;C:\WINNT\system32\drivers\Cdudf.sys
R1 hpcd2k;hpcd2k;C:\WINNT\system32\drivers\hpcd2k.sys
R1 pwd_2K;pwd_2K;C:\WINNT\system32\drivers\pwd_2K.sys
R1 UdfReadr;UdfReadr;C:\WINNT\system32\drivers\UdfReadr.sys
R1 weeCamke;weeCamke;C:\WINNT\system32\DRIVERS\WEECAMKE.SYS
R3 ENDETECT;ENDETECT;\??\C:\PROGRA~1\FRONTI~1\FRONTI~1\app\ENDETECT.SYS
R3 FastNIC;PCI 10/100 Fast Ethernet Adapter;C:\WINNT\system32\DRIVERS\FastNIC.sys
R3 L2XPSR;L2XPSR;\??\C:\PROGRA~1\FRONTI~1\FRONTI~1\app\L2XPSR.SYS
R3 mmc_2K;mmc_2K;C:\WINNT\system32\drivers\mmc_2K.sys
R3 NTSTPL1;NTSTPL1;\??\C:\PROGRA~1\FRONTI~1\FRONTI~1\app\NTSTPL1.SYS
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys
R3 TAPBIND;TAPBIND;\??\C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TAPBIND1.SYS
S2 Pctspk;W2K PCtel speaker phone;C:\WINNT\System32\pctspk.exe
S3 gsplittm;gsplittm;\??\C:\DOCUME~1\Ian\LOCALS~1\Temp\gsplittm.sys
S3 LOGNT;LOGNT;\??\C:\PROGRA~1\FRONTI~1\FRONTI~1\app\lognt.sys
S3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINNT\system32\drivers\LVPrcMon.sys
S3 NdUsbMsn;ARESCOM USB Network Adapter;C:\WINNT\system32\DRIVERS\NdUsbMsn.sys
S3 NTSTPL2;NTSTPL2;\??\C:\PROGRA~1\FRONTI~1\FRONTI~1\app\NTSTPL2.SYS

.
Contents of the 'Scheduled Tasks' folder
"2007-10-04 14:39:09 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
"2007-10-06 23:34:02 C:\WINNT\Tasks\Symantec NetDetect.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-06 15:39:38
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-06 15:41:09
C:\ComboFix-quarantined-files.txt ... 07-10-06 15:40
C:\ComboFix2.txt ... 07-10-05 00:04
C:\ComboFix3.txt ... 07-10-04 10:58
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:45:24 PM, on 10/6/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\SYSTEM32\starter.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TangoManager.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.lib.ucdavis.edu/proxy/pacserve
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.netscape.com"); (C:\Documents and Settings\IAN\Application Data\Mozilla\Profiles\default\kninjy3u.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\IAN\Application Data\Mozilla\Profiles\default\kninjy3u.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\SYSTEM32\starter.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TangoManager] C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TANGOM~1.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot7_x.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/oas/ActiveX/MSDcode.cab
O16 - DPF: {0C3F7D74-ADA5-4976-8908-A8189590DAFA} (3DGreetings.com Player 2.0) - http://expressit.broderbund.com/Plugin/3DGreetings/vroom.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/packages/GSManager.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://hsmail2.ucdmc.ucdavis.edu/iNotes6W.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {47F59200-8783-11D2-8343-00A0C945A819} (RFXInstMgr Class) - http://greetingcenter.richfx.com/download/twophase.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1186201066015
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_0.ocx
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.biz/fvlite/fvliteY.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (WebEyeControl) - http://www.rockefellercenter.com/viewer/wg_webeye.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://luckynugget.microgaming.com/luckynugget/FlashAX.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://hsmail2.ucdmc.ucdavis.edu/dwa7W.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - Unknown owner - C:\WINNT\System32\pctspk.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe

--
End of file - 11153 bytes

#14 SifuMike (malware expert)

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 06 October 2007 - 09:07 PM

Hello deroock,

I know that this shouldn't be there

gsplittm;gsplittm;\??\C:\DOCUME~1\Ian\LOCALS~1\Temp\gsplittm.sys



Open Notepad (don't use any text editor other than Notepad, or the script will fail).
Copy/paste the text in the code box below into Notepad:

File:: 
C:\DOCUME~1\Ian\LOCALS~1\Temp\gsplittm.sys

Driver:: 
gsplittm



Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


[Screenshot: dragging CFScript.txt onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
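
The triage the helper did by eye in this post, as an added example that is not part of the thread: a Python script that parses the R*/S* driver lines from the ComboFix log posted in reply #13, flags any driver whose image is loaded from a Temp folder or from outside the Windows and Program Files roots, and emits a CFScript in the same File::/Driver:: layout as the script in this post and the File:: script in reply #12. The six log lines are copied from the posted 06 October log; the trusted-roots list, the function names, and the reading of the R/S prefix (R = running, S = stopped, digit = start type) are my assumptions, not ComboFix documentation.

```python
"""Added example, not from the thread: parse the driver lines of a ComboFix
log, flag drivers loading from a Temp folder or from outside the Windows and
Program Files roots, and emit a CFScript in the File::/Driver:: form used in
this thread. The log lines are copied from the posted 06 October log; the
trusted-roots list and the reading of the R/S prefix are my assumptions."""
import re

# Trimmed copy of the R*/S* lines from the ComboFix log posted above.
COMBOFIX_DRIVERS = r"""
R1 Cdudf;Cdudf;C:\WINNT\system32\drivers\Cdudf.sys
R3 ENDETECT;ENDETECT;\??\C:\PROGRA~1\FRONTI~1\FRONTI~1\app\ENDETECT.SYS
R3 FastNIC;PCI 10/100 Fast Ethernet Adapter;C:\WINNT\system32\DRIVERS\FastNIC.sys
S2 Pctspk;W2K PCtel speaker phone;C:\WINNT\System32\pctspk.exe
S3 gsplittm;gsplittm;\??\C:\DOCUME~1\Ian\LOCALS~1\Temp\gsplittm.sys
S3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINNT\system32\drivers\LVPrcMon.sys
"""

# <state><start> name;display name;image path. Assumed reading of the prefix:
# R = running, S = stopped; the digit is the service start type (3 = on demand).
DRIVER_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+)$")

# Where a driver image is expected to live on this Windows 2000 box. Assumed
# list; the 8.3 short name is included because ComboFix prints paths that way.
TRUSTED_ROOTS = ("c:\\winnt\\", "c:\\program files\\", "c:\\progra~1\\")


def parse_drivers(text):
    """Turn each R*/S* line into a dict; strips the \\??\\ object-manager prefix."""
    drivers = []
    for line in text.splitlines():
        match = DRIVER_RE.match(line.strip())
        if not match:
            continue
        code, name, display, path = match.groups()
        if path.startswith("\\??\\"):
            path = path[4:]
        drivers.append({"running": code[0] == "R", "start": int(code[1]),
                        "name": name, "display": display, "path": path})
    return drivers


def suspicious_drivers(drivers):
    """Flag kernel drivers whose image sits in a Temp folder or outside the
    trusted roots. A path check is a fast first filter, not a verdict."""
    flagged = []
    for drv in drivers:
        path = drv["path"].lower()
        if "\\temp\\" in path or not path.startswith(TRUSTED_ROOTS):
            flagged.append(drv)
    return flagged


def build_cfscript(drivers):
    """File:: deletes the image on disk; Driver:: removes the service entry so
    the driver cannot simply be started again. Same layout the helper used."""
    lines = ["File::"] + [drv["path"] for drv in drivers]
    lines += ["", "Driver::"] + [drv["name"] for drv in drivers]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    flagged = suspicious_drivers(parse_drivers(COMBOFIX_DRIVERS))
    for drv in flagged:
        state = "running" if drv["running"] else f"stopped, start type {drv['start']}"
        print(f"{drv['name']}: {drv['path']} ({state})")
    print(build_cfscript(flagged), end="")
```

On these lines only gsplittm is flagged: its image sits in the user's Temp folder, and although it is listed as S3 (stopped, start on demand, on the assumed reading above), the registered driver entry is still a way to get that file loaded into the kernel later, which is why the helper's script removes the service entry with Driver:: and not just the file with File::. The output of build_cfscript is byte-for-byte the CFScript posted in this reply. Treat the roots list as a starting point only: a driver under C:\WINNT\system32\drivers can be just as bad, so an unexpected path is a reason to look closer, not a conclusion.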

#15 deroock (Topic Starter)

  • Members
  • 44 posts

Posted 07 October 2007 - 06:14 PM

Thanks! Running quite well now. Here are the latest logs:

ComboFix 07-10-04.6 - Ian 10/07/2007 15:26:57.5 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.65 [GMT -8:00]
Running from: C:\Documents and Settings\Ian\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ian\Desktop\CFScript.txt

FILE::
C:\DOCUME~1\Ian\LOCALS~1\Temp\gsplittm.sys
.

((((((((((((((((((((((((( Files Created from 2007-09-07 to 2007-10-07 )))))))))))))))))))))))))))))))
.

2007-10-03 07:19 74 --ah----- C:\aaw7boot.cmd
2007-10-02 22:43 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-02 22:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-02 22:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-26 23:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-09-26 23:36 706,500 --a------ C:\Temp\regit.exe
2007-09-26 23:36 17,408 --a------ C:\psapi.dll
2007-09-26 23:35 <DIR> d-------- C:\WINNT\system32\vMW06a
2007-09-26 23:35 <DIR> d-------- C:\Temp\xOe
2007-09-26 23:19 <DIR> d-------- C:\Documents and Settings\Ian\Application Data\Lavasoft
2007-09-26 08:04 <DIR> d-------- C:\Program Files\Temporary
2007-09-26 08:00 <DIR> d--hs---- C:\WINNT\SWFu
2007-09-26 08:00 <DIR> d-------- C:\WINNT\system32\GB9
2007-09-26 08:00 <DIR> d-------- C:\WINNT\system32\DL1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
99-12-11 00:00 32528 --a------ C:\WINNT\inf\wbfirdma.sys
99-07-01 23:36 162816 --a------ C:\WINNT\Fonts\wget.exe
07-10-05 00:01 --------- d-a------ C:\Program Files\Common Files\Symantec Shared
07-10-04 16:05 --------- d-------- C:\Documents and Settings\All Users\Application Data\Symantec
07-10-03 21:38 --------- d-------- C:\Program Files\iTunes
07-08-07 13:57 8064 --a------ C:\WINNT\system32\drivers\AWRTRD.sys
07-08-07 13:56 9344 --a------ C:\WINNT\system32\drivers\NSDriver.sys
07-07-27 16:51 54524754 --a------ C:\registrybackup.reg
02-07-24 19:36 271 --ah----- C:\Program Files\desktop.ini
02-07-24 19:36 21952 --ah----- C:\Program Files\folder.htt
02-06-10 04:41 106496 --a------ C:\WINNT\Fonts\moo.dll
2003-01-22 15:27:55 2 --shatr C:\WINNT\winstart.bat
.

((((((((((((((((((((((((((((( snapshot@Thu 2007-10-04_10.55.41.56 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 10,718 2007-10-07 23:30:22 C:\WINNT\SoftwareDistribution\EventCache\{7967BA41-3B8E-4BDE-ABB3-58DC9A8E3053}.bin
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EnsoniqMixer"="C:\WINNT\SYSTEM32\starter.exe" [01-10-03 19:22 ]
"LWBMOUSE"="C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe" [01-03-25 20:35 ]
"Synchronization Manager"="mobsync.exe" [03-06-19 11:05 C:\WINNT\system32\mobsync.exe]
"TangoManager"="C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TANGOM~1.EXE" [03-08-05 13:49 ]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [01-07-09 11:50 ]
"LogitechVideo[inspector]"="C:\Program Files\Logitech\Video\InstallHelper.exe" []
"LogitechCommunicationsManager"="C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [06-06-26 08:46 ]
"LVCOMSX"="C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe" [06-06-26 09:33 ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06-10-30 09:36 ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [07-07-01 00:20 ]
"SmartDefrag"="C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [07-04-28 21:54 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06-10-25 18:58 ]
"CountrySelection"="pctptt.exe" [00-01-04 23:41 C:\WINNT\system32\pctptt.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [06-08-09 14:41 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 00:19:50]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 00:19:50]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Synchronization Manager"=mobsync.exe /logon
"CountrySelection"=pctptt.exe
"LoadQM"=loadqm.exe
"Adaptec DirectCD"=C:\PROGRA~1\HPCD-W~1\DirectCD\directcd.exe
"HP CD-Writer"=C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);C:\WINNT\system32\DRIVERS\SONYPVM1.SYS
R1 Cdudf;Cdudf;C:\WINNT\system32\drivers\Cdudf.sys
R1 hpcd2k;hpcd2k;C:\WINNT\system32\drivers\hpcd2k.sys
R1 pwd_2K;pwd_2K;C:\WINNT\system32\drivers\pwd_2K.sys
R1 UdfReadr;UdfReadr;C:\WINNT\system32\drivers\UdfReadr.sys
R1 weeCamke;weeCamke;C:\WINNT\system32\DRIVERS\WEECAMKE.SYS
R3 FastNIC;PCI 10/100 Fast Ethernet Adapter;C:\WINNT\system32\DRIVERS\FastNIC.sys
R3 mmc_2K;mmc_2K;C:\WINNT\system32\drivers\mmc_2K.sys
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys
R3 TAPBIND;TAPBIND;\??\C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TAPBIND1.SYS
S2 Pctspk;W2K PCtel speaker phone;C:\WINNT\System32\pctspk.exe
S3 ENDETECT;ENDETECT;\??\C:\PROGRA~1\FRONTI~1\FRONTI~1\app\ENDETECT.SYS
S3 L2XPSR;L2XPSR;\??\C:\PROGRA~1\FRONTI~1\FRONTI~1\app\L2XPSR.SYS
S3 LOGNT;LOGNT;\??\C:\PROGRA~1\FRONTI~1\FRONTI~1\app\lognt.sys
S3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINNT\system32\drivers\LVPrcMon.sys
S3 NdUsbMsn;ARESCOM USB Network Adapter;C:\WINNT\system32\DRIVERS\NdUsbMsn.sys
S3 NTSTPL1;NTSTPL1;\??\C:\PROGRA~1\FRONTI~1\FRONTI~1\app\NTSTPL1.SYS
S3 NTSTPL2;NTSTPL2;\??\C:\PROGRA~1\FRONTI~1\FRONTI~1\app\NTSTPL2.SYS

.
Contents of the 'Scheduled Tasks' folder
"2007-10-04 14:39:09 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
"2007-10-07 23:32:24 C:\WINNT\Tasks\Symantec NetDetect.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-07 15:32:24
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-07 15:34:41 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-10-07 15:34
C:\ComboFix2.txt ... 07-10-06 15:41
C:\ComboFix3.txt ... 07-10-05 00:04
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:58:24 PM, on 10/7/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\starter.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TangoManager.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.lib.ucdavis.edu/proxy/pacserve
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.netscape.com"); (C:\Documents and Settings\IAN\Application Data\Mozilla\Profiles\default\kninjy3u.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\IAN\Application Data\Mozilla\Profiles\default\kninjy3u.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\SYSTEM32\starter.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TangoManager] C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TANGOM~1.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot7_x.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/oas/ActiveX/MSDcode.cab
O16 - DPF: {0C3F7D74-ADA5-4976-8908-A8189590DAFA} (3DGreetings.com Player 2.0) - http://expressit.broderbund.com/Plugin/3DGreetings/vroom.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/packages/GSManager.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://hsmail2.ucdmc.ucdavis.edu/iNotes6W.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {47F59200-8783-11D2-8343-00A0C945A819} (RFXInstMgr Class) - http://greetingcenter.richfx.com/download/twophase.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1186201066015
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_0.ocx
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.biz/fvlite/fvliteY.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (WebEyeControl) - http://www.rockefellercenter.com/viewer/wg_webeye.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://luckynugget.microgaming.com/luckynugget/FlashAX.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://hsmail2.ucdmc.ucdavis.edu/dwa7W.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - Unknown owner - C:\WINNT\System32\pctspk.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe

--
End of file - 11153 bytes
