Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Virtumonde Plus Many Others


  • Please log in to reply
46 replies to this topic

#1 ProdigalCid

ProdigalCid

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Los Angeles
  • Local time:09:01 AM

Posted 07 October 2007 - 12:27 PM

Hello,

Recently my idiot brother got my computer infected with a trojan downloader. Among the many infections I wound up with were Virtumonde, WinAntiSpyware 2007, and Win32:LAP. I've tried my best to clean them out without success. I'm still getting plenty of pop-ups...and now I cant even run Ad-aware anymore because my computer immediately crashes if I try and start it.

I keep getting these error messages...

STOP: 0x0000008E (0xc0000092, 0x1000181E, 0xB844cc1c, 0x00000000)
STOP: 0x1000008E (0xc0000092, 0x10001345, 0xb82d3b6c, 0x00000000)


Hope you guys can lend a hand...this is starting to drive me nuts. Hijackthis log to follow.

Many thanks in advance,
Cid


------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:04:39 AM, on 10/7/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Lexmark 6200 Series\lxbumon.exe
C:\Program Files\Lexmark 6200 Series\ezprint.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\lxbucoms.exe
C:\WINDOWS\System32\LVComsX.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [lxbumon.exe] "C:\Program Files\Lexmark 6200 Series\lxbumon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 6200 Series\ezprint.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LXBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NI.UWAS7_0001_N91M2703] "C:\DOCUME~1\Cid\LOCALS~1\Temp\winaspsnet.exe" -nag
O4 - HKLM\..\Run: [{50-09-99-92-ZN}] C:\DOCUME~1\Cid\LOCALS~1\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\System32\mbdlkhmv.dll",sitypnow
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Cid\Local Settings\Temp\thinksnet.exe
O4 - Startup: TA_Start.lnk.disabled
O4 - Global Startup: Digital Line Detect.lnk.disabled
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.4.2) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.2) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1B62A9D-77F9-4576-AB22-DE26A84FC1D2}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9A85ACE-0B79-449A-95FA-825E3D7884A0}: NameServer = 85.255.114.54,85.255.112.26
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O21 - SSODL: phiWhsBrExZ - {24A50993-8E0F-A339-E097-00965BE8879B} - C:\WINDOWS\System32\wmz.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbucoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Movie Maker\baqykyhdihd.html

--
End of file - 7163 bytes

BC AdBot (Login to Remove)

 


m

#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 08 October 2007 - 03:24 AM

Hi ProdigalCid and Welcome to the Bleeping Computer!

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

#3 ProdigalCid

ProdigalCid
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Los Angeles

Posted 08 October 2007 - 01:43 PM

Did as instructed....




ComboFix 07-10-07.2 - Cid 2007-10-08 11:20:10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.585 [GMT -7:00]
Running from: C:\Documents and Settings\Cid\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Documents and Settings\Cid\Start Menu\Programs\Startup\TA_Start.lnk
C:\Documents and Settings\Cid\Start Menu\Programs\Startup\ta_start.lnk
C:\Program Files\Movie Maker\baqykyhdihd.html
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\A1
C:\WINDOWS\system32\cagdrury.dll
C:\WINDOWS\system32\dyruituh.dll
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\SYSTEM32\hutiuryd.ini
C:\WINDOWS\system32\kdxdogap.dll
C:\WINDOWS\system32\kernel32.exe
C:\WINDOWS\SYSTEM32\klnmp.ini
C:\WINDOWS\SYSTEM32\klnmp.tmp
C:\WINDOWS\SYSTEM32\pagodxdk.ini
C:\WINDOWS\SYSTEM32\pmnlk.dll
C:\WINDOWS\SYSTEM32\yrurdgac.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-09-08 to 2007-10-08 )))))))))))))))))))))))))))))))
.

2007-10-08 10:48 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-08 00:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sunbelt Software
2007-10-07 13:24 0 --a------ C:\WINDOWS\SYSTEM32\SBRC.dat
2007-10-07 13:24 0 --a------ C:\WINDOWS\SYSTEM32\SBFC.dat
2007-10-07 12:45 54,584 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sbapifs.sys
2007-10-07 12:45 15,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sbhr.sys
2007-10-07 12:42 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-10-07 12:42 <DIR> d-------- C:\Documents and Settings\Cid\Application Data\Sunbelt Software
2007-10-07 12:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2007-10-07 12:27 <DIR> d-------- C:\Program Files\CCleaner
2007-10-07 12:25 <DIR> d-------- C:\Spyware Tools
2007-10-07 09:51 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-23 20:37 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2007-09-23 20:37 94,416 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2007-09-23 20:37 92,848 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2007-09-23 20:37 801,144 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2007-09-23 20:37 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2007-09-23 20:37 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2007-09-23 20:37 23,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2007-09-23 20:37 <DIR> d-------- C:\Program Files\Alwil Software
2007-09-23 17:23 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-09-16 19:06 76,560 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-09-15 15:21 <DIR> d--hs---- C:\WINDOWS\SXNhdXJvIFBlcmV6IEpyLg
2007-09-15 15:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\GRB3
2007-09-15 15:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\DLL2
2007-09-15 15:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\chks2
2007-09-08 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-08 10:00 --------- d-------- C:\Program Files\Lx_cats
2007-10-08 01:37 --------- d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-16 18:39 --------- d-------- C:\Program Files\Lexmark 6200 Series
2007-09-16 18:38 --------- d-------- C:\Program Files\Linksys EasyLink Advisor
2007-09-09 20:04 --------- d-------- C:\Documents and Settings\All Users\Application Data\ATI MMC
2007-09-08 16:06 --------- d-------- C:\Program Files\Lavasoft
2007-09-08 16:03 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-27 11:26 27120 --a------ C:\WINDOWS\SYSTEM32\SBBD.exe
2005-07-29 23:24:26 472 --sha-r C:\WINDOWS\SXNhdXJvIFBlcmV6IEpyLg\mrh1xrLSKI15wApdKHDVM0.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{61C40A32-96F8-C82B-D7FA-CD6933DADBBE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BED1413D-513A-47FC-9D0B-0B5F3F178C78}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 17:47]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 08:27]
"lxbumon.exe"="C:\Program Files\Lexmark 6200 Series\lxbumon.exe" [2004-08-20 04:30]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2004-08-24 15:26]
"EzPrint"="C:\Program Files\Lexmark 6200 Series\ezprint.exe" [2004-08-24 10:16]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 10:12]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2004-02-25 17:06]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2004-02-25 17:15]
"LXBUCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll" [2004-08-20 06:53]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 03:06]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-08-27 12:09]
"NI.UWAS7_0001_N91M2703"="C:\DOCUME~1\Cid\LOCALS~1\Temp\winaspsnet.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-02 21:07]
"ATI Launchpad"="" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"<NO NAME>"=

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk.disabled [2004-07-06 16:27:39]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"phiWhsBrExZ"= {24A50993-8E0F-A339-E097-00965BE8879B} - C:\WINDOWS\System32\wmz.dll [ ]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ATI Remote Control"=C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"UpdReg"=C:\WINDOWS\UpdReg.EXE
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
"DwlClient"=c:\Program Files\Common Files\Dell\EUSW\Support.exe
"ViewMgr"=C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"mmtask"=c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"HostManager"=C:\Program Files\Common Files\AOL\1133913002\ee\AOLSoftware.exe
"AOLDialer"=C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
"RealTray"=C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"LVCOMSX"=C:\WINDOWS\System32\LVCOMSX.EXE

R0 SBHR;SBHR;C:\WINDOWS\System32\drivers\sbhr.sys
R2 SBAPIFS;CounterSpy Filter Driver;C:\WINDOWS\System32\Drivers\Sbapifs.sys
S2 ATITUNEP;ATI WDM TV Tuner;C:\WINDOWS\System32\DRIVERS\atintuxx.sys
S2 ATIXSAudio;ATI WDM TV Audio Crossbar;C:\WINDOWS\System32\DRIVERS\atinxsxx.sys
S3 ativraxx;ATI WDM Rage Theater Audio;C:\WINDOWS\System32\DRIVERS\atinraxx.sys
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe -k netsvcs

.
Contents of the 'Scheduled Tasks' folder
"2005-01-16 19:12:28 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\SYSTEM32\CLEANMGR.EXE
"2005-01-12 07:00:00 C:\WINDOWS\Tasks\W32TIME.job"
- C:\WINDOWS\SYSTEM32\W32TIME.DLL
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-08 11:26:18
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-08 11:30:45 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-08 11:30
C:\ComboFix2.txt ... 2007-10-08 00:54
C:\ComboFix3.txt ... 2007-10-07 20:38
.
--- E O F ---





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:57 AM, on 10/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Lexmark 6200 Series\lxbumon.exe
C:\Program Files\Lexmark 6200 Series\ezprint.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\lxbucoms.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\System32\LVComsX.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\HijackThis\Analyze.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: (no name) - {61C40A32-96F8-C82B-D7FA-CD6933DADBBE} - (no file)
O2 - BHO: (no name) - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O2 - BHO: (no name) - {BED1413D-513A-47FC-9D0B-0B5F3F178C78} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [lxbumon.exe] "C:\Program Files\Lexmark 6200 Series\lxbumon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 6200 Series\ezprint.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LXBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [SBRegRebootCleaner] C:\Program Files\Sunbelt Software\CounterSpy\SBRC.exe
O4 - HKLM\..\Run: [NI.UWAS7_0001_N91M2703] "C:\DOCUME~1\Cid\LOCALS~1\Temp\winaspsnet.exe" -nag
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: Digital Line Detect.lnk.disabled
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.4.2) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.2) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1B62A9D-77F9-4576-AB22-DE26A84FC1D2}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9A85ACE-0B79-449A-95FA-825E3D7884A0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O21 - SSODL: phiWhsBrExZ - {24A50993-8E0F-A339-E097-00965BE8879B} - C:\WINDOWS\System32\wmz.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbucoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 7745 bytes

#4 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 08 October 2007 - 02:03 PM

Looking better allready,lets see what else we can fix up.

Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)

O2 - BHO: (no name) - {61C40A32-96F8-C82B-D7FA-CD6933DADBBE} - (no file)

O2 - BHO: (no name) - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - (no file)

O2 - BHO: (no name) - {BED1413D-513A-47FC-9D0B-0B5F3F178C78} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} -

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} -

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -

O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} -

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) -

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.4.2) -

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -

O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.2) -

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} -

O21 - SSODL: phiWhsBrExZ - {24A50993-8E0F-A339-E097-00965BE8879B} - C:\WINDOWS\System32\wmz.dll (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button


Please download FixWareout from one of these mirrors:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
http://downloads.subratam.org/Fixwareout.exe


Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.

#5 ProdigalCid

ProdigalCid
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Los Angeles
  • Local time:09:01 AM

Posted 08 October 2007 - 03:24 PM

did as instructed....




Username "Cid" - 10/08/2007 12:42:09 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{D9A85ACE-0B79-449A-95FA-825E3D7884A0}
"DhcpNameServer"="85.255.114.54,85.255.112.26" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}97689AEBBDAC-C769-FE24-F727-C5E535C0{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}A18D228E2C83-2EA8-C944-9723-44194B15{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "lfymd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "iglmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}50EDF48E57B4-A2DB-2454-7BE5-7507119E{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "hodsc" Value deleted
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion "dmyfl.exe" Value deleted
HKCR\CLSID\{BEF0F446-44C2-49B7-AACD-7AC014A4DF62}\_h\4 Deleted.
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"lxbumon.exe"="\"C:\\Program Files\\Lexmark 6200 Series\\lxbumon.exe\""
"FaxCenterServer"="\"C:\\Program Files\\Lexmark Fax Solutions\\fm3032.exe\" /s"
"EzPrint"="\"C:\\Program Files\\Lexmark 6200 Series\\ezprint.exe\""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\CLIStart.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
"LXBUCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXBUtime.dll,_RunDLLEntry@16"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SBCSTray"="C:\\Program Files\\Sunbelt Software\\CounterSpy\\SBCSTray.exe"
"SBRegRebootCleaner"="C:\\Program Files\\Sunbelt Software\\CounterSpy\\SBRC.exe"
"NI.UWAS7_0001_N91M2703"="\"C:\\DOCUME~1\\Cid\\LOCALS~1\\Temp\\winaspsnet.exe\" -nag "

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"EasyLinkAdvisor"="\"C:\\Program Files\\Linksys EasyLink Advisor\\LinksysAgent.exe\" /startup"
"ATI Launchpad"=""
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~








Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:10:22 PM, on 10/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Lexmark 6200 Series\lxbumon.exe
C:\Program Files\Lexmark 6200 Series\ezprint.exe
C:\WINDOWS\System32\lxbucoms.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\System32\LVComsX.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\HijackThis\Analyze.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: (no name) - {61C40A32-96F8-C82B-D7FA-CD6933DADBBE} - (no file)
O2 - BHO: (no name) - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O2 - BHO: (no name) - {BED1413D-513A-47FC-9D0B-0B5F3F178C78} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [lxbumon.exe] "C:\Program Files\Lexmark 6200 Series\lxbumon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 6200 Series\ezprint.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LXBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [NI.UWAS7_0001_N91M2703] "C:\DOCUME~1\Cid\LOCALS~1\Temp\winaspsnet.exe" -nag
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: Digital Line Detect.lnk.disabled
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1B62A9D-77F9-4576-AB22-DE26A84FC1D2}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9A85ACE-0B79-449A-95FA-825E3D7884A0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbucoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 7431 bytes

#6 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 08 October 2007 - 05:01 PM

208.67.216.0 - 208.67.223.255
Freedom Networks LLC
50 Freemont St.
16 Floor
San Francisco, CA
US

That sound about right for your Internet Provider??

Do me a favor,reboot the machine in safe mode and repeat the HijackThis fix part again,some of the entries may not show so dont worry about those but from the list I posted in my prior post,fix any of those entries that still exist.


Restart Normal and scan fresh with ComboFix,post the log it generates and lets go from there.

#7 ProdigalCid

ProdigalCid
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Los Angeles

Posted 08 October 2007 - 09:38 PM

No, my ISP is RoadRunner of Southern California. I logged into my router and it shows the following...

Current Time: Mon, Oct 08 2007 19:07:08

Router Name: WRT54GS
Host Name:
Domain Name: socal.rr.com

Internet

Configuration Type
Login Type: Automatic Configuration - DHCP
IP Address: 76.175.210.237
Subnet Mask: 255.255.248.0
Default Gateway: 76.175.208.1



Earlier I rebooted into Safe Mode and ran ccCleaner, combofix, spybot s&d, ad-aware (since they are now working again), counterspy, and avast antivirus and let them do as they pleased. The only ones that found anything were the first 3. Ad-aware, counterspy, and avast came up clean. At that point I noticed your most recent post and did as you instructed...ran the Hijack This fix in Safe Mode and then ran Combofix in normal.

A curious observation: after restarting back into normal mode, something kept trying to run something called NI.UWAS7_0001_N91M2703 about every 30 seconds, but TeaTimer kept blocking the process. Unfortunately, after I started up Combofix it shut down TeaTimer and NI.UWAS7_0001_N91M2703 was reactivated.

Anywhos, Combofix says...




ComboFix 07-10-07.2 - Cid 2007-10-08 18:50:20.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.665 [GMT -7:00]
Running from: C:\Documents and Settings\Cid\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-09 to 2007-10-09 )))))))))))))))))))))))))))))))
.

2007-10-08 15:43 0 --a------ C:\WINDOWS\SYSTEM32\SBRC.dat
2007-10-08 15:43 0 --a------ C:\WINDOWS\SYSTEM32\SBFC.dat
2007-10-08 15:04 <DIR> d-------- C:\VundoFix Backups
2007-10-08 13:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\logs
2007-10-08 10:48 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-08 00:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sunbelt Software
2007-10-07 12:45 54,584 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sbapifs.sys
2007-10-07 12:45 15,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sbhr.sys
2007-10-07 12:42 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-10-07 12:42 <DIR> d-------- C:\Documents and Settings\Cid\Application Data\Sunbelt Software
2007-10-07 12:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2007-10-07 12:27 <DIR> d-------- C:\Program Files\CCleaner
2007-10-07 12:25 <DIR> d-------- C:\Spyware Tools
2007-10-07 09:51 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-23 20:37 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2007-09-23 20:37 94,416 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2007-09-23 20:37 92,848 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2007-09-23 20:37 801,144 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2007-09-23 20:37 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2007-09-23 20:37 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2007-09-23 20:37 23,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2007-09-23 20:37 <DIR> d-------- C:\Program Files\Alwil Software
2007-09-23 17:23 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-09-16 19:06 76,560 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-09-15 15:21 <DIR> d--hs---- C:\WINDOWS\SXNhdXJvIFBlcmV6IEpyLg
2007-09-15 15:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\GRB3
2007-09-15 15:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\DLL2
2007-09-15 15:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\chks2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-08 15:16 --------- d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-08 10:00 --------- d-------- C:\Program Files\Lx_cats
2007-09-16 18:39 --------- d-------- C:\Program Files\Lexmark 6200 Series
2007-09-16 18:38 --------- d-------- C:\Program Files\Linksys EasyLink Advisor
2007-09-09 20:04 --------- d-------- C:\Documents and Settings\All Users\Application Data\ATI MMC
2007-09-08 16:06 --------- d-------- C:\Program Files\Lavasoft
2007-09-08 16:06 --------- d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-09-08 16:03 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-27 11:26 27120 --a------ C:\WINDOWS\SYSTEM32\SBBD.exe
2005-07-29 23:24:26 472 --sha-r C:\WINDOWS\SXNhdXJvIFBlcmV6IEpyLg\mrh1xrLSKI15wApdKHDVM0.vbs
.

((((((((((((((((((((((((((((( snapshot@2007-10-08_11.27.48.20 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 53,436 2007-10-08 20:00:50 C:\WINDOWS\SYSTEM32\PERFC009.DAT
----a-w 381,692 2007-10-08 20:00:50 C:\WINDOWS\SYSTEM32\PERFH009.DAT
----a-w 16,384 2007-10-08 19:59:37 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
----a-w 32,768 2007-10-08 19:59:37 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
----a-w 32,768 2007-10-08 19:59:37 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
----atw 16,384 2007-10-09 01:47:23 C:\WINDOWS\TEMP\Perflib_Perfdata_4d8.dat
.
----a-w 53,436 2007-04-02 02:29:20 C:\WINDOWS\SYSTEM32\PERFC009.DAT
----a-w 381,692 2007-04-02 02:29:20 C:\WINDOWS\SYSTEM32\PERFH009.DAT
----a-w 16,384 2007-10-08 18:13:37 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
----a-w 32,768 2007-10-08 18:13:37 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
----a-w 32,768 2007-10-08 18:13:37 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{61C40A32-96F8-C82B-D7FA-CD6933DADBBE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BED1413D-513A-47FC-9D0B-0B5F3F178C78}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 17:47]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 08:27]
"lxbumon.exe"="C:\Program Files\Lexmark 6200 Series\lxbumon.exe" [2004-08-20 04:30]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2004-08-24 15:26]
"EzPrint"="C:\Program Files\Lexmark 6200 Series\ezprint.exe" [2004-08-24 10:16]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 10:12]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2004-02-25 17:06]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2004-02-25 17:15]
"LXBUCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll" [2004-08-20 06:53]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 03:06]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-08-27 12:09]
"NI.UWAS7_0001_N91M2703"="C:\DOCUME~1\Cid\LOCALS~1\Temp\winaspsnet.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-02 21:07]
"ATI Launchpad"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk.disabled [2004-07-06 16:27:39]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ATI Remote Control"=C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"UpdReg"=C:\WINDOWS\UpdReg.EXE
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
"DwlClient"=c:\Program Files\Common Files\Dell\EUSW\Support.exe
"ViewMgr"=C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"mmtask"=c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"HostManager"=C:\Program Files\Common Files\AOL\1133913002\ee\AOLSoftware.exe
"AOLDialer"=C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
"RealTray"=C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"LVCOMSX"=C:\WINDOWS\System32\LVCOMSX.EXE

R0 SBHR;SBHR;C:\WINDOWS\System32\drivers\sbhr.sys
R2 SBAPIFS;CounterSpy Filter Driver;C:\WINDOWS\System32\Drivers\Sbapifs.sys
S2 ATITUNEP;ATI WDM TV Tuner;C:\WINDOWS\System32\DRIVERS\atintuxx.sys
S2 ATIXSAudio;ATI WDM TV Audio Crossbar;C:\WINDOWS\System32\DRIVERS\atinxsxx.sys
S3 ativraxx;ATI WDM Rage Theater Audio;C:\WINDOWS\System32\DRIVERS\atinraxx.sys
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe -k netsvcs

.
Contents of the 'Scheduled Tasks' folder
"2005-01-16 19:12:28 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\SYSTEM32\CLEANMGR.EXE
"2005-01-12 07:00:00 C:\WINDOWS\Tasks\W32TIME.job"
- C:\WINDOWS\SYSTEM32\W32TIME.DLL
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-08 18:52:28
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-08 18:52:57
C:\ComboFix-quarantined-files.txt ... 2007-10-08 18:52
C:\ComboFix2.txt ... 2007-10-08 15:14
C:\ComboFix3.txt ... 2007-10-08 11:30
.
--- E O F ---

#8 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 09 October 2007 - 04:51 AM

Copy all the test below to notepad and save it to the desktop with the name CFScript.txt

Folder::
C:\WINDOWS\SXNhdXJvIFBlcmV6IEpyLg
C:\WINDOWS\SYSTEM32\GRB3
C:\WINDOWS\SYSTEM32\DLL2
C:\WINDOWS\SYSTEM32\chks2
C:\DOCUME~1\Cid\LOCALS~1\Temp
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{61C40A32-96F8-C82B-D7FA-CD6933DADBBE}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BED1413D-513A-47FC-9D0B-0B5F3F178C78}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NI.UWAS7_0001_N91M2703"=-

Next,drag CFScript.txt on top of ComboFix.exe and the program will launch automatically and begin its process.


Once ComboFix has finished,physically unplug your internet connection and Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

O17 - HKLM\System\CCS\Services\Tcpip\..\{D1B62A9D-77F9-4576-AB22-DE26A84FC1D2}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9A85ACE-0B79-449A-95FA-825E3D7884A0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button

Click Start--> Click Run--> Copy&Paste the following into the open Run box--> ipconfig /flushdns


Restart Normal,Reconnect your Internet and post the log from ComboFix and a fresh HijackThis log please.

Edited by Cretemonster, 09 October 2007 - 05:03 AM.


#9 ProdigalCid

ProdigalCid
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Los Angeles
  • Local time:09:01 AM

Posted 09 October 2007 - 11:26 AM

ComboFix 07-10-07.2 - Cid 2007-10-09 8:29:01.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.596 [GMT -7:00]
Running from: C:\Documents and Settings\Cid\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Cid\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\Cid\LOCALS~1\Temp
C:\DOCUME~1\Cid\LOCALS~1\Temp\~DFA9DA.tmp
C:\WINDOWS\SXNhdXJvIFBlcmV6IEpyLg
C:\WINDOWS\SXNhdXJvIFBlcmV6IEpyLg\mrh1xrLSKI15wApdKHDVM0.vbs
C:\WINDOWS\SYSTEM32\chks2
C:\WINDOWS\SYSTEM32\DLL2
C:\WINDOWS\SYSTEM32\GRB3

.
((((((((((((((((((((((((( Files Created from 2007-09-09 to 2007-10-09 )))))))))))))))))))))))))))))))
.

2007-10-08 15:43 0 --a------ C:\WINDOWS\SYSTEM32\SBRC.dat
2007-10-08 15:43 0 --a------ C:\WINDOWS\SYSTEM32\SBFC.dat
2007-10-08 15:04 <DIR> d-------- C:\VundoFix Backups
2007-10-08 13:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\logs
2007-10-08 10:48 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-08 00:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sunbelt Software
2007-10-07 12:45 54,584 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sbapifs.sys
2007-10-07 12:45 15,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sbhr.sys
2007-10-07 12:42 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-10-07 12:42 <DIR> d-------- C:\Documents and Settings\Cid\Application Data\Sunbelt Software
2007-10-07 12:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2007-10-07 12:27 <DIR> d-------- C:\Program Files\CCleaner
2007-10-07 12:25 <DIR> d-------- C:\Spyware Tools
2007-10-07 09:51 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-23 20:37 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2007-09-23 20:37 94,416 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2007-09-23 20:37 92,848 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2007-09-23 20:37 801,144 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2007-09-23 20:37 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2007-09-23 20:37 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2007-09-23 20:37 23,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2007-09-23 20:37 <DIR> d-------- C:\Program Files\Alwil Software
2007-09-23 17:23 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-09-16 19:06 76,560 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-08 15:16 --------- d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-08 10:00 --------- d-------- C:\Program Files\Lx_cats
2007-09-16 18:39 --------- d-------- C:\Program Files\Lexmark 6200 Series
2007-09-16 18:38 --------- d-------- C:\Program Files\Linksys EasyLink Advisor
2007-09-09 20:04 --------- d-------- C:\Documents and Settings\All Users\Application Data\ATI MMC
2007-09-08 16:06 --------- d-------- C:\Program Files\Lavasoft
2007-09-08 16:06 --------- d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-09-08 16:03 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
.

((((((((((((((((((((((((((((( snapshot@2007-10-08_11.27.48.20 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 53,436 2007-10-08 20:00:50 C:\WINDOWS\SYSTEM32\PERFC009.DAT
----a-w 381,692 2007-10-08 20:00:50 C:\WINDOWS\SYSTEM32\PERFH009.DAT
----a-w 16,384 2007-10-09 01:47:32 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
----a-w 32,768 2007-10-09 01:47:32 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
----a-w 32,768 2007-10-09 01:47:32 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
----atw 16,384 2007-10-09 15:31:53 C:\WINDOWS\TEMP\Perflib_Perfdata_56c.dat
.
----a-w 53,436 2007-04-02 02:29:20 C:\WINDOWS\SYSTEM32\PERFC009.DAT
----a-w 381,692 2007-04-02 02:29:20 C:\WINDOWS\SYSTEM32\PERFH009.DAT
----a-w 16,384 2007-10-08 18:13:37 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
----a-w 32,768 2007-10-08 18:13:37 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
----a-w 32,768 2007-10-08 18:13:37 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{61C40A32-96F8-C82B-D7FA-CD6933DADBBE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BED1413D-513A-47FC-9D0B-0B5F3F178C78}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 17:47]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 08:27]
"lxbumon.exe"="C:\Program Files\Lexmark 6200 Series\lxbumon.exe" [2004-08-20 04:30]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2004-08-24 15:26]
"EzPrint"="C:\Program Files\Lexmark 6200 Series\ezprint.exe" [2004-08-24 10:16]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 10:12]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2004-02-25 17:06]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2004-02-25 17:15]
"LXBUCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll" [2004-08-20 06:53]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 03:06]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-08-27 12:09]
"NI.UWAS7_0001_N91M2703"="C:\DOCUME~1\Cid\LOCALS~1\Temp\winaspsnet.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-02 21:07]
"ATI Launchpad"="" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"<NO NAME>"=

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk.disabled [2004-07-06 16:27:39]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ATI Remote Control"=C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"UpdReg"=C:\WINDOWS\UpdReg.EXE
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
"DwlClient"=c:\Program Files\Common Files\Dell\EUSW\Support.exe
"ViewMgr"=C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"mmtask"=c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"HostManager"=C:\Program Files\Common Files\AOL\1133913002\ee\AOLSoftware.exe
"AOLDialer"=C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
"RealTray"=C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"LVCOMSX"=C:\WINDOWS\System32\LVCOMSX.EXE

R0 SBHR;SBHR;C:\WINDOWS\System32\drivers\sbhr.sys
R2 SBAPIFS;CounterSpy Filter Driver;C:\WINDOWS\System32\Drivers\Sbapifs.sys
S2 ATITUNEP;ATI WDM TV Tuner;C:\WINDOWS\System32\DRIVERS\atintuxx.sys
S2 ATIXSAudio;ATI WDM TV Audio Crossbar;C:\WINDOWS\System32\DRIVERS\atinxsxx.sys
S3 ativraxx;ATI WDM Rage Theater Audio;C:\WINDOWS\System32\DRIVERS\atinraxx.sys
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe -k netsvcs

.
Contents of the 'Scheduled Tasks' folder
"2005-01-16 19:12:28 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\SYSTEM32\CLEANMGR.EXE
"2005-01-12 07:00:00 C:\WINDOWS\Tasks\W32TIME.job"
- C:\WINDOWS\SYSTEM32\W32TIME.DLL
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-09 08:32:25
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-09 8:35:10 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-09 08:35
C:\ComboFix2.txt ... 2007-10-08 18:52
C:\ComboFix3.txt ... 2007-10-08 15:14
.
--- E O F ---







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:47:32 AM, on 10/9/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Lexmark 6200 Series\lxbumon.exe
C:\Program Files\Lexmark 6200 Series\ezprint.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\System32\LVComsX.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\lxbucoms.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\Analyze.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: (no name) - {61C40A32-96F8-C82B-D7FA-CD6933DADBBE} - (no file)
O2 - BHO: (no name) - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O2 - BHO: (no name) - {BED1413D-513A-47FC-9D0B-0B5F3F178C78} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [lxbumon.exe] "C:\Program Files\Lexmark 6200 Series\lxbumon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 6200 Series\ezprint.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LXBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [NI.UWAS7_0001_N91M2703] "C:\DOCUME~1\Cid\LOCALS~1\Temp\winaspsnet.exe" -nag
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: Digital Line Detect.lnk.disabled
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} -
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbucoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 6909 bytes

#10 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 09 October 2007 - 04:16 PM

I believe we are going to have to disable TeaTimer and reboot in safe mode to make those fixes with HijackThis.

Here is how to disable TeaTimer
http://www.russelltexas.com/malware/teatimer.htm

Once disabled,restart the machine in safe mode and Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: (no name) - {61C40A32-96F8-C82B-D7FA-CD6933DADBBE} - (no file)
O2 - BHO: (no name) - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O2 - BHO: (no name) - {BED1413D-513A-47FC-9D0B-0B5F3F178C78} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [NI.UWAS7_0001_N91M2703] "C:\DOCUME~1\Cid\LOCALS~1\Temp\winaspsnet.exe" -nag

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} -

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button


Next,be sure you have physically unplugged your internet connection,so access to the net is unavailable during next boot session

Once unplugged,restart back into Normal Mode and Scan fresh with HijackThis and save that log.

Now,reactivate Tea Timer and reconnect your internet connection,you may want to go ahead and restart the machine once more to be sure Tea Timer is active.


Once ready,have the PC scanned here,please make sure you use Internet Explorer.
http://www.nanoscan.com/as/v1/principal.aspx

Be sure to save the results from the scan and post them along with the HijackThis log you saved.

#11 ProdigalCid

ProdigalCid
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Los Angeles

Posted 10 October 2007 - 12:39 AM

I noticed something curious today. As I was about to reboot into safe mode to run HijackThis, I decided to double check and make sure that system restore was turned off. I opened the control panel...clicked on Performance & Maintenance...and when I tried to open System Restore, it wouldn't work. All I got was a message saying, "System Restore is not able to protect your computer. Please restart your computer, and then run system restore again."

I rebooted and tried again...and got the same thing.

So what I did was go into the Services folder in Admin. Tools...and disabled System Restore from the Properties sub-menu...I also noticed that the "Allow service to interact with Desktop" box was unchecked, so I checked it, thinking that might let me access System Restore the normal way. When I closed those windows and tried again from the control panel, I got the same error message again.

I go back into the services folder...and find that Sys. Restore is no longer disabled. Somehow it turned it (or something) turned it back on. I kept disabling it...it kept turning itself back on...till I got fed up and left it alone.

It's not supposed to be doing that, is it??

Anywhoos, Just something that caught my attention.

I did everything exactly as you instructed...except that my antivirus wouldn't let TotalScan install, so I had to nervously disable it while TotalScan was doing it's thing.

If I'm reading the logs correctly though, I don't think we had much luck. I am including 2 HijackThis logs so you can see the difference...one from just after the reboot back into normal mode...and the second from just now.





;***********************************************************************************************************************************************************************************
ANALYSIS: 2007-10-09 21:49:09
PROTECTIONS: 0
MALWARE: 8
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Cid\Application Data\Mozilla\Firefox\Profiles\buk0hy9i.default\cookies.txt[.doubleclick.net/]
00145083 adware/mirar Adware No 1 Yes No HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Cid\Application Data\Mozilla\Firefox\Profiles\buk0hy9i.default\cookies.txt[.tribalfusion.com/]
00219235 adware/commad Adware No 0 Yes No hkey_local_machine\system\controlset001\enum\root\legacy_network_monitor
00219235 adware/commad Adware No 0 Yes No hkey_local_machine\system\controlset001\enum\root\legacy_cmdservice
00262492 Adware/CommAd Adware No 0 Yes No C:\qoobox\Quarantine\C\WINDOWS\SXNhdXJvIFBlcmV6IEpyLg\mrh1xrLSKI15wApdKHDVM0.vbs.vir
00278769 Application/PRScheduler HackTools No 0 Yes No C:\Documents and Settings\Cid\My Documents\Applications & Drivers\Hijackthis\backups\backup-20061126-113532-273-PowerReg Scheduler.exe
00366244 Application/NirCmd.A HackTools No 0 Yes No C:\fixwareout\FindT\nircmd.exe
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Cid\Desktop\ComboFix.exe[nircmd.exe]
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Cid\Desktop\ComboFix.exe[nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\WINDOWS\NirCmd.exe
;===================================================================================================================================================================================
SUSPECTS
Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================





(HijackThis 7PM)
------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:08:08 PM, on 10/9/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Lexmark 6200 Series\lxbumon.exe
C:\Program Files\Lexmark 6200 Series\ezprint.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\lxbucoms.exe
C:\WINDOWS\System32\LVComsX.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\Analyze.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [lxbumon.exe] "C:\Program Files\Lexmark 6200 Series\lxbumon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 6200 Series\ezprint.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LXBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: Digital Line Detect.lnk.disabled
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbucoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 5424 bytes






(HijackThis 10PM)
----------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:00 PM, on 10/9/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Lexmark 6200 Series\lxbumon.exe
C:\Program Files\Lexmark 6200 Series\ezprint.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\LVComsX.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\System32\lxbucoms.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\Analyze.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: (no name) - {61C40A32-96F8-C82B-D7FA-CD6933DADBBE} - (no file)
O2 - BHO: (no name) - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O2 - BHO: (no name) - {BED1413D-513A-47FC-9D0B-0B5F3F178C78} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [lxbumon.exe] "C:\Program Files\Lexmark 6200 Series\lxbumon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 6200 Series\ezprint.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LXBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [NI.UWAS7_0001_N91M2703] "C:\DOCUME~1\Cid\LOCALS~1\Temp\winaspsnet.exe" -nag
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Digital Line Detect.lnk.disabled
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} -
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} -
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbucoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 7405 bytes

#12 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 10 October 2007 - 03:39 AM

Allright,now we are gonna have to uninstall Spybot for the time and try to repair System Restore,it will hopefully be a painless fix.

As you can see,Spybot is forcing registry snapshots when the system is booted normal.

So what I would like you to do,is uninstall Spybot and then reboot the machine,go to System Restore and see if will funtion properly now,post back and let me know and we wil go from there.

#13 ProdigalCid

ProdigalCid
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Los Angeles
  • Local time:09:01 AM

Posted 10 October 2007 - 02:42 PM

Uninstalled Spybot and rebooted.

System Restore still doing the same thing...cant access it normally and keeps reactivating itself when I disable it using the services window.

#14 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 10 October 2007 - 03:58 PM

Allrighty,lets have a peek at some settings in the registry please.


Create a new folder on the desktop.
Copy the contents of this next code box to Notepad.
Name the file inspect.bat
Save as Type: All files
Save in that new folder on the desktop.

Double click on inspect.bat and let it run.
When finished it will open a file in Notepad.
That file will be named lsa.txt
Please post the contents of lsa.txt into your next reply here.


If not exist Files MkDir Files


regedit /a /e files\2.txt HKEY_CURRENT_USER\Software\Microsoft\OLE
regedit /a /e files\3.txt HKEY_CURRENT_USER\System\CurrentControlSet\Control\Lsa
regedit /a /e files\4.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
regedit /a /e files\5.txt HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
regedit /e /a files\6.txt HKEY_USERS\DEFAULT\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA
regedit /a /e files\7.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
regedit /a /e files\8.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center"
Regedit /a /e files\9.txt HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
Regedit /a /e files\10.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
Regedit /a /e files\11.txt HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WindowsFirewall
Regedit /a /e files\12.txt HKEY_CURRENT_USER\SOFTWARE\Policies\WindowsFirewall
regedit /a /e files\13.txt HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters
regedit /a /e files\14.txt HKEY_LOCAL_MACHINE\SYSTEM\Services\SharedAccess
regedit /a /e files\15.txt HKEY_LOCAL_MACHINE\SYSTEM\Services\sr
regedit /a /e files\16.txt HKEY_LOCAL_MACHINE\SYSTEM\Services\srservice


Copy files\*.txt = lsa.txt
rmdir /s /q files
Start Notepad lsa.txt


#15 ProdigalCid

ProdigalCid
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Los Angeles

Posted 10 October 2007 - 05:49 PM

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
@=""
"NoDriveTypeAutoRun"=dword:000000ff
"NoCDBurning"=dword:00000001
"NoDriveAutoRun"=dword:03ffffff

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall]

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,69,70,6e,61,74,68,6c,70,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"
"137:UDP"="137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002"
"1900:UDP"="1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007"
"2869:TCP"="2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008"

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\OLE]

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST]
"System.EnterpriseServices.Thunk.dll"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,65,72,62,65,72,6f,73,00,6d,73,76,31,5f,30,00,73,\
63,68,61,6e,6e,65,6c,00,77,64,69,67,65,73,74,00,00
"LsaPid"=dword:000002c0
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
"enabledcom"="y"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,69,6e,64,6f,77,73,20,4e,54,20,41,63,63,65,73,73,20,\
50,72,6f,76,69,64,65,72,00,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,6e,74,6d,61,72,74,61,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:7e,73,96,2d,2d,98,c2,25,3d,d3,2e,eb,ac,7a,39,cd,35,65,66,39,36,\
32,66,66,00,00,00,00,01,00,00,00,c4,01,00,00,c8,01,00,00,34,ca,06,00,45,9d,\
bf,71,04,00,00,00,10,00,00,00,00,00,00,00,8b,c0,d3,71

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:aa,41,83,67,9c,54,31,ac,79

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:f2,c9,e9,5a,8e,4d

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\msv1_0]
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:48,57,a8,9b,06,b0,2e,90,da,85,9c,b6,95,bc,4d,36

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:46,dc,c9,e7,b1,63,c4,01

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,68,93,82,7d,4f,c2,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,90,34,d6,42,4f,c2,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,68,93,82,7d,4f,c2,01
"Type"=dword:00000031

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users