Security Toolbar 7.1 Removal


16 replies to this topic

#1 sra122

  • Members
  • 17 posts

Posted 22 October 2007 - 09:00 PM

Please help with removal of the Security Toolbar 7.1 malware!

See hijackthis log below.

Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:43 PM, on 10/22/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\cba\pds.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\SSC\NSCTOP.EXE
C:\WINNT\Explorer.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\cba\xfr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Steve Adams\Application Data\Adobe\Acrobat\Distiller 5\acrotray.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Steve Adams\Desktop\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\drivers\ntndis.exe
O2 - BHO: (no name) - {232D2677-68EE-4FA1-B988-279EBC8969ED} - C:\WINNT\system32\urqronl.dll
O2 - BHO: (no name) - {4C212937-4ED5-4554-8713-94FB320F122B} - C:\WINNT\system32\qommk.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINNT\system32\ybqxfeld.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINNT\system32\czbvnjdf.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINNT\system32\czbvnjdf.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINNT\system32\xlsecjey.dll",sitypnow
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O4 - Global Startup: Shortcut to acrotray.exe.lnk = C:\Documents and Settings\Steve Adams\Application Data\Adobe\Acrobat\Distiller 5\acrotray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fastaccess.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/...trolLite_EN.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0031.exe
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite...vex-2.0.2.7.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/228940540415f2...ip/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://taxdata.realtracs.net/RealEstate/ma...mgaxctrlv65.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1....g/GoogleNav.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1123625938372
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab
O16 - DPF: {D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F} (RockYou Image Uploader Control) - http://www.rockyou.com/RockYouImageUploader.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EA4D0AF2-269B-45CB-B52F-C76A59E01919} (NrsMediaDownload Control) - http://www.nextradiosolutions.com/bellsout...diaDownload.ocx
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: czbvnjdf - C:\WINNT\SYSTEM32\czbvnjdf.dll
O20 - Winlogon Notify: urqronl - C:\WINNT\SYSTEM32\urqronl.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel Alert Handler - Intel Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel File Transfer - Intel Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\Program Files\SSC\NSCTOP.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 11985 bytes

Edited by sra122, 23 October 2007 - 03:23 PM.



#2 Blender

    I will eat your Malware

  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 23 October 2007 - 11:15 PM

Hi and welcome,

I need to look at another log please.
You got more troubles than "security toolbar" :thumbsup:

Download this tool to your desktop:
http://www.uploads.ejvindh.net/rootchk.exe
Run the program. After a short time a logfile will turn up. Copy the contents of the log into the thread.

If your antivirus or firewall starts asking questions... let this app (and reg.exe) do what it wants. It is not malicious and changes are temporary.

Thanks.

One of the malwares present is a backdoor.
This allows unauthorised access by others to your PC.

http://www.sophos.com/virusinfo/analyses/w32rbotdpg.html

Do not do any sensitive stuff like banking and such till cleaned up.

Keep it offline as much as possible till cleaned up.
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware Posted Image
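Blender's reading of the HijackThis log above (that there is more going on than the "Security Toolbar" entry) can be turned into a repeatable triage pass. The Python below is an added example, not a tool from this thread or from Trend Micro; it applies a few defender heuristics (a system.ini Shell= value that is not Explorer.exe alone, unnamed or randomly named add-on DLLs in system32, rundll32 autostarts, Trusted Zone additions, Winlogon Notify DLLs) to lines copied from the log posted above, and the 7-8 letter "random name" rule is my own assumption fitted to this log.

```python
import re
from typing import List, Tuple

# Lines copied from the HijackThis log posted above (a constructed subset, kept
# inline so the example runs offline; the lines themselves are verbatim).
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\drivers\ntndis.exe
O2 - BHO: (no name) - {232D2677-68EE-4FA1-B988-279EBC8969ED} - C:\WINNT\system32\urqronl.dll
O2 - BHO: (no name) - {4C212937-4ED5-4554-8713-94FB320F122B} - C:\WINNT\system32\qommk.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINNT\system32\czbvnjdf.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINNT\system32\xlsecjey.dll",sitypnow
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O20 - Winlogon Notify: czbvnjdf - C:\WINNT\SYSTEM32\czbvnjdf.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# A file sitting directly in system32 whose name is 7-8 lowercase letters with no
# digits (urqronl.dll, czbvnjdf.dll, xlsecjey.dll in this thread) follows the
# pattern of the randomly named droppers here. This is a heuristic I assumed for
# the example: a prompt to look closer, not proof of infection.
SYSTEM32_FILE_RE = re.compile(r"\\system32\\([^\\]+)$", re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"^[a-z]{7,8}\.(dll|exe)$")


def looks_random(path: str) -> bool:
    """True when `path` is a randomly named DLL/EXE dropped straight into system32."""
    m = SYSTEM32_FILE_RE.search(path.strip())
    return bool(m and RANDOM_NAME_RE.match(m.group(1)))


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (section, reason) pairs for HijackThis lines that deserve a closer look."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if section == "F2" and "Shell=" in line:
            # The system.ini Shell= value should be Explorer.exe alone; anything
            # appended to it is started together with the desktop at every logon.
            shell = line.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append((section, "Shell= launches more than Explorer.exe: " + shell))
        elif section in ("O2", "O3"):
            # Browser helper objects and toolbars. "(no name)" alone is not enough
            # (Spybot's SDHelper.dll shows up that way too), so the path decides:
            # an anonymous DLL in system32, or a random-looking one, gets flagged.
            path = line.rsplit(" - ", 1)[1]
            unnamed_in_system32 = "(no name)" in line and SYSTEM32_FILE_RE.search(path)
            if unnamed_in_system32 or looks_random(path):
                findings.append((section, "unnamed or randomly named browser add-on: " + path))
        elif section == "O4" and "rundll32" in line.lower():
            # rundll32 in a Run key is a common way to autostart a bare DLL.
            m = re.search(r'"([^"]+)"', line)
            if m and looks_random(m.group(1)):
                findings.append((section, "rundll32 autostart for a randomly named DLL: " + m.group(1)))
        elif section == "O15":
            # Trusted Zone additions relax IE's security settings for that domain,
            # so every one of them should be recognised and wanted by the user.
            findings.append((section, "Trusted Zone entry relaxes IE security for: " + line.split(": ", 1)[1]))
        elif section == "O20" and "Winlogon Notify" in line:
            # Winlogon Notify DLLs are loaded by winlogon.exe at every logon, which
            # is why they tend to survive ordinary cleanup attempts.
            path = line.rsplit(" - ", 1)[1]
            if looks_random(path):
                findings.append((section, "Winlogon Notify DLL loaded at logon: " + path))
    return findings


if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}")
```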

#3 sra122
  • Topic Starter

  • Members
  • 17 posts

Posted 23 October 2007 - 11:39 PM

********************************* ROOTCHK-(21-09-07)-LOG, by ejvindh
Tue 10/23/2007 23:30:17.96

The rootkits that are detected by this tool were not found.

********************************* ROOTCHK-LOG-end


catchme 0.3.1160 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-23 23:30:20
Windows 5.0.2195 Service Pack 4
scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

hidden processes: 0
hidden services: 0
hidden files: 0

#4 Blender

    I will eat your Malware

  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 24 October 2007 - 12:06 AM

Hi,

Thanks for the log.

1. Download this file and save it to your desktop.

**Note: It is important that it is saved directly to, and run from your desktop**

In the event you already have Combofix, please delete it as this is a new version I need you to download.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

a. Close any open browsers.

b. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

2. Disconnect from the internet. <-- Important!

Double click combofix.exe & follow the prompts.
You will temporarily lose the desktop while the scan is running. Once the scan is done the desktop will return to normal.

3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Thanks :thumbsup:

#5 sra122
  • Topic Starter

  • Members
  • 17 posts

Posted 24 October 2007 - 12:34 AM

ComboFix 07-10-23.1 - Steve Adams 10/24/2007 0:11:14.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.308 [GMT -5:00]
Running from: C:\Documents and Settings\Steve Adams\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Steve Adams\Application Data\macromedia\Flash Player\#SharedObjects\S3JLEQPG\www.broadcaster.com
C:\Documents and Settings\Steve Adams\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Steve Adams\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Steve Adams\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Steve Adams\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Steve Adams\Favorites\Online Security Guide.lnk
C:\Program Files\Common Files\uninstall information
C:\Temp\fCOe
C:\WINNT\cookies.ini
C:\WINNT\system32\czbvnjdf.dllbox
C:\WINNT\system32\kmmoq.bak1
C:\WINNT\system32\kmmoq.bak2
C:\WINNT\system32\kmmoq.ini
C:\WINNT\system32\oTt02e
C:\WINNT\system32\pac.txt
C:\WINNT\system32\qommk.dll
C:\WINNT\system32\xlsecjey.dll
C:\WINNT\system32\ybqxfeld.dll
C:\WINNT\system32\yejceslx.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_MSDIRECTX
-------\LEGACY_NTNDIS


((((((((((((((((((((((((( Files Created from 2007-09-24 to 2007-10-24 )))))))))))))))))))))))))))))))
.

2007-10-24 00:19 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_5ec.dat
2007-10-24 00:18 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_240.dat
2007-10-24 00:09 51,200 --a------ C:\WINNT\NirCmd.exe
2007-10-23 22:55 1,093,632 --a------ C:\WINNT\system32\mfc80.dll
2007-10-23 22:55 1,079,808 --a------ C:\WINNT\system32\mfc80u.dll
2007-10-23 22:55 69,632 --a------ C:\WINNT\system32\mfcm80.dll
2007-10-23 22:55 57,344 --a------ C:\WINNT\system32\mfcm80u.dll
2007-10-23 22:54 <DIR> d-------- C:\Documents and Settings\Steve Adams\Application Data\HouseCall 6.6
2007-10-23 21:38 84,544 --a------ C:\WINNT\system32\qaxbulcx.dll
2007-10-23 11:48 102,664 --a------ C:\WINNT\system32\drivers\tmcomm.sys
2007-10-22 20:25 <DIR> d-------- C:\Deckard
2007-10-22 19:36 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-22 14:47 <DIR> d-------- C:\Documents and Settings\Steve Adams\.housecall6.6
2007-10-22 12:07 <DIR> d-------- C:\DrWatson
2007-10-22 08:46 1,152 --a------ C:\WINNT\system32\windrv.sys
2007-10-22 08:45 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-10-22 08:22 411,024 --a------ C:\Program Files\parental-setup.exe
2007-10-22 07:56 289,144 --a------ C:\WINNT\system32\VCCLSID.exe
2007-10-22 07:56 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
2007-10-22 07:56 53,248 --a------ C:\WINNT\system32\Process.exe
2007-10-22 07:56 51,200 --a------ C:\WINNT\system32\dumphive.exe
2007-10-22 07:56 25,600 --a------ C:\WINNT\system32\WS2Fix.exe
2007-10-21 17:47 2,772 --a------ C:\WINNT\system32\tmp.reg
2007-10-21 15:00 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-21 14:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-20 19:12 340,032 --a------ C:\WINNT\system32\vdluriht.dll
2007-10-20 19:12 340,032 --a------ C:\WINNT\system32\czbvnjdf.dll
2007-10-19 19:06 34,304 --a------ C:\WINNT\system32\iifdcde.dll
2007-10-19 19:06 34,304 --a------ C:\WINNT\system32\byxywur.dll
2007-10-19 19:06 34,304 --a------ C:\WINNT\system32\awttsrr.dll
2007-10-19 19:05 34,304 --a------ C:\WINNT\system32\urqronl.dll
2007-10-18 23:25 626,688 --a------ C:\WINNT\system32\msvcr80.dll
2007-10-18 23:25 548,864 --a------ C:\WINNT\system32\msvcp80.dll
2007-10-18 23:25 479,232 --a------ C:\WINNT\system32\msvcm80.dll
2007-10-18 11:37 <DIR> d-a------ C:\Program Files\vision-3.1.01192725420.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-24 05:08 --------- d-----w C:\Program Files\LogMeIn
2007-10-23 20:29 --------- d-----w C:\Program Files\AWS
2007-10-23 01:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-22 21:06 --------- d-----w C:\Program Files\SSC
2007-10-22 03:06 --------- d-----w C:\Program Files\AIM
2007-10-22 00:37 --------- d-----w C:\Program Files\iTunes
2007-10-21 19:48 --------- d-----w C:\Program Files\Google
2007-10-20 04:02 284 ----a-w C:\Documents and Settings\Steve Adams\Application Data\ViewerApp.dat
2007-10-17 21:17 --------- d-----w C:\Documents and Settings\Steve Adams\Application Data\gtk-2.0
2007-10-01 13:32 --------- d-----w C:\Program Files\eMusic Download Manager
2007-09-21 02:41 --------- d-----w C:\Program Files\NCH Swift Sound
2007-09-21 01:59 --------- d-----w C:\Program Files\Astonsoft
2007-09-20 19:15 --------- d-----w C:\Documents and Settings\Steve Adams\Application Data\DeepBurner
2007-09-16 12:55 --------- d-----w C:\Program Files\Apple Software Update
2007-09-08 00:43 --------- d-----w C:\Program Files\Virtools
2007-09-06 21:14 75,248 ----a-w C:\WINNT\zllsputility.exe
2007-09-06 21:14 1,086,952 ----a-w C:\WINNT\system32\zpeng24.dll
2007-09-06 20:02 --------- d-----w C:\Program Files\Java
2007-09-06 10:09 801,144 ----a-w C:\WINNT\system32\aswBoot.exe
2007-09-06 10:05 94,416 ----a-w C:\WINNT\system32\drivers\aswmon2.sys
2007-09-06 10:05 92,848 ----a-w C:\WINNT\system32\drivers\aswmon.sys
2007-09-06 10:03 23,152 ----a-w C:\WINNT\system32\drivers\aswRdr.sys
2007-09-06 10:02 42,912 ----a-w C:\WINNT\system32\drivers\aswTdi.sys
2007-09-06 10:00 95,608 ----a-w C:\WINNT\system32\AVASTSS.scr
2007-09-06 10:00 26,624 ----a-w C:\WINNT\system32\drivers\aavmker4.sys
2007-08-19 22:55 91,136 ----a-w C:\WINNT\system32\MSOERT2.DLL
2007-08-19 22:55 596,992 ----a-w C:\WINNT\system32\INETCOMM.DLL
2007-08-19 22:55 47,616 ----a-w C:\WINNT\system32\INETRES.DLL
2007-08-19 22:55 229,376 ----a-w C:\WINNT\system32\MSOEACCT.DLL
2007-08-19 22:52 44,032 ----a-w C:\WINNT\system32\MSIDENT.DLL
2007-08-17 06:48 448,272 ----a-w C:\WINNT\system32\oieng400.dll
2007-08-17 06:48 39,184 ----a-w C:\WINNT\system32\jpeg2x32.dll
2007-08-17 06:48 33,552 ----a-w C:\WINNT\system32\tifflt.dll
2007-08-07 14:58 702,480 ----a-w C:\Program Files\MoveMediaPlayer_07051001.exe
2007-07-31 03:21 2,126 ----a-w C:\sysaxpz.exe
2007-07-31 00:19 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-07-31 00:19 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-07-31 00:19 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-07-31 00:19 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-07-31 00:19 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-07-31 00:19 271,224 ----a-w C:\WINNT\system32\mucltui.dll
2007-07-31 00:19 207,736 ----a-w C:\WINNT\system32\muweb.dll
2007-07-31 00:19 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINNT\system32\wuaueng.dll
2007-07-31 00:18 33,624 ----a-w C:\WINNT\system32\wups.dll
2006-04-28 01:52 2,506 ----a-w C:\Program Files\Ab LogFile.txt
2006-02-22 21:31 1,455,680 ----a-w C:\Program Files\procexp.exe
2006-02-11 15:22 1,969 ----a-w C:\Program Files\Eula.txt
2006-02-01 10:25 71,710 ----a-w C:\Program Files\procexp.chm
2005-09-16 00:25 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-07-15 00:16 9,568 ----a-w C:\Program Files\reflist.dll
2005-05-31 02:22 90,112 ----a-w C:\Program Files\AboutBuster.exe
2005-05-31 00:27 2,796 -c--a-w C:\Program Files\AboutBuster 5.0.txt
2004-10-19 21:45 4,479 -c--a-w C:\Program Files\ATT00007.txt
2004-10-19 21:45 153,438 ----a-w C:\Program Files\image.tif
2004-10-19 21:44 3,893 -c--a-w C:\Program Files\ATT00004.txt
2004-08-08 18:45 455,664 ----a-w C:\Program Files\audacity-manual-1.2.zip
2004-08-08 18:43 3,081,958 ----a-w C:\Program Files\audacity-win-1.2.1.exe
2004-08-04 17:42 17,729 ----a-w C:\Program Files\homestarrunnericons.zip
2004-05-14 04:28 607,672 ----a-w C:\Program Files\advisor.exe
2003-02-20 04:27 1,897,672 -c--a-w C:\Program Files\winzip81.exe
2002-09-13 23:05 271 ---h--w C:\Program Files\desktop.ini
2002-09-13 23:05 21,952 ---h--w C:\Program Files\folder.htt
1999-12-07 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys
2005-05-27 14:15:43 56 --sha-r C:\WINNT\system32\7763F18E97.sys
2005-05-27 14:15:49 1,682 --sha-w C:\WINNT\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{232D2677-68EE-4FA1-B988-279EBC8969ED}]
07-10-19 19:05 34304 --a------ C:\WINNT\system32\urqronl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
07-10-20 19:12 340032 --a------ C:\WINNT\system32\czbvnjdf.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINNT\system32\czbvnjdf.dll [07-10-20 19:12 340032]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINNT\system32\mobsync.exe]
"Mozilla Firefox"="" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05-09-22 12:39 ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07-07-12 04:00 ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07-09-06 05:06 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-04-27 09:41 ]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [07-04-17 14:03 ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07-07-27 20:14 ]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [07-09-11 15:22 ]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07-09-06 16:14 ]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" []
"e83ef800"="C:\WINNT\system32\qaxbulcx.dll" [07-10-23 21:38 ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Mozilla Firefox"=

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{232D2677-68EE-4FA1-B988-279EBC8969ED}"= C:\WINNT\system32\urqronl.dll [07-10-19 19:05 34304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\czbvnjdf]
czbvnjdf.dll 07-10-20 19:12 340032 C:\WINNT\system32\czbvnjdf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqronl]
urqronl.dll 07-10-19 19:05 34304 C:\WINNT\system32\urqronl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINNT\system32\qommk.dll

R1 cdudf;cdudf;C:\WINNT\system32\drivers\cdudf.sys
R2 aswMon;avast! Standard Shield Support;C:\WINNT\system32\drivers\aswMon.sys
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\C:\Program Files\LogMeIn\x86\RaInfo.sys
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\WINNT\system32\drivers\LMIRfsDriver.sys
R3 lmimirr;lmimirr;C:\WINNT\system32\DRIVERS\lmimirr.sys
S4 mrtRate;mrtRate;C:\WINNT\system32\drivers\mrtRate.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-23 15:43:41 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
"2007-10-24 04:30:09 C:\WINNT\Tasks\Disk Cleanup.job"
- C:\WINNT\System32\cleanmgr.exe
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-24 00:19:55
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-24 0:23:06 - machine was rebooted
.
--- E O F ---

#6 Blender

    I will eat your Malware

  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 24 October 2007 - 01:10 AM

Okie... round 2!

I have attached a file called CFScript.txt.

The attached file is for this computer only! Using this script on another computer may cause damage!
Please download this file and save it to your desktop. It must be on the desktop to work!

Once saved, disconnect from the internet again and shut down your antivirus/antispyware apps so they don't interfere.

Drag CFScript.txt on top of ComboFix.exe


Post the new ComboFix.txt please once you are restarted and back online.

Let me know how the machine is running.

Thanks :thumbsup:

#7 sra122
  • Topic Starter

  • Members
  • 17 posts

Posted 24 October 2007 - 01:25 AM

ComboFix 07-10-23.1 - Steve Adams 10/24/2007 1:06:36.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.342 [GMT -5:00]
Running from: C:\Documents and Settings\Steve Adams\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Steve Adams\Desktop\CFScript.txt

FILE::
C:\sysaxpz.exe
C:\WINNT\system32\awttsrr.dll
C:\WINNT\system32\byxywur.dll
C:\WINNT\system32\czbvnjdf.dll
C:\WINNT\system32\iifdcde.dll
C:\WINNT\system32\qaxbulcx.dll
C:\WINNT\system32\urqronl.dll
C:\WINNT\system32\vdluriht.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\sysaxpz.exe
C:\WINNT\system32\awttsrr.dll
C:\WINNT\system32\byxywur.dll
C:\WINNT\system32\czbvnjdf.dll
C:\WINNT\system32\czbvnjdf.dllbox
C:\WINNT\system32\iifdcde.dll
C:\WINNT\system32\qaxbulcx.dll
C:\WINNT\system32\urqronl.dll
C:\WINNT\system32\vdluriht.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-24 to 2007-10-24 )))))))))))))))))))))))))))))))
.

2007-10-24 01:12 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_574.dat
2007-10-24 01:11 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_234.dat
2007-10-24 00:09 51,200 --a------ C:\WINNT\NirCmd.exe
2007-10-23 22:55 1,093,632 --a------ C:\WINNT\system32\mfc80.dll
2007-10-23 22:55 1,079,808 --a------ C:\WINNT\system32\mfc80u.dll
2007-10-23 22:55 69,632 --a------ C:\WINNT\system32\mfcm80.dll
2007-10-23 22:55 57,344 --a------ C:\WINNT\system32\mfcm80u.dll
2007-10-23 22:54 <DIR> d-------- C:\Documents and Settings\Steve Adams\Application Data\HouseCall 6.6
2007-10-23 11:48 102,664 --a------ C:\WINNT\system32\drivers\tmcomm.sys
2007-10-22 20:25 <DIR> d-------- C:\Deckard
2007-10-22 19:36 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-22 14:47 <DIR> d-------- C:\Documents and Settings\Steve Adams\.housecall6.6
2007-10-22 12:07 <DIR> d-------- C:\DrWatson
2007-10-22 08:46 1,152 --a------ C:\WINNT\system32\windrv.sys
2007-10-22 08:45 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-10-22 08:22 411,024 --a------ C:\Program Files\parental-setup.exe
2007-10-22 07:56 289,144 --a------ C:\WINNT\system32\VCCLSID.exe
2007-10-22 07:56 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
2007-10-22 07:56 53,248 --a------ C:\WINNT\system32\Process.exe
2007-10-22 07:56 51,200 --a------ C:\WINNT\system32\dumphive.exe
2007-10-22 07:56 25,600 --a------ C:\WINNT\system32\WS2Fix.exe
2007-10-21 17:47 2,772 --a------ C:\WINNT\system32\tmp.reg
2007-10-21 15:00 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-21 14:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-18 23:25 626,688 --a------ C:\WINNT\system32\msvcr80.dll
2007-10-18 23:25 548,864 --a------ C:\WINNT\system32\msvcp80.dll
2007-10-18 23:25 479,232 --a------ C:\WINNT\system32\msvcm80.dll
2007-10-18 11:37 <DIR> d-a------ C:\Program Files\vision-3.1.01192725420.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-24 05:08 --------- d-----w C:\Program Files\LogMeIn
2007-10-23 20:29 --------- d-----w C:\Program Files\AWS
2007-10-23 01:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-22 21:06 --------- d-----w C:\Program Files\SSC
2007-10-22 03:06 --------- d-----w C:\Program Files\AIM
2007-10-22 00:37 --------- d-----w C:\Program Files\iTunes
2007-10-21 19:48 --------- d-----w C:\Program Files\Google
2007-10-20 04:02 284 ----a-w C:\Documents and Settings\Steve Adams\Application Data\ViewerApp.dat
2007-10-17 21:17 --------- d-----w C:\Documents and Settings\Steve Adams\Application Data\gtk-2.0
2007-10-01 13:32 --------- d-----w C:\Program Files\eMusic Download Manager
2007-09-21 02:41 --------- d-----w C:\Program Files\NCH Swift Sound
2007-09-21 01:59 --------- d-----w C:\Program Files\Astonsoft
2007-09-20 19:15 --------- d-----w C:\Documents and Settings\Steve Adams\Application Data\DeepBurner
2007-09-16 12:55 --------- d-----w C:\Program Files\Apple Software Update
2007-09-08 00:43 --------- d-----w C:\Program Files\Virtools
2007-09-06 21:14 75,248 ----a-w C:\WINNT\zllsputility.exe
2007-09-06 20:02 --------- d-----w C:\Program Files\Java
2007-09-06 10:05 94,416 ----a-w C:\WINNT\system32\drivers\aswmon2.sys
2007-09-06 10:05 92,848 ----a-w C:\WINNT\system32\drivers\aswmon.sys
2007-09-06 10:03 23,152 ----a-w C:\WINNT\system32\drivers\aswRdr.sys
2007-09-06 10:02 42,912 ----a-w C:\WINNT\system32\drivers\aswTdi.sys
2007-09-06 10:00 26,624 ----a-w C:\WINNT\system32\drivers\aavmker4.sys
2007-08-07 14:58 702,480 ----a-w C:\Program Files\MoveMediaPlayer_07051001.exe
2006-04-28 01:52 2,506 ----a-w C:\Program Files\Ab LogFile.txt
2006-02-22 21:31 1,455,680 ----a-w C:\Program Files\procexp.exe
2006-02-11 15:22 1,969 ----a-w C:\Program Files\Eula.txt
2006-02-01 10:25 71,710 ----a-w C:\Program Files\procexp.chm
2005-09-16 00:25 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-07-15 00:16 9,568 ----a-w C:\Program Files\reflist.dll
2005-05-31 02:22 90,112 ----a-w C:\Program Files\AboutBuster.exe
2005-05-31 00:27 2,796 -c--a-w C:\Program Files\AboutBuster 5.0.txt
2004-10-19 21:45 4,479 -c--a-w C:\Program Files\ATT00007.txt
2004-10-19 21:45 153,438 ----a-w C:\Program Files\image.tif
2004-10-19 21:44 3,893 -c--a-w C:\Program Files\ATT00004.txt
2004-08-08 18:45 455,664 ----a-w C:\Program Files\audacity-manual-1.2.zip
2004-08-08 18:43 3,081,958 ----a-w C:\Program Files\audacity-win-1.2.1.exe
2004-08-04 17:42 17,729 ----a-w C:\Program Files\homestarrunnericons.zip
2004-05-14 04:28 607,672 ----a-w C:\Program Files\advisor.exe
2003-02-20 04:27 1,897,672 -c--a-w C:\Program Files\winzip81.exe
2002-09-13 23:05 271 ---h--w C:\Program Files\desktop.ini
2002-09-13 23:05 21,952 ---h--w C:\Program Files\folder.htt
1999-12-07 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys
2005-05-27 14:15:43 56 --sha-r C:\WINNT\system32\7763F18E97.sys
2005-05-27 14:15:49 1,682 --sha-w C:\WINNT\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINNT\system32\mobsync.exe]
"Mozilla Firefox"="" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05-09-22 12:39 ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07-07-12 04:00 ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07-09-06 05:06 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-04-27 09:41 ]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [07-04-17 14:03 ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07-07-27 20:14 ]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [07-09-11 15:22 ]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07-09-06 16:14 ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Mozilla Firefox"=

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);C:\WINNT\system32\DRIVERS\SONYPVM1.SYS
R1 cdudf;cdudf;C:\WINNT\system32\drivers\cdudf.sys
R1 UdfReadr;UdfReadr;C:\WINNT\system32\drivers\UdfReadr.sys
R2 aswMon;avast! Standard Shield Support;C:\WINNT\system32\drivers\aswMon.sys
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\C:\Program Files\LogMeIn\x86\RaInfo.sys
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\WINNT\system32\drivers\LMIRfsDriver.sys
R3 lmimirr;lmimirr;C:\WINNT\system32\DRIVERS\lmimirr.sys
R3 usbprint;Microsoft USB PRINTER Class;C:\WINNT\system32\DRIVERS\usbprint.sys
S3 USB_RNDIS_2K;Westell WireSpeed Dual Connect Modem;C:\WINNT\system32\DRIVERS\usb8023k.sys
S4 mrtRate;mrtRate;C:\WINNT\system32\drivers\mrtRate.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-23 15:43:41 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
"2007-10-24 04:30:09 C:\WINNT\Tasks\Disk Cleanup.job"
- C:\WINNT\System32\cleanmgr.exe
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-24 01:13:17
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-24 1:15:32 - machine was rebooted
C:\ComboFix2.txt ... 07-10-24 00:23
.
--- E O F ---

#8 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario
  • Local time:04:45 AM

Posted 24 October 2007 - 01:45 AM

Hey,

Looks pretty darn good.
Let's make sure there is nothing else floating around where ComboFix doesn't look.

Using Internet Explorer, please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

Click "I accept"

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now, under Select a target to scan, select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save report button.
  • Call it Kaspersky.txt
  • Expand the arrow beside "file types" and save as a .txt file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

*Note
It is recommended to disable the onboard antivirus program and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.

Post fresh hijackthis log too please.

If the KAV scan has your email address plastered all through it or is too big to post... attach it please.
You should have the option below your post to manage attachments.
Browse> locate log> upload.

Don't delete anything KAV flags yet. It might flag your LogMeIn and a few files ComboFix dropped as "risk" items.
We'll clean up our tools when we know we are done.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#9 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario
  • Local time:04:45 AM

Posted 24 October 2007 - 03:55 AM

Hey,

Once you do the KAV scan, I wanna see a log from this as well, please.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Open the extracted SDFix folder and double click RunThis.bat to start the script.

You will see several choices. (1,2,3,A,B,C,D,U,E)
We just want a log.

Type A & hit enter.
It will take a few minutes to complete the scan. Wait till the log pops up.

If your security programs ask you questions... allow SDFix to do what it wants. Any changes it makes at this stage are temporary and it is not malicious.

Post the C:\SystemReport.txt

Thanks :thumbsup:

#10 sra122

sra122
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:02:45 AM

Posted 24 October 2007 - 08:55 AM

Blender,

Here is the Kaspersky.txt file:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, October 24, 2007 8:45:57 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 24/10/2007
Kaspersky Anti-Virus database records: 443642
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 61729
Number of viruses found: 9
Number of infected objects: 30
Number of suspicious objects: 0
Duration of the scan process: 03:41:33

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\dlwixoql.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ao skipped
C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\dswtmhmj.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ao skipped
C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\efcgxlvu.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ao skipped
C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\exjegpqb.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ao skipped
C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\gitobxmn.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ao skipped
C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\lpllfrfy.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ao skipped
C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\mofugclq.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ao skipped
C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\ngproxvf.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ao skipped
C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\peuagbsx.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ao skipped
C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\qrjatydi.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ao skipped
C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\rhvqsuwb.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ao skipped
C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\sheqipoi.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ao skipped
C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\urclqecd.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ao skipped
C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\vntmrykt.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ao skipped
C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\xqedqkpr.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ao skipped
C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\ywuecxwm.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ao skipped
C:\Documents and Settings\Default User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Steve Adams\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Steve Adams\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Steve Adams\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Steve Adams\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Steve Adams\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Steve Adams\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Steve Adams\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Steve Adams\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Steve Adams\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Steve Adams\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Steve Adams\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Kerio Firewall\irelandlandscapes.exe Infected: not-a-virus:AdWare.Win32.Comet.bc skipped
C:\Program Files\Microsoft AntiSpyware\Quarantine\6681D9C9-0E5B-43C6-A463-DE1339\B86C1209-4481-42EF-A128-6B8A4E Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
C:\qoobox\Quarantine\C\WINNT\system32\czbvnjdf.dll.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\qoobox\Quarantine\C\WINNT\system32\vdluriht.dll.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\qoobox\Quarantine\C\WINNT\system32\ybqxfeld.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aea skipped
C:\qoobox\Quarantine\catchme2007-10-24_ 11254.26.zip/czbvnjdf.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\qoobox\Quarantine\catchme2007-10-24_ 11254.26.zip ZIP: infected - 1 skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Downloaded Program Files\installer_PIVOTAL_5_DB.exe Infected: Trojan-Downloader.Win32.Adload.a skipped
C:\WINNT\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\WINNT\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINNT\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINNT\Internet Logs\STEVE.ldb Object is locked skipped
C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\config\Antivirus.Evt Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\fpsvvm10.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao skipped
C:\WINNT\system32\Perflib_Perfdata_234.dat Object is locked skipped
C:\WINNT\TEMP\ZLT00752.TMP Object is locked skipped
C:\WINNT\TEMP\ZLT00758.TMP Object is locked skipped
C:\WINNT\TEMP\_avast4_\Webshlock.txt Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.
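Blender's caveat above (KAV will tag the helper's own tools, LogMeIn, and the copies ComboFix parked in quarantine as "risk" items, and none of those should be deleted yet) is the sorting a helper does by eye when reading a report like this one. The following is an added example for this thread, not code from the original posts or from any Kaspersky tool, that does the same triage over a handful of lines taken from the report above: it separates locked objects, archive summary lines, hits inside quarantine/backup folders, and hits on known tool components from detections at live locations. The quarantine and tool path markers are assumptions chosen for the tools used in this thread.

```python
"""Triage a Kaspersky Online Scanner report.

Added example for this thread; not part of the original posts or of any
Kaspersky tool. Each "Infected Object Name / Virus Name / Last Action"
line is sorted into a bucket so that copies already parked by a removal
tool and the tools' own components are kept apart from live detections.
The marker lists are assumptions for this thread, not a Kaspersky convention.
"""
import re
from collections import Counter

# Lower-case path fragments of quarantine/backup folders (assumption).
QUARANTINE_MARKERS = (
    "\\qoobox\\quarantine\\",       # ComboFix
    "\\deckard\\system scanner\\",  # Deckard's System Scanner backup
    "\\sdfix\\backups\\",           # SDFix
    "\\quarantine\\",               # Microsoft AntiSpyware and others
)

# Software a scanner tags as riskware that the thread says is expected (assumption).
EXPECTED_RISKWARE_MARKERS = ("\\smitfraudfix", "\\combofix", "\\sdfix\\",
                             "\\hijackthis\\", "\\logmein\\")

INFECTED_RE = re.compile(r"^(?P<path>.+) Infected: (?P<detection>\S+) (?P<action>\S+)$")
CONTAINER_RE = re.compile(r"^(?P<path>.+) (?P<kind>\w+): infected - (?P<count>\d+) (?P<action>\S+)$")
LOCKED_SUFFIX = " Object is locked skipped"


def parse_entry(line):
    """Return a dict for a result line, or None for headers, stats and blanks."""
    line = line.strip()
    if line.endswith(LOCKED_SUFFIX):
        return {"path": line[: -len(LOCKED_SUFFIX)], "detection": None, "kind": "locked"}
    m = INFECTED_RE.match(line)
    if m:
        return {"path": m["path"], "detection": m["detection"], "kind": "infected"}
    m = CONTAINER_RE.match(line)
    if m:
        return {"path": m["path"], "detection": None, "kind": "container"}
    return None


def classify(entry):
    """Map one parsed entry to a triage bucket."""
    if entry["kind"] == "locked":
        return "locked"             # hives, event logs, index.dat: scanner noise
    if entry["kind"] == "container":
        return "container"          # archive summary; the member line has the detail
    low = entry["path"].lower()
    if any(mark in low for mark in QUARANTINE_MARKERS):
        return "quarantined"        # already neutralised; cleaned up with the tool later
    if any(mark in low for mark in EXPECTED_RISKWARE_MARKERS):
        return "expected_riskware"  # helper tools / known remote-access software
    if entry["detection"].startswith("not-a-virus:"):
        return "riskware_live"      # adware or risktool at a live path: review
    return "malware_live"           # real detection outside quarantine: act on it


def triage(report_text):
    """Group every result line of the report by bucket."""
    buckets = {}
    for line in report_text.splitlines():
        entry = parse_entry(line)
        if entry is not None:
            buckets.setdefault(classify(entry), []).append(entry)
    return buckets


def summary(report_text):
    """Counter of bucket -> number of entries."""
    return Counter({k: len(v) for k, v in triage(report_text).items()})


# Sample input: a subset of lines copied from the report posted above.
SAMPLE_REPORT = r"""
Number of infected objects: 30

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\dlwixoql.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ao skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\Documents and Settings\Steve Adams\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Steve Adams\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Program Files\Kerio Firewall\irelandlandscapes.exe Infected: not-a-virus:AdWare.Win32.Comet.bc skipped
C:\Program Files\Microsoft AntiSpyware\Quarantine\6681D9C9-0E5B-43C6-A463-DE1339\B86C1209-4481-42EF-A128-6B8A4E Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
C:\qoobox\Quarantine\C\WINNT\system32\czbvnjdf.dll.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\WINNT\Downloaded Program Files\installer_PIVOTAL_5_DB.exe Infected: Trojan-Downloader.Win32.Adload.a skipped
C:\WINNT\system32\fpsvvm10.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao skipped
C:\qoobox\Quarantine\catchme2007-10-24_ 11254.26.zip ZIP: infected - 1 skipped

Scan process completed.
"""

if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_REPORT).items():
        print(f"== {bucket} ({len(entries)})")
        for e in entries:
            print("   ", e["detection"] or "-", e["path"])
```

Run on the sample, only the `malware_live` bucket (one entry, the Adload downloader in Downloaded Program Files) and the two `riskware_live` entries need a decision; everything else is either noise, already quarantined, or a tool component the thread expects to be flagged.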

#11 sra122

sra122
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:02:45 AM

Posted 24 October 2007 - 09:35 AM

Here is the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:48 AM, on 10/24/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\cba\pds.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\SSC\NSCTOP.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\cba\xfr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Documents and Settings\Steve Adams\Application Data\Adobe\Acrobat\Distiller 5\acrotray.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O4 - Global Startup: Shortcut to acrotray.exe.lnk = C:\Documents and Settings\Steve Adams\Application Data\Adobe\Acrobat\Distiller 5\acrotray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fastaccess.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/...trolLite_EN.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0031.exe
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite...vex-2.0.2.7.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/228940540415f2...ip/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://taxdata.realtracs.net/RealEstate/ma...mgaxctrlv65.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1....g/GoogleNav.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1123625938372
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab
O16 - DPF: {D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F} (RockYou Image Uploader Control) - http://www.rockyou.com/RockYouImageUploader.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EA4D0AF2-269B-45CB-B52F-C76A59E01919} (NrsMediaDownload Control) - http://www.nextradiosolutions.com/bellsout...diaDownload.ocx
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel Alert Handler - Intel Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel File Transfer - Intel Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\Program Files\SSC\NSCTOP.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 10525 bytes
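The entries in this log that deserve a second look for a rogue-toolbar cleanup are the O15 Trusted Zone additions and the O16 Downloaded Program Files (ActiveX) handlers, because those are the browser-trust settings such software changes. The following is an added example for this thread, not part of HijackThis or of the original posts, that pulls those two line types out of a HijackThis 2.0 log and lists the ones a helper would review: every Trusted Zone domain not on an allowlist (with its registry scope; HijackThis marks machine-wide entries with "(HKLM)" and leaves per-user ones unmarked) and every DPF entry whose download is not a .cab package. The allowlist and the .cab heuristic are assumptions for illustration, not HijackThis rules, and the sample lines are copied from the log above.

```python
"""Extract the browser-trust entries from a HijackThis 2.0 log.

Added example for this thread; not part of HijackThis or of the original
posts. O15 lines are Internet Explorer Trusted Zone additions, O16 lines
are Downloaded Program Files (ActiveX controls installed from the web).
The allowlist and the .cab check are assumptions for illustration.
"""
import re

O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<domain>\S+)(?: \((?P<scope>HKLM)\))?$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\S+)(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")


def parse_hjt(log_text):
    """Return (trusted_zone_entries, dpf_entries) parsed from the log."""
    trusted, dpf = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O15_RE.match(line)
        if m:
            # Unmarked entries live under HKCU; "(HKLM)" means machine-wide.
            trusted.append({"domain": m["domain"], "scope": m["scope"] or "HKCU"})
            continue
        m = O16_RE.match(line)
        if m:
            dpf.append({"clsid": m["clsid"], "name": m["name"],
                        "url": m["url"].rstrip("?")})
    return trusted, dpf


def review(log_text, allowlist=frozenset()):
    """List (type, context, value, reason) tuples a helper should look at.

    allowlist: bare domains (no "*." prefix) the user knowingly trusts.
    """
    trusted, dpf = parse_hjt(log_text)
    findings = []
    for t in trusted:
        bare = t["domain"].lstrip("*.")
        if bare not in allowlist:
            findings.append(("O15", t["scope"], t["domain"],
                             "Trusted Zone domain not on the allowlist"))
    for d in dpf:
        if not d["url"].lower().endswith(".cab"):
            findings.append(("O16", d["name"] or d["clsid"], d["url"],
                             "DPF handler that is not a .cab package"))
    return findings


# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0031.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
"""

if __name__ == "__main__":
    for kind, context, value, reason in review(SAMPLE_HJT_LOG):
        print(f"{kind} [{context}] {value}: {reason}")
```

With an empty allowlist every Trusted Zone line is reported, which matches what a helper does with a fresh log: each wildcard domain is checked against what the user actually added. Pass the domains the user recognises in `allowlist` and only the unexplained ones remain.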

#12 sra122

sra122
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:02:45 AM

Posted 24 October 2007 - 10:04 AM

Here is the SDFix log:


SDFix: Version 1.111

Run by Steve Adams on Wed 10/24/2007 at 9:41a

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINNT\SYSTEM32\APD123.EXE - Deleted
C:\VDM7.TMP - Deleted



Removing Temp Files...

ADS Check:

C:\WINNT
No streams found.

C:\WINNT\system32
No streams found.

C:\WINNT\system32\svchost.exe
No streams found.

C:\WINNT\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Fri 27 May 2005 56 A.SHR --- "C:\WINNT\system32\7763F18E97.sys"
Fri 27 May 2005 1,682 A.SH. --- "C:\WINNT\system32\KGyGaAvL.sys"
Thu 3 Nov 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 26 Oct 2005 400 A.SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.bla.bak"
Wed 26 Oct 2005 48 A.SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.sec.bak"
Sun 8 Oct 2006 19,968 ...H. --- "C:\Documents and Settings\Steve Adams\Application Data\Microsoft\Word\~WRL0004.tmp"
Tue 5 Nov 2002 19,456 ...H. --- "C:\Documents and Settings\Steve Adams\Application Data\Microsoft\Word\~WRL0005.tmp"
Sun 21 Oct 2007 19,968 ...H. --- "C:\Documents and Settings\Steve Adams\Application Data\Microsoft\Word\~WRL0006.tmp"
Mon 8 Aug 2005 21,504 ...H. --- "C:\Documents and Settings\Steve Adams\Application Data\Microsoft\Word\~WRL0115.tmp"
Tue 5 Nov 2002 19,968 ...H. --- "C:\Documents and Settings\Steve Adams\Application Data\Microsoft\Word\~WRL0228.tmp"
Sun 8 Oct 2006 22,016 ...H. --- "C:\Documents and Settings\Steve Adams\Application Data\Microsoft\Word\~WRL0372.tmp"
Sun 8 Oct 2006 21,504 ...H. --- "C:\Documents and Settings\Steve Adams\Application Data\Microsoft\Word\~WRL0515.tmp"
Sun 8 Oct 2006 21,504 ...H. --- "C:\Documents and Settings\Steve Adams\Application Data\Microsoft\Word\~WRL0602.tmp"
Tue 5 Nov 2002 20,480 ...H. --- "C:\Documents and Settings\Steve Adams\Application Data\Microsoft\Word\~WRL0978.tmp"
Sun 2 May 2004 19,968 ...H. --- "C:\Documents and Settings\Steve Adams\Application Data\Microsoft\Word\~WRL1590.tmp"
Sun 8 Oct 2006 20,480 ...H. --- "C:\Documents and Settings\Steve Adams\Application Data\Microsoft\Word\~WRL1598.tmp"
Sun 8 Oct 2006 20,992 ...H. --- "C:\Documents and Settings\Steve Adams\Application Data\Microsoft\Word\~WRL1951.tmp"
Sun 21 Oct 2007 20,480 ...H. --- "C:\Documents and Settings\Steve Adams\Application Data\Microsoft\Word\~WRL1991.tmp"
Sun 8 Oct 2006 24,064 ...H. --- "C:\Documents and Settings\Steve Adams\Application Data\Microsoft\Word\~WRL2922.tmp"
Sun 8 Oct 2006 24,064 ...H. --- "C:\Documents and Settings\Steve Adams\Application Data\Microsoft\Word\~WRL2995.tmp"
Thu 3 Nov 2005 4,348 ...H. --- "C:\Documents and Settings\Steve Adams\My Documents\My Music\License Backup\drmv1key.bak"
Sat 30 Dec 2006 20 A..H. --- "C:\Documents and Settings\Steve Adams\My Documents\My Music\License Backup\drmv1lic.bak"
Tue 29 Aug 2006 664 ...H. --- "C:\Documents and Settings\Steve Adams\My Documents\My Music\License Backup\drmv2key.bak"
Sat 30 Dec 2006 276,480 A..H. --- "C:\Documents and Settings\Steve Adams\My Documents\My Music\License Backup\drmv2lic.bak"
Mon 22 Oct 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\ico1.tmp"
Mon 22 Oct 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\ico10.tmp"
Mon 22 Oct 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\ico11.tmp"
Mon 22 Oct 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\ico2.tmp"
Mon 22 Oct 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\ico3.tmp"
Mon 22 Oct 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\ico4.tmp"
Mon 22 Oct 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\ico46.tmp"
Mon 22 Oct 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\ico47.tmp"
Mon 22 Oct 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\ico48.tmp"
Mon 22 Oct 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\ico5.tmp"
Mon 22 Oct 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\ico6.tmp"
Mon 22 Oct 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\ico614.tmp"
Mon 22 Oct 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\ico615.tmp"
Mon 22 Oct 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\ico616.tmp"
Mon 22 Oct 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\ico617.tmp"
Mon 22 Oct 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\ico618.tmp"
Mon 22 Oct 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\ico63E.tmp"
Mon 22 Oct 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\ico63F.tmp"
Mon 22 Oct 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\ico640.tmp"
Mon 22 Oct 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\ico641.tmp"
Mon 22 Oct 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\ico642.tmp"
Mon 22 Oct 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\ico7.tmp"
Mon 22 Oct 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\ico8.tmp"
Mon 22 Oct 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\ico9.tmp"
Mon 22 Oct 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\icoA.tmp"
Mon 22 Oct 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\icoB.tmp"
Mon 22 Oct 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\icoC.tmp"
Mon 22 Oct 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\icoD.tmp"
Mon 22 Oct 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\icoE.tmp"
Mon 22 Oct 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071022202835\backup\DOCUME~1\STEVEA~1\LOCALS~1\Temp\icoF.tmp"

Finished!

#13 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 25 October 2007 - 01:45 AM

Hi,

Sorry for the delay. I was doing service calls -- still am, lol.
I think we're nearly there.

Copy the following text to a new notepad file.
Save as file name: clean.bat
As file type: All files (*)
Save it to the desktop.

del C:\WINNT\system32\fpsvvm10.ini 
del "C:\WINNT\Downloaded Program Files\installer_PIVOTAL_5_DB.exe" 
del "C:\WINNT\Downloaded Program Files\popcaploader.dll" 
del "C:\Program Files\Kerio Firewall\irelandlandscapes.exe"

Once saved, double click it and let it run.
A "dos" box will flash up quickly and be gone. This is normal.

Open Hijackthis, run system scan and check:

O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0031.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/228940540415f2...ip/RdxIE601.cab


Close all open windows and hit "fix checked"
OK the prompt and exit Hijackthis.

Reboot.

Post fresh Hijackthis log and let me know how system is running.
You can delete "clean.bat" off the desktop.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware
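The O15 Trusted Zone and O16 DPF lines Blender singles out above can be triaged mechanically from a HijackThis log. As an added example that is not part of this thread or of HijackThis itself, the Python below parses those two line types from a constructed log excerpt and flags the entries a reviewer would want to look at; the watch list and the flagging heuristics are assumptions made for this example, not rules from the tool.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in HijackThis log format: the entries this thread fixes plus two benign DPF lines.
SAMPLE_LOG = """\
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0031.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v6.cab
"""

# Hypothetical watch list for this example: the domains named in the fix list above.
WATCH_DOMAINS = {"imageservr.com", "imagesrvr.com", "amaena.com",
                 "trustedantivirus.com", "pacimedia.com"}

O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<domain>\S+)(?: \((?P<hive>HKLM)\))?$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\S+)(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")


@dataclass
class Finding:
    section: str   # "O15" or "O16"
    value: str     # zone pattern (O15) or download URL (O16)
    reasons: list  # why a reviewer should look at this entry


def base_domain(host: str) -> str:
    """Reduce 'www.example.com' or '*.example.com' to 'example.com' (last two labels)."""
    labels = [p for p in host.lower().split(".") if p and p != "*"]
    return ".".join(labels[-2:])


def review_hjt_log(text: str, watch=WATCH_DOMAINS) -> list:
    """Flag O15/O16 lines with this example's own heuristics: every Trusted Zone
    entry is reported (IE runs those sites at its lowest security level, and
    HKLM entries apply to all users), and a DPF entry is reported when its host
    is on the watch list or it installs from a bare .exe rather than a .cab."""
    findings = []
    for line in text.splitlines():
        m = O15_RE.match(line)
        if m:
            reasons = ["site added to IE Trusted Zone"]
            if m.group("hive"):
                reasons.append("machine-wide (HKLM)")
            if base_domain(m.group("domain")) in watch:
                reasons.append("domain on watch list")
            findings.append(Finding("O15", m.group("domain"), reasons))
            continue
        m = O16_RE.match(line)
        if m:
            url, reasons = urlparse(m.group("url")), []
            if base_domain(url.hostname or "") in watch:
                reasons.append("domain on watch list")
            if url.path.lower().endswith(".exe"):
                reasons.append("installs from a bare .exe, not a .cab")
            if reasons:
                findings.append(Finding("O16", m.group("url"), reasons))
    return findings
```

Running `review_hjt_log(SAMPLE_LOG)` reports both O15 lines and the pacimedia DPF entry, and leaves the WGA and PopCap entries alone.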

#14 sra122

sra122
  • Topic Starter

  • Members
  • 17 posts

Posted 25 October 2007 - 09:03 AM

Here is the latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:53:55 AM, on 10/25/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\cba\pds.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\SSC\NSCTOP.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\cba\xfr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Documents and Settings\Steve Adams\Application Data\Adobe\Acrobat\Distiller 5\acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O4 - Global Startup: Shortcut to acrotray.exe.lnk = C:\Documents and Settings\Steve Adams\Application Data\Adobe\Acrobat\Distiller 5\acrotray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fastaccess.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/...trolLite_EN.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite...vex-2.0.2.7.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://taxdata.realtracs.net/RealEstate/ma...mgaxctrlv65.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1....g/GoogleNav.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1123625938372
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab
O16 - DPF: {D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F} (RockYou Image Uploader Control) - http://www.rockyou.com/RockYouImageUploader.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EA4D0AF2-269B-45CB-B52F-C76A59E01919} (NrsMediaDownload Control) - http://www.nextradiosolutions.com/bellsout...diaDownload.ocx
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel Alert Handler - Intel Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel File Transfer - Intel Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\Program Files\SSC\NSCTOP.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 10404 bytes

#15 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 25 October 2007 - 06:27 PM

Looks OK.
Running OK?
Any remaining issues?