
Please Help..my Computer Is Infected With Pcsecuritylab...


32 replies to this topic

#1 hazrae (Members, 17 posts)

Posted 01 November 2007 - 12:31 PM

Good afternoon.

I turned on my computer this morning, all was well. Then I looked over, and the screen was black with red writing "warning! spyware threat has been detected on your PC", then something about an IP address. Then there's the PCsecuritylab website that opens with IE, and then the constant warnings from the task bar. I've seen that other people have suffered with the same symptoms. Though I noticed the solutions have been different, so I thought I'd register for an account and post my problem.

I've run adware and spybot already, and deleted all temp internet files, etc., then rebooted. Here is the HijackThis report after all that: (PLEASE HELP)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:06:38 PM, on 11/1/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\vvgeowbv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\1C25216D.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\DvzCommon\DvzMsgr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\msiexec.exe
C:\HiJackThis.exe

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINNT\system32\vvgeowbv.exe,C:\WINNT\system32\userinit.exe
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: aivskurq.msdn_hlp - {A6E432B4-D4C2-43B3-BF55-C364F8F7362A} - C:\WINNT\system32\aivskurq.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINNT\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{87B75A92-92BE-438F-9E40-02804A33685D}: NameServer = 192.168.10.1
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7441 bytes
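What in this log actually points at the infection: the F2 line shows a second program, C:\WINNT\system32\vvgeowbv.exe, inserted ahead of userinit.exe in the Winlogon Userinit chain, so it is started at every interactive logon; that same file appears in the running-process list together with a hex-named C:\WINNT\system32\1C25216D.exe; and one BHO (aivskurq.dll) is loaded from system32 alongside 23 orphaned "(no file)" BHO registrations. The following Python applies those checks to a constructed excerpt of this log. It is an added example, not part of the original post and not HijackThis code; the heuristics (what counts as an extra Userinit entry, an orphaned BHO, a suspicious system32 executable) and the function names are this example's own assumptions.

```python
"""Triage checks over a HijackThis v2 log (added example, not from the thread).

The embedded SAMPLE_LOG is a constructed excerpt of the log posted above.
What counts as suspicious here (an extra program in the Userinit chain, an
orphaned BHO, a BHO or hex-named executable living in system32) is this
example's own heuristic, not a HijackThis rule.
"""
import re

SAMPLE_LOG = r"""Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\vvgeowbv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\1C25216D.exe

F2 - REG:system.ini: UserInit=C:\WINNT\system32\vvgeowbv.exe,C:\WINNT\system32\userinit.exe
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: aivskurq.msdn_hlp - {A6E432B4-D4C2-43B3-BF55-C364F8F7362A} - C:\WINNT\system32\aivskurq.dll
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
"""

# One absolute path to an executable on a line of its own (process list).
_PROC_RE = re.compile(r"^([A-Za-z]:\\.+\.exe)$", re.M | re.I)
# HijackThis only prints F2 when the Userinit value differs from the default.
_F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.+)$", re.M)
_O2_RE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$", re.M)
# Naming pattern seen on this machine (1C25216D.exe): eight hex digits.
_HEXNAME_RE = re.compile(r"^[0-9A-Fa-f]{8}\.exe$", re.I)


def system_root(log: str) -> str:
    """%SystemRoot% as reported by the path winlogon.exe runs from."""
    suffix = r"\system32\winlogon.exe"
    for path in _PROC_RE.findall(log):
        if path.lower().endswith(suffix):
            return path[: -len(suffix)]
    raise ValueError("winlogon.exe not in the running-process list")


def running_processes(log: str):
    """Paths from the 'Running processes:' block (ends at the first blank line)."""
    block = log.split("Running processes:", 1)[1].split("\n\n", 1)[0]
    return _PROC_RE.findall(block)


def check_userinit(log: str):
    """Every program in the Userinit chain that is not the real userinit.exe.

    Winlogon launches each comma-separated entry at logon, so anything extra
    here runs in every session before the shell starts.
    """
    expected = (system_root(log) + r"\system32\userinit.exe").lower()
    match = _F2_RE.search(log)
    if not match:
        return []
    entries = [e.strip() for e in match.group(1).split(",") if e.strip()]
    return [e for e in entries if e.lower() != expected]


def check_bhos(log: str):
    """Split O2 entries into orphaned CLSIDs and BHOs loaded from system32.

    '(no file)' means the CLSID is still registered but its DLL is gone:
    harmless leftovers, but they record the machine's history. A BHO whose
    DLL sits in system32 rather than under Program Files is rare for
    legitimate add-ons (assumption) and deserves a look.
    """
    sysdir = (system_root(log) + "\\system32\\").lower()
    orphaned, system_dir = [], []
    for _name, clsid, path in _O2_RE.findall(log):
        if path == "(no file)":
            orphaned.append(clsid)
        elif path.lower().startswith(sysdir):
            system_dir.append(path)
    return {"orphaned": orphaned, "system_dir": system_dir}


def check_processes(log: str):
    """Running processes that are either an extra Userinit entry (the
    persistence binary is live) or a hex-named executable in system32."""
    sysdir = (system_root(log) + "\\system32\\").lower()
    live_persistence = {e.lower() for e in check_userinit(log)}
    flagged = []
    for path in running_processes(log):
        low = path.lower()
        name = path.rsplit("\\", 1)[-1]
        if low in live_persistence or (low.startswith(sysdir) and _HEXNAME_RE.match(name)):
            flagged.append(path)
    return flagged


def triage(log: str):
    """All findings in one dict, keyed by check."""
    return {
        "system_root": system_root(log),
        "userinit_extras": check_userinit(log),
        "bhos": check_bhos(log),
        "suspicious_processes": check_processes(log),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The Userinit check is the one to trust: the chain is deterministic and anything besides %SystemRoot%\system32\userinit.exe in it is unexplained until proven otherwise. The process-name and BHO-location checks are only prompts for a closer look, and a real triage would also cross-reference the O2 DLL path against the process list and the file's creation time.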


#2 RichieUK, Malware Assassin (Malware Response Team, 13,614 posts)

Posted 01 November 2007 - 06:35 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, hazrae :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Please move HijackThis to its own permanent folder on the hard drive such as C:\HJT.
Create a new folder and place HijackThis.exe inside that folder so that the backups of log changes it creates are saved in the same folder and can be used to reverse any line entry deletion if found to be necessary.

How to create a new folder named HJT
1. Click Start/My Computer, in the 'My Computer' window, open the window in which you want to create the new folder, click on Local Disk C:
2. From the 'File' menu choose 'New'.
3. From the 'New' menu choose 'Folder'.
4. Type the folder name: HJT
5. Then press Enter.

If you need help with the above, follow the info in the link below:
http://russelltexas.com/malware/createhjtfolder.htm


Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.


If you have previously downloaded ComboFix, please delete that version now.
Now download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*NOTE*
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.

#3 hazrae, Topic Starter (Members, 17 posts)

Posted 02 November 2007 - 07:40 AM

Hi Richie. Glad you will be helping me through this.

I was able to download SDFix.exe and save it to my desktop. I have a question though before I proceed...

You say to "Double click on SDFix on your desktop, and install the fix to C:\".....well I double clicked and the files that came up were:

catchme.exe
runthis.bat
SDFIX_ReadMe_Online

I guess I was expecting to see another file by the name of "fix". Did I misunderstand this ? Should I install the SDFix program again, except this time to the C:\ ?

Please forgive me if I'm being 'slow' with this....I'm new at the troubleshooting, and I certainly don't want to do something wrong and crash a computer.

Thanks.

#4 RichieUK, Malware Assassin (Malware Response Team, 13,614 posts)

Posted 02 November 2007 - 12:12 PM

Should I install the SDFix program again, except this time to the C:\ ?

Yes, you've got it :thumbsup:

#5 hazrae, Topic Starter (Members, 17 posts)

Posted 02 November 2007 - 01:03 PM

OK then, here are the contents of the report.txt file after completing runthis.bat:
(next is combofix)

SDFix: Version 1.113

Run by KG on Fri 11/02/2007 at 1:39p

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINNT\SYSTEM32\NEWLWX~2.XML - Deleted
C:\WINNT\SYSTEM32\NEWLWX~3.XML - Deleted
C:\a.bat - Deleted
C:\WINNT\system32\aivskurq.dll - Deleted
C:\WINNT\system32\TFTP904 - Deleted



Removing Temp Files...

ADS Check:

C:\WINNT
No streams found.

C:\WINNT\system32
No streams found.

C:\WINNT\system32\svchost.exe
No streams found.

C:\WINNT\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1253 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-02 13:51:48
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 7 Dec 1999 94,784 A.SH. --- "C:\WINNT\twain.dll"
Tue 7 Dec 1999 44,816 A.SH. --- "C:\WINNT\twain_32.dll"
Thu 19 Jun 2003 1,015,859 A.SH. --- "C:\WINNT\system32\mfc42.dll"
Tue 7 Dec 1999 77,878 A.SH. --- "C:\WINNT\system32\msvcirt.dll"
Thu 19 Jun 2003 286,773 A.SH. --- "C:\WINNT\system32\msvcrt.dll"
Thu 19 Jun 2003 11,024 A.SH. --- "C:\WINNT\system32\REGSVR32.EXE"
Mon 27 Oct 2003 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 11 Oct 2007 990,064 A..H. --- "C:\WINNT\SoftwareDistribution\Download\0d732ebe15b870e86c6ce7278ac2080d\BIT4.tmp"
Fri 17 Aug 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\2fe4dde7e03d8584bf981ae00706abb4\BITA.tmp"
Wed 5 Sep 2007 4,189,088 A..H. --- "C:\WINNT\SoftwareDistribution\Download\551b954f7af1f36041afc38d8a673653\BITB.tmp"
Thu 11 Oct 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\dd79700b10fc91e28da66374abc2301c\BIT5.tmp"
Sat 28 Jul 2007 4,189,088 A..H. --- "C:\WINNT\SoftwareDistribution\Download\f2308b950e7dc2f6acf19c3af4f8d7c9\BITD.tmp"
Tue 22 Apr 2003 27,136 ...H. --- "C:\Documents and Settings\KG\Application Data\Microsoft\Templates\~WRL0945.tmp"
Tue 29 Nov 2005 19,968 ...H. --- "C:\Documents and Settings\KG\Application Data\Microsoft\Word\~WRL0003.tmp"
Mon 2 Feb 2004 27,648 ...H. --- "C:\Documents and Settings\KG\Application Data\Microsoft\Word\~WRL0004.tmp"
Fri 5 Dec 2003 19,456 ...H. --- "C:\Documents and Settings\KG\Application Data\Microsoft\Word\~WRL0005.tmp"
Fri 5 Dec 2003 58,880 ...H. --- "C:\Documents and Settings\KG\Application Data\Microsoft\Word\~WRL0411.tmp"
Fri 5 Dec 2003 57,856 ...H. --- "C:\Documents and Settings\KG\Application Data\Microsoft\Word\~WRL1276.tmp"
Fri 5 Dec 2003 54,784 ...H. --- "C:\Documents and Settings\KG\Application Data\Microsoft\Word\~WRL1771.tmp"
Thu 4 Mar 2004 169,984 ...H. --- "C:\Documents and Settings\KG\Application Data\Microsoft\Word\~WRL2551.tmp"
Fri 5 Dec 2003 56,320 ...H. --- "C:\Documents and Settings\KG\Application Data\Microsoft\Word\~WRL2857.tmp"
Thu 4 Mar 2004 169,984 ...H. --- "C:\Documents and Settings\KG\Application Data\Microsoft\Word\~WRL4065.tmp"

Finished!

#6 RichieUK, Malware Assassin (Malware Response Team, 13,614 posts)

Posted 02 November 2007 - 01:24 PM

Now follow the Combofix instructions then please.

#7 hazrae, Topic Starter (Members, 17 posts)

Posted 02 November 2007 - 02:04 PM

OK, I hope I did this part right. I got blocked by Norton (as you said may happen) and I had to start again.
Let me know if I'm missing something. Thank you so much.

ComboFix 07-11-02.3 - KG 2007-11-02 14:42:16.2 - NTFSx86
Running from: C:\Documents and Settings\KG\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\WINNT\764.exe
C:\WINNT\7search.dll
C:\WINNT\aconti.exe
C:\WINNT\adbar.dll
C:\WINNT\cbinst$.exe
C:\WINNT\daxtime.dll
C:\WINNT\dp0.dll
C:\WINNT\eventlowg.dll
C:\WINNT\fhfmm-Uninstaller.exe
C:\WINNT\fhfmm.exe
C:\WINNT\flt.dll
C:\WINNT\hcwprn.exe
C:\WINNT\hotporn.exe
C:\WINNT\ie_32.exe
C:\WINNT\iexplorr23.dll
C:\WINNT\jd2002.dll
C:\WINNT\kkcomp$.exe
C:\WINNT\kkcomp.dll
C:\WINNT\kkcomp.exe
C:\WINNT\kvnab$.exe
C:\WINNT\kvnab.dll
C:\WINNT\kvnab.exe
C:\WINNT\liqad$.exe
C:\WINNT\liqad.dll
C:\WINNT\liqad.exe
C:\WINNT\liqui-Uninstaller.exe
C:\WINNT\liqui.dll
C:\WINNT\liqui.exe
C:\WINNT\ngd.dll
C:\WINNT\pbar.dll
C:\WINNT\pbsysie.dll
C:\WINNT\settn.dll
C:\WINNT\spredirect.dll
C:\WINNT\system32\ESHOPEE.exe
C:\WINNT\system32\msole32.exe
C:\WINNT\system32\vxddsk.exe
C:\WINNT\system32\wml.exe
C:\WINNT\vxddsk.exe
C:\WINNT\wbeCheck.exe
C:\WINNT\wbeInst$.exe
C:\WINNT\wml.exe
C:\WINNT\xadbrk.dll
C:\WINNT\xadbrk.exe
C:\WINNT\xadbrk_.exe
C:\WINNT\xxxvideo.exe
.
---- Previous Run -------
.
C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\Program Files\screensavers.com
C:\Program Files\screensavers.com\Installer\bin\siuninst.exe
C:\Program Files\screensavers.com\Wallpaper\swpstart.exe
C:\Program Files\SurfAccuracy
C:\Program Files\SurfAccuracy\sacc.cfg
C:\Program Files\SurfAccuracy\sacc.cfg.39a58859764f9c014ac682f005052694
C:\WINNT\764.exe
C:\WINNT\7search.dll
C:\WINNT\aconti.exe
C:\WINNT\adbar.dll
C:\WINNT\bobsaver.exe
C:\WINNT\bobsaver.scr
C:\WINNT\cbinst$.exe
C:\WINNT\daxtime.dll
C:\WINNT\dp0.dll
C:\WINNT\eventlowg.dll
C:\WINNT\fhfmm-Uninstaller.exe
C:\WINNT\fhfmm.exe
C:\WINNT\flt.dll
C:\WINNT\hcwprn.exe
C:\WINNT\hotporn.exe
C:\WINNT\ie_32.exe
C:\WINNT\iexplorr23.dll
C:\WINNT\jd2002.dll
C:\WINNT\kkcomp$.exe
C:\WINNT\kkcomp.dll
C:\WINNT\kkcomp.exe
C:\WINNT\kvnab$.exe
C:\WINNT\kvnab.dll
C:\WINNT\kvnab.exe
C:\WINNT\liqad$.exe
C:\WINNT\liqad.dll
C:\WINNT\liqad.exe
C:\WINNT\liqui-Uninstaller.exe
C:\WINNT\liqui.dll
C:\WINNT\liqui.exe
C:\WINNT\ngd.dll
C:\WINNT\pbar.dll
C:\WINNT\pbsysie.dll
C:\WINNT\settn.dll
C:\WINNT\spredirect.dll
C:\WINNT\system32\3B0877A3.DLL
C:\WINNT\system32\582457C9.EXE
C:\WINNT\system32\drivers\blank.gif
C:\WINNT\system32\drivers\box_1.gif
C:\WINNT\system32\drivers\box_2.gif
C:\WINNT\system32\drivers\box_3.gif
C:\WINNT\system32\drivers\button_buynow.gif
C:\WINNT\system32\drivers\button_freescan.gif
C:\WINNT\system32\drivers\cell_bg.gif
C:\WINNT\system32\drivers\cell_footer.gif
C:\WINNT\system32\drivers\cell_header_block.gif
C:\WINNT\system32\drivers\cell_header_remove.gif
C:\WINNT\system32\drivers\cell_header_scan.gif
C:\WINNT\system32\drivers\detect.htm
C:\WINNT\system32\drivers\download_box.gif
C:\WINNT\system32\drivers\download_btn.jpg
C:\WINNT\system32\drivers\download_now_btn.gif
C:\WINNT\system32\drivers\footer_back.jpg
C:\WINNT\system32\drivers\header_1.gif
C:\WINNT\system32\drivers\header_2.gif
C:\WINNT\system32\drivers\header_3.gif
C:\WINNT\system32\drivers\header_4.gif
C:\WINNT\system32\drivers\header_red_bg.gif
C:\WINNT\system32\drivers\header_red_free_scan.gif
C:\WINNT\system32\drivers\header_red_free_scan_bg.gif
C:\WINNT\system32\drivers\header_red_protect_your_pc.gif
C:\WINNT\system32\drivers\infected.gif
C:\WINNT\system32\drivers\main_back.gif
C:\WINNT\system32\drivers\perfect_cleaner_box.jpg
C:\WINNT\system32\drivers\product_1_header.gif
C:\WINNT\system32\drivers\product_1_name_small.gif
C:\WINNT\system32\drivers\product_2_header.gif
C:\WINNT\system32\drivers\product_2_name_small.gif
C:\WINNT\system32\drivers\product_3_header.gif
C:\WINNT\system32\drivers\product_3_name_small.gif
C:\WINNT\system32\drivers\product_features.gif
C:\WINNT\system32\drivers\pt.htm
C:\WINNT\system32\drivers\rating.gif
C:\WINNT\system32\drivers\s_detect.htm
C:\WINNT\system32\drivers\screenshot.jpg
C:\WINNT\system32\drivers\sep_hor.gif
C:\WINNT\system32\drivers\sep_vert.gif
C:\WINNT\system32\drivers\shadow.jpg
C:\WINNT\system32\drivers\shadow_bg.gif
C:\WINNT\system32\drivers\spacer.gif
C:\WINNT\system32\drivers\spy_away_box.jpg
C:\WINNT\system32\drivers\star.gif
C:\WINNT\system32\drivers\star_gray.gif
C:\WINNT\system32\drivers\star_gray_small.gif
C:\WINNT\system32\drivers\star_small.gif
C:\WINNT\system32\drivers\style.css
C:\WINNT\system32\drivers\v.gif
C:\WINNT\system32\drivers\warning_icon.gif
C:\WINNT\system32\drivers\win_logo.gif
C:\WINNT\system32\drivers\x.gif
C:\WINNT\system32\ESHOPEE.exe
C:\WINNT\system32\msole32.exe
C:\WINNT\system32\nusrmgr.exe
C:\WINNT\system32\vxddsk.exe
C:\WINNT\system32\wml.exe
C:\WINNT\vxddsk.exe
C:\WINNT\wbeCheck.exe
C:\WINNT\wbeInst$.exe
C:\WINNT\wml.exe
C:\WINNT\xadbrk.dll
C:\WINNT\xadbrk.exe
C:\WINNT\xadbrk_.exe
C:\WINNT\xxxvideo.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-02 to 2007-11-02 )))))))))))))))))))))))))))))))
.

2007-11-02 14:06 51,200 --a------ C:\WINNT\NirCmd.exe
2007-11-02 13:38 <DIR> d-------- C:\WINNT\ERUNT
2007-11-02 13:14 1,210,084 --a------ C:\SDFix.exe
2007-11-02 08:47 18,432 --a------ C:\WINNT\fkwggshm.exe
2007-11-02 06:37 <DIR> d-------- C:\HJT
2007-11-01 08:43 4 --a------ C:\WINNT\system32\stfv.bin
2007-11-01 07:28 <DIR> d-------- C:\WINNT\system32\acespy
2007-11-01 07:28 26,880 --a------ C:\WINNT\system32\ace16win.dll
2007-11-01 07:07 12 --a------ C:\WINNT\system32\dpqaqlqx.bin
2007-11-01 07:03 123,911 --a------ C:\WINNT\system32\vvgeowbv.exe
2007-11-01 07:01 0 --a------ C:\WINNT\jcc.exe
2007-11-01 06:59 28,167 --a------ C:\WINNT\bze.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-02 19:40 --------- d-----w C:\Program Files\Norton AntiVirus
2007-11-02 11:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-01 13:00 --------- d-----w C:\Documents and Settings\Default User\Application Data\AVG7
2007-10-12 12:07 --------- d-----w C:\Program Files\BUSINESS CONNECT
2007-09-28 17:21 52,560 ----a-w C:\WINNT\FireFoxUpdater.exe
2007-09-25 19:58 1,965 ----a-w C:\mightyerobladelist.dat
2007-09-24 18:13 144,231 ----a-w C:\mightylistandjobber3.dat
2007-09-24 18:11 352,783 ----a-w C:\mightylistandjobber2.dat
2007-09-24 18:09 393,393 ----a-w C:\mightylistandjobber1.dat
2007-09-24 17:53 144,231 ----a-w C:\mightylist3.dat
2007-09-24 17:32 352,783 ----a-w C:\mightylist2.dat
2007-09-24 17:26 393,393 ----a-w C:\mightylist1.dat
2007-09-07 17:45 --------- d-----w C:\Documents and Settings\KG\Application Data\BVS Solitaire Collection
2007-09-06 19:10 68 ----a-w C:\ff.bat
2007-09-06 19:10 57 ----a-w C:\run.vbs
2007-09-06 15:36 --------- d-----w C:\Documents and Settings\KG\Application Data\Yahoo!
2004-02-11 16:16 66,743 -c--a-w C:\Program Files\TT99.pdf
2003-03-11 13:23 97 -c--a-w C:\Program Files\mighty_log.txt
2003-01-07 12:45 16,384 -c--a-w C:\Program Files\New Customers and Customer Upgrades.xls
2002-10-28 18:31 271 -c-h--w C:\Program Files\desktop.ini
2002-10-28 18:31 21,952 -c-h--w C:\Program Files\folder.htt
1999-12-07 18:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys
1998-12-09 02:53 99,840 -c--a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 -c--a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 -c--a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 -c--a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 -c--a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 -c--a-w C:\Program Files\Common Files\IRASRIAL.DLL
1999-12-07 18:00:00 94,784 -csha-w C:\WINNT\twain.dll
1999-12-07 18:00:00 44,816 -csha-w C:\WINNT\twain_32.dll
2003-06-19 19:05:04 1,015,859 --sha-w C:\WINNT\system32\mfc42.dll
1999-12-07 18:00:00 77,878 --sha-w C:\WINNT\system32\msvcirt.dll
2003-06-19 19:05:04 286,773 --sha-w C:\WINNT\system32\msvcrt.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6E432B4-D4C2-43B3-BF55-C364F8F7362A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINNT\system32\mobsync.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [07-05-25 07:40 ]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [04-02-18 12:55 ]
"HPDJ Taskbar Utility"="C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe" [04-03-04 10:46 ]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [03-12-22 08:38 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

C:\Documents and Settings\KG\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [2003-03-19 17:08:14]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Dataviz Messenger.lnk - C:\WINNT\DvzCommon\DvzMsgr.exe [2003-02-06 19:06:30]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-09-19 10:36:08]
Symantec Fax Starter Edition Port.lnk - C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE [2005-01-26 18:07:23]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"DisableLocalMachineRun"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisableLocalUserRun"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINNT\\system32\\vvgeowbv.exe,C:\\WINNT\\system32\\userinit.exe"


*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2007-03-17 01:00:01 C:\WINNT\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\Navw32.exe
"2007-11-02 19:52:09 C:\WINNT\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-02 14:52:24
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-02 14:55:08 - machine was rebooted
.
--- E O F ---

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:01:46 PM

Posted 02 November 2007 - 04:18 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, to your desktop.

File::
C:\WINNT\jcc.exe
C:\WINNT\bze.exe
C:\WINNT\fkwggshm.exe
C:\WINNT\system32\stfv.bin
C:\WINNT\system32\ace16win.dll
C:\WINNT\system32\dpqaqlqx.bin
C:\WINNT\system32\vvgeowbv.exe
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,"
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6E432B4-D4C2-43B3-BF55-C364F8F7362A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.

#9 hazrae

hazrae
  • Topic Starter

  • Members
  • 17 posts
  • Local time:07:46 AM

Posted 02 November 2007 - 04:27 PM

Ok, will do. I'll let you know on Monday with the results. Can't thank you enough. Have a good weekend.

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:01:46 PM

Posted 02 November 2007 - 04:42 PM

Ok hazrae, thanks for the update, have a great weekend too :thumbsup:

#11 hazrae

hazrae
  • Topic Starter

  • Members
  • 17 posts
  • Local time:07:46 AM

Posted 05 November 2007 - 08:24 AM

Hello.
Ok, so we are back at this again. After following your last instructions, here is the log from combofix:


ComboFix 07-11-02.3 - KG 11/05/2007 9:03:57.3 - NTFSx86
Running from: C:\Documents and Settings\KG\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\KG\Desktop\CFScript.txt

FILE::
C:\WINNT\bze.exe
C:\WINNT\fkwggshm.exe
C:\WINNT\jcc.exe
C:\WINNT\system32\ace16win.dll
C:\WINNT\system32\dpqaqlqx.bin
C:\WINNT\system32\stfv.bin
C:\WINNT\system32\vvgeowbv.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\bze.exe
C:\WINNT\jcc.exe
C:\WINNT\system32\ace16win.dll
C:\WINNT\system32\dpqaqlqx.bin
C:\WINNT\system32\stfv.bin
C:\WINNT\system32\vvgeowbv.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-05 to 2007-11-05 )))))))))))))))))))))))))))))))
.

2007-11-02 14:06 51,200 --a------ C:\WINNT\NirCmd.exe
2007-11-02 13:38 <DIR> d-------- C:\WINNT\ERUNT
2007-11-02 13:14 1,210,084 --a------ C:\SDFix.exe
2007-11-02 06:37 <DIR> d-------- C:\HJT
2007-11-01 07:28 <DIR> d-------- C:\WINNT\system32\acespy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-05 13:00 --------- d-----w C:\Documents and Settings\Default User\Application Data\AVG7
2007-11-02 19:40 --------- d-----w C:\Program Files\Norton AntiVirus
2007-11-02 18:45 17,920 ----a-w C:\WINNT\system32\1C25216D.exe
2007-11-02 11:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-12 12:07 --------- d-----w C:\Program Files\BUSINESS CONNECT
2007-09-28 17:21 52,560 ----a-w C:\WINNT\FireFoxUpdater.exe
2007-09-25 19:58 1,965 ----a-w C:\mightyerobladelist.dat
2007-09-24 18:13 144,231 ----a-w C:\mightylistandjobber3.dat
2007-09-24 18:11 352,783 ----a-w C:\mightylistandjobber2.dat
2007-09-24 18:09 393,393 ----a-w C:\mightylistandjobber1.dat
2007-09-24 17:53 144,231 ----a-w C:\mightylist3.dat
2007-09-24 17:32 352,783 ----a-w C:\mightylist2.dat
2007-09-24 17:26 393,393 ----a-w C:\mightylist1.dat
2007-09-07 17:45 --------- d-----w C:\Documents and Settings\KG\Application Data\BVS Solitaire Collection
2007-09-06 19:10 68 ----a-w C:\ff.bat
2007-09-06 19:10 57 ----a-w C:\run.vbs
2007-09-06 15:36 --------- d-----w C:\Documents and Settings\KG\Application Data\Yahoo!
2004-02-11 16:16 66,743 -c--a-w C:\Program Files\TT99.pdf
2003-03-11 13:23 97 -c--a-w C:\Program Files\mighty_log.txt
2003-01-07 12:45 16,384 -c--a-w C:\Program Files\New Customers and Customer Upgrades.xls
2002-10-28 18:31 271 -c-h--w C:\Program Files\desktop.ini
2002-10-28 18:31 21,952 -c-h--w C:\Program Files\folder.htt
1999-12-07 18:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys
1998-12-09 02:53 99,840 -c--a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 -c--a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 -c--a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 -c--a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 -c--a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 -c--a-w C:\Program Files\Common Files\IRASRIAL.DLL
1999-12-07 18:00:00 94,784 -csha-w C:\WINNT\twain.dll
1999-12-07 18:00:00 44,816 -csha-w C:\WINNT\twain_32.dll
2003-06-19 19:05:04 1,015,859 --sha-w C:\WINNT\system32\mfc42.dll
1999-12-07 18:00:00 77,878 --sha-w C:\WINNT\system32\msvcirt.dll
2003-06-19 19:05:04 286,773 --sha-w C:\WINNT\system32\msvcrt.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINNT\system32\mobsync.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [07-05-25 07:40 ]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [04-02-18 12:55 ]
"HPDJ Taskbar Utility"="C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe" [04-03-04 10:46 ]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [03-12-22 08:38 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

C:\Documents and Settings\KG\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [2003-03-19 17:08:14]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Dataviz Messenger.lnk - C:\WINNT\DvzCommon\DvzMsgr.exe [2003-02-06 19:06:30]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-09-19 10:36:08]
Symantec Fax Starter Edition Port.lnk - C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE [2005-01-26 18:07:23]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"DisableLocalMachineRun"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisableLocalUserRun"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINNT\\system32\\vvgeowbv.exe,C:\\WINNT\\system32\\userinit.exe"

R0 ultra66;ultra66;C:\WINNT\system32\DRIVERS\ultra66.sys
R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\system32\Drivers\avg7rsnt.sys
R3 ati2mtaa;ati2mtaa;C:\WINNT\system32\DRIVERS\ati2mtaa.sys
R3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINNT\system32\Drivers\NPDRIVER.SYS
S2 72820326;72820326;C:\WINNT\system32\582457C9.EXE -a
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-03-17 01:00:01 C:\WINNT\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\Navw32.exe
"2007-11-05 14:17:39 C:\WINNT\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-05 09:15:41
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-05 9:19:01 - machine was rebooted
C:\ComboFix2.txt ... 07-11-02 14:55
.
--- E O F ---



And here is the Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:34 AM, on 11/5/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\DvzCommon\DvzMsgr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINNT\system32\msiexec.exe
C:\HJT\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINNT\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{87B75A92-92BE-438F-9E40-02804A33685D}: NameServer = 192.168.10.1
O23 - Service: 72820326 - Unknown owner - C:\WINNT\system32\582457C9.EXE (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 5471 bytes

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:01:46 PM

Posted 05 November 2007 - 02:26 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.reg, to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your pc.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"=-
"Userinit"="C:\\WINNT\\system32\\userinit.exe,"


Click on Start>Run and type Services.msc then hit Ok.
Scroll down and find the service called:
72820326
When you find it, double-click on it.
In the next window that opens, click the 'Stop' button.
Then change the 'Startup Type:' to 'Disabled'.
Now press Apply and then Ok and close any open windows.

Click Start>Run and type regedit then click OK.
Navigate to HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services
Scroll down the left pane, locate the service name:
72820326
Right click on it and select 'Delete'.
Then restart your pc.


Have HijackThis fix the following if still present, by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O23 - Service: 72820326 - Unknown owner - C:\WINNT\system32\582457C9.EXE (file missing)

Exit Hijackthis.


Enable the viewing of hidden files and folders, and reverse the process when you've done the steps below:
http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

I now need you to do the following if you will:

Go here: http://virusscan.jotti.org/
Using the 'Browse' button, browse to:
C:\WINNT\system32\1C25216D.exe
Then press the 'Submit' button.
Wait while the file is scanned.
Post the results into your next reply.

If Jotti's too busy, try here:
http://www.virustotal.com/en/virustotalf.html
Click on the 'Analysis' tab.
Using the 'Browse' button, browse to:
C:\WINNT\system32\1C25216D.exe
Then click on 'Send File'.
Post the results into your next reply.

Also post a new HijackThis log, and let me know how your pc is running now.

Edited by RichieUK, 05 November 2007 - 03:40 PM.

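An added check for the Userinit hijack shown in the ComboFix logs and for the fix.reg above (example code written for this page, not from the thread, ComboFix or HijackThis): it takes the Windows directory from the log's winlogon.exe path (WINNT on this Windows 2000 machine), flags every Userinit entry other than the real userinit.exe, and refuses a .reg that would leave the value deleted or pointing at a different system root, which are the conditions behind the logon loop reported later in the thread. The log lines and file names are constructed for the example.

```python
import re

# Log lines constructed for this example in the shape of the ComboFix logs above.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINNT\\system32\\vvgeowbv.exe,C:\\WINNT\\system32\\userinit.exe"
"""

WINLOGON_KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]"

def system_root_from_log(log_text):
    """Windows directory (WINNT on Windows 2000, WINDOWS on XP) taken from
    the winlogon.exe entry of the 'Running processes' list."""
    m = re.search(r"^([A-Za-z]:\\[^\\\r\n]+)\\system32\\winlogon\.exe$",
                  log_text, re.IGNORECASE | re.MULTILINE)
    if not m:
        raise ValueError("winlogon.exe not found in the process list")
    return m.group(1)

def find_userinit_line(log_text):
    """First '"Userinit"=...' assignment in a log or .reg text."""
    for line in log_text.splitlines():
        if line.strip().startswith('"Userinit"='):
            return line
    raise ValueError("no Userinit line found")

def parse_userinit_line(line):
    """Split a Userinit assignment into its comma-separated program list.
    Logs and .reg files double every backslash, so undo that first."""
    m = re.match(r'\s*"Userinit"="(.*)"\s*$', line)
    if not m:
        raise ValueError("not a Userinit assignment: %r" % line)
    raw = m.group(1).replace("\\\\", "\\")
    return [p.strip() for p in raw.split(",") if p.strip()]

def audit_userinit(line, system_root):
    """(real_userinit_present, extra_entries); each extra entry runs at every logon."""
    expected = (system_root + r"\system32\userinit.exe").lower()
    entries = parse_userinit_line(line)
    extra = [e for e in entries if e.lower() != expected]
    return len(extra) < len(entries), extra

def build_fix_reg(system_root):
    """REGEDIT4 text resetting Userinit to the real userinit.exe, in the same
    shape as the fix.reg above but with the root taken from the log."""
    value = (system_root + r"\system32\userinit.exe,").replace("\\", "\\\\")
    return "\n".join(["REGEDIT4", WINLOGON_KEY, '"Userinit"=-',
                      '"Userinit"="' + value + '"', ""])

def validate_fix_reg(text, system_root):
    """Refuse a .reg that would leave Userinit deleted or pointing at another
    system root: either one produces the logon loop described in the thread."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if lines[:1] != ["REGEDIT4"] or WINLOGON_KEY.lower() not in map(str.lower, lines):
        return False
    assigns = [l for l in lines if l.startswith('"Userinit"=') and l != '"Userinit"=-']
    if not assigns:          # only '"Userinit"=-' survived the copy: value gone
        return False
    present, extra = audit_userinit(assigns[-1], system_root)
    return present and not extra
```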

#13 hazrae

hazrae
  • Topic Starter

  • Members
  • 17 posts
  • Local time:07:46 AM

Posted 05 November 2007 - 02:49 PM

I think I've run into a problem. I copied and pasted your text into fix.reg and merged the info and restarted the computer. Except when it came back on and it wants me to log onto Windows, I choose our usual username, and it looks as if it's loading personal settings, but never gets to the desktop. It goes back to the username login box. No matter how many times I say "ok", it goes back to the login screen. I even shut it down and restarted it, and it does the same thing. Keep in mind we are running Windows 2000 on this. But this is not good, seems like it's a never ending cycle that's going nowhere. Have any ideas?

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:01:46 PM

Posted 05 November 2007 - 03:02 PM

That's odd, are you sure you copied the entire text in the quote box:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"=-
"Userinit"="C:\\WINNT\\system32\\userinit.exe,"

Is there any chance you didn't copy it all, and only copied the following, because that would explain it:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"=-


If you have the Windows 2000 Professional installation disk, do a Repair Install.
http://www.windows2000.windowsreinstall.com/Repair/

Edited by RichieUK, 05 November 2007 - 03:41 PM.


#15 hazrae

hazrae
  • Topic Starter

  • Members
  • 17 posts
  • Local time:07:46 AM

Posted 05 November 2007 - 03:03 PM

I'm almost positive I copied the whole thing... though at this point, there really is no way to tell.
