
Unknown Spyware


4 replies to this topic

#1 oceanmaster66

oceanmaster66

  • Members
  • 2 posts

Posted 03 December 2007 - 11:59 AM

My computer has the following message that has made itself the windows background that cannot be changed:

"Warning! Spyware threat has been detected on your PC

Your Computer has several fatal errors due to spyware activity.

Your IP address is #IP# and via this address an unauthorized access was gained by another computer. It is strongly recommended to install an antispyware software to close all security vulnerabilities."

Upon starting up I also get the following two message box pop-ups:
1) Systemo0.exe
2) C:\program files\atenoxsd\itcvapmd.dll

The computer is unable to access the internet.

I followed all the procedures in the Preparation Guide (except the three that required online scanning); several infections were removed, but I still have the background and no internet connection. I ran HijackThis and the log file generated is:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45:00 AM, on 12/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\__svchost.exe
C:\WINDOWS\system32\vvgeowbv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\KB_963493.exe
C:\WINDOWS\twain.exe
C:\WINDOWS\system32\wbem\csrss.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
E:\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {03E384D6-E1A7-792A-1851-0AC16EF38DE4} - C:\Program Files\Eelnrtdx\rfjrwfdd.dll (file missing)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: aivskurq.msdn_hlp - {BF442538-BE32-4055-A549-2F3B699F55EB} - C:\WINDOWS\system32\aivskurq.dll
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: Her - {C4DE5B15-4FFE-4c02-8CB3-CAD24A33562B} - C:\WINDOWS\system32\ramtmb.dll
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: CBho Class - {F369DA09-FADE-44CB-987F-E2E0DEF51BCA} - C:\WINDOWS\system32\pgd.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RunOnce2Upd] "C:\WINDOWS\system32\KB_963493.exe"
O4 - HKLM\..\Run: [Winupdates] systemo0.exe
O4 - HKLM\..\Run: [InstallShield Installation Information] C:\WINDOWS\twain.exe
O4 - HKLM\..\Run: [atenoxsd] rundll32.exe "C:\Program Files\atenoxsd\itcvapmd.dll",Init
O4 - HKLM\..\Run: [lqvchkjg] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\lqvchkjg.dll"
O4 - HKLM\..\Run: [vbxarxur] C:\Program Files\Zzizaosl\vbxarxur.exe
O4 - HKLM\..\Run: [Windows Update Check] C:\WINDOWS\system32\syslodr.exe
O4 - HKLM\..\Run: [hmjahcfo] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\hmjahcfo.dll"
O4 - HKLM\..\Run: [fkucspoi] C:\Program Files\Uyhoabsj\fkucspoi.exe
O4 - HKLM\..\RunOnce: [srePostpone] rundll32.exe c:\windows\system32\zonelabs\srescan.dll,DoSpecialAction
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A0BEB4C-2355-4AAC-BFF9-FD011523A95F}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: extrac32.dll
O22 - SharedTaskScheduler: sdf4dr4gfdgeetj - {B5AC49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jkd845jg.dll (file missing)
O22 - SharedTaskScheduler: JGhjddf9dtj - {B5AF0562-94F3-42BD-F434-2604812C297D} - C:\WINDOWS\system32\d4ghggf4g.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)
O23 - Service: Microsoft Inet Service2 - Unknown owner - C:\WINDOWS\system32\__svchost.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7903 bytes

This is a server in an auto-body shop and re-installing XP and reconfiguring would be a major hassle. Any suggestion to remove this and restore the computer would be greatly appreciated.

Mike
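
The log above is readable by eye, but the entries that make it alarming are scattered across sections. As an added example, not part of this thread and not HijackThis code, the Python script below parses lines in the HijackThis "Oxx - ..." layout and flags the entry types that stand out in this log: an F2 UserInit chain that runs an extra binary before userinit.exe, O4 autoruns that either have no path (so Windows resolves them by PATH search) or that use rundll32/regsvr32 to load a DLL from outside system32, a non-empty O20 AppInit_DLLs value, and O23 services with no vendor. The sample lines are copied from the log above; the rule set, the Finding record and the helper names are the editor's own assumptions, not a HijackThis feature.

```python
"""Triage a HijackThis v2 log by section type.

Added example: this is not HijackThis code and not part of the thread.  It
assumes the "Oxx - ..." line layout seen in the posted log; the flagging
rules are the editor's own heuristics, not a HijackThis feature.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: Her - {C4DE5B15-4FFE-4c02-8CB3-CAD24A33562B} - C:\WINDOWS\system32\ramtmb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Winupdates] systemo0.exe
O4 - HKLM\..\Run: [lqvchkjg] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\lqvchkjg.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: extrac32.dll
O23 - Service: Microsoft Inet Service2 - Unknown owner - C:\WINDOWS\system32\__svchost.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")      # "O4 - <body>"
O4_RE = re.compile(r"^(.*?): \[([^\]]*)\] (.*)$")     # "<key>: [<name>] <command>"
DLL_RE = re.compile(r'"?([A-Za-z]:\\[^",]*?\.dll)"?', re.IGNORECASE)
LOADERS = {"rundll32", "rundll32.exe", "regsvr32", "regsvr32.exe"}
SYSTEM32 = "\\windows\\system32\\"


@dataclass
class Finding:
    section: str
    severity: str  # "high" or "info"
    reason: str
    line: str


def _check_o4(cmd: str):
    """Return a reason string if an O4 autorun command looks suspicious, else None."""
    tokens = cmd.split()
    if not tokens:
        return None
    first = tokens[0].strip('"').lower()
    if first in LOADERS:
        # rundll32/regsvr32 execute code from the named DLL; "regsvr32 /u" still
        # loads the DLL and calls its DllUnregisterServer export.  A legitimate
        # loader target normally lives under system32, so flag anything else.
        m = DLL_RE.search(cmd)
        if m and SYSTEM32 not in m.group(1).lower():
            return f"{first} loads DLL outside system32: {m.group(1)}"
        return None
    if "\\" not in first and "%" not in first:
        # No directory at all: Windows locates the binary by PATH search.
        return f"autorun command has no path, resolved by PATH search: {first}"
    return None


def triage(log_text: str) -> list:
    """Parse HijackThis-style lines and return a list of Finding records."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.groups()
        if sec == "F2" and "UserInit=" in body:
            # The value is a comma-separated chain; only userinit.exe belongs there.
            chain = [p.strip().lower() for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
            extra = [p for p in chain if not p.endswith("\\userinit.exe")]
            if extra:
                findings.append(Finding(sec, "high", "UserInit chain runs extra binary: " + ", ".join(extra), raw))
        elif sec == "O2" and body.endswith("(no file)"):
            findings.append(Finding(sec, "info", "orphaned BHO CLSID, DLL already gone", raw))
        elif sec == "O4":
            m4 = O4_RE.match(body)
            reason = _check_o4(m4.group(3)) if m4 else None
            if reason:
                findings.append(Finding(sec, "high", reason, raw))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            if body.split(":", 1)[1].strip():
                findings.append(Finding(sec, "high", "AppInit_DLLs injects a DLL into every process that loads user32", raw))
        elif sec == "O23" and "Unknown owner" in body:
            findings.append(Finding(sec, "high", "service binary carries no vendor information", raw))
    return findings


def severity_counts(findings) -> dict:
    """Summarise findings as {"high": n, "info": m}."""
    counts = {"high": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.section:3} {f.reason}\n       {f.line}")
```

Run against the sample, the script reports five high-severity entries (the F2 UserInit chain, the pathless systemo0.exe autorun, the regsvr32 load of lqvchkjg.dll from Application Data, the O20 AppInit_DLLs value and the unowned "Microsoft Inet Service2") and one informational orphaned BHO, while the genuine NvCpl, ctfmon and vsmon entries pass. The heuristics are deliberately narrow; they are a reading aid for a log like this one, not a substitute for the cleanup tools the helper prescribes later in the thread.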


#2 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland

Posted 03 December 2007 - 12:38 PM

Hi Oceanmaster66!

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible. I'm in HijackThis school and teachers will check my posts.

#3 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland

Posted 03 December 2007 - 01:06 PM

Hi!

Your computer appears to have been infected by a backdoor trojan. These programs have the ability to steal passwords and other information from your system. If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

* Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
* Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
* Consider what other private information could possibly have been taken from your computer and take appropriate steps

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

If you wish to reformat, then please let me know in your next response. I'll now continue with instructions for cleaning.
It's highly recommended to format your computer.
Remember, we can never be 100% sure that your computer is clean.


Here are the first instructions for cleaning:

#1
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download SDFix by AndyManchesta and save it to your desktop.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.
-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe


#2
Please download Combofix to your desktop.
Double-click ComboFix.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

#3
Please post a fresh HijackThis log, SDFix log and ComboFix log back here :thumbsup:

P.S. Do you have backups of important data?

#4 oceanmaster66

oceanmaster66
  • Topic Starter

  • Members
  • 2 posts

Posted 03 December 2007 - 02:44 PM

Ok, I downloaded and ran the files you asked me to. Here are the results:

SDFix:

SDFix: Version 1.116

Run by installer on Mon 12/03/2007 at 02:08 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Driver
lanmandrv

Path:
\??\C:\WINDOWS\system32\kernelw.sys
\??\C:\WINDOWS\System32\lanmandrv.sys

Driver - Deleted
lanmandrv - Deleted



Infected ip6fw.sys Found!

ip6fw.sys File Locations:

"C:\WINDOWS\system32\dllcache\ip6fw.sys" 29056 08/04/2004 07:00 AM
"C:\WINDOWS\system32\drivers\ip6fw.sys" 29056 08/04/2004 07:00 AM

Infected File Listed Below:

C:\WINDOWS\system32\drivers\ip6fw.sys

Trojan File copied to Backups Folder
Attempting to replace ip6fw.sys with original version...

Original ip6fw.sys Restored


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Service NdisWon - Deleted after Reboot

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\DRIVERS\IYQ64.SYS - Deleted
C:\WINDOWS\SYSTEM32\DRIVERS\PQHG46.SYS - Deleted
C:\WINDOWS\SYSTEM32\DRIVERS\SPB30.SYS - Deleted
C:\WINDOWS\system32\.exe - Deleted
C:\WINDOWS\new_drv.sys - Deleted
C:\DOCUME~1\INSTAL~1\LOCALS~1\Temp\winsto.exe - Deleted
C:\DOCUME~1\INSTAL~1\LOCALS~1\Temp\xfdskef.tmp - Deleted
C:\WINDOWS\b122.exe - Deleted
C:\WINDOWS\mrofinu801.exe - Deleted
C:\WINDOWS\system32\.exe - Deleted
C:\WINDOWS\system32\3_exception.nls - Deleted
C:\WINDOWS\system32\adult.txt - Deleted
C:\WINDOWS\system32\aivskurq.dll - Deleted
C:\WINDOWS\system32\finance.txt - Deleted
C:\WINDOWS\system32\k.dat - Deleted
C:\WINDOWS\system32\kernelw.sys - Deleted
C:\WINDOWS\system32\koos.exe - Deleted
C:\WINDOWS\system32\lanmandrv.sys - Deleted
C:\WINDOWS\system32\lanmanwrk.exe - Deleted
C:\WINDOWS\system32\lt.res - Deleted
C:\WINDOWS\system32\n.ini - Deleted
C:\WINDOWS\system32\n2.ini - Deleted
C:\WINDOWS\system32\other.txt - Deleted
C:\WINDOWS\system32\pharma.txt - Deleted
C:\WINDOWS\system32\qmopt.dll - Deleted
C:\WINDOWS\system32\ramtmb.dll - Deleted
C:\WINDOWS\system32\RunOnce2.t__ - Deleted
C:\WINDOWS\system32\RunOnce2.tmp - Deleted
C:\WINDOWS\system32\sft.res - Deleted
C:\WINDOWS\system32\winupd_KB11505076.exe - Deleted
C:\WINDOWS\system32\winupd_KB17836474.exe - Deleted
C:\WINDOWS\system32\winupd_KB21677000.exe - Deleted
C:\WINDOWS\system32\winupd_KB34040802.exe - Deleted
C:\WINDOWS\system32\winupd_KB34216966.exe - Deleted
C:\WINDOWS\system32\winupd_KB77119758.exe - Deleted
C:\WINDOWS\system32\winupd_KB92380205.exe - Deleted
C:\WINDOWS\system32\xpdx.sys - Deleted
C:\WINDOWS\system32\drivers\NdisWon.sys - Deleted



Folder C:\Documents and Settings\All Users\Documents\Settings - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-03 14:19:18
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwQueryDirectoryFile

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Hdei40]
"Type"=dword:00000001
"Tag"=dword:00000004
"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0SmartCardGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions\0"
"ErrorControl"=dword:00000001
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Arp1349]
"ErrorControl"=dword:00000000
"Start"=dword:00000002
"Group"="SCSI miniport"
"Tag"=dword:00000055
"Type"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Hdei40]
"Type"=dword:00000001
"Tag"=dword:00000004
"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0SmartCardGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions\0"
"ErrorControl"=dword:00000001
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Hdei40]
"Type"=dword:00000001
"Tag"=dword:00000004
"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0SmartCardGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions\0"
"ErrorControl"=dword:00000001
"Start"=dword:00000000

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\CLSID]
"\30 A?E?2?A?E?D?8?F?-?5?6?9?5?-?4?a?6?d?-?9?7?0?9?-?1?4?E?5?1?C?D?1?7?B?1?C?'?"=""

scanning hidden files ...

C:\WINDOWS\system32\drivers\Hdei40.sys 183808 bytes executable
C:\WINDOWS\system32\drivers\symavc32.sys 179200 bytes executable
C:\WINDOWS\system32\kdzkp.exe 72237 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 2
hidden files: 3


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"c:\\windows\\system32\\systemo0.exe"="c:\\windows\\system32\\systemo0.exe:*:Enabled:systemo0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Fri 12 Nov 2004 37,376 A..H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"

Finished!

ComboFix:

ComboFix 07-12-02.7 - installer 2007-12-03 14:24:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.678 [GMT -5:00]
Running from: E:\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
C:\Documents and Settings\installer\Local Settings\Application Data.\n.ini
C:\Documents and Settings\installer\Local Settings\Application Data\n.ini
C:\Documents and Settings\installer\temp.tpk
C:\Documents and Settings\Rob Janus\temp.tpk
C:\Documents and Settings\Scott.GBSERVER\Application Data\wsnpoem
C:\Documents and Settings\Scott.GBSERVER\Application Data\wsnpoem\audio.dll
C:\Documents and Settings\Scott.GBSERVER\Local Settings\Application Data\n.ini
C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\WINDOWS\100996265.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\aconti.exe
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\dlsjcaqn
C:\WINDOWS\system32\dlsjcaqn\bg1.gif
C:\WINDOWS\system32\dlsjcaqn\bgtop.gif
C:\WINDOWS\system32\dlsjcaqn\bottom1.gif
C:\WINDOWS\system32\dlsjcaqn\dlsjcaqn1.exe
C:\WINDOWS\system32\dlsjcaqn\dlsjcaqn2.exe
C:\WINDOWS\system32\dlsjcaqn\dlsjcaqn3.exe
C:\WINDOWS\system32\dlsjcaqn\essentials.gif
C:\WINDOWS\system32\dlsjcaqn\icon1.ico
C:\WINDOWS\system32\dlsjcaqn\install1.gif
C:\WINDOWS\system32\dlsjcaqn\left1.gif
C:\WINDOWS\system32\dlsjcaqn\li.gif
C:\WINDOWS\system32\dlsjcaqn\logo.gif
C:\WINDOWS\system32\dlsjcaqn\main.htm
C:\WINDOWS\system32\dlsjcaqn\mainframe.htm
C:\WINDOWS\system32\dlsjcaqn\reinstall1.gif
C:\WINDOWS\system32\dlsjcaqn\right1.gif
C:\WINDOWS\system32\dlsjcaqn\s1.htm
C:\WINDOWS\system32\dlsjcaqn\s2.htm
C:\WINDOWS\system32\dlsjcaqn\s3.htm
C:\WINDOWS\system32\dlsjcaqn\SMTop1.gif
C:\WINDOWS\system32\dlsjcaqn\SMTop2.gif
C:\WINDOWS\system32\dlsjcaqn\SMTop3.gif
C:\WINDOWS\system32\dlsjcaqn\SMTop4.gif
C:\WINDOWS\system32\dlsjcaqn\soft1_off.gif
C:\WINDOWS\system32\dlsjcaqn\soft1_off_ext.gif
C:\WINDOWS\system32\dlsjcaqn\soft1_on.gif
C:\WINDOWS\system32\dlsjcaqn\soft1_on_ext.gif
C:\WINDOWS\system32\dlsjcaqn\soft2_off.gif
C:\WINDOWS\system32\dlsjcaqn\soft2_off_ext.gif
C:\WINDOWS\system32\dlsjcaqn\soft2_on.gif
C:\WINDOWS\system32\dlsjcaqn\soft2_on_ext.gif
C:\WINDOWS\system32\dlsjcaqn\soft3_off.gif
C:\WINDOWS\system32\dlsjcaqn\soft3_off_ext.gif
C:\WINDOWS\system32\dlsjcaqn\soft3_on.gif
C:\WINDOWS\system32\dlsjcaqn\soft3_on_ext.gif
C:\WINDOWS\system32\dlsjcaqn\softbottom_off.gif
C:\WINDOWS\system32\dlsjcaqn\softbottom_on.gif
C:\WINDOWS\system32\dlsjcaqn\softleft_off.gif
C:\WINDOWS\system32\dlsjcaqn\softleft_on.gif
C:\WINDOWS\system32\dlsjcaqn\top1.gif
C:\WINDOWS\system32\dlsjcaqn\top2.gif
C:\WINDOWS\system32\dlsjcaqn\turnoff1.gif
C:\WINDOWS\system32\dlsjcaqn\turnon1.gif
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\HDEI40.sys
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\KB_963493.exe
C:\WINDOWS\system32\kdzkp.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\n.ini
C:\WINDOWS\system32\pgd.dll
C:\WINDOWS\system32\sznf.ascii
C:\WINDOWS\system32\update266.exe
C:\WINDOWS\system32\update275.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\system32runonce2.t__
C:\WINDOWS\system32runonce2.tm_
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DRIVER
-------\LEGACY_HDEI40
-------\LEGACY_LANMANDRV
-------\LEGACY_NEW_DRV
-------\LEGACY_POOF
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2


((((((((((((((((((((((((( Files Created from 2007-11-03 to 2007-12-03 )))))))))))))))))))))))))))))))
.

2007-12-03 14:32 . 2007-12-03 14:36 <DIR> d-------- C:\Program Files\p2pnetworks
2007-12-03 14:32 . 2007-12-03 14:36 <DIR> d-------- C:\Program Files\e-zshopper
2007-12-03 14:32 . 2007-12-03 14:36 <DIR> d-------- C:\Program Files\amsys
2007-12-03 14:32 . 2007-12-03 14:36 <DIR> d-------- C:\Program Files\akl
2007-12-03 14:32 . 2007-12-03 14:36 <DIR> d-------- C:\Program Files\Accoona
2007-12-03 14:32 . 2007-12-03 14:36 <DIR> d-------- C:\Program Files\3721
2007-12-03 14:08 . 2007-12-03 14:08 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-03 11:35 . 2007-12-03 11:35 <DIR> d-------- C:\Documents and Settings\installer\Application Data\MailFrontier
2007-12-03 10:45 . 2007-12-03 10:45 25,088 --a------ C:\WINDOWS\system32\ace16win.dll
2007-12-03 10:45 . 2007-12-03 10:45 18,688 --a------ C:\WINDOWS\aconti.ini
2007-12-03 10:45 . 2007-12-03 10:45 15,360 --a------ C:\WINDOWS\aconti.sdb
2007-12-01 17:50 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-01 09:35 . 2007-12-01 09:35 <DIR> d-------- C:\Documents and Settings\installer\Application Data\Lavasoft
2007-12-01 09:34 . 2007-12-01 09:34 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-01 09:30 . 2007-12-03 14:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-01 09:11 . 2007-12-01 09:11 512 --a------ C:\ScanSectorLog.dat
2007-11-28 13:09 . 2007-11-28 13:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-28 13:01 . 2007-11-28 13:01 6,144 --a------ C:\WINDOWS\system32\__svchost.exe
2007-11-17 11:44 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2007-11-17 11:43 . 2007-11-17 11:44 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-17 11:11 . 2007-11-17 11:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-12 08:25 . 2007-11-12 13:35 18,432 --a------ C:\WINDOWS\fkwggshm.exe
2007-11-12 08:15 . 2007-11-13 08:45 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-11-12 08:09 . 2007-12-03 14:32 1,671 --a------ C:\WINDOWS\default.htm
2007-11-12 08:08 . 2007-11-12 08:08 <DIR> d-------- C:\WINDOWS\system32\acespy
2007-11-12 08:08 . 2007-11-12 08:08 19,456 --a------ C:\WINDOWS\absolute key logger.lnk
2007-11-12 07:47 . 2007-11-12 07:47 125,447 --a------ C:\WINDOWS\system32\vvgeowbv.exe
2007-11-12 07:47 . 2007-11-12 07:47 15,360 --a------ C:\WINDOWS\twain.exe
2007-11-12 07:47 . 2007-11-12 07:47 10,240 --a------ C:\WINDOWS\system32\npdl.exe
2007-11-12 07:47 . 2007-11-12 07:47 4,096 --a------ C:\WINDOWS\system32\extrac32.dll
2007-11-12 07:47 . 2007-11-12 07:47 29 --a------ C:\WINDOWS\system32\tqtggagt.tmp
2007-11-12 07:47 . 2007-11-12 07:47 12 --a------ C:\WINDOWS\system32\din.ip
2007-11-12 07:47 . 2007-11-12 07:47 4 --a------ C:\WINDOWS\system32\jpewocmz.ini
2007-11-12 07:46 . 2007-11-12 07:46 53,248 --a------ C:\WINDOWS\system32\systemo0.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-03 19:33 41,684 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-03 19:33 3,585,824 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-03 19:31 9,728 ----a-w C:\WINDOWS\system32\wml.exe
2007-12-03 19:31 9,472 ----a-w C:\WINDOWS\liqad.exe
2007-12-03 19:31 8,960 ----a-w C:\WINDOWS\xadbrk_.exe
2007-12-03 19:31 8,448 ----a-w C:\WINDOWS\kvnab$.exe
2007-12-03 19:31 32,768 ----a-w C:\WINDOWS\system32\msole32.exe
2007-12-03 19:31 32,512 ----a-w C:\WINDOWS\daxtime.dll
2007-12-03 19:31 31,744 ----a-w C:\WINDOWS\iexplorr23.dll
2007-12-03 19:31 31,232 ----a-w C:\WINDOWS\kvnab.exe
2007-12-03 19:31 31,232 ----a-w C:\WINDOWS\adbar.dll
2007-12-03 19:31 30,464 ----a-w C:\WINDOWS\kkcomp.dll
2007-12-03 19:31 30,464 ----a-w C:\WINDOWS\kkcomp$.exe
2007-12-03 19:31 28,416 ----a-w C:\WINDOWS\liqad.dll
2007-12-03 19:31 28,160 ----a-w C:\WINDOWS\system32\vxddsk.exe
2007-12-03 19:31 27,648 ----a-w C:\WINDOWS\pbar.dll
2007-12-03 19:31 27,136 ----a-w C:\WINDOWS\ngd.dll
2007-12-03 19:31 26,880 ----a-w C:\WINDOWS\jd2002.dll
2007-12-03 19:31 26,368 ----a-w C:\WINDOWS\xxxvideo.exe
2007-12-03 19:31 26,368 ----a-w C:\WINDOWS\flt.dll
2007-12-03 19:31 24,064 ----a-w C:\WINDOWS\xadbrk.exe
2007-12-03 19:31 23,808 ----a-w C:\WINDOWS\vxddsk.exe
2007-12-03 19:31 23,040 ----a-w C:\WINDOWS\liqui-Uninstaller.exe
2007-12-03 19:31 22,528 ----a-w C:\WINDOWS\wbeInst$.exe
2007-12-03 19:31 22,016 ----a-w C:\WINDOWS\settn.dll
2007-12-03 19:31 22,016 ----a-w C:\WINDOWS\7search.dll
2007-12-03 19:31 21,760 ----a-w C:\WINDOWS\wml.exe
2007-12-03 19:31 21,760 ----a-w C:\WINDOWS\ie_32.exe
2007-12-03 19:31 21,504 ----a-w C:\WINDOWS\pbsysie.dll
2007-12-03 19:31 20,992 ----a-w C:\WINDOWS\hcwprn.exe
2007-12-03 19:31 20,736 ----a-w C:\WINDOWS\spredirect.dll
2007-12-03 19:31 18,176 ----a-w C:\WINDOWS\kvnab.dll
2007-12-03 19:31 17,920 ----a-w C:\WINDOWS\wbeCheck.exe
2007-12-03 19:31 17,920 ----a-w C:\WINDOWS\liqui.exe
2007-12-03 19:31 16,640 ----a-w C:\WINDOWS\cbinst$.exe
2007-12-03 19:31 15,616 ----a-w C:\WINDOWS\liqad$.exe
2007-12-03 19:31 15,360 ----a-w C:\WINDOWS\xadbrk.dll
2007-12-03 19:31 14,336 ----a-w C:\WINDOWS\hotporn.exe
2007-12-03 19:31 14,336 ----a-w C:\WINDOWS\fhfmm-Uninstaller.exe
2007-12-03 19:31 14,080 ----a-w C:\WINDOWS\fhfmm.exe
2007-12-03 19:31 12,800 ----a-w C:\WINDOWS\kkcomp.exe
2007-12-03 19:31 12,544 ----a-w C:\WINDOWS\dp0.dll
2007-12-03 19:31 11,776 ----a-w C:\WINDOWS\liqui.dll
2007-12-03 19:31 11,264 ----a-w C:\WINDOWS\system32\ESHOPEE.exe
2007-12-03 19:31 10,496 ----a-w C:\WINDOWS\aconti.exe
2007-12-03 19:31 10,240 ----a-w C:\WINDOWS\eventlowg.dll
2007-12-03 19:29 21,504 ----a-w C:\WINDOWS\764.exe
2007-12-01 14:18 5,180 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-01 14:18 44,832 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-01 14:14 77,765 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_12_01_09_12_33_small.dmp.zip
2007-11-17 16:52 86,483 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_11_17_11_07_49_small.dmp.zip
2007-11-14 21:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-11-14 21:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-11-13 13:51 20,298,471 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_11_13_08_44_03_full.dmp.zip
2007-11-12 16:54 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-12 16:33 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-11-12 16:33 --------- d-----w C:\Documents and Settings\installer\Application Data\SUPERAntiSpyware.com
2007-05-15 15:50 20,246,997 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_05_15_11_47_27_full.dmp.zip
2007-05-14 10:46 3,072 ----a-w C:\Documents and Settings\greg\keylog.dll
2006-12-28 22:12 130,327 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_12_20_20_56_25_small.dmp.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{03E384D6-E1A7-792A-1851-0AC16EF38DE4}]
C:\Program Files\Eelnrtdx\rfjrwfdd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BF442538-BE32-4055-A549-2F3B699F55EB}]
C:\WINDOWS\system32\aivskurq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 06:26]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 07:00 C:\WINDOWS\system32\rundll32.exe]
"InstallShield Installation Information"="C:\WINDOWS\twain.exe" [2007-11-12 07:47]
"vbxarxur"="C:\Program Files\Zzizaosl\vbxarxur.exe" []
"fkucspoi"="C:\Program Files\Uyhoabsj\fkucspoi.exe" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-11-10 13:52]

C:\Documents and Settings\installer\Start Menu\Programs\Startup\
DING!.lnk - C:\Program Files\Southwest Airlines\Ding\Ding.exe [2006-06-22 13:15:48]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
2006-06-07 11:35 319488 --a------ C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVRaidService]
2005-01-17 01:43 84480 -ra------ C:\WINDOWS\system32\nvraidservice.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
2005-03-18 18:17 98304 -ra------ C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Restore Operation]
C:\DOCUME~1\INSTAL~1\LOCALS~1\Temp\svchots.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2005-10-21 14:13 163840 --a------ C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunOnce2Upd]
C:\WINDOWS\system32\KB_963493.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\soft2]
2007-05-10 15:19 468503 --a------ C:\WINDOWS\98594000.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ttool]
C:\WINDOWS\9129837.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinDefend"=2 (0x2)
"RoxWatch"=2 (0x2)
"RoxMediaDB"=3 (0x3)
"RoxLiveShare"=2 (0x2)
"ose"=3 (0x3)
"NVSvc"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"Diskeeper"=2 (0x2)

R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys
S2 Microsoft Inet Service2;Microsoft Inet Service2;C:\WINDOWS\system32\__svchost.exe -A

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-03 14:37:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-03 14:38:00 - machine was rebooted
.
--- E O F ---

Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:39:49 PM, on 12/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\twain.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\wuauclt.exe
E:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {03E384D6-E1A7-792A-1851-0AC16EF38DE4} - C:\Program Files\Eelnrtdx\rfjrwfdd.dll (file missing)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: aivskurq.msdn_hlp - {BF442538-BE32-4055-A549-2F3B699F55EB} - C:\WINDOWS\system32\aivskurq.dll (file missing)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [InstallShield Installation Information] C:\WINDOWS\twain.exe
O4 - HKLM\..\Run: [vbxarxur] C:\Program Files\Zzizaosl\vbxarxur.exe
O4 - HKLM\..\Run: [fkucspoi] C:\Program Files\Uyhoabsj\fkucspoi.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A0BEB4C-2355-4AAC-BFF9-FD011523A95F}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)
O23 - Service: Microsoft Inet Service2 - Unknown owner - C:\WINDOWS\system32\__svchost.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6416 bytes

I look forward to hearing from you

Mike

#5 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:12:58 PM

Posted 06 December 2007 - 03:13 PM

Hi!

#1

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\9129837.exe
C:\WINDOWS\98594000.exe
C:\WINDOWS\system32\KB_963493.exe
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\aconti.ini
C:\WINDOWS\aconti.sdb
C:\WINDOWS\system32\__svchost.exe
C:\WINDOWS\fkwggshm.exe
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\absolute key logger.lnk
C:\WINDOWS\system32\vvgeowbv.exe
C:\WINDOWS\system32\npdl.exe
C:\WINDOWS\system32\tqtggagt.tmp
C:\WINDOWS\system32\din.ip
C:\WINDOWS\system32\jpewocmz.ini
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\liqad.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\adbar.dll
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\pbar.dll
C:\WINDOWS\ngd.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\xxxvideo.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\settn.dll
C:\WINDOWS\7search.dll
C:\WINDOWS\wml.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\spredirect.dll
C:\WINDOWS\kvnab.dll
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\liqui.exe
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\hotporn.exe
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\dp0.dll
C:\WINDOWS\liqui.dll
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\aconti.exe
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\764.exe
C:\Documents and Settings\greg\keylog.dll
C:\WINDOWS\system32\aivskurq.dll
C:\DOCUME~1\INSTAL~1\LOCALS~1\Temp\svchots.exe

Folder::
C:\Program Files\p2pnetworks
C:\Program Files\e-zshopper
C:\Program Files\amsys
C:\Program Files\akl
C:\Program Files\Accoona
C:\Program Files\3721
C:\WINDOWS\system32\acespy
C:\Program Files\Zzizaosl
C:\Program Files\Uyhoabsj
C:\Program Files\Eelnrtdx

Driver::
Microsoft Inet Service2

Collect::[29]
C:\WINDOWS\system32\extrac32.dll
C:\WINDOWS\system32\systemo0.exe
C:\WINDOWS\system32\drivers\Hdei40.sys
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\kdzkp.exe

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"c:\\windows\\system32\\systemo0.exe"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"vbxarxur"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"fkucspoi"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Hdei40]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Arp1349]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Hdei40]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Hdei40]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Restore Operation]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunOnce2Upd]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\soft2]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ttool]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{03E384D6-E1A7-792A-1851-0AC16EF38DE4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BF442538-BE32-4055-A549-2F3B699F55EB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]


Save this as CFScript.txt

Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed, and read it carefully.
With the above script, ComboFix will capture a file to submit for analysis.
Ensure you are connected to the internet and click OK.
A browser will open. Simply follow the instructions to copy/paste/send the requested file.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.


#2
Please download FixWareout from one of these mirrors:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
http://downloads.subratam.org/Fixwareout.exe


Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads, please post the text that will open (report.txt) and a new HijackThis log.

#3
I would also like you to do the following:
  • Please click Start > Run > and copy and paste the following text into the Run box: regedit /e c:\fix.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\CLSID"
  • Click OK
  • Now go to C:\, right-click on the file fix.reg, select Open With and choose Notepad.
  • Now please copy the contents of that file in your next reply.
#4
Please visit VirusTotal
  • Click the Browse... button
  • Navigate to the file C:\WINDOWS\twain.exe
  • Click the Open button
  • Click the Send button
  • Copy and paste the results back here
#5
Please do the following...

Download ATF (Atribune Temp File) Cleaner by Atribune to your desktop.
This program is for XP and Windows 2000 only!

Double-click ATF Cleaner.exe to open it.

Under Main select the following:
  • Windows Temp
  • Current User Temp
  • All Users Temp
  • Temporary Internet Files
  • Prefetch
  • Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Click Exit on the Main menu to close the program.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
AVG Anti-Spyware
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
Once in Safe Mode:

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Do not automatically generate reports and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Posted Image
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot back into Normal Mode, and post a new HJT log, along with the AVG Anti-Spyware log.

#7
Please post a fresh HijackThis log, ComboFix log, Fixwareout log, AVG Anti-Spyware results, contents of Fix.reg and VirusTotal results.

Edited by Baabiouz, 06 December 2007 - 03:53 PM.
