Trojan


This topic is locked
23 replies to this topic

#1 daazndrgon

  • Members
  • 115 posts
  • Gender:Male
Posted 09 January 2008 - 06:53 PM

I posted a topic 11 days ago and still haven't gotten any help, so I'm posting it again just in case you guys missed it. I ran Kaspersky and it found all these files infected with trojan-dropper.win32. There was this popup that keeps telling me I had trojandownloader.xs, and it changed my wallpaper, and there was a message that said my computer was infected with spyware. It locked my Task Manager, but I downloaded a program that fixed it. I also can't open msconfig. It says Windows cannot find msconfig when I run it. I have this popup whenever I turn on my computer that says Microsoft Visual C++ Runtime Library error. My computer also freezes sometimes when I minimize something, and my desktop and taskbar disappear. Quietman7 told me to go to this link and follow all the steps, but whenever I open up Stinger it keeps freezing at raid.exe. I also skipped the Windows Update. I couldn't install the ZoneAlarm firewall either; when I try to open it, a message pops up that says "The application failed to initialize properly (0xc0000142). Click on OK to terminate the application." This happens when I try to update it. Quietman7 told me to post here after I followed all the steps and skipped the ones I couldn't do. I ran scans from Kaspersky, Ad-Aware, Spybot Search & Destroy, HouseCall, Panda, and BitDefender, and they all found viruses and malware but couldn't delete them. I ran HJT and chose the "Do a system scan and save a logfile" option. I also have other logs saved if you would like to see them. Also, my System Idle Process is staying at 99% while the CPU usage % is different. Can anyone please help me?
Here is the most current HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:58:45 PM, on 1/9/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\System32\mlljh.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {49b70fbe-b42a-4d4d-8afb-6a69d1f92a1f} - C:\WINDOWS\system32\comdro.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: CIEIntegrator Object - {5C3F6257-3E00-45C2-88D5-CB0F3A17BF0E} - C:\Program Files\SpyGuardPro\Tools\pblock.dll (file missing)
O2 - BHO: IEFW Object - {6F87F145-DC2D-4766-AF03-3A3B96FFAD98} - C:\Program Files\SpyGuardPro\Tools\sbiebho.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {DEB2C398-20AC-447C-B224-FF34C1D8B58B} - C:\WINDOWS\System32\mlljh.dll (file missing)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [iurrkxw] c:\windows\system32\fzwpaen.exe r
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SNM] C:\Documents and Settings\Quiet Boy\Desktop\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [SpyGuardPro] C:\Program Files\SpyGuardPro\pgs.exe
O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\COMMON~1\SPYGUA~1\ugac.exe" -start
O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\SpyGuardPro\bm.exe" dm=http://spyguardpro.com ad=http://spyguardpro.com sd=http://ykeeper.spyguardpro.com
O4 - HKLM\..\Run: [ptask] C:\Program Files\SpyGuardPro\ptask.exe
O4 - HKLM\..\Run: [bm(1)] "C:\Program Files\Common Files\SpyGuardPro\bm .exe" dm=http://spyguardpro.com ad=http://spyguardpro.com sd=http://ykeeper.spyguardpro.com
O4 - HKLM\..\Run: [bm(2)] "C:\Program Files\Common Files\SpyGuardPro\bm .exe" dm=http://spyguardpro.com ad=http://spyguardpro.com sd=http://ykeeper.spyguardpro.com
O4 - HKLM\..\Run: [bm(3)] "C:\Program Files\Common Files\SpyGuardPro\bm .exe" dm=http://spyguardpro.com ad=http://spyguardpro.com sd=http://ykeeper.spyguardpro.com
O4 - HKLM\..\Run: [bm(4)] "C:\Program Files\Common Files\SpyGuardPro\bm .exe" dm=http://spyguardpro.com ad=http://spyguardpro.com sd=http://ykeeper.spyguardpro.com
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe /auto
O4 - HKLM\..\Run: [bm(5)] "C:\Program Files\Common Files\SpyGuardPro\bm .exe" dm=http://spyguardpro.com ad=http://spyguardpro.com sd=http://ykeeper.spyguardpro.com
O4 - HKLM\..\Run: [bm(6)] "C:\Program Files\Common Files\SpyGuardPro\bm .exe" dm=http://spyguardpro.com ad=http://spyguardpro.com sd=http://ykeeper.spyguardpro.com
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [juddpa] C:\WINDOWS\System32\juddpa.exe
O4 - HKCU\..\Run: [Cocw] "C:\WINDOWS\System32\FNTS~1\wuauboot.exe" -vt yazb
O4 - HKCU\..\Run: [Vacvqwwt] C:\WINDOWS\system32\?ystem32\?vchost.exe
O4 - HKLM\..\Policies\Explorer\Run: [ctzfndp] C:\WINDOWS\System32\ctzfndp.exe
O4 - HKCU\..\Policies\Explorer\Run: [juddpa] C:\WINDOWS\System32\juddpa.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: NDWCab - http://www.neededware.com/ndw4.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1163120314999
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163643999063
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/share...,20/McGDMgr.cab
O20 - Winlogon Notify: comdro - comdro.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11092 bytes

Edited by daazndrgon, 09 January 2008 - 07:00 PM.



#2 SNOWHITE

    missy malware magnet

  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 20 January 2008 - 03:51 AM

Hello daazndrgon and welcome to BC :thumbsup:

Sorry for the late reply, but as you can see we handle more than our fair share of logs. If you still have problems please post a fresh HijackThis log and we can begin the cleaning process.

Regards,
SNOWHITE

#3 daazndrgon

  • Topic Starter
  • Members
  • 115 posts
  • Gender:Male

Posted 20 January 2008 - 09:49 PM

Hey Snowhite, here is the new HJT log you asked for.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:48:14 PM, on 1/20/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\System32\mlljh.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {49b70fbe-b42a-4d4d-8afb-6a69d1f92a1f} - C:\WINDOWS\system32\comdro.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: CIEIntegrator Object - {5C3F6257-3E00-45C2-88D5-CB0F3A17BF0E} - C:\Program Files\SpyGuardPro\Tools\pblock.dll (file missing)
O2 - BHO: IEFW Object - {6F87F145-DC2D-4766-AF03-3A3B96FFAD98} - C:\Program Files\SpyGuardPro\Tools\sbiebho.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {DEB2C398-20AC-447C-B224-FF34C1D8B58B} - C:\WINDOWS\System32\mlljh.dll (file missing)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [iurrkxw] c:\windows\system32\fzwpaen.exe r
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SNM] C:\Documents and Settings\Quiet Boy\Desktop\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [SpyGuardPro] C:\Program Files\SpyGuardPro\pgs.exe
O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\COMMON~1\SPYGUA~1\ugac.exe" -start
O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\SpyGuardPro\bm.exe" dm=http://spyguardpro.com ad=http://spyguardpro.com sd=http://ykeeper.spyguardpro.com
O4 - HKLM\..\Run: [ptask] C:\Program Files\SpyGuardPro\ptask.exe
O4 - HKLM\..\Run: [bm(1)] "C:\Program Files\Common Files\SpyGuardPro\bm .exe" dm=http://spyguardpro.com ad=http://spyguardpro.com sd=http://ykeeper.spyguardpro.com
O4 - HKLM\..\Run: [bm(2)] "C:\Program Files\Common Files\SpyGuardPro\bm .exe" dm=http://spyguardpro.com ad=http://spyguardpro.com sd=http://ykeeper.spyguardpro.com
O4 - HKLM\..\Run: [bm(3)] "C:\Program Files\Common Files\SpyGuardPro\bm .exe" dm=http://spyguardpro.com ad=http://spyguardpro.com sd=http://ykeeper.spyguardpro.com
O4 - HKLM\..\Run: [bm(4)] "C:\Program Files\Common Files\SpyGuardPro\bm .exe" dm=http://spyguardpro.com ad=http://spyguardpro.com sd=http://ykeeper.spyguardpro.com
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe /auto
O4 - HKLM\..\Run: [bm(5)] "C:\Program Files\Common Files\SpyGuardPro\bm .exe" dm=http://spyguardpro.com ad=http://spyguardpro.com sd=http://ykeeper.spyguardpro.com
O4 - HKLM\..\Run: [bm(6)] "C:\Program Files\Common Files\SpyGuardPro\bm .exe" dm=http://spyguardpro.com ad=http://spyguardpro.com sd=http://ykeeper.spyguardpro.com
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [juddpa] C:\WINDOWS\System32\juddpa.exe
O4 - HKCU\..\Run: [Cocw] "C:\WINDOWS\System32\FNTS~1\wuauboot.exe" -vt yazb
O4 - HKCU\..\Run: [Vacvqwwt] C:\WINDOWS\system32\?ystem32\?vchost.exe
O4 - HKLM\..\Policies\Explorer\Run: [ctzfndp] C:\WINDOWS\System32\ctzfndp.exe
O4 - HKCU\..\Policies\Explorer\Run: [juddpa] C:\WINDOWS\System32\juddpa.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1163120314999
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163643999063
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/share...,20/McGDMgr.cab
O20 - Winlogon Notify: comdro - comdro.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11121 bytes
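The two HijackThis logs in this thread (post #1 and post #3 are essentially identical) show a handful of tricks that are easier to spot mechanically than by eye: a second program whose name differs from the legitimate one only by a space before the extension (`bm .exe`, and `MSConfig .exe` sitting in the same directory as the real msconfig.exe on XP, which is consistent with the "Windows cannot find msconfig" symptom); a run entry pointing at `?ystem32\?vchost.exe`, where HijackThis prints `?` for characters it cannot render, so the path is not the real system32\svchost.exe; orphaned `(file missing)` BHO and Winlogon Notify entries; an entry under `Policies\Explorer\Run`, a location seldom used by legitimate software; a `win.ini load=` autorun; and vowel-free random names such as `ctzfndp` and `mlljh`. The script below is an added triage example for this thread, not HijackThis's own code and not from any of the posts. The rule names, the `Finding` record and the `looks_random` heuristic are mine, and `SAMPLE_LOG` is a constructed excerpt modelled on the posted log rather than a verbatim copy.

```python
"""Triage of HijackThis (HJT) log lines for the tricks visible in this thread.

Added example; not HijackThis's own code and not from the original posts.
Rule names, the Finding record and the heuristics are this example's own.
"""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "line rule severity detail")

# Constructed excerpt in HJT's line format, modelled on the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [bm(1)] "C:\Program Files\Common Files\SpyGuardPro\bm .exe" dm=http://spyguardpro.com
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe /auto
O4 - HKCU\..\Run: [Vacvqwwt] C:\WINDOWS\system32\?ystem32\?vchost.exe
O4 - HKLM\..\Policies\Explorer\Run: [ctzfndp] C:\WINDOWS\System32\ctzfndp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O2 - BHO: (no name) - {49b70fbe-b42a-4d4d-8afb-6a69d1f92a1f} - C:\WINDOWS\system32\comdro.dll (file missing)
O20 - Winlogon Notify: comdro - comdro.dll (file missing)
F3 - REG:win.ini: load=C:\WINDOWS\System32\mlljh.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# "name .exe": a second file whose name differs from the legitimate one only
# by a space before the extension, so it reads like the real thing in a listing.
SPACE_BEFORE_EXT = re.compile(r'\S \.(?:exe|dll|scr|com|ocx)\b', re.I)
# '?' is not a legal character in a Windows path; HJT prints it for characters
# it cannot render, so a '?' inside a drive path means a lookalike name.
UNRENDERABLE = re.compile(r'[A-Za-z]:\\[^\s"]*\?')
# First program path on the line; captures the file stem.  Directory names and
# the stem may contain spaces, so "Program Files" and "bm .exe" both match.
EXE_STEM = re.compile(r'[A-Za-z]:\\(?:[^\\"]+\\)*([^\\"]+?) ?\.(?:exe|scr|com)\b', re.I)
# Legacy win.ini load=/run= autorun as HJT reports it in its F-section.
WININI = re.compile(r'^F\d - REG:win\.ini: (?:load|run)=(\S+)', re.I)


def looks_random(stem):
    """Weak heuristic: five or more letters and no vowel at all (ctzfndp, mlljh)."""
    s = stem.strip().lower()
    return len(s) >= 5 and s.isalpha() and not any(c in "aeiouy" for c in s)


def check_line(line):
    """Return (rule, severity, detail) tuples raised by one HJT line."""
    hits = []
    m = SPACE_BEFORE_EXT.search(line)
    if m:
        hits.append(("space_before_ext", "high", line[max(0, m.start() - 20):m.end()]))
    if UNRENDERABLE.search(line):
        hits.append(("unrenderable_char", "high", line.split("] ", 1)[-1]))
    if "(file missing)" in line:
        # Orphaned registry pointer, typically left behind by a partial cleanup.
        hits.append(("file_missing", "medium", line.split(" - ", 1)[-1]))
    if "\\Policies\\Explorer\\Run" in line:
        hits.append(("policies_run", "high", line))
    m = WININI.match(line)
    if m:
        hits.append(("winini_load", "high", m.group(1)))
    if "ProxyOverride" in line:
        # Informational only: some legitimate software sets this too.
        hits.append(("proxy_override", "info", line.split(",", 1)[-1]))
    m = EXE_STEM.search(line)
    if m and looks_random(m.group(1)):
        hits.append(("random_name", "medium", m.group(0)))
    return hits


def triage(log_text):
    """Run every rule over every non-blank line; line numbers start at 1."""
    return [Finding(n, *hit)
            for n, line in enumerate(log_text.strip().splitlines(), 1)
            for hit in check_line(line)]


def summarize(findings):
    """Count findings per rule (a Counter, so missing rules read as 0)."""
    return Counter(f.rule for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line:2d}  {f.severity:6s}  {f.rule:18s}  {f.detail}")
    print(dict(summarize(triage(SAMPLE_LOG))))
```

Run it as-is against the embedded sample, or pass a whole saved HJT log to `triage()`. The space-before-extension and unrenderable-character rules are the high-confidence ones; `random_name` is deliberately weak and is only there to draw the eye to entries such as `ctzfndp` and `mlljh` that a reader skimming a long O4 section would otherwise pass over.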

#4 SNOWHITE

    missy malware magnet

  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 20 January 2008 - 10:21 PM

Hello again daazndrgon :thumbsup:

One of the infections you have is replacing legitimate files with infected ones, causing some of the programs you have not to work properly. We can fix this, but you might need to uninstall and reinstall some of the programs after we clean the computer.

Please follow the steps below exactly in the order they are written:

A guide and tutorial on using ComboFix can be found at the following link http://www.bleepingcomputer.com/combofix/how-to-use-combofix

1. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
2. Download combofix from one of these links:
Link1
Link2
3. Double click combofix.exe & follow the prompts.
4. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Note:
ComboFix should never take more than 20 minutes, including the reboot if malware is detected.

If it does, open Task Manager (press Ctrl, Alt and Del at the same time), use the Processes tab and end any processes of findstr, find, sed or swreg; then ComboFix should continue.

If that happened we want to know, and also what process you had to end.
Post back with combofix report and new Hijackthis log.

Regards,
SNOWHITE

#5 daazndrgon

  • Topic Starter
  • Members
  • 115 posts
  • Gender:Male

Posted 20 January 2008 - 11:44 PM

Hello Snowhite, I didn't know how to disable my ZoneAlarm firewall, so I put it on game mode and clicked on "answer all alerts with allow". My AVG anti-virus couldn't launch the control center either, but I still ran the ComboFix scan. Here you go:

ComboFix 08-01-20.1 - Quiet Boy 2008-01-20 20:27:37.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.242 [GMT -8:00]
Running from: C:\Documents and Settings\Quiet Boy\My Documents\Shared\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Quiet Boy\Application Data\SpyGuardPro
C:\Documents and Settings\Quiet Boy\Application Data\SpyGuardPro\Logs\threats.log
C:\Documents and Settings\Quiet Boy\Application Data\SpyGuardPro\Logs\update.log
C:\SpyGuardPro
C:\WINDOWS\system32\drivers\core.cache(2).dsk
C:\WINDOWS\system32\hjllm.ini
C:\WINDOWS\system32\hjllm.ini2

.
((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
.

2008-01-20 20:26 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-18 17:43 . 2008-01-18 17:43 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-18 17:43 . 2008-01-18 17:43 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-10 23:38 . 2008-01-10 23:38 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Xfire
2008-01-10 21:33 . 2008-01-11 15:19 <DIR> d---s---- C:\Program Files\Xfire
2008-01-10 21:33 . 2008-01-12 01:20 <DIR> d-------- C:\Documents and Settings\Quiet Boy\Application Data\Xfire
2008-01-09 21:56 . 2008-01-09 21:56 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2008-01-05 20:39 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\qcankwepqbhx.sys
2008-01-01 18:02 . 2008-01-01 18:02 32 --a------ C:\WINDOWS\go
2008-01-01 16:49 . 2008-01-01 16:51 <DIR> d-------- C:\WINDOWS\Caps
2008-01-01 16:48 . 2008-01-01 16:48 <DIR> d-------- C:\Program Files\RapidLeecher Ultimate 2007
2007-12-31 22:13 . 2007-12-31 22:13 <DIR> d-------- C:\Documents and Settings\Quiet Boy\Application Data\Grisoft
2007-12-31 22:12 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-31 19:36 . 2007-09-22 13:20 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-29 20:36 . 2007-12-29 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-29 13:33 . 2007-12-29 13:33 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-29 13:30 . 2008-01-20 18:39 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-12-29 13:30 . 2007-12-29 13:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-29 13:30 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-12-29 13:30 . 2008-01-16 18:06 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-12-29 13:29 . 2008-01-20 20:26 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-12-29 11:25 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2007-12-29 01:16 . 2008-01-05 21:17 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-29 01:16 . 2008-01-05 20:35 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-29 01:16 . 2008-01-05 20:35 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-29 01:16 . 2008-01-05 20:35 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-28 20:21 . 2007-12-28 20:21 <DIR> d-------- C:\Documents and Settings\Quiet Boy\Application Data\Media Player Classic
2007-12-28 20:20 . 2007-12-28 20:20 <DIR> d-------- C:\Program Files\Ringz Studio
2007-12-28 19:56 . 2007-12-28 19:56 <DIR> d-------- C:\Program Files\Free iPod Video Converter
2007-12-28 19:56 . 2005-02-27 21:48 356,352 --a------ C:\WINDOWS\system32\RealMediaSplitter.ax
2007-12-28 19:44 . 2007-12-29 16:36 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-12-28 18:02 . 2007-12-28 18:02 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2007-12-27 21:11 . 2007-12-27 21:11 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-27 21:10 . 2007-12-27 21:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-27 21:10 . 2007-12-27 21:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-27 19:36 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-27 19:36 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-27 19:36 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2007-12-27 19:36 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-27 19:36 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-27 18:53 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-27 18:42 . 2007-12-27 18:43 <DIR> d-------- C:\Documents and Settings\Quiet Boy\.SunDownloadManager
2007-12-27 02:20 . 2007-12-29 19:29 69,632 --a------ C:\WINDOWS\SOUNDMAN .EXE
2007-12-27 00:30 . 2007-12-27 22:06 212,992 --a------ C:\WINDOWS\troy44 .exe
2007-12-27 00:30 . 2007-12-27 19:44 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe
2007-12-27 00:22 . 2007-12-27 00:22 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2007-12-26 22:38 . 2004-10-07 13:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-12-26 22:38 . 2007-12-26 22:38 4 --a------ C:\WINDOWS\system32\jpewocmz.ini
2007-12-26 22:35 . 2007-12-27 21:32 <DIR> d-------- C:\WINDOWS\system32\to9
2007-12-26 22:35 . 2007-12-27 21:32 <DIR> d-------- C:\WINDOWS\system32\dj2
2007-12-26 22:35 . 2007-12-29 21:18 <DIR> d-------- C:\WINDOWS\system32\bbc9
2007-12-26 22:35 . 2007-12-29 11:56 <DIR> d-------- C:\WINDOWS\system32\ardCo02
2007-12-26 22:35 . 2007-12-26 22:35 <DIR> d-------- C:\Temp\cEeer12

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-21 03:39 --------- d-----w C:\Documents and Settings\Quiet Boy\Application Data\AVG7
2008-01-12 09:21 471,552 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-01-10 08:32 322,048 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-01-06 05:03 --------- d-----w C:\Program Files\iTunes
2008-01-02 00:09 82,538 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_01_01_15_56_39_small.dmp.zip
2008-01-02 00:09 69,687 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_01_01_15_55_52_small.dmp.zip
2008-01-01 02:01 --------- d-----w C:\Program Files\QuickTime
2007-12-30 04:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-28 03:18 --------- d-----w C:\Program Files\Java
2007-12-13 06:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-13 05:14 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-12 23:23 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-12 23:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-08 04:08 --------- d-----w C:\Program Files\Alwil Software
2007-12-08 02:38 --------- d-----w C:\Documents and Settings\Quiet Boy\Application Data\Yahoo!
2007-12-08 02:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-02 03:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-02 03:41 --------- d-----w C:\Program Files\NHN USA
2007-11-30 06:58 --------- d--h--w C:\Documents and Settings\Quiet Boy\Application Data\ijjigame
2007-11-30 06:53 --------- d-----w C:\Documents and Settings\Quiet Boy\Application Data\InstallShield
2007-11-30 06:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\IJJIGame
2007-11-30 03:42 --------- d-----w C:\Documents and Settings\Quiet Boy\Application Data\Move Networks
.
<pre>
----a-w		   344,064 2007-12-30 03:30:01  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w		   368,706 2007-12-30 03:30:01  C:\Program Files\BroadJump\Client Foundation\CFD .exe
----a-w		   271,672 2007-12-30 03:30:03  C:\Program Files\iTunes\iTunesHelper .exe
----a-w			36,975 2007-12-28 02:26:13  C:\Program Files\Java\jre1.5.0_02\bin\jusched .exe
----a-w		   132,496 2007-12-30 03:30:05  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w		 1,077,277 2007-12-28 02:57:15  C:\Program Files\Messenger\msmsgs .exe
----a-w			26,112 2007-12-28 03:22:31  C:\Program Files\Real\RealPlayer\RealPlay .exe
----a-w			97,357 2007-12-29 08:31:23  C:\Program Files\Ringz Studio\Storm Codec\StormSet .exe
----a-w		   380,928 2007-12-30 03:29:58  C:\Program Files\SBC Self Support Tool\SmartBridge\MotiveSB .exe
----a-w		   185,456 2007-12-30 03:29:58  C:\Program Files\Yahoo!\Antivirus\CAVRID .exe
----a-w		   230,512 2007-12-30 03:30:01  C:\Program Files\Yahoo!\Antivirus\CAVTray .exe
----a-w		   129,536 2007-12-30 03:29:52  C:\Program Files\Yahoo!\browser\ybrwicon .exe
----a-w		   407,032 2007-12-29 08:35:42  C:\Program Files\Yahoo!\YOP\yop .exe
----a-w		   919,016 2007-12-30 03:25:12  C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
----a-w			69,632 2007-12-30 03:29:53  C:\WINDOWS\SOUNDMAN .EXE
----a-w		   212,992 2007-12-28 06:06:19  C:\WINDOWS\troy44 .exe
----a-w		   155,648 2007-12-28 03:44:06  C:\WINDOWS\system32\NeroCheck .exe
----a-w		   196,608 2007-12-28 06:06:02  C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03 .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{49b70fbe-b42a-4d4d-8afb-6a69d1f92a1f}]
C:\WINDOWS\system32\comdro.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C3F6257-3E00-45C2-88D5-CB0F3A17BF0E}]
C:\Program Files\SpyGuardPro\Tools\pblock.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6F87F145-DC2D-4766-AF03-3A3B96FFAD98}]
C:\Program Files\SpyGuardPro\Tools\sbiebho.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DEB2C398-20AC-447C-B224-FF34C1D8B58B}]
C:\WINDOWS\System32\mlljh.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="1" []
"juddpa"="C:\WINDOWS\System32\juddpa.exe" [ ]
"Cocw"="C:\WINDOWS\System32\FNTS~1\wuauboot.exe" [ ]
"Vacvqwwt"="C:\WINDOWS\system32\?ystem32\?vchost.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [ ]
"NeroCheck"="C:\WINDOWS\System32\NeroCheck.exe" [ ]
"iurrkxw"="c:\windows\system32\fzwpaen.exe" [ ]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe" [ ]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [ ]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"SNM"="C:\Documents and Settings\Quiet Boy\Desktop\SpyNoMore\SNM.exe" [ ]
"ugac"="C:\PROGRA~1\COMMON~1\SPYGUA~1\ugac.exe" [ ]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe" [ ]
"StormCodec_Helper"="C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-27 20:14 271672]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-29 20:37 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AT&T Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2006-06-03 16:51:20 217088]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"ctzfndp"= C:\WINDOWS\System32\ctzfndp.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"juddpa"= C:\WINDOWS\System32\juddpa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\comdro]
comdro.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\System32\mlljh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2007-12-29 00:20 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\troy44]
C:\WINDOWS\troy44.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\troy44 ]
--a------ 2007-12-27 22:06 212992 C:\WINDOWS\troy44 .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\troy44 ]
C:\WINDOWS\troy44 .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{57-73-3A-A9-ZN}]
C:\Documents and Settings\Quiet Boy\Local Settings\Temp\T0CHD001 .exe

R0 viamraid;viamraid;C:\WINDOWS\System32\DRIVERS\viamraid.sys [2004-03-28 21:45]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-04 11:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.exe
- C:\Program Files\AdwareAlert
"2007-12-24 22:12:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 20:34:59
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-20 20:37:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-21 04:37:02
.
2008-01-11 03:21:34 --- E O F ---

_____________________________________________________________________________________________________________________________
And here is the HijackThis log also:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:58 PM, on 1/20/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {49b70fbe-b42a-4d4d-8afb-6a69d1f92a1f} - C:\WINDOWS\system32\comdro.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: CIEIntegrator Object - {5C3F6257-3E00-45C2-88D5-CB0F3A17BF0E} - C:\Program Files\SpyGuardPro\Tools\pblock.dll (file missing)
O2 - BHO: IEFW Object - {6F87F145-DC2D-4766-AF03-3A3B96FFAD98} - C:\Program Files\SpyGuardPro\Tools\sbiebho.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {DEB2C398-20AC-447C-B224-FF34C1D8B58B} - C:\WINDOWS\System32\mlljh.dll (file missing)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [iurrkxw] c:\windows\system32\fzwpaen.exe r
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SNM] C:\Documents and Settings\Quiet Boy\Desktop\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\COMMON~1\SPYGUA~1\ugac.exe" -start
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe /auto
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [juddpa] C:\WINDOWS\System32\juddpa.exe
O4 - HKCU\..\Run: [Cocw] "C:\WINDOWS\System32\FNTS~1\wuauboot.exe" -vt yazb
O4 - HKCU\..\Run: [Vacvqwwt] C:\WINDOWS\system32\?ystem32\?vchost.exe
O4 - HKLM\..\Policies\Explorer\Run: [ctzfndp] C:\WINDOWS\System32\ctzfndp.exe
O4 - HKCU\..\Policies\Explorer\Run: [juddpa] C:\WINDOWS\System32\juddpa.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1163120314999
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163643999063
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/share...,20/McGDMgr.cab
O20 - Winlogon Notify: comdro - comdro.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9663 bytes

#6 SNOWHITE

    missy malware magnet

  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 21 January 2008 - 04:12 AM

Hello daazndrgon,

I recommend that you install Recovery Console on your computer. Please follow the steps described on this page How to install and use the Windows XP Recovery Console, then follow the steps below:

Please follow the steps below exactly in the order they are written:


Open notepad and copy/paste the text in the code below into it:

File::
C:\WINDOWS\system32\comdro.dll
C:\WINDOWS\troy44.exe
C:\WINDOWS\troy44 .exe
C:\WINDOWS\System32\mlljh.dll
C:\WINDOWS\System32\ctzfndp.exe
C:\WINDOWS\System32\juddpa.exe
C:\Documents and Settings\Quiet Boy\Local Settings\Temp\T0CHD001 .exe

Folder::
C:\WINDOWS\system32\to9
C:\WINDOWS\system32\dj2
C:\WINDOWS\system32\bbc9
C:\WINDOWS\system32\ardCo02
C:\Temp\cEeer12

Suspect::[29]
C:\WINDOWS\system32\drivers\qcankwepqbhx.sys
C:\WINDOWS\go

DirLook::
C:\WINDOWS\Caps

RenV::
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
C:\Program Files\BroadJump\Client Foundation\CFD .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\Real\RealPlayer\RealPlay .exe
C:\Program Files\Ringz Studio\Storm Codec\StormSet .exe
C:\Program Files\SBC Self Support Tool\SmartBridge\MotiveSB .exe
C:\Program Files\Yahoo!\Antivirus\CAVRID .exe
C:\Program Files\Yahoo!\Antivirus\CAVTray .exe
C:\Program Files\Yahoo!\browser\ybrwicon .exe
C:\Program Files\Yahoo!\YOP\yop .exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
C:\WINDOWS\SOUNDMAN .EXE
C:\WINDOWS\system32\NeroCheck .exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03 .exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{49b70fbe-b42a-4d4d-8afb-6a69d1f92a1f}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C3F6257-3E00-45C2-88D5-CB0F3A17BF0E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6F87F145-DC2D-4766-AF03-3A3B96FFAD98}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DEB2C398-20AC-447C-B224-FF34C1D8B58B}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"juddpa"=-
"Cocw"=-
"Vacvqwwt"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iurrkxw"=-
"ugac"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\comdro]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\troy44]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\troy44 ]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{57-73-3A-A9-ZN}]

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!


Save this as "CFScript"


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. Additionally, ComboFix will generate the following files on your desktop:
  • A zipped file on your desktop called Submit [Date Time].zip
  • And another file named - CF-Submit.htm
ComboFix may need to reboot to finish its work. Let it.

When CF has finished running, it will generate the ComboFix.log which will appear on your screen.

If CF-Submit.htm is detected, ComboFix will generate this message box:

Posted Image

Clicking OK will cause the machine's browser to load CF-Submit.htm

Posted Image

Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.
  • Click on the file to Select it.
  • Submit the file by clicking "OK"
Once the file has been submitted, please DELETE both files on your desktop.

Post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log (run after ComboFix has finished its work.)
Regards,
SNOWHITE
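A small triage helper, added here as an example (it is not SNOWHITE's script or ComboFix/HijackThis code), that reads HijackThis O2/O4/O20 lines and flags the three indicator classes the CFScript above acts on: a space before the file extension (the files RenV:: renames back), a "(file missing)" entry (the BHO and Winlogon keys Registry:: deletes), and "?" characters inside a path. The sample lines are constructed from the log posted in this thread; the function and class names are this example's own.

```python
"""Flag suspicious HijackThis autostart/BHO lines (added example, not the thread's code)."""
import re
from dataclasses import dataclass

# Constructed sample: a few O2/O4/O20 lines copied from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {49b70fbe-b42a-4d4d-8afb-6a69d1f92a1f} - C:\WINDOWS\system32\comdro.dll (file missing)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe /auto
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Vacvqwwt] C:\WINDOWS\system32\?ystem32\?vchost.exe
O4 - HKCU\..\Run: [Cocw] "C:\WINDOWS\System32\FNTS~1\wuauboot.exe" -vt yazb
O20 - Winlogon Notify: comdro - comdro.dll (file missing)
"""

# "name .exe": a non-space character, one space, then the extension.
SPACE_BEFORE_EXT = re.compile(r"\S \.(exe|dll|sys)\b", re.IGNORECASE)
# A '?' anywhere inside a drive-rooted path (HijackThis shows unprintable
# characters in a path as '?', as in "?ystem32\?vchost.exe").
WILDCARD_PATH = re.compile(r'[A-Za-z]:\\[^\s"]*\?')
FILE_MISSING = "(file missing)"

# Only these HijackThis sections are examined here.
SECTIONS = ("O2 ", "O4 ", "O20 ")


@dataclass(frozen=True)
class Finding:
    line: str
    reasons: tuple


def classify(line: str) -> tuple:
    """Return the indicator classes that apply to one log line (empty if clean)."""
    reasons = []
    if FILE_MISSING in line:
        reasons.append("file-missing")
    if SPACE_BEFORE_EXT.search(line):
        reasons.append("space-before-extension")
    if WILDCARD_PATH.search(line):
        reasons.append("wildcard-in-path")
    return tuple(reasons)


def triage(log_text: str) -> list:
    """Scan a HijackThis log and return the O2/O4/O20 lines that carry an indicator."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line.startswith(SECTIONS):
            continue
        reasons = classify(line)
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(", ".join(finding.reasons), "->", finding.line)
```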

#7 daazndrgon

  • Topic Starter
  • Members
  • 115 posts
  • Gender:Male

Posted 22 January 2008 - 05:06 PM

Hello again Snowhite, I couldn't install the Windows XP Recovery Console because I don't have the CD, and also ComboFix only made the Submit [Date Time].zip folder and not the CF-Submit.htm one. Below are the ComboFix and HijackThis logs:

ComboFix 08-01-20.1 - Quiet Boy 2008-01-22 13:55:49.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.181 [GMT -8:00]
Running from: C:\Documents and Settings\Quiet Boy\My Documents\Shared\ComboFix.exe
Command switches used :: C:\Documents and Settings\Quiet Boy\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Documents and Settings\Quiet Boy\Local Settings\Temp\T0CHD001 .exe
C:\WINDOWS\system32\comdro.dll
C:\WINDOWS\System32\ctzfndp.exe
C:\WINDOWS\System32\juddpa.exe
C:\WINDOWS\System32\mlljh.dll
C:\WINDOWS\troy44 .exe
C:\WINDOWS\troy44.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-22 to 2008-01-22 )))))))))))))))))))))))))))))))
.

2008-01-20 20:26 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-10 23:38 . 2008-01-10 23:38 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Xfire
2008-01-10 21:33 . 2008-01-11 15:19 <DIR> d---s---- C:\Program Files\Xfire
2008-01-10 21:33 . 2008-01-12 01:20 <DIR> d-------- C:\Documents and Settings\Quiet Boy\Application Data\Xfire
2008-01-09 21:56 . 2008-01-09 21:56 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2008-01-05 20:39 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\qcankwepqbhx.sys
2008-01-01 18:02 . 2008-01-01 18:02 32 --a------ C:\WINDOWS\go
2008-01-01 16:49 . 2008-01-01 16:51 <DIR> d-------- C:\WINDOWS\Caps
2008-01-01 16:48 . 2008-01-01 16:48 <DIR> d-------- C:\Program Files\RapidLeecher Ultimate 2007
2007-12-31 22:13 . 2007-12-31 22:13 <DIR> d-------- C:\Documents and Settings\Quiet Boy\Application Data\Grisoft
2007-12-31 22:12 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-31 19:36 . 2007-09-22 13:20 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-29 20:36 . 2007-12-29 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-29 13:33 . 2007-12-29 13:33 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-29 13:30 . 2008-01-22 13:44 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-12-29 13:30 . 2007-12-29 13:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-29 13:30 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-12-29 13:30 . 2008-01-16 18:06 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-12-29 13:29 . 2008-01-22 13:52 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-12-29 11:25 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2007-12-29 01:16 . 2008-01-05 21:17 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-29 01:16 . 2008-01-05 20:35 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-29 01:16 . 2008-01-05 20:35 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-29 01:16 . 2008-01-05 20:35 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-28 20:21 . 2007-12-28 20:21 <DIR> d-------- C:\Documents and Settings\Quiet Boy\Application Data\Media Player Classic
2007-12-28 20:20 . 2007-12-28 20:20 <DIR> d-------- C:\Program Files\Ringz Studio
2007-12-28 19:56 . 2007-12-28 19:56 <DIR> d-------- C:\Program Files\Free iPod Video Converter
2007-12-28 19:56 . 2005-02-27 21:48 356,352 --a------ C:\WINDOWS\system32\RealMediaSplitter.ax
2007-12-28 19:44 . 2007-12-29 16:36 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-12-28 18:02 . 2007-12-28 18:02 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2007-12-27 21:11 . 2007-12-27 21:11 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-27 21:10 . 2007-12-27 21:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-27 21:10 . 2007-12-27 21:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-27 19:36 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-27 19:36 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-27 19:36 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2007-12-27 19:36 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-27 19:36 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-27 18:53 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-27 18:42 . 2007-12-27 18:43 <DIR> d-------- C:\Documents and Settings\Quiet Boy\.SunDownloadManager
2007-12-27 02:20 . 2007-12-29 19:29 69,632 --a------ C:\WINDOWS\SOUNDMAN.EXE
2007-12-27 00:30 . 2007-12-27 19:44 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-12-27 00:22 . 2007-12-27 00:22 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2007-12-26 22:38 . 2004-10-07 13:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-12-26 22:38 . 2007-12-26 22:38 4 --a------ C:\WINDOWS\system32\jpewocmz.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-22 21:47 --------- d-----w C:\Program Files\iTunes
2008-01-21 03:39 --------- d-----w C:\Documents and Settings\Quiet Boy\Application Data\AVG7
2008-01-12 09:21 471,552 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-01-10 08:32 322,048 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-01-02 00:09 82,538 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_01_01_15_56_39_small.dmp.zip
2008-01-02 00:09 69,687 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_01_01_15_55_52_small.dmp.zip
2008-01-01 02:01 --------- d-----w C:\Program Files\QuickTime
2007-12-30 04:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-28 03:35 4,630 ----a-w C:\WINDOWS\system32\tmp.reg
2007-12-28 03:18 --------- d-----w C:\Program Files\Java
2007-12-13 06:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-13 05:14 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-12 23:23 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-12 23:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-08 04:08 --------- d-----w C:\Program Files\Alwil Software
2007-12-08 02:38 --------- d-----w C:\Documents and Settings\Quiet Boy\Application Data\Yahoo!
2007-12-08 02:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-02 03:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-02 03:41 --------- d-----w C:\Program Files\NHN USA
2007-11-30 06:58 --------- d--h--w C:\Documents and Settings\Quiet Boy\Application Data\ijjigame
2007-11-30 06:53 --------- d-----w C:\Documents and Settings\Quiet Boy\Application Data\InstallShield
2007-11-30 06:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\IJJIGame
2007-11-30 03:42 --------- d-----w C:\Documents and Settings\Quiet Boy\Application Data\Move Networks
.
<pre>
----a-w		   919,016 2007-12-30 03:25:12  C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
</pre>


(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\Caps ----



((((((((((((((((((((((((((((( snapshot@2008-01-20_20.36.36.31 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-21 04:27:13 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-22 21:55:34 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-21 04:27:13 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-22 21:55:34 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-21 04:27:13 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-22 21:55:34 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-21 04:27:13 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-22 21:55:34 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-21 04:27:13 5,238,784 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-22 21:55:34 5,238,784 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-21 04:27:14 151,552 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-22 21:55:34 151,552 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-21 04:32:57 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-22 21:32:44 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-21 04:32:57 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-22 21:32:44 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-01-21 04:32:57 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-22 21:32:44 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 04:27:29 258,048 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2008-01-22 21:47:16 258,048 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-12-28 06:06:02 196,608 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
- 2008-01-19 00:17:03 7,588,909 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2008-01-22 21:44:15 7,630,022 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="1" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2007-12-29 00:35 407032]
"NeroCheck"="C:\WINDOWS\System32\NeroCheck.exe" [2007-12-27 19:44 155648]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe" [2007-12-27 22:06 196608]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2007-12-29 19:30 368706]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-12-29 19:30 344064]
"SNM"="C:\Documents and Settings\Quiet Boy\Desktop\SpyNoMore\SNM.exe" [ ]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe" [ ]
"StormCodec_Helper"="C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [2007-12-29 00:31 97357]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-29 19:30 271672]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-29 20:37 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AT&T Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2006-06-03 16:51:20 217088]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2007-12-27 18:57 1077277 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2007-12-27 19:22 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\troy44 ]
C:\WINDOWS\troy44 .exe

R0 viamraid;viamraid;C:\WINDOWS\System32\DRIVERS\viamraid.sys [2004-03-28 21:45]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-04 11:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAler
"2007-12-24 22:12:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-22 13:57:23
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-22 13:58:13
ComboFix-quarantined-files.txt 2008-01-22 21:57:58
ComboFix2.txt 2008-01-22 21:50:55
ComboFix3.txt 2008-01-21 04:37:15
.
2008-01-11 03:21:34 --- E O F ---



=============================================================================================


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:04:51 PM, on 1/22/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SNM] C:\Documents and Settings\Quiet Boy\Desktop\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe /auto
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1163120314999
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163643999063
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/share...,20/McGDMgr.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8665 bytes

Edited by daazndrgon, 22 January 2008 - 06:23 PM.


#8 daazndrgon (Topic Starter)

Posted 22 January 2008 - 06:24 PM

My old Yahoo anti-spyware worked again after I used ComboFix, and it found the Bifrost backdoor and deleted it, but I'm not sure if it's still there. Also my AVG just found Trojan horse VB.CAA in C:\Qoobox\Quarantine\C\WINDOWS\troy44 .exe.vir

Edited by daazndrgon, 22 January 2008 - 10:04 PM.


#9 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:08:11 AM

Posted 23 January 2008 - 09:21 AM

Hello daazndrgon,

Click on this link:
http://www.bleepingcomputer.com/submit-malware.php?channel=29
and fill in the required fields, then Browse for this filename: Submit [Date Time].zip <-- the file that was made by combofix.
Click on the Send File button.

Go to Microsoft's website => http://www.microsoft.com/downloads/details...B7-4FED408EA73F

Click on the Download button. Download the file & save it as it's originally named, next to ComboFix.exe

Posted Image

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.

Regards,
SNOWHITE

#10 daazndrgon (Topic Starter)

Posted 23 January 2008 - 04:05 PM

Hey, I submitted the new file on the site. I'm running ComboFix now.

Edited by daazndrgon, 23 January 2008 - 04:09 PM.


#11 daazndrgon (Topic Starter)

Posted 23 January 2008 - 04:10 PM

Here's the log you asked for.

WinXP_EN_PRO_BF.EXE
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

#12 SNOWHITE

Posted 23 January 2008 - 05:20 PM

Hello daazndrgon,

Step #1

Open notepad and copy/paste the text in the codebox below into it:

File::
C:\WINDOWS\troy44 .exe

RenV::
C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\troy44 ]
IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!


Save this as "CFScript"


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Step #2

Please do an online scan with Kaspersky WebScanner

NOTE: This Scanner will work with Internet Explorer Only!


Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As... button:
  • Under Save as type select Text file write name for the file and save it to your Desktop.
  • Locate the file at the Desktop, open it, then copy and paste that information in your next post.
Please post back with combofix report, new HijackThis report and Kaspersky scan report.

Regards,
SNOWHITE
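The three items SNOWHITE's CFScript targets (troy44 .exe, zlclient .exe and the startupreg\troy44 key) share one tell in the posted logs: a space wedged in before the extension, or at the end of the key name. Windows treats "zlclient .exe" and "zlclient.exe" as two different files, so a dropped file with the spaced name can sit beside the real one and pass a quick glance. The Python below is an added example, not part of this thread and not ComboFix's or HijackThis's own logic: it scans log lines of the kind posted above for that spacing, and cross-checks whether an odd-spaced name collapses to a name that appears clean elsewhere in the same log. The sample lines are copied from the logs in this thread (leading columns trimmed and joined into one constructed text); the names SAMPLE_LOG, scan, report and Finding and the two rules are mine.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the ComboFix and HijackThis logs
# posted in this thread, with the leading timestamp columns trimmed.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe /auto
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask .exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\troy44 ]
C:\WINDOWS\troy44 .exe
----a-w   919,016 2007-12-30 03:25:12  C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
""".strip("\n")

EXE_EXTS = ("exe", "dll", "sys", "scr", "com", "cpl", "ocx")

# A Windows path up to an executable extension.  Group 2 captures whatever
# whitespace sits between the base name and the dot; normally it is empty.
_PATH_RE = re.compile(
    r'([A-Za-z]:\\[^"\r\n\[\]]*?)(\s*)\.(' + "|".join(EXE_EXTS) + r')\b',
    re.IGNORECASE,
)

# A registry key header ([HKEY_...\name] or [-HKEY_...\name]) whose last
# component ends in whitespace, like the startupreg\troy44 key in the log.
_KEY_RE = re.compile(r'^\[-?HKEY_[^\]]*\\([^\\\]]*?)(\s+)\]\s*$')


@dataclass
class Finding:
    line_no: int          # 1-based line in the scanned text
    path: str             # path or key exactly as the log shows it
    reasons: list = field(default_factory=list)


def scan(log_text):
    """Return a Finding for each suspicious path or key line in the log."""
    findings = []
    clean_names = set()   # lower-cased "name.ext" of entries that looked normal
    for no, line in enumerate(log_text.splitlines(), 1):
        m = _PATH_RE.search(line)
        if m:
            stem, gap, ext = m.groups()
            base = stem.rsplit("\\", 1)[-1]
            if gap:
                findings.append(Finding(no, f"{stem}{gap}.{ext}",
                                        ["whitespace before extension"]))
            else:
                clean_names.add(f"{base}.{ext}".lower())
        if _KEY_RE.match(line):
            findings.append(Finding(no, line.strip(),
                                    ["registry key name ends in whitespace"]))
    # Second pass: an odd-spaced name that collapses to a name seen clean
    # elsewhere in the same log is masquerading as that file.
    for f in findings:
        if "whitespace before extension" in f.reasons:
            base = f.path.rsplit("\\", 1)[-1]
            squashed = re.sub(r"\s+", "", base).lower()
            if squashed in clean_names:
                f.reasons.append(f"mimics legitimate {squashed}")
    return findings


def report(findings):
    """One human-readable line per finding, suitable for pasting into a reply."""
    return [f"line {f.line_no}: {f.path}  [{'; '.join(f.reasons)}]"
            for f in findings]


if __name__ == "__main__":
    for row in report(scan(SAMPLE_LOG)):
        print(row)
```

Run against the sample it flags MSConfig .exe, qttask .exe, troy44 .exe, the troy44 key and zlclient .exe, and only the last is also marked as a look-alike, because zlclient.exe appears clean in the same log. The mimicry check is deliberately limited to names present in the scanned text; it does not carry a list of known-good Windows binaries, so a spaced copy of a file that never appears unspaced in the log (MSConfig here) is reported on the spacing alone.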

#13 daazndrgon (Topic Starter)

Posted 23 January 2008 - 08:57 PM

Here are the combofix and hijackthis reports:

ComboFix 08-01-20.1 - Quiet Boy 2008-01-23 17:47:52.8 - NTFSx86
Running from: C:\Documents and Settings\Quiet Boy\My Documents\Shared\ComboFix.exe
Command switches used :: C:\Documents and Settings\Quiet Boy\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\troy44 .exe
.

((((((((((((((((((((((((( Files Created from 2007-12-24 to 2008-01-24 )))))))))))))))))))))))))))))))
.

2008-01-23 13:10 . 2001-08-17 13:49 237,728 --a------ C:\cmldr
2008-01-23 13:10 . 2007-12-28 18:00 196 --a------ C:\Boot.bak
2008-01-23 12:43 . 2008-01-23 12:43 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-20 20:26 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-10 23:38 . 2008-01-10 23:38 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Xfire
2008-01-10 21:33 . 2008-01-11 15:19 <DIR> d---s---- C:\Program Files\Xfire
2008-01-10 21:33 . 2008-01-12 01:20 <DIR> d-------- C:\Documents and Settings\Quiet Boy\Application Data\Xfire
2008-01-09 21:56 . 2008-01-09 21:56 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2008-01-05 20:39 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\qcankwepqbhx.sys
2008-01-01 18:02 . 2008-01-01 18:02 32 --a------ C:\WINDOWS\go
2008-01-01 16:49 . 2008-01-01 16:51 <DIR> d-------- C:\WINDOWS\Caps
2008-01-01 16:48 . 2008-01-01 16:48 <DIR> d-------- C:\Program Files\RapidLeecher Ultimate 2007
2007-12-31 22:13 . 2007-12-31 22:13 <DIR> d-------- C:\Documents and Settings\Quiet Boy\Application Data\Grisoft
2007-12-31 22:12 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-31 19:36 . 2007-09-22 13:20 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-29 20:36 . 2007-12-29 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-29 13:33 . 2007-12-29 13:33 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-29 13:30 . 2008-01-23 12:40 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-12-29 13:30 . 2007-12-29 13:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-29 13:30 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-12-29 13:30 . 2008-01-23 12:42 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-12-29 13:29 . 2008-01-23 17:43 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-12-29 11:25 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2007-12-29 01:16 . 2008-01-05 21:17 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-29 01:16 . 2008-01-05 20:35 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-29 01:16 . 2008-01-05 20:35 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-29 01:16 . 2008-01-05 20:35 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-28 20:21 . 2007-12-28 20:21 <DIR> d-------- C:\Documents and Settings\Quiet Boy\Application Data\Media Player Classic
2007-12-28 20:20 . 2007-12-28 20:20 <DIR> d-------- C:\Program Files\Ringz Studio
2007-12-28 19:56 . 2007-12-28 19:56 <DIR> d-------- C:\Program Files\Free iPod Video Converter
2007-12-28 19:56 . 2005-02-27 21:48 356,352 --a------ C:\WINDOWS\system32\RealMediaSplitter.ax
2007-12-28 19:44 . 2007-12-29 16:36 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-12-28 18:02 . 2007-12-28 18:02 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2007-12-27 21:11 . 2007-12-27 21:11 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-27 21:10 . 2007-12-27 21:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-27 21:10 . 2007-12-27 21:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-27 19:36 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-27 19:36 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-27 19:36 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2007-12-27 19:36 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-27 19:36 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-27 18:53 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-27 18:42 . 2007-12-27 18:43 <DIR> d-------- C:\Documents and Settings\Quiet Boy\.SunDownloadManager
2007-12-27 02:20 . 2007-12-29 19:29 69,632 --a------ C:\WINDOWS\SOUNDMAN.EXE
2007-12-27 00:30 . 2007-12-27 19:44 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-12-27 00:22 . 2007-12-27 00:22 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2007-12-26 22:38 . 2004-10-07 13:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-12-26 22:38 . 2007-12-26 22:38 4 --a------ C:\WINDOWS\system32\jpewocmz.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-23 20:41 905,116 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-01-23 07:40 --------- d-----w C:\Documents and Settings\Quiet Boy\Application Data\AVG7
2008-01-22 21:47 --------- d-----w C:\Program Files\iTunes
2008-01-12 09:21 471,552 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-01-10 08:32 322,048 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-01-02 00:09 82,538 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_01_01_15_56_39_small.dmp.zip
2008-01-02 00:09 69,687 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_01_01_15_55_52_small.dmp.zip
2008-01-01 02:01 --------- d-----w C:\Program Files\QuickTime
2007-12-30 04:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-28 03:35 4,630 ----a-w C:\WINDOWS\system32\tmp.reg
2007-12-28 03:18 --------- d-----w C:\Program Files\Java
2007-12-13 06:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-13 05:14 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-12 23:23 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-12 23:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-08 04:08 --------- d-----w C:\Program Files\Alwil Software
2007-12-08 02:38 --------- d-----w C:\Documents and Settings\Quiet Boy\Application Data\Yahoo!
2007-12-08 02:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-02 03:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-02 03:41 --------- d-----w C:\Program Files\NHN USA
2007-11-30 06:58 --------- d--h--w C:\Documents and Settings\Quiet Boy\Application Data\ijjigame
2007-11-30 06:53 --------- d-----w C:\Documents and Settings\Quiet Boy\Application Data\InstallShield
2007-11-30 06:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\IJJIGame
2007-11-30 03:42 --------- d-----w C:\Documents and Settings\Quiet Boy\Application Data\Move Networks
.
<pre>
----a-w		   919,016 2007-12-30 03:25:12  C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-01-20_20.36.36.31 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-21 04:27:13 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-24 01:47:18 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-21 04:27:13 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-24 01:47:18 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-21 04:27:13 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-24 01:47:19 4,575,232 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-21 04:27:13 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-24 01:47:19 151,552 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-21 04:27:13 5,238,784 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-24 01:47:19 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-21 04:27:14 151,552 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-24 01:47:19 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2003-01-13 22:57:58 589,881 ----a-w C:\WINDOWS\LastGood\System32\dllcache\jscript.dll
+ 2003-01-13 21:57:58 589,881 ----a-w C:\WINDOWS\LastGood\System32\jscript.dll
- 2008-01-21 04:32:57 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-23 20:41:55 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-21 04:32:57 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-23 20:41:55 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-01-21 04:32:57 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-23 20:41:55 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 04:27:29 258,048 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2008-01-24 01:47:40 258,048 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-12-28 06:06:02 196,608 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
- 2008-01-19 00:17:03 7,588,909 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2008-01-22 21:44:15 7,630,022 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="1" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2007-12-29 00:35 407032]
"NeroCheck"="C:\WINDOWS\System32\NeroCheck.exe" [2007-12-27 19:44 155648]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe" [2007-12-27 22:06 196608]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2007-12-29 19:30 368706]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-12-29 19:30 344064]
"SNM"="C:\Documents and Settings\Quiet Boy\Desktop\SpyNoMore\SNM.exe" [ ]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe" [ ]
"StormCodec_Helper"="C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [2007-12-29 00:31 97357]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-29 19:30 271672]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-29 20:37 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AT&T Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2006-06-03 16:51:20 217088]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2007-12-27 18:57 1077277 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2007-12-27 19:22 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\troy44 ]
C:\WINDOWS\troy44 .exe

R0 viamraid;viamraid;C:\WINDOWS\System32\DRIVERS\viamraid.sys [2004-03-28 21:45]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-04 11:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAler
"2007-12-24 22:12:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-23 17:51:09
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-23 17:51:58
ComboFix-quarantined-files.txt 2008-01-24 01:51:42
ComboFix2.txt 2008-01-23 20:57:34
ComboFix3.txt 2008-01-22 21:58:14
ComboFix4.txt 2008-01-22 21:50:55
ComboFix5.txt 2008-01-21 04:37:15
.
2008-01-23 20:43:33 --- E O F ---


==================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:55:57 PM, on 1/23/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SNM] C:\Documents and Settings\Quiet Boy\Desktop\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe /auto
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1163120314999
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163643999063
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/share...,20/McGDMgr.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8827 bytes

#14 daazndrgon

daazndrgon
  • Topic Starter
  • Members
  • 115 posts
  • Gender:Male
  • Local time:12:11 AM

Posted 23 January 2008 - 10:05 PM

Hello Snowhite, I couldn't run the Kaspersky online scan. I guess they don't have it anymore, but they had the download for the Kaspersky scanner, so I downloaded it and scanned my computer. The report is too long to post on here; it keeps freezing every time I try to paste it. What should I do?

#15 SNOWHITE

SNOWHITE

    missy malware magnet

  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:08:11 AM

Posted 24 January 2008 - 05:26 AM

Hello Snowhite, I couldn't run the Kaspersky online scan. I guess they don't have it anymore, but they had the download for the Kaspersky scanner, so I downloaded it and scanned my computer. The report is too long to post on here; it keeps freezing every time I try to paste it. What should I do?

Please zip the report, then go to the following link http://www.bleepingcomputer.com/submit-malware.php?channel=29 and upload the report there.

Just out of curiosity, what happens when you go here using Internet Explorer http://www.kaspersky.com/virusscanner ? Do you see this button:

(image: the Kaspersky online scanner button)

If you click on it, what happens? Does the online scan initialize?

Please follow these steps:

Open notepad and copy/paste the text in the codebox below into it:

RenV::
C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!


Save this as "CFScript"


(image: dragging CFScript onto ComboFix.exe)

Referring to the picture above, drag CFScript onto ComboFix.exe.

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

Post back with the ComboFix report and a new HijackThis log.
SNOWHITE




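The CFScript above targets an executable whose name carries a stray space before its extension (`zlclient .exe`), the same pattern visible in the earlier HijackThis log's O4 entry for `MSConfig .exe`. As an added example that is not part of this thread, HijackThis or ComboFix, here is a small Python checker that pulls executable paths out of HijackThis-style lines, flags that pattern, and reports whether a normally named twin also appears in the log; the sample lines are constructed, modelled on the log posted above.

```python
import re

# Constructed sample in HijackThis format, modelled on the log in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe /auto
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
"""

# A drive-letter path ending in an executable extension. Group 2 captures any
# whitespace sitting between the file name and the extension ("MSConfig .exe");
# a normally named file leaves that group empty.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\r\n]*?)(\s*)\.(exe|dll|ocx|scr)\b', re.IGNORECASE)


def extract_paths(log_text):
    """Return (stem, gap, ext) for the first executable path on each log line."""
    found = []
    for line in log_text.splitlines():
        m = PATH_RE.search(line)
        if m:
            found.append((m.group(1), m.group(2), m.group(3).lower()))
    return found


def find_spaced_executables(log_text):
    """Full names of executables with whitespace before the extension."""
    return [f"{stem}{gap}.{ext}" for stem, gap, ext in extract_paths(log_text) if gap]


def check_log(log_text):
    """Map each spaced name to True if a normally named twin (same path, no gap)
    also appears somewhere in the log, e.g. in the running-process list."""
    entries = extract_paths(log_text)
    clean = {(stem.lower(), ext) for stem, gap, ext in entries if not gap}
    return {f"{stem}{gap}.{ext}": (stem.lower(), ext) in clean
            for stem, gap, ext in entries if gap}


if __name__ == "__main__":
    for name, has_twin in check_log(SAMPLE_LOG).items():
        print(f"{name}  twin without space present: {has_twin}")
```

On the sample, `zlclient .exe` is reported alongside its normally named twin from the process list, while `MSConfig .exe` has none.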