Suspicious Hijackthis Log Entry


14 replies to this topic

#1 CaptainXX

  • Members
  • 8 posts

Posted 23 January 2008 - 11:54 AM

I downloaded a file this week that infected me with several viruses and malware. I keep thinking I have them wiped out until AVG starts popping up with infected files again or I reboot and MalwareCrush is back in the system tray. Below is my HiJackThis log which contains the following suspicious entry. I do not recognize this DLL and cannot find anything about it online. Additionally, the 'Created Date' is about the time the infections began. Has anyone seen this file before? Do you see anything else in the log? Thanks!

O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvcem.dll,startup

---------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46, on 2008-01-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Download\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvcem.dll,startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200108488750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200156301609
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MissedMeds - Unknown owner - C:\Projects\eMedPass\MissedMeds\bin\missedmeds.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Xceed Chart for ASP.NET Renderer Service (Xceed.Chart.Renderer.Service) - Xceed Software Inc. - C:\Program Files\Xceed Components\Bin\.NET\Xceed.Chart.Renderer.Service.exe

--
End of file - 7290 bytes
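The entry the poster singles out is an O4 autorun value that does not launch an executable of its own but asks rundll32.exe to load a DLL from system32 and call an export named "startup". HijackThis prints the line but does no verification, so the reviewer has to pull the real payload (the DLL, not rundll32.exe) out of the command and decide whether it deserves a closer look. The following is an added example, not code from the thread or from the HijackThis project: a small Python triage script that parses O4 and O23 lines in the v2.0 log format, records the DLL behind any rundll32 launch, and flags those plus services with no recorded owner. The sample log lines are constructed from entries quoted in this post; the pattern names and the two heuristics are this example's own assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: a few lines in the HijackThis v2.0 log format,
# modelled on entries quoted in the first post of this thread.
SAMPLE_HJT_LOG = """\
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O4 - HKLM\\..\\Run: [iTunesHelper] "C:\\Program Files\\iTunes\\iTunesHelper.exe"
O4 - HKLM\\..\\Run: [MSDrive] rundll32.exe C:\\WINDOWS\\system32\\drvcem.dll,startup
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O23 - Service: MissedMeds - Unknown owner - C:\\Projects\\eMedPass\\MissedMeds\\bin\\missedmeds.exe
O23 - Service: iPod Service - Apple Inc. - C:\\Program Files\\iPod\\bin\\iPodService.exe
"""

# O4: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O23: "O23 - Service: <display name> - <owner> - <path>"
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# rundll32 launch: "[path\]rundll32[.exe] <dll>,<export> [args]"
RUNDLL_RE = re.compile(
    r'^(?:\S*\\)?rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S*)',
    re.IGNORECASE)


def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Split an O4 autorun line into hive, value name and the launched target.

    When the value runs rundll32, the real payload is the DLL handed to it, so
    that DLL (not rundll32.exe) is recorded as the target, together with the
    export name that will be called.
    """
    m = O4_RE.match(line)
    if m is None:
        return None
    entry = {"hive": m["hive"], "name": m["name"], "cmd": m["cmd"],
             "loader": "", "export": ""}
    r = RUNDLL_RE.match(m["cmd"])
    if r:
        entry["target"] = r["dll"]
        entry["export"] = r["export"]
        entry["loader"] = "rundll32"
    else:
        # Plain executable: either a quoted path or the first token.
        q = re.match(r'^"([^"]+)"', m["cmd"])
        entry["target"] = q.group(1) if q else m["cmd"].split(" ")[0]
    return entry


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return the entries a reviewer should look at first, each with a reason.

    Heuristics (assumptions of this example, not HijackThis rules):
      * an O4 value that loads a DLL through rundll32 is reported, because the
        log line carries no publisher for the DLL and the value name alone says
        nothing about what the DLL is;
      * an O23 service whose owner field is "Unknown owner" is reported so the
        user can confirm it is something they installed themselves.
    """
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        o4 = parse_o4(line)
        if o4 is not None:
            if o4["loader"] == "rundll32":
                findings.append({
                    "line": line,
                    "target": o4["target"],
                    "reason": "rundll32 loads %s (export '%s'): verify the DLL's "
                              "publisher, hash and creation date"
                              % (o4["target"], o4["export"]),
                })
            continue
        o23 = O23_RE.match(line)
        if o23 and o23["owner"].strip().lower() == "unknown owner":
            findings.append({
                "line": line,
                "target": o23["path"],
                "reason": "service '%s' has no recorded owner: confirm it is "
                          "something you installed" % o23["display"],
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f["reason"])
        print("   ", f["line"])
```

Run against the constructed sample, the script reports exactly the two lines Blender asks about in the next reply: the MSDrive value loading drvcem.dll, and the MissedMeds service with no owner. The rundll32 rule is deliberately noisy (legitimate vendors also use rundll32 autoruns); its job is to put the DLL path in front of the reviewer, not to declare it malicious.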


#2 Blender

    I will eat your Malware

  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 23 January 2008 - 02:37 PM

Hi,

Looks like Virtumonde..

Disable TeaTimer so it does not interfere with fixes.

1.) Open Spybot and click on Mode and check Advanced Mode
2.) Check yes to next window.
3.) Click on Tools in bottom left hand corner.
4.) Click on System Startup icon.
5.) Uncheck Teatimer box.
6.) Click Allow Change box.

You can follow this link if you need help: http://russelltexas.com/malware/teatimer.htm

Download ResetTeaTimer.bat and save it.

http://downloads.subratam.org/ResetTeaTimer.bat

Once TT is disabled/shut down please run the bat file you just downloaded.
This will cause TT to "forget" what was allowed so it does not restore what we are trying to fix.

Next:

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • If your security software asks about installing a service; please allow it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Question:

What is this?

O23 - Service: MissedMeds - Unknown owner - C:\Projects\eMedPass\MissedMeds\bin\missedmeds.exe

Something you created? If you know what it is -- fine. I just don't recognize it, so it is suspect IMO.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#3 CaptainXX

  • Topic Starter
  • Members
  • 8 posts

Posted 23 January 2008 - 05:56 PM

Blender, thanks for the response! I followed your advice and VundoFix told me that it did not find any infected files. Is there another possibility?

And yes, missedmeds.exe is a service that I wrote, so I can be pretty confident that it's safe. Sorry, I should have said that in my original post.

Thanks.

#4 Blender

    I will eat your Malware

  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 24 January 2008 - 06:46 AM

Hi,

Let's look for vundo then.. likely a couple hanging around.

Download Deckard's System Scanner to your Desktop from one of these links:

http://www.techsupportforum.com/sectools/Deckard/dss.exe
http://deckard.geekstogo.com/dss.exe

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, a text file will open - Main.txt
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt here.
A folder, C:\Deckard\System Scanner, will also open. In it will be another text file, Extra.txt.
Please attach Extra.txt to your post.

Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

To attach a file to a new post, simply
Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
copy and paste the following into the "Upload File from your Computer" box:

C:\Deckard\System Scanner\Extra.txt

Click Upload.

What DSS will do:
--create a new System Restore point in Windows XP and Vista.
--clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
--check some important areas of your system and produce a report for your analyst to review.
--System Scanner automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

Thanks :thumbsup:

#5 CaptainXX

  • Topic Starter
  • Members
  • 8 posts

Posted 24 January 2008 - 11:25 AM

Thanks, here are the items you requested:

-------------------------------------------------

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-01-24 11:09:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
20: 2008-01-24 16:09:29 UTC - RP44 - Deckard's System Scanner Restore Point
19: 2008-01-23 15:33:49 UTC - RP43 - ComboFix created restore point
18: 2008-01-23 03:51:44 UTC - RP42 - System Checkpoint
17: 2008-01-21 21:04:48 UTC - RP41 - Installed Ad-Aware 2007
16: 2008-01-21 20:28:12 UTC - RP40 - Removed Apple Mobile Device Support


-- First Restore Point --
1: 2008-01-15 02:53:39 UTC - RP25 - Installed Microsoft Office Access 2007


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:28 AM, on 01/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\Download\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvcem.dll,startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200108488750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200156301609
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MissedMeds - Unknown owner - C:\Projects\eMedPass\MissedMeds\bin\missedmeds.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Xceed Chart for ASP.NET Renderer Service (Xceed.Chart.Renderer.Service) - Xceed Software Inc. - C:\Program Files\Xceed Components\Bin\.NET\Xceed.Chart.Renderer.Service.exe

--
End of file - 6936 bytes

-- HijackThis Fixed Entries (C:\Download\backups\) -----------------------------

backup-20080123-105107-976 O20 - Winlogon Notify: nnnnnop - nnnnnop.dll (file missing)
backup-20080123-105856-656 O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
backup-20080123-105856-866 O2 - BHO: (no name) - {89A1E40D-0254-4F99-B9AE-B60A2D8754A9} - (no file)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.6.0.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.6.0.0>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 Pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S3 catchme - c:\docume~1\admini~1\locals~1\temp\catchme.sys (file missing)
S3 DCALEXICO - c:\windows\system32\drivers\dcalexico.sys (file missing)
S3 FLMCKUSB (AuthenTec TruePrint USB Driver (AES3400, AES3500, AES4000)) - c:\windows\system32\drivers\flmckusb.sys <Not Verified; AuthenTec, Inc.; Fingerprint USB Driver for AES 3K,4K>
S3 UIUSys (Conexant Setup API) - c:\windows\system32\drivers\uiusys.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 NICCONFIGSVC - c:\program files\dell\quickset\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>
R2 WLANKEEPER (Intel® PROSet/Wireless SSO Service) - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel® Corporation; SSO Service>
R3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>

S3 MissedMeds - "c:\projects\emedpass\missedmeds\bin\missedmeds.exe"
S3 Xceed.Chart.Renderer.Service (Xceed Chart for ASP.NET Renderer Service) - "c:\program files\xceed components\bin\.net\xceed.chart.renderer.service.exe" <Not Verified; Xceed Software Inc.; Xceed Chart for .NET>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom 440x 10/100 Integrated Controller
Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01881028&REV_02\4&2FA23535&0&00F0
Manufacturer: Broadcom
Name: Broadcom 440x 10/100 Integrated Controller
PNP Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01881028&REV_02\4&2FA23535&0&00F0
Service: bcm4sbxp

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\1F3EF4E1424FC000
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\1F3EF4E1424FC000
Service: NIC1394


-- Files created between 2007-12-24 and 2008-01-24 -----------------------------

2008-01-23 16:45:33 0 d-------- C:\VundoFix Backups
2008-01-22 11:27:19 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-22 10:57:19 2782 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-22 10:25:39 0 d-------- C:\WINDOWS\pss
2008-01-21 16:05:28 0 d-------- C:\Program Files\Lavasoft
2008-01-21 16:05:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-21 16:02:34 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-21 15:37:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-21 14:56:42 0 d-------- C:\WINDOWS\system32\appmgmt
2008-01-21 14:33:44 2 --a------ C:\1155764154_VIR
2008-01-21 14:33:24 103936 --a------ C:\WINDOWS\system32\drvcem.dll
2008-01-21 14:33:16 0 dr-h----- C:\$VAULT$.AVG
2008-01-21 14:31:23 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-01-21 14:31:23 47360 --a------ C:\Documents and Settings\Administrator\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-01-21 14:31:22 0 d-------- C:\Documents and Settings\Administrator\Application Data\Vso
2008-01-21 14:31:20 217127 --a------ C:\WINDOWS\system32\drv43260.dll <Not Verified; RealNetworks, Inc.; RealVideo 9 (32-bit)>
2008-01-21 14:31:20 208935 --a------ C:\WINDOWS\system32\drv33260.dll <Not Verified; RealNetworks, Inc.; RealVideo 8 (32-bit)>
2008-01-21 14:31:20 176165 --a------ C:\WINDOWS\system32\drv23260.dll <Not Verified; RealNetworks, Inc.; RealVideo G2 (32-bit)>
2008-01-18 07:34:28 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2008-01-18 07:34:23 0 d-------- C:\Program Files\Codec Pack - All In 1
2008-01-16 18:11:36 0 d-------- C:\Program Files\iPod
2008-01-16 18:11:27 0 d-------- C:\Program Files\iTunes
2008-01-16 18:09:41 0 d-------- C:\Program Files\QuickTime
2008-01-16 15:49:44 0 d-------- C:\Program Files\AuthenTec
2008-01-16 15:32:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-01-16 15:32:39 0 d-------- C:\Program Files\Common Files\Adobe
2008-01-16 14:21:20 59392 --a------ C:\WINDOWS\system\ssfm1032.DLL <Not Verified; Sheridan Software Systems, Inc; Sheridan Software Systems, Inc>
2008-01-16 14:21:20 25616 --a------ C:\WINDOWS\system\ssfm1016.DLL <Not Verified; Sheridan Software Systems, Inc; Sheridan Software Systems, Inc>
2008-01-16 14:21:17 398416 --a------ C:\WINDOWS\system\VBRUN300.DLL <Not Verified; Microsoft Corporation; Visual Basic 3.0>
2008-01-16 14:21:17 13824 --a------ C:\WINDOWS\system\VBOA300.DLL <Not Verified; Microsoft Corporation; Visual Basic 3.0>
2008-01-16 14:21:17 95232 --a------ C:\WINDOWS\system\VBDB300.DLL <Not Verified; Microsoft Corporation; Visual Basic 3.0>
2008-01-16 14:21:17 61824 --a------ C:\WINDOWS\system\SSPP16.DLL <Not Verified; Sheridan Software Systems, Inc.; Sheridan Reusable Components>
2008-01-16 14:21:17 12976 --a------ C:\WINDOWS\system\SCP.DLL <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Applications>
2008-01-16 14:21:17 51712 --a------ C:\WINDOWS\system\OLE2PROX.DLL <Not Verified; Microsoft Corporation; Microsoft OLE 2.02 for Windows>
2008-01-16 14:21:17 536048 --a------ C:\WINDOWS\system\OC25.DLL <Not Verified; Microsoft Corporation; Microsoft® OLE Controls Development Kit>
2008-01-16 14:21:17 995136 --a------ C:\WINDOWS\system\MSAJT200.DLL <Not Verified; Microsoft Corporation; Microsoft® Access>
2008-01-16 14:21:17 17440 --a------ C:\WINDOWS\system\MSAJT112.DLL <Not Verified; Microsoft Corporation; Microsoft® Access>
2008-01-16 14:21:17 0 d-------- C:\Program Files\SSCALWDG
2008-01-16 12:47:04 0 d-------- C:\Program Files\VideoSoft
2008-01-15 16:56:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\3D Button Visual Editor
2008-01-15 13:42:56 0 d-------- C:\Program Files\MapInfo MapX
2008-01-15 13:42:46 0 d-------- C:\WINDOWS\Crystal
2008-01-15 13:42:43 0 d-------- C:\Program Files\Seagate Software
2008-01-15 11:07:49 32768 --a------ C:\WINDOWS\system32\DBTools.dll <Not Verified; KnowledgeSpan Consulting; DBTools>
2008-01-15 09:42:54 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-15 09:42:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\U3
2008-01-14 15:21:52 0 d-------- C:\Program Files\Microsoft Works
2008-01-14 12:29:00 0 d-------- C:\Program Files\Hewlett-Packard
2008-01-14 12:28:09 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-01-14 12:27:37 94208 --a------ C:\WINDOWS\system32\HPZipt12.dll <Not Verified; HP; HP SNMP Windows>
2008-01-14 12:27:37 196608 --a------ C:\WINDOWS\system32\HPZipr12.dll <Not Verified; HP; HP PmlRtl>
2008-01-14 12:27:37 266296 --a------ C:\WINDOWS\system32\HPZidr12.dll <Not Verified; HP; HP Dot4Rtl>
2008-01-14 12:27:36 57344 --a------ C:\WINDOWS\system32\HPZisn12.dll <Not Verified; HP; HP SNMP Windows>
2008-01-14 12:27:36 65536 --a------ C:\WINDOWS\system32\HPZipm12.exe <Not Verified; HP; HP PML>
2008-01-14 12:27:36 61699 --a------ C:\WINDOWS\system32\HPZinw12.exe <Not Verified; HP; HP Dot4Net Windows>
2008-01-14 12:27:30 306688 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
2008-01-14 12:26:38 5762 -----n--- C:\WINDOWS\hpwmdl02.dat
2008-01-14 12:26:38 16920 --a------ C:\WINDOWS\hpwins02.dat
2008-01-14 12:17:23 311296 -ra------ C:\WINDOWS\system32\hptcpmui.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT® Operating System>
2008-01-14 12:17:21 98304 -ra------ C:\WINDOWS\system32\hpzjsn01.dll <Not Verified; Hewlett Packard Company; HPJZSN01 Dynamic Link Library>
2008-01-14 12:17:21 135168 -ra------ C:\WINDOWS\system32\hptcpmib.dll <Not Verified; Hewlett Packard; HP Standard Port Monitor>
2008-01-14 12:17:20 245760 -ra------ C:\WINDOWS\system32\hptcpmon.dll <Not Verified; Hewlett Packard; HP® Standard Port Monitor>
2008-01-14 12:17:03 102400 -ra------ C:\WINDOWS\scrub2k.exe
2008-01-14 11:56:15 0 d-------- C:\Program Files\Microsoft Device Emulator
2008-01-14 11:55:54 0 d-------- C:\Program Files\Microsoft SQL Server 2005 Mobile Edition
2008-01-14 11:51:06 0 d-------- C:\Program Files\HP
2008-01-14 11:25:30 0 d-------- C:\WINDOWS\Symbols
2008-01-14 11:25:30 0 d-------- C:\Documents and Settings\All Users\Application Data\PreEmptive Solutions
2008-01-14 11:25:29 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-01-14 11:25:29 0 d-------- C:\Program Files\HTML Help Workshop
2008-01-14 11:25:29 0 d-------- C:\Program Files\Common Files\Merge Modules
2008-01-14 11:25:29 0 d-------- C:\Program Files\Common Files\Business Objects
2008-01-14 11:25:29 0 d-------- C:\Program Files\CE Remote Tools
2008-01-14 10:10:08 0 d-------- C:\Program Files\ComponentOne Studio
2008-01-14 09:51:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2008-01-14 09:48:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-01-14 09:43:09 0 d-------- C:\Program Files\Yahoo!
2008-01-13 23:01:36 122368 --a------ C:\WINDOWS\system32\MmsTemp.dll <Not Verified; MultiMedia Soft; MmsTemp ActiveX Control Module>
2008-01-13 23:01:32 0 d-------- C:\3dabm
2008-01-13 22:46:54 0 d-------- C:\Program Files\Web Publish
2008-01-13 01:56:50 0 d-------- C:\Program Files\Microsoft SQL Server
2008-01-13 01:56:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-13 01:54:47 0 d-------- C:\Program Files\DVD Decrypter
2008-01-13 01:53:51 0 d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-13 01:53:50 0 d-------- C:\Program Files\DVD Shrink
2008-01-13 01:52:55 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-01-13 01:52:33 0 d-------- C:\Program Files\vso
2008-01-13 01:52:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Xceed Software
2008-01-13 01:51:23 0 d-------- C:\Program Files\Xceed Components
2008-01-13 01:50:45 0 d-------- C:\Program Files\DIFX
2008-01-13 01:50:45 0 d-------- C:\Documents and Settings\Administrator\Application Data\Nokia
2008-01-13 01:50:26 0 d-------- C:\Program Files\Common Files\PCSuite
2008-01-13 01:50:26 0 d-------- C:\Program Files\Common Files\Nokia
2008-01-13 01:50:01 0 d-------- C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-01-13 01:49:55 0 d-------- C:\Program Files\PC Connectivity Solution
2008-01-13 01:49:42 0 d-------- C:\Program Files\Nokia
2008-01-13 01:48:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-01-13 01:47:57 0 d-------- C:\Program Files\RealVNC
2008-01-13 01:46:26 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-01-13 01:41:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-13 01:40:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-13 01:38:25 33180 --a------ C:\WINDOWS\system32\drivers\flusbdrv.sys <Not Verified; AuthenTec, Inc.; AuthenTec FingerLoc USB Driver>
2008-01-13 01:38:24 5348 --a------ C:\WINDOWS\system32\FLMckUSB.dll <Not Verified; AuthenTec, Inc.; CoInstaller for AES 3K,4K>
2008-01-13 01:38:24 67159 --a------ C:\WINDOWS\system32\drivers\FLMckUSB.sys <Not Verified; AuthenTec, Inc.; Fingerprint USB Driver for AES 3K,4K>
2008-01-13 01:38:24 1142776 --a------ C:\WINDOWS\system32\ATSC51.dll <Not Verified; AuthenTec, Inc.; AuthenTec Sensor Control Library>
2008-01-13 01:38:24 3977 --a------ C:\WINDOWS\system32\atinsmsg.dll <Not Verified; AuthenTec, Inc.; CoInstaller for AES 3K,4K>
2008-01-13 01:38:24 0 d-------- C:\WINDOWS\SigPlus
2008-01-13 01:37:54 0 d-------- C:\Program Files\BitLord
2008-01-13 01:27:55 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-01-13 01:27:51 0 d-------- C:\Program Files\Apoint
2008-01-13 01:27:32 4 --ah----- C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare
2008-01-13 01:27:30 61440 --a------ C:\WINDOWS\system32\KPower.dll <Not Verified; Intel Corporation; KPOWER>
2008-01-13 01:27:28 0 d-------- C:\Program Files\Dell
2008-01-13 01:27:14 16128 --a------ C:\WINDOWS\system32\drivers\APPDRV.SYS <Not Verified; Dell Inc; Application Driver>
2008-01-13 01:20:35 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-01-13 01:19:36 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-13 01:19:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-13 01:19:25 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-12 11:34:54 0 d-------- C:\Projects
2008-01-12 11:34:49 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-01-12 11:34:07 0 d-------- C:\WINDOWS\SHELLNEW
2008-01-12 11:33:25 0 d-------- C:\Download
2008-01-12 11:32:39 0 d-------- C:\Program Files\Microsoft.NET
2008-01-12 11:30:55 0 dr-h----- C:\MSOCache
2008-01-12 11:28:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-01-12 11:26:33 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-01-12 08:24:20 0 d-------- C:\Program Files\MSBuild
2008-01-12 08:21:29 0 d-------- C:\WINDOWS\system32\XPSViewer
2008-01-12 08:20:53 0 d-------- C:\Program Files\Reference Assemblies
2008-01-12 08:19:28 0 d-------- C:\Program Files\Windows Media Connect 2
2008-01-12 08:18:31 0 d-------- C:\WINDOWS\system32\LogFiles
2008-01-12 08:18:31 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-12 08:14:48 0 d-------- C:\WINDOWS\RegisteredPackages
2008-01-12 08:13:12 0 d-------- C:\WINDOWS\system32\URTTemp
2008-01-12 02:40:10 0 d-------- C:\WINDOWS\network diagnostic
2008-01-12 01:55:53 0 d-------- C:\Program Files\MSXML 6.0
2008-01-11 22:38:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-01-11 22:36:21 0 d-------- C:\WINDOWS\system32\PreInstall
2008-01-11 22:29:25 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-01-11 22:26:33 0 d--hs---- C:\Documents and Settings\Administrator\UserData
2008-01-11 17:26:24 0 d-------- C:\Program Files\CONEXANT
2008-01-11 17:22:45 0 d-------- C:\Program Files\SigmaTel
2008-01-11 17:22:18 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Intel
2008-01-11 17:22:18 0 d-------- C:\Documents and Settings\LocalService\Application Data\Intel
2008-01-11 17:22:18 0 d-------- C:\Documents and Settings\Default User\Application Data\Intel
2008-01-11 17:22:18 0 d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-01-11 17:22:12 21425 --a------ C:\WINDOWS\system32\drivers\AegisP.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.6.0.0>
2008-01-11 17:21:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Intel
2008-01-11 17:21:12 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-01-11 17:21:09 0 d-------- C:\Program Files\Intel
2008-01-10 21:52:25 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-10 21:52:14 0 d-------- C:\Program Files\Broadcom
2008-01-10 21:52:04 0 d-------- C:\WINDOWS\Downloaded Installations
2008-01-10 21:52:04 0 d-------- C:\Program Files\Common Files\InstallShield
2008-01-10 20:37:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-01-10 20:37:45 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-01-10 20:37:45 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-01-10 20:37:45 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-01-10 20:37:45 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-01-10 20:37:45 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-01-10 20:37:45 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-01-10 20:37:45 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-01-10 20:37:45 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-01-10 20:37:45 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-01-10 20:37:44 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-01-10 20:37:44 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-01-10 20:37:44 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-01-10 20:37:44 4456448 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-01-10 20:37:40 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-01-10 20:37:38 0 d-------- C:\WINDOWS\Prefetch
2008-01-10 20:37:37 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-01-10 20:37:33 1572864 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-01-10 20:37:33 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-01-10 20:37:33 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2008-01-10 20:37:33 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-01-10 20:37:33 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-01-10 20:22:38 1572864 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-01-10 20:22:38 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-01-10 20:22:38 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2008-01-10 20:22:38 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-01-10 20:22:38 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-01-10 20:19:16 0 d-------- C:\WINDOWS\system32\xircom
2008-01-10 20:19:16 0 d-------- C:\Program Files\microsoft frontpage
2008-01-10 20:19:01 225280 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-01-10 20:19:01 0 d-------- C:\DELL
2008-01-10 20:18:50 0 d--h----- C:\WINDOWS\$hf_mig$
2008-01-10 20:18:31 0 -rahs---- C:\MSDOS.SYS
2008-01-10 20:18:31 0 -rahs---- C:\IO.SYS
2008-01-10 20:18:31 0 --a------ C:\CONFIG.SYS
2008-01-10 20:18:31 0 --a------ C:\AUTOEXEC.BAT
2008-01-10 20:17:25 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-01-10 20:17:16 0 dr------- C:\WINDOWS\Offline Web Pages
2008-01-10 20:17:15 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-01-10 20:17:04 0 d--h----- C:\Program Files\WindowsUpdate
2008-01-10 20:16:43 0 d-------- C:\WINDOWS\system32\DirectX
2008-01-10 20:16:08 0 d---s---- C:\WINDOWS\Tasks
2008-01-10 20:16:07 0 d-------- C:\Program Files\Common Files\MSSoap
2008-01-10 20:16:03 0 d-------- C:\WINDOWS\srchasst
2008-01-10 20:16:02 0 d-------- C:\WINDOWS\system32\Macromed
2008-01-10 20:15:53 0 d-------- C:\Program Files\Movie Maker
2008-01-10 20:15:44 0 d-------- C:\WINDOWS\system32\Restore
2008-01-10 20:15:01 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-01-10 20:14:44 0 d-------- C:\WINDOWS\Registration
2008-01-10 20:14:36 0 d-------- C:\Program Files\Online Services
2008-01-10 20:14:30 0 d-------- C:\Program Files\Messenger
2008-01-10 20:14:26 0 d-------- C:\Program Files\MSN Gaming Zone
2008-01-10 20:13:44 0 d-------- C:\Program Files\Windows NT
2008-01-10 20:13:41 0 d-------- C:\WINDOWS\system32\MsDtc
2008-01-10 20:13:39 0 d-------- C:\WINDOWS\system32\Com
2008-01-10 15:06:37 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-01-10 15:06:37 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-01-10 15:06:37 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-01-10 15:06:37 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-01-10 15:06:37 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-01-10 15:06:37 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-01-10 15:06:37 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-01-10 15:06:37 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-01-10 15:06:37 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-01-10 15:06:37 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-01-10 15:06:37 0 d--hs---- C:\Documents and Settings\Default User\Cookies
2008-01-10 15:06:37 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-01-10 15:06:37 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-01-10 15:06:37 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-01-10 15:06:37 0 dr------- C:\Documents and Settings\All Users\Documents
2008-01-10 15:06:37 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-01-10 15:06:06 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-01-10 15:06:06 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-01-10 15:06:06 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-01-10 15:06:06 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-01-10 13:13:43 0 d--hs---- C:\WINDOWS\Installer
2008-01-10 13:13:42 0 d-------- C:\Program Files\Common Files\ODBC
2008-01-10 13:13:39 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-01-10 13:13:38 0 dr------- C:\Program Files
2008-01-10 13:13:38 0 d-------- C:\Program Files\Common Files
2008-01-10 13:12:58 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-01-10 13:12:58 0 d-------- C:\WINDOWS\system32\CatRoot
2008-01-10 13:12:26 0 d-------- C:\Documents and Settings
2008-01-10 13:12:25 0 d--hs---- C:\System Volume Information
2008-01-10 13:02:02 0 d-------- C:\WINDOWS
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\WinSxS
2008-01-10 13:02:02 0 dr------- C:\WINDOWS\Web
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\twain_32
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\system32
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\system32\wins
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\system32\wbem
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\system32\usmt
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\system32\spool
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\system32\ShellExt
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\system32\Setup
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\system32\ras
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\system32\oobe
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\system32\npp
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\system32\mui
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\system32\inetsrv
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\system32\IME
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\system32\icsxml
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\system32\ias
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\system32\export
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\system32\drivers
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-01-10 13:02:02 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\system32\dhcp
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\system32\config
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\system32\3076
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\system32\2052
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\system32\1054
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\system32\1042
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\system32\1041
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\system32\1037
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\system32\1033
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\system32\1031
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\system32\1028
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\system32\1025
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\system
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\security
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\Resources
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\repair
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\Provisioning
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\PeerNet
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\pchealth
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\mui
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\msapps
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\msagent
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\Media
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\java
2008-01-10 13:02:02 0 d--h----- C:\WINDOWS\inf
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\ime
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\Help
2008-01-10 13:02:02 0 dr--s---- C:\WINDOWS\Fonts
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\ehome
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\Driver Cache
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\dell
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\Debug
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\Cursors
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\Connection Wizard
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\Config
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\AppPatch
2008-01-10 13:02:02 0 d-------- C:\WINDOWS\addins


-- Find3M Report ---------------------------------------------------------------

2008-01-21 14:31:28 34 --a------ C:\Documents and Settings\Administrator\Application Data\pcouffin.log
2008-01-21 14:31:23 1144 --a------ C:\Documents and Settings\Administrator\Application Data\pcouffin.inf
2008-01-21 14:31:23 7887 --a------ C:\Documents and Settings\Administrator\Application Data\pcouffin.cat
2008-01-10 15:06:37 62 --ahs---- C:\Documents and Settings\Administrator\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [02/21/2007 11:19 AM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [02/21/2007 11:17 AM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [06/06/2006 05:09 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [06/06/2006 05:06 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [06/06/2006 05:10 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [01/13/2008 01:19 AM]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [06/29/2006 12:13 PM]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [10/07/2005 02:13 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 07:51 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [01/10/2008 03:27 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [01/15/2008 03:22 AM]
"MSDrive"="C:\WINDOWS\system32\drvcem.dll" [01/21/2008 02:33 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [08/30/2007 05:43 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08/31/2007 04:46 PM]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [12/10/2007 10:12 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Y]
AutoRun\command- Y:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
AutoRun\command- Z:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b4c4faf-c2e3-11dc-967f-0012f0aa45fc}]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b4c4fb0-c2e3-11dc-967f-0012f0aa45fc}]
explore\Command- boot.exe
open\Command- boot.exe




-- End of Deckard's System Scanner: finished at 2008-01-24 11:19:18 ------------




#6 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario
  • Local time:04:14 PM

Posted 24 January 2008 - 06:04 PM

Hi,

Copy the following text to a new notepad file.
Save as fix.reg as file type: "all files".
Save to desktop but don't run yet.

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSDrive"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Y]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b4c4fb0-c2e3-11dc-967f-0012f0aa45fc}]

------------------------


Please disable your TeaTimer to prevent interference with fix.

1.) Open Spybot and click on Mode and check Advanced Mode
2.) Check yes to next window.
3.) Click on Tools in bottom left hand corner.
4.) Click on System Startup icon.
5.) Uncheck Teatimer box.
6.) Click Allow Change box.

You can follow this link if you need help: http://russelltexas.com/malware/teatimer.htm

Next, download, save and run this file:

http://downloads.subratam.org/ResetTeaTimer.bat

That will clear out TeaTimer's previous configurations.

Next:

Start Hijackthis
Click "config"
Click "misc tools"
Click "delete a file at reboot".
In next window paste in:

C:\WINDOWS\system32\drvcem.dll then click "open"
When asked to reboot say OK.

Allow machine to reboot.
Once restarted, locate "fix.reg" and double click it.
Allow the merge.
Should get success message.

Reboot once more -- post new Hijackthis log please.

Let me know how machine is running.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware
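As an added example that is not part of the thread, the following Python script triages the Registry Dump format from the Deckard's System Scanner log above: it flags the MSDrive DLL autostart and the MountPoints2 autorun commands, and renders a REGEDIT4 removal script of the same shape as the responder's fix.reg. The severity ratings and the KNOWN_LAUNCHERS allowlist are my own assumptions, and SAMPLE_DUMP is constructed from lines quoted in the log.

```python
"""Triage the Registry Dump of a Deckard's System Scanner log (added example, not
from the thread). Flags Run values naming a .dll (HijackThis showed MSDrive loading
it via rundll32) and MountPoints2 AutoRun/open/explore commands, which run when a
drive is double-clicked, then renders a REGEDIT4 script shaped like the responder's
fix.reg. SAMPLE_DUMP is constructed from lines quoted in the thread.
"""
import re
from dataclasses import dataclass

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"')
MP_LINE = re.compile(r"^(?P<verb>(?:AutoRun|open|explore)\\command)-\s*(?P<cmd>.+)$", re.IGNORECASE)
# U3 launcher shipped on some USB sticks: benign, and the responder left its key alone (assumed allowlist).
KNOWN_LAUNCHERS = {"launchu3.exe"}

@dataclass
class Finding:
    key: str       # registry key the entry lives under
    name: str      # value name (Run) or verb (MountPoints2)
    target: str    # path or command line
    severity: str  # "high", "medium" or "info"
    reason: str

def _run_finding(key, name, path):
    """Run values normally name an .exe; a bare .dll only executes via rundll32."""
    if path.lower().endswith(".dll"):
        return Finding(key, name, path, "high", "autostart value is a DLL loaded through rundll32")
    return None

def _mountpoint_finding(key, verb, cmd):
    """Rate a MountPoints2 command the way the responder triaged them above."""
    exe = cmd.split()[0]
    if "\\" not in exe and ":" not in exe:  # e.g. "boot.exe": resolved on the drive root
        return Finding(key, verb, cmd, "high", "relative command runs whatever sits on the drive root")
    if exe.split("\\")[-1].lower() in KNOWN_LAUNCHERS:
        return Finding(key, verb, cmd, "info", "known removable-media launcher")
    return Finding(key, verb, cmd, "medium", "drive-root autorun executable; confirm the drive should carry it")

def triage(dump_text):
    """Walk the dump line by line and return Finding objects in file order."""
    findings, key = [], None
    for raw in dump_text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group("key")
            continue
        if not line or key is None:
            continue
        f = None
        if key.lower().endswith("\\run"):
            m = RUN_LINE.match(line)
            f = _run_finding(key, m.group("name"), m.group("path")) if m else None
        elif "\\mountpoints2\\" in key.lower():
            m = MP_LINE.match(line)
            f = _mountpoint_finding(key, m.group("verb"), m.group("cmd")) if m else None
        if f is not None:
            findings.append(f)
    return findings

def build_fix_reg(findings):
    """Render a REGEDIT4 script removing every high/medium finding, deduplicated."""
    lines, seen = ["REGEDIT4", ""], set()
    for f in findings:
        if f.severity == "info":
            continue
        is_run = f.key.lower().endswith("\\run")
        ident = (f.key.lower(), f.name.lower() if is_run else "")
        if ident in seen:
            continue
        seen.add(ident)
        if is_run:
            lines += [f"[{f.key}]", f'"{f.name}"=-', ""]  # "=-" deletes one value
        else:
            lines += [f"[-{f.key}]", ""]  # leading "-" deletes the whole key
    return "\n".join(lines)

SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [06/06/2006 05:09 PM]
"MSDrive"="C:\WINDOWS\system32\drvcem.dll" [01/21/2008 02:33 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Y]
AutoRun\command- Y:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b4c4faf-c2e3-11dc-967f-0012f0aa45fc}]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b4c4fb0-c2e3-11dc-967f-0012f0aa45fc}]
explore\Command- boot.exe
open\Command- boot.exe
"""

if __name__ == "__main__":
    print(*triage(SAMPLE_DUMP), build_fix_reg(triage(SAMPLE_DUMP)), sep="\n")
```

Run against the sample, the script flags MSDrive and the boot.exe key as high, the Y: autorun as medium, and leaves the U3 launcher alone, matching the keys the responder chose to delete.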

#7 CaptainXX

CaptainXX
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:14 PM

Posted 25 January 2008 - 12:03 PM

Hello and thanks!

This appears to have taken care of the MalWareCrush icon in my system tray, but AVG is still periodically popping up with threat alerts. I always get 2 simultaneously. One is a seemingly randomly-named executable in C:\Windows\Temp and the other is an HTML file. AVG names the threat "Trojan Horse Agent.NJG." Examples:

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8VULU7I9\sdfsdf[1].htm
C:\WINDOWS\Temp\28FC4282.exe

Here is the new log:

-------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:57:18 AM, on 01/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Visual Studio\VB98\VB6.EXE
C:\WINDOWS\system32\notepad.exe
C:\Download\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200108488750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200156301609
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MissedMeds - Unknown owner - C:\Projects\eMedPass\MissedMeds\bin\missedmeds.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Xceed Chart for ASP.NET Renderer Service (Xceed.Chart.Renderer.Service) - Xceed Software Inc. - C:\Program Files\Xceed Components\Bin\.NET\Xceed.Chart.Renderer.Service.exe

--
End of file - 7648 bytes

#8 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario
  • Local time:04:14 PM

Posted 25 January 2008 - 03:25 PM

Hmmm

There should be 2 .dat files in this folder (maybe more) (qmgr*.dat)

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader

Application Data is hidden. So you need to show hidden files if you haven't already.

How to view Hidden files/folders.
http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/
don't forget to hide files/folders when we are finished cleaning.

Can you upload those dat files here please:

http://www.bleepingcomputer.com/submit-mal....php?channel=20

Please include URL to this thread so I know who those files belong to.

Possibly the BITS service is being used to download malware.

Thanks :thumbsup:

#9 CaptainXX

CaptainXX
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:14 PM

Posted 25 January 2008 - 04:04 PM

It's done, thanks!

And that may make sense; something else I have noticed is that when Windows first boots (every time) I get the Windows Update "Downloading updates" icon in the system tray for a few seconds. I had never seen this until recently.

Edited by CaptainXX, 25 January 2008 - 04:08 PM.


#10 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario
  • Local time:04:14 PM

Posted 26 January 2008 - 07:20 PM

Hi,

Those dat files are OK.
I kinda thought there would be some malicious URLs in them causing BITS to re-download malware.

I see you did use ComboFix recently though...
I'd like to see what it took out.

Can you post the log from it please?

C:\combofix.txt

If too big to post here -- zip & attach please.

Thanks :thumbsup:

#11 CaptainXX

CaptainXX
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:14 PM

Posted 30 January 2008 - 01:43 PM

Actually, I deleted all ComboFix files shortly after running it. Would it do any good to run it again and post the logs?

I am still struggling with this and am close to just reformatting my hard drive.

Yesterday the symptoms changed a little. It is now downloading .TMP files that SpyBot identifies as WIN32.Tiny.abk to C:/Windows/Temp on every boot. Since this started, my web browsing has been very slow and I have been unable to connect to other machines on my home network.

When I ran HiJackThis soon after booting, I noticed that C:\WINDOWS\system32\wuauclt.exe was listed as a running process. When I opened the folder to look at the file properties, I saw that there is also an application named wuauclt1.exe that has the fancy Windows Update icon while wuauclt.exe has a generic .EXE icon. On other XP Pro machines, both programs have the fancy icon. This caused me to think that the file had been replaced by something, so I copied over all files matching the pattern C:\WINDOWS\system32\wu*.* from another machine. I then did a reboot and saw that wuauclt.exe was again replaced. I ran Windows Update, and it did an install of its own ActiveX controls, which was a little weird since this was already installed, but that may have been because I was mucking with them. The only files it appears to have recopied (judging by the Date Created timestamp) are:

wuaucpl.cpl.mui
wuaueng.dll.mui
wucltui.dll.mui
wups2.dll

Also, when I go to Start > All Programs, at the top of the list of programs, Windows Update (pointing to %SystemRoot%\system32\wupdmgr.exe) appears with the fancy icon, but Microsoft Update (pointing to C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\muweb.dll,LaunchMUSite) appears with the generic icon.

Any ideas?

Here is the latest HijackThis log:

---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:24 AM, on 01/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Download\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200108488750
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200156301609
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MissedMeds - Unknown owner - C:\Projects\eMedPass\MissedMeds\bin\missedmeds.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Xceed Chart for ASP.NET Renderer Service (Xceed.Chart.Renderer.Service) - Xceed Software Inc. - C:\Program Files\Xceed Components\Bin\.NET\Xceed.Chart.Renderer.Service.exe

--
End of file - 8020 bytes

Edited by CaptainXX, 30 January 2008 - 01:45 PM.


#12 Blender ("I will eat your Malware"; Malware Response Team, 2,363 posts, Location: Ontario)

Posted 31 January 2008 - 05:52 AM

Hi,

Sorry for the delay. Bad storms kept me away and busy.

Those Windows update files sound right -- what are the file sizes please?

It won't hurt to run ComboFix, but please do grab the newest version.
Details of download locations and use of program here:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Make sure to perform the Recovery Console install please as an added safeguard.

Thanks

Blender

#13 CaptainXX (Topic Starter, Members, 8 posts)

Posted 31 January 2008 - 12:16 PM

Hi. No problem, thanks for the reply!

Here are the file sizes:

muweb.dll 203k
mucltui.dll.mui 30k
mucltui.dll 265k
wuapi.dll 537k
wuapi.dll.mui 26k
wuauclt1.exe 162k
wuauclt.exe 52k
wuaucpl.cpl 212k
wuaucpl.cpl.mui 26k
wuaueng1.dll 179k
wuaueng.dll 1637k
wuaueng.dll.mui 20k
wuauserv.dll 7k
wucltui.dll 319k
wucltui.dll.mui 34k
wupdmgr.exe 32k
wups2.dll 43k
wups.dll 33k
wuweb.dll 199k

I got a little eager and ran ComboFix before I remembered to install the Recovery Console. Sorry. Here is the log:
---------------------------------------------------------------------------------------------------------------------------------

ComboFix 08-01-31.5 - Administrator 2008-01-31 11:36:17.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))
.

2008-01-31 09:45 . 2008-01-31 09:45 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-31 09:45 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-31 09:45 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-30 13:14 . 2008-01-30 13:14 <DIR> d-------- C:\Documents and Settings\Administrator\DoctorWeb
2008-01-30 12:40 . 2008-01-30 12:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-01-30 12:36 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-01-30 12:36 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-30 12:36 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-30 12:36 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-30 12:36 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-30 12:16 . 2008-01-30 12:17 <DIR> d-------- C:\WINDOWS\system32\wu
2008-01-30 11:16 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-01-30 11:16 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-01-29 13:23 . 2008-01-29 13:23 <DIR> d-------- C:\Program Files\Network Traffic Monitor
2008-01-29 12:57 . 2008-01-29 13:00 <DIR> d-------- C:\Program Files\AWall
2008-01-24 16:45 . 2008-01-24 16:45 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-24 15:53 . 2008-01-31 11:41 3,059,744 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-24 15:53 . 2008-01-30 17:45 35,924 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-24 15:45 . 2008-01-24 15:45 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-01-24 15:41 . 2008-01-24 15:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-01-24 15:40 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-01-24 15:40 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-01-24 15:40 . 2008-01-24 15:45 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-01-24 15:38 . 2008-01-31 11:33 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-01-22 11:27 . 2008-01-22 14:01 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-22 11:27 . 2008-01-22 11:27 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-22 11:27 . 2008-01-22 11:27 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-22 11:27 . 2008-01-22 11:27 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-22 10:57 . 2008-01-22 10:57 2,782 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-21 17:22 . 2008-01-21 17:22 133 --a------ C:\WINDOWS\wininit.ini
2008-01-21 16:05 . 2008-01-21 16:05 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-21 16:05 . 2008-01-21 16:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-21 16:02 . 2008-01-21 16:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-21 15:37 . 2008-01-21 16:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-21 14:33 . 2008-01-21 14:33 54,764 --a------ C:\WINDOWS\system32\drivers\astq.tga
2008-01-21 14:31 . 2008-01-21 14:48 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Vso
2008-01-21 14:31 . 2006-09-29 11:24 217,127 --a------ C:\WINDOWS\system32\drv43260.dll_VIR
2008-01-21 14:31 . 2006-09-29 11:25 208,935 --a------ C:\WINDOWS\system32\drv33260.dll_VIR
2008-01-21 14:31 . 2006-09-29 11:26 176,165 --a------ C:\WINDOWS\system32\drv23260.dll_VIR
2008-01-21 14:31 . 2008-01-21 14:31 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-01-21 14:31 . 2008-01-21 14:31 47,360 --a------ C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
2008-01-18 07:34 . 2008-01-18 07:34 <DIR> d-------- C:\Program Files\Codec Pack - All In 1
2008-01-18 07:34 . 2008-01-18 07:33 737,280 --a------ C:\WINDOWS\iun6002.exe
2008-01-16 18:12 . 2008-01-31 09:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-16 18:12 . 2008-01-16 18:12 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-16 18:11 . 2008-01-22 12:55 <DIR> d-------- C:\Program Files\iTunes
2008-01-16 18:11 . 2008-01-16 18:11 <DIR> d-------- C:\Program Files\iPod
2008-01-16 18:09 . 2008-01-16 18:10 <DIR> d-------- C:\Program Files\QuickTime
2008-01-16 15:49 . 2008-01-16 15:49 <DIR> d-------- C:\Program Files\AuthenTec
2008-01-16 15:32 . 2008-01-16 15:32 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-01-16 14:21 . 2008-01-22 13:15 <DIR> d-------- C:\Program Files\SSCALWDG
2008-01-16 12:47 . 2008-01-16 12:47 <DIR> d-------- C:\Program Files\VideoSoft
2008-01-15 16:56 . 2008-01-15 16:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\3D Button Visual Editor
2008-01-15 13:42 . 2008-01-15 13:43 <DIR> d-------- C:\WINDOWS\Crystal
2008-01-15 13:42 . 2008-01-15 13:42 <DIR> d-------- C:\Program Files\Seagate Software
2008-01-15 13:42 . 2008-01-15 13:42 <DIR> d-------- C:\Program Files\MapInfo MapX
2008-01-15 13:13 . 2008-01-15 13:13 35,840 --a------ C:\WINDOWS\system32\MSADODC.oca
2008-01-15 13:12 . 2001-06-08 14:06 698,072 --a------ C:\WINDOWS\system32\CRViewer.dll
2008-01-15 13:12 . 2008-01-15 13:12 240,128 --a------ C:\WINDOWS\system32\COMCTL32.oca
2008-01-15 13:12 . 2008-01-15 13:12 52,224 --a------ C:\WINDOWS\system32\COMCT232.oca
2008-01-15 11:07 . 2006-10-17 08:52 32,768 --a------ C:\WINDOWS\system32\DBTools.dll
2008-01-15 09:42 . 2008-01-15 09:42 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-15 09:42 . 2008-01-21 11:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\U3
2008-01-14 15:21 . 2008-01-14 15:21 <DIR> d-------- C:\Program Files\Microsoft Works
2008-01-14 12:29 . 2008-01-14 12:29 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-01-14 12:28 . 2008-01-14 12:28 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-01-14 12:27 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-01-14 12:27 . 2003-11-11 11:16 266,296 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-01-14 12:27 . 2003-10-22 10:26 196,608 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-01-14 12:27 . 2003-07-21 14:24 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-01-14 12:27 . 2003-10-22 10:19 65,536 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-01-14 12:27 . 2003-07-25 12:20 61,699 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-01-14 12:27 . 2003-07-21 14:24 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-01-14 12:26 . 2008-01-14 12:28 16,920 --a------ C:\WINDOWS\hpwins02.dat
2008-01-14 12:26 . 2004-01-08 07:26 5,762 --------- C:\WINDOWS\hpwmdl02.dat
2008-01-14 11:56 . 2008-01-14 11:56 <DIR> d-------- C:\Program Files\Microsoft Device Emulator
2008-01-14 11:55 . 2008-01-14 11:55 <DIR> d-------- C:\Program Files\Microsoft SQL Server 2005 Mobile Edition
2008-01-14 11:51 . 2008-01-14 12:27 <DIR> d-------- C:\Program Files\HP
2008-01-14 11:49 . 2008-01-14 11:49 103 --a------ C:\WINDOWS\system32\hptrace.ini
2008-01-14 11:48 . 2008-01-14 12:26 1,579,219 --a------ C:\WINDOWS\hpoj9100.his
2008-01-14 11:48 . 2008-01-14 12:26 20,871 --a------ C:\WINDOWS\hpoj9100.ini
2008-01-14 11:47 . 2008-01-14 12:29 21,465 --a------ C:\WINDOWS\mariner.his
2008-01-14 11:47 . 2008-01-14 12:29 6,202 --a------ C:\WINDOWS\mariner.ini
2008-01-14 11:25 . 2008-01-14 11:25 <DIR> d-------- C:\WINDOWS\Symbols
2008-01-14 11:25 . 2008-01-14 11:37 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-01-14 11:25 . 2008-01-14 11:36 <DIR> d-------- C:\Program Files\HTML Help Workshop
2008-01-14 11:25 . 2008-01-14 11:32 <DIR> d-------- C:\Program Files\Common Files\Merge Modules
2008-01-14 11:25 . 2008-01-14 11:27 <DIR> d-------- C:\Program Files\Common Files\Business Objects
2008-01-14 11:25 . 2008-01-14 11:25 <DIR> d-------- C:\Program Files\CE Remote Tools
2008-01-14 11:25 . 2008-01-14 11:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PreEmptive Solutions
2008-01-14 10:30 . 2008-01-15 10:47 48,640 --a------ C:\WINDOWS\system32\MSMASK32.oca
2008-01-14 10:27 . 2001-04-03 16:32 497,352 --a------ C:\WINDOWS\system32\SSCALA32.OCX
2008-01-14 10:27 . 2008-01-14 10:27 17,408 --a------ C:\WINDOWS\system32\SYSINFO.oca
2008-01-14 10:21 . 2008-01-14 10:21 101,888 --a------ C:\WINDOWS\system32\THREED32.oca
2008-01-14 10:20 . 1997-05-20 14:50 200,704 --a------ C:\WINDOWS\system32\THREED32.OCX
2008-01-14 10:10 . 2008-01-14 10:11 <DIR> d-------- C:\Program Files\ComponentOne Studio
2008-01-14 09:51 . 2008-01-21 15:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2008-01-14 09:48 . 2008-01-21 15:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-01-14 09:43 . 2008-01-14 12:37 <DIR> d-------- C:\Program Files\Yahoo!
2008-01-13 23:01 . 2006-02-02 19:15 122,368 --a------ C:\WINDOWS\system32\MmsTemp.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 19:33 1,222,144 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-01-29 14:53 57,236 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2008_01_29_09_32_38_small.dmp.zip
2008-01-11 22:22 21,425 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-01-11 01:37 --------- d--h--w C:\Program Files\Uninstall Information
2008-01-11 01:19 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-14 21:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-24 06:47 96,760 ----a-w C:\WINDOWS\system32\dfshim.dll
2007-10-24 06:47 84,480 ----a-w C:\WINDOWS\system32\mscories.dll
2007-10-24 06:47 282,112 ----a-w C:\WINDOWS\system32\mscoree.dll
2007-10-24 06:47 158,720 ----a-w C:\WINDOWS\system32\mscorier.dll
2007-10-11 14:55 88,576 ----a-w C:\WINDOWS\system32\infocardapi.dll
2007-10-11 14:55 579,584 ----a-w C:\WINDOWS\system32\icardagt.exe
2007-10-11 14:55 11,776 ----a-w C:\WINDOWS\system32\icardres.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-10-09 18:03 779,800 ----a-w C:\WINDOWS\system32\PresentationNative_v0300.dll
2007-10-09 18:03 73,752 ----a-w C:\WINDOWS\system32\dxva2.dll
2007-10-09 18:03 493,080 ----a-w C:\WINDOWS\system32\evr.dll
2007-10-09 18:03 350,744 ----a-w C:\WINDOWS\system32\PresentationHost.exe
2007-10-09 18:03 33,304 ----a-w C:\WINDOWS\system32\PresentationHostProxy.dll
2007-10-09 18:03 161,304 ----a-w C:\WINDOWS\system32\UIAutomationCore.dll
2007-10-09 18:03 106,520 ----a-w C:\WINDOWS\system32\PresentationCFFRasterizerNative_v0300.dll
2007-10-09 18:03 1,986,072 ----a-w C:\WINDOWS\system32\milcore.dll
2007-10-09 17:58 16,896 ----a-w C:\WINDOWS\system32\tswpfwrp.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-24 15:45 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-01-24 15:45 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-12-10 10:12 695808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 11:19 819200]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 11:17 970752]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-06-06 17:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-06-06 17:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-06-06 17:10 118784]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-13 01:19 579072]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-06-29 12:13 1032192]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 14:13 176128]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"Network Traffic Monitor"="" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-13 01:19 219136]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

R1 vcdrom;Virtual CD-ROM Device Driver;C:\Download\MS XP Virtual CD-ROM\VCdRom.sys [2001-12-19 10:43]
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
S3 DCALEXICO;DCALEXICO;C:\WINDOWS\system32\drivers\DCalexico.sys []
S3 FLMCKUSB;AuthenTec TruePrint USB Driver (AES3400, AES3500, AES4000);C:\WINDOWS\system32\Drivers\FLMckUSB.sys [2004-03-17 11:59]
S3 MissedMeds;MissedMeds;"C:\Projects\eMedPass\MissedMeds\bin\missedmeds.exe" [2008-01-28 16:53]
S3 Xceed.Chart.Renderer.Service;Xceed Chart for ASP.NET Renderer Service;"C:\Program Files\Xceed Components\Bin\.NET\Xceed.Chart.Renderer.Service.exe" [2006-07-03 15:32]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2005-09-23 07:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b4c4faf-c2e3-11dc-967f-0012f0aa45fc}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 11:41:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-31 11:43:24
.
2008-01-15 15:05:24 --- E O F ---

#14 CaptainXX (Topic Starter, Members, 8 posts)

Posted 31 January 2008 - 04:12 PM

I don't know if this is helpful or not, but by using an IP traffic monitor, I determined that the Win32.Tiny.abk files that are appearing in C:\Windows\Temp are being downloaded at boot up by services.exe. AVG, Spybot, and Ad-Aware all say nothing is wrong with services.exe.

#15 Blender ("I will eat your Malware"; Malware Response Team, 2,363 posts, Location: Ontario)

Posted 31 January 2008 - 10:15 PM

Hi,

Looks like ComboFix found at least part of the problem:

2008-01-21 14:33 . 2008-01-21 14:33 54,764 --a------ C:\WINDOWS\system32\drivers\astq.tga

Variant of the Rustock backdoor/rootkit.

http://www.bleepingcomputer.com/startups/astq.tga-21611.html

Are you getting a lot of unexplainable SMTP traffic (outgoing email) too?

ComboFix sees the file but not the service in the registry.

This app should:

Download SDFix and save it to your Desktop.

In the event you already have SDFix, please delete it as this is a new version I need you to download.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt. (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

Let me know how system is running and if you can complete a virus scan.

Thanks :thumbsup:
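Editor's note: the checks Blender applied by eye above (a rundll32 autorun in the HijackThis O4 lines, a service with no company name in the O23 lines, and a non-driver file sitting in system32\drivers such as the astq.tga entry ComboFix listed in post #13) can be written down as a small triage script. The Python below is an added example for this thread; it is not a BleepingComputer, HijackThis or ComboFix tool, and the severities, regexes and the name "example.dll" in the constructed rundll32 line are this editor's own choices. The other sample lines are copied from the logs posted above. It reports a review list, not a verdict: a practitioner still has to confirm each hit, as with the MissedMeds service, which lives under C:\Projects and may well be the poster's own project.

```python
"""Triage heuristics over HijackThis (O4/O23) and ComboFix file-listing lines.

Added example for this thread, not part of HijackThis, ComboFix or SDFix.
Sample lines are copied from the logs posted above, except the rundll32
O4 entry, which is constructed with the placeholder name example.dll.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "high" or "review" (editor's own scale)
    source: str     # "O4", "O23" or "file"
    reason: str
    path: str


# HijackThis: O4 - HKLM\..\Run: [Name] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# HijackThis: O23 - Service: <display (short)> - <company> - <path>
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<company>.+?) - (?P<path>.+)$")
# rundll32[.exe] <dll>,<export>  (quoted or unquoted DLL path)
RUNDLL_RE = re.compile(r'(?i)\brundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S*)')
# ComboFix "Files Created" and "Find3M" lines:
#   created . modified size attrs path   |   modified size attrs path
CF_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?\s+"
    r"(?P<size>[\d,]+|<DIR>|-+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$")
DRIVERS_RE = re.compile(r"(?i)\\system32\\drivers\\[^\\]+$")


def check_o4(line):
    """Flag a Run-key entry that uses rundll32 to load a DLL by path."""
    m = O4_RE.match(line)
    if not m:
        return None
    r = RUNDLL_RE.search(m.group("cmd"))
    if r:
        return Finding("high", "O4",
                       "rundll32 autorun loads a DLL; verify its publisher before trusting it",
                       r.group("dll"))
    return None


def check_o23(line):
    """Flag a service whose binary carries no company/version information."""
    m = O23_RE.match(line)
    if not m:
        return None
    if m.group("company").strip().lower() == "unknown owner":
        return Finding("review", "O23", "service binary carries no company name",
                       m.group("path").strip())
    return None


def check_file(line):
    """Flag non-.sys files in the drivers directory and _VIR quarantine renames."""
    m = CF_RE.match(line)
    if not m or m.group("size") == "<DIR>":
        return None
    path = m.group("path").strip()
    low = path.lower()
    if DRIVERS_RE.search(path) and not low.endswith(".sys"):
        return Finding("high", "file", "non-.sys file in the drivers directory", path)
    if low.endswith("_vir"):
        return Finding("review", "file",
                       "renamed quarantine copy; confirm which scanner renamed it", path)
    return None


def triage(lines):
    """Run every check over every line; each line yields at most one finding."""
    findings = []
    for line in lines:
        line = line.rstrip()
        for check in (check_o4, check_o23, check_file):
            f = check(line)
            if f:
                findings.append(f)
                break
    return findings


# Sample input: lines from the posted logs plus one constructed rundll32 entry.
SAMPLE = r"""O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Example] rundll32.exe C:\WINDOWS\system32\example.dll,startup
O23 - Service: MissedMeds - Unknown owner - C:\Projects\eMedPass\MissedMeds\bin\missedmeds.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
2008-01-31 09:45 . 2008-01-31 09:45 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-30 11:16 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-01-21 14:33 . 2008-01-21 14:33 54,764 --a------ C:\WINDOWS\system32\drivers\astq.tga
2008-01-21 14:31 . 2006-09-29 11:24 217,127 --a------ C:\WINDOWS\system32\drv43260.dll_VIR"""

if __name__ == "__main__":
    for f in triage(SAMPLE.splitlines()):
        print(f"[{f.severity}] {f.source}: {f.reason} -> {f.path}")
```

Run against a whole pasted log, the script turns up the same four kinds of lines a helper scans for first, and nothing else; the ZoneAlarm fidbox.dat and fidbox.idx entries in the ComboFix listing would also be reported because they are not .sys files, which is exactly the kind of hit the reviewer then checks against the installed security suite before acting on it.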



