
Help With Trojan.ldpinch.l Infection


49 replies to this topic

#1 firebaad

Posted 31 January 2008 - 01:23 AM

Wow, what a nightmare. I started noticing problems when my XP system rebooted while using the cache cleaner tool in Zone Alarm 7.0. Next came the inability to boot into safe mode. Combofix showed me the errors in the SafeBoot reg keys and I eventually restored them using a registry export file found here:
http://blog.didierstevens.com/2007/02/19/r...ith-a-reg-file/
This fix allowed me to boot into safe mode.
I used several tools to try to kill the sob and I think I may have been successful. Ad-aware, Spybot SD, AVG and NOD32 all did not find it in normal or safe mode. Combofix and Spyware Dr did find it and I allowed Spyware Dr to clean it. I shut down System Restore prior to cleaning. However, I still find the registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSSYNC2020 and get an error when I try to delete it in both normal and safe mode.
The following are my HJT log along with the Combofix and Spyware Dr logs. Unfortunately, I do not have a before-cleaning HJT log. Spyware Dr also reported the Trojan.NirCmd associated with Combofix to be a threat. I believe this to be a false positive, but I allowed Spyware Dr to clean the "infection" anyway. Along the way, other nasties that I was unaware of were cleaned, as noted in the logs.
I am used to tackling my own PC problems, but I am not an expert and I hope I did not further complicate my problem.
Please advise as to how to proceed with the mssync2020 registry key.
And, am I still infected?

Thanks

FB706

ComboFix 08-01-23.1C - Chris 2008-01-27 3:04:09.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.697 [GMT -6:00]
Running from: C:\Documents and Settings\Chris\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
I:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://msgr.dlservice.microsoft.com
hxxp://javadl.sun.com
.
((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.

2008-01-27 03:02 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-26 17:03 . 2001-08-17 22:36 112,640 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-01-26 17:03 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-01-26 17:01 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-01-26 17:00 . 2002-08-29 03:41 3,494,303 --a--c--- C:\WINDOWS\system32\dllcache\nv4_disp.dll
2008-01-26 16:59 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-01-26 16:58 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-01-26 16:57 . 2001-08-17 22:36 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_smtpsnap.dll
2008-01-26 16:56 . 2002-05-14 12:08 872,557 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-01-25 01:01 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-24 18:39 . 2003-03-31 06:00 84,480 --a------ C:\WINDOWS\system32\compob.dll
2008-01-24 13:12 . 2008-01-24 13:12 <DIR> d-------- C:\Program Files\Uniblue
2008-01-24 12:53 . 2003-08-25 18:06 182,880 --a------ C:\WINDOWS\system32\iuengine.dll
2008-01-24 12:53 . 2003-08-25 18:06 182,880 --a--c--- C:\WINDOWS\system32\dllcache\iuengine.dll
2008-01-24 00:37 . 2008-01-24 00:38 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-23 16:53 . 2006-02-28 06:00 9,216 --a------ C:\WINDOWS\system32\winfax.dll
2008-01-23 16:53 . 2006-02-28 06:00 9,216 --a--c--- C:\WINDOWS\system32\dllcache\winfax.dll
2008-01-23 07:37 . 2008-01-23 07:37 <DIR> d-------- C:\VundoFix Backups
2008-01-22 19:46 . 2008-01-22 19:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-21 00:18 . 2007-04-19 14:43 557,295 --a------ C:\WINDOWS\_detmp.11
2008-01-21 00:18 . 2000-02-14 16:36 128,000 --a------ C:\WINDOWS\_detmp.12
2008-01-09 15:01 . 2008-01-09 15:01 53,248 --a------ C:\WINDOWS\bdoscandel.exe
2008-01-09 15:01 . 2008-01-09 15:01 453 --a------ C:\WINDOWS\bdoscandellang.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-25 04:05 2,022,400 ----a-w C:\WINDOWS\Internet Logs\xDB17.tmp
2008-01-23 13:27 --------- d-----w C:\Program Files\Java
2008-01-23 06:50 1,987,072 ----a-w C:\WINDOWS\Internet Logs\xDB16.tmp
2008-01-23 06:43 1,985,536 ----a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2008-01-21 06:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-21 06:13 --------- d-----w C:\Program Files\Norton SystemWorks
2008-01-17 06:00 27,136 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-01-17 06:00 1,927,680 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2008-01-17 05:53 392,704 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-01-17 05:53 1,926,144 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-01-17 02:51 1,915,392 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-01-14 09:45 1,903,104 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2007-12-31 18:05 1,885,696 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2007-12-31 18:04 1,153,024 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2007-12-24 09:45 1,872,896 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2007-12-24 09:42 1,872,896 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2007-12-24 09:40 1,872,896 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2007-12-24 09:37 1,872,896 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2007-12-24 09:35 1,872,896 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2007-12-24 09:33 1,872,896 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2007-12-22 07:22 145,153 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_12_22_01_16_38_small.dmp.zip
2007-12-21 14:21 33,800 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2007-12-21 14:20 30,216 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2007-12-21 14:19 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2007-12-17 09:45 1,858,048 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2007-12-17 09:43 1,858,048 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2007-12-17 09:40 1,858,048 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2007-12-17 09:38 1,858,048 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2007-12-17 09:33 1,857,536 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2007-12-10 18:05 1,848,320 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2007-11-14 22:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-10-01 10:02 137,486 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_09_23_23_13_23_small.dmp.zip
2007-10-01 10:02 135,342 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_09_27_17_15_46_small.dmp.zip
2005-04-13 15:49 13,375,268 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2005_04_11_20_50_58.dmp.zip
2004-10-21 15:55 7,724,518 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D25F899-68C1-49C9-8443-6E6D9B3A371C}]
2003-03-31 06:00 84480 --a------ C:\WINDOWS\System32\compob.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2003-03-31 06:00 145408]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2003-03-31 06:00 145408]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-06 09:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-06 09:07 114688]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 08:21 1443072]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [2004-09-16 16:15 538112]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-01-21 00:29 344064]

C:\Documents and Settings\Chris\Start Menu\Programs\Startup\
HotSync Manager.lnk - F:\XP HOME\Program Files\palm\HOTSYNC.EXE [2003-07-25 16:29:32 299008]
PC Atomic Sync.lnk.disabled [2005-04-25 21:48:44 686]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk.disabled [2006-05-07 14:09:06 896]
BigFix.lnk.disabled [2003-06-17 21:01:34 1540]
Device Detector 2.lnk.disabled [2005-04-29 08:12:56 1656]
Monitor.lnk - F:\XP HOME\Program Files\Sandisk Transfermate\SD Monitor.exe [2007-08-09 20:33:55 114688]
SmartGlobe.lnk.disabled [2007-01-15 14:47:42 703]

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Microsoft Works Update Detection"=c:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
"PC Alarm Clock"=F:\XPHOME~1\PROGRA~1\PCALAR~1\pac.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"ViewMgr"=C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
"SoundMan"=SOUNDMAN.EXE
"WinFaxAppPortStarter"=wfxsnt40.exe

R1 epfwtdir;epfwtdir;C:\WINDOWS\System32\DRIVERS\epfwtdir.sys [2007-12-21 08:21]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;F:\XP HOME\Program Files\Adobe\Photoshop Elemenets 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 03:47]
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamSvc.exe" [2006-06-29 17:54]
S3 JL2005C;Dual Mode Camera;C:\WINDOWS\System32\Drivers\jl2005c.sys [2007-01-26 20:09]
S3 PciTest;WinMTA PCI Service;C:\WINDOWS\SYSTEM32\DRIVERS\pcitest.sys [2003-11-25 23:58]
S3 PortlUSB;PortlUSB;C:\WINDOWS\System32\DRIVERS\SiriusUSB.sys []
S3 SNL320XP;SmartGlobe II;C:\WINDOWS\System32\DRIVERS\9kdUSBXP.sys [2006-07-07 14:10]
S3 VNUSB;VN Series Device;C:\WINDOWS\System32\DRIVERS\VNUSB.sys [2003-12-15 17:22]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-01-27 06:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-01-24 15:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-01-24 16:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-01-24 17:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-01-24 18:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-01-24 19:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-01-24 20:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-01-24 21:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-01-24 22:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-01-26 23:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-01-27 00:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-01-25 07:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-01-27 01:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-01-27 02:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-01-27 03:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-01-27 04:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-01-27 05:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-01-27 08:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-01-27 09:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-01-24 10:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-01-24 11:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-01-24 12:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-01-24 13:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-01-24 14:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-01-27 08:32:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 03:07:59
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\mssync20.dll 9216 bytes executable
C:\WINDOWS\system32\mssync20.exe 92392 bytes executable
C:\WINDOWS\system32\mssync20.sys 8704 bytes executable
C:\WINDOWS\system32\mssync20.tlb 5756 bytes

scan completed successfully
hidden files: 4

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mssync20"="C:\\WINDOWS\\System32\\mssync20.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\mssync2020]
"ImagePath"="\??\C:\WINDOWS\System32\mssync20.sys"
.
Completion time: 2008-01-27 3:08:57
ComboFix-quarantined-files.txt 2008-01-27 09:08:52

________________________________________________________________________________________________


Contents of ComboFix-quarantined-files.txt

2005-11-15 12:08 36 --a------ C:\Qoobox\Quarantine\I\autorun.inf.vir
2007-05-09 11:50 5330 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat.vir
2007-05-20 14:57 4232 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat.vir

________________________________________________________________________________________________

PC Tools Spyware Doctor
Date Status
1/28/2008 2:44:48 AM:968 Service Started
Spyware Doctor Service Application started
1/28/2008 2:45:18 AM:187 Scan Started
Scan Type - Intelli-Scan

1/28/2008 2:45:22 AM:953 OnGuards status
All OnGuards were Enabled
1/28/2008 2:46:06 AM:406 Infection was detected on this computer
Threat Name - Trojan.LdPinch.L
Type - File
Risk Level - High
Infection - C:\WINDOWS\SYSTEM32\mssync20.exe

1/28/2008 2:46:06 AM:421 Infection was detected on this computer
Threat Name - Trojan.LdPinch.L
Type - File
Risk Level - High
Infection - C:\WINDOWS\SYSTEM32\mssync20.sys

1/28/2008 2:46:06 AM:437 Infection was detected on this computer
Threat Name - Trojan.LdPinch.L
Type - File
Risk Level - High
Infection - C:\WINDOWS\SYSTEM32\mssync20.tlb

1/28/2008 2:46:15 AM:718 Infection was detected on this computer
Threat Name - Trojan-PWS.Tanspy
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load

1/28/2008 2:46:36 AM:375 Infection was detected on this computer
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_USERS\S-1-5-21-1886036211-3956415644-789767485-1005\Software\Microsoft\Windows\CurrentVersion\Explorer, mssync20

1/28/2008 2:46:36 AM:687 Infection was detected on this computer
Threat Name - Trojan.Generic
Type - Registry Key
Risk Level - Medium
Infection - HKEY_USERS\S-1-5-21-1886036211-3956415644-789767485-1005\Software\Wget

1/28/2008 2:48:11 AM:218 Immunizer Results
ActiveX section has been immunized, Processed 4043 items.
1/28/2008 2:48:35 AM:500 Scan Finished
Scan Type - Intelli-Scan
Items Processed - 180220
Threats Detected - 3
Infections Detected - 6
Infections Ignored - 0

1/28/2008 2:49:02 AM:15 Infection quarantined
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_USERS\S-1-5-21-1886036211-3956415644-789767485-1005\Software\Microsoft\Windows\CurrentVersion\Explorer, mssync20

1/28/2008 2:49:02 AM:125 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_USERS\S-1-5-21-1886036211-3956415644-789767485-1005\Software\Microsoft\Windows\CurrentVersion\Explorer, mssync20

1/28/2008 2:49:02 AM:234 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - File
Risk Level - High
Infection - C:\WINDOWS\SYSTEM32\mssync20.tlb

1/28/2008 2:49:02 AM:328 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - File
Risk Level - High
Infection - C:\WINDOWS\SYSTEM32\mssync20.sys

1/28/2008 2:49:02 AM:437 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - File
Risk Level - High
Infection - C:\WINDOWS\SYSTEM32\mssync20.exe

1/28/2008 2:49:02 AM:531 Infection quarantined
Threat Name - Trojan-PWS.Tanspy
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load

1/28/2008 2:49:02 AM:609 Infection cleaned
Threat Name - Trojan-PWS.Tanspy
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load

1/28/2008 2:49:02 AM:781 Infection quarantined
Threat Name - Trojan.Generic
Type - Registry Key
Risk Level - Medium
Infection - HKEY_USERS\S-1-5-21-1886036211-3956415644-789767485-1005\Software\Wget

1/28/2008 2:49:02 AM:843 Infection cleaned
Threat Name - Trojan.Generic
Type - Registry Key
Risk Level - Medium
Infection - HKEY_USERS\S-1-5-21-1886036211-3956415644-789767485-1005\Software\Wget

1/28/2008 2:49:05 AM:328 Infections Quarantined/Removed Summary
Quarantined - 3
Quarantine Failed - 3
Removed - 6
Remove Failed - 0

1/28/2008 2:49:48 AM:734 Service Stopped
Spyware Doctor Service Application Stopped
1/28/2008 2:52:01 AM:640 Service Started
Spyware Doctor Service Application started
1/28/2008 2:52:01 AM:890 OnGuards status
All OnGuards were Enabled
1/28/2008 2:52:04 AM:296 Immunizer Results
ActiveX section has been immunized, Processed 52 items.
1/28/2008 2:59:03 AM:343 Service Stopped
Spyware Doctor Service Application Stopped
1/28/2008 3:01:58 AM:328 Service Started
Spyware Doctor Service Application started
1/28/2008 3:04:44 AM:921 Scan Started
Scan Type - Intelli-Scan

1/28/2008 3:05:04 AM:984 Infection was detected on this computer
Threat Name - Trojan.NirCmd
Type - Registry Value
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, combofix_wow

1/28/2008 3:05:04 AM:984 Infection was detected on this computer
Threat Name - Trojan.NirCmd
Type - Registry Value
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, Runs

1/28/2008 3:05:04 AM:984 Infection was detected on this computer
Threat Name - Trojan.NirCmd
Type - Registry Key
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware

1/28/2008 3:05:05 AM:62 Infection was detected on this computer
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020, NextInstance

1/28/2008 3:05:05 AM:78 Infection was detected on this computer
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020\0000, Service

1/28/2008 3:05:05 AM:78 Infection was detected on this computer
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020\0000, Legacy

1/28/2008 3:05:05 AM:78 Infection was detected on this computer
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020\0000, ConfigFlags

1/28/2008 3:05:05 AM:78 Infection was detected on this computer
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020\0000, Class

1/28/2008 3:05:05 AM:78 Infection was detected on this computer
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020\0000, ClassGUID

1/28/2008 3:05:05 AM:78 Infection was detected on this computer
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020\0000, DeviceDesc

1/28/2008 3:05:05 AM:93 Infection was detected on this computer
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020\0000, Capabilities

1/28/2008 3:05:05 AM:93 Infection was detected on this computer
Threat Name - Trojan.LdPinch.L
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020\0000\Control

1/28/2008 3:05:05 AM:93 Infection was detected on this computer
Threat Name - Trojan.LdPinch.L
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020\0000

1/28/2008 3:05:05 AM:109 Infection was detected on this computer
Threat Name - Trojan.LdPinch.L
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020

1/28/2008 3:05:05 AM:125 Infection was detected on this computer
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020, Type

1/28/2008 3:05:05 AM:125 Infection was detected on this computer
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020, Start

1/28/2008 3:05:05 AM:125 Infection was detected on this computer
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020, ErrorControl

1/28/2008 3:05:05 AM:125 Infection was detected on this computer
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020, ImagePath

1/28/2008 3:05:05 AM:125 Infection was detected on this computer
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020, DisplayName

1/28/2008 3:05:05 AM:125 Infection was detected on this computer
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020\Security, Security

1/28/2008 3:05:05 AM:125 Infection was detected on this computer
Threat Name - Trojan.LdPinch.L
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020\Security

1/28/2008 3:05:05 AM:140 Infection was detected on this computer
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020\Enum, 0

1/28/2008 3:05:05 AM:140 Infection was detected on this computer
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020\Enum, Count

1/28/2008 3:05:05 AM:140 Infection was detected on this computer
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020\Enum, NextInstance

1/28/2008 3:05:05 AM:140 Infection was detected on this computer
Threat Name - Trojan.LdPinch.L
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020\Enum

1/28/2008 3:05:05 AM:140 Infection was detected on this computer
Threat Name - Trojan.LdPinch.L
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020

1/28/2008 3:05:50 AM:15 Infection was detected on this computer
Threat Name - Trojan.LdPinch.L
Type - Startup
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mssync2020, ImagePath = \??\C:\WINDOWS\System32\mssync20.sys

1/28/2008 3:05:50 AM:984 Infection was detected on this computer
Threat Name - Trojan.LdPinch.L
Type - Startup
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\mssync2020, ImagePath = \??\C:\WINDOWS\System32\mssync20.sys

1/28/2008 3:05:51 AM:718 Infection was detected on this computer
Threat Name - Trojan.LdPinch.L
Type - Startup
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\mssync2020, ImagePath = \??\C:\WINDOWS\System32\mssync20.sys

1/28/2008 3:05:52 AM:468 Infection was detected on this computer
Threat Name - Trojan.LdPinch.L
Type - Startup
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020, ImagePath = \??\C:\WINDOWS\System32\mssync20.sys

1/28/2008 3:07:34 AM:546 Infection was detected on this computer
Threat Name - Trojan.NirCmd
Type - Folder
Risk Level - Medium
Infection - C:\ComboFix\

1/28/2008 3:07:34 AM:562 Scan Finished
Scan Type - Intelli-Scan
Items Processed - 107683
Threats Detected - 2
Infections Detected - 31
Infections Ignored - 0

1/28/2008 3:08:28 AM:78 Infection quarantined
Threat Name - Trojan.NirCmd
Type - Folder
Risk Level - Medium
Infection - C:\ComboFix\

1/28/2008 3:08:28 AM:109 Infection quarantined
Threat Name - Trojan.NirCmd
Type - Registry Key
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware

1/28/2008 3:08:28 AM:125 Infection quarantined
Threat Name - Trojan.NirCmd
Type - Registry Value
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, Runs

1/28/2008 3:08:28 AM:125 Infection quarantined
Threat Name - Trojan.NirCmd
Type - Registry Value
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, combofix_wow

1/28/2008 3:08:28 AM:218 Infection cleaned
Threat Name - Trojan.NirCmd
Type - Folder
Risk Level - Medium
Infection - C:\ComboFix\

1/28/2008 3:08:28 AM:234 Infection cleaned
Threat Name - Trojan.NirCmd
Type - Registry Key
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware

1/28/2008 3:08:28 AM:234 Infection cleaned
Threat Name - Trojan.NirCmd
Type - Registry Value
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, Runs

1/28/2008 3:08:28 AM:234 Infection cleaned
Threat Name - Trojan.NirCmd
Type - Registry Value
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, combofix_wow

1/28/2008 3:08:28 AM:328 Infection quarantined
Threat Name - Trojan.LdPinch.L
Type - Startup
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020, ImagePath = \??\C:\WINDOWS\System32\mssync20.sys

1/28/2008 3:08:28 AM:343 Infection quarantined
Threat Name - Trojan.LdPinch.L
Type - Startup
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\mssync2020, ImagePath = \??\C:\WINDOWS\System32\mssync20.sys

1/28/2008 3:08:28 AM:359 Infection quarantined
Threat Name - Trojan.LdPinch.L
Type - Startup
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\mssync2020, ImagePath = \??\C:\WINDOWS\System32\mssync20.sys

1/28/2008 3:08:28 AM:359 Infection quarantined
Threat Name - Trojan.LdPinch.L
Type - Startup
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mssync2020, ImagePath = \??\C:\WINDOWS\System32\mssync20.sys

1/28/2008 3:08:28 AM:375 Infection quarantined
Threat Name - Trojan.LdPinch.L
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020

1/28/2008 3:08:28 AM:390 Infection quarantined
Threat Name - Trojan.LdPinch.L
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020\Enum

1/28/2008 3:08:28 AM:390 Infection quarantined
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020\Enum, NextInstance

1/28/2008 3:08:28 AM:406 Infection quarantined
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020\Enum, Count

1/28/2008 3:08:28 AM:453 Infection quarantined
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020\Enum, 0

1/28/2008 3:08:28 AM:468 Infection quarantined
Threat Name - Trojan.LdPinch.L
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020\Security

1/28/2008 3:08:28 AM:468 Infection quarantined
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020\Security, Security

1/28/2008 3:08:28 AM:484 Infection quarantined
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020, DisplayName

1/28/2008 3:08:28 AM:484 Infection quarantined
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020, ImagePath

1/28/2008 3:08:28 AM:500 Infection quarantined
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020, ErrorControl

1/28/2008 3:08:28 AM:500 Infection quarantined
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020, Start

1/28/2008 3:08:28 AM:515 Infection quarantined
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020, Type

1/28/2008 3:08:28 AM:531 Infection quarantined
Threat Name - Trojan.LdPinch.L
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020

1/28/2008 3:08:28 AM:718 Infection quarantined
Threat Name - Trojan.LdPinch.L
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020\0000

1/28/2008 3:08:28 AM:734 Infection quarantined
Threat Name - Trojan.LdPinch.L
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020\0000\Control

1/28/2008 3:08:28 AM:734 Infection quarantined
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020\0000, Capabilities

1/28/2008 3:08:28 AM:750 Infection quarantined
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020\0000, DeviceDesc

1/28/2008 3:08:28 AM:750 Infection quarantined
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020\0000, ClassGUID

1/28/2008 3:08:28 AM:765 Infection quarantined
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020\0000, Class

1/28/2008 3:08:28 AM:765 Infection quarantined
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020\0000, ConfigFlags

1/28/2008 3:08:28 AM:781 Infection quarantined
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020\0000, Legacy

1/28/2008 3:08:28 AM:781 Infection quarantined
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020\0000, Service

1/28/2008 3:08:28 AM:796 Infection quarantined
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020, NextInstance

1/28/2008 3:08:29 AM:0 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - Startup
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020, ImagePath = \??\C:\WINDOWS\System32\mssync20.sys

1/28/2008 3:08:29 AM:0 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - Startup
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\mssync2020, ImagePath = \??\C:\WINDOWS\System32\mssync20.sys

1/28/2008 3:08:29 AM:0 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - Startup
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\mssync2020, ImagePath = \??\C:\WINDOWS\System32\mssync20.sys

1/28/2008 3:08:29 AM:0 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - Startup
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mssync2020, ImagePath = \??\C:\WINDOWS\System32\mssync20.sys

1/28/2008 3:08:29 AM:15 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020

1/28/2008 3:08:29 AM:15 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020\Enum

1/28/2008 3:08:29 AM:15 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020\Enum, NextInstance

1/28/2008 3:08:29 AM:15 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020\Enum, Count

1/28/2008 3:08:29 AM:15 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020\Enum, 0

1/28/2008 3:08:29 AM:15 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020\Security

1/28/2008 3:08:29 AM:15 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020\Security, Security

1/28/2008 3:08:29 AM:15 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020, DisplayName

1/28/2008 3:08:29 AM:15 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020, ImagePath

1/28/2008 3:08:29 AM:15 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020, ErrorControl

1/28/2008 3:08:29 AM:15 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020, Start

1/28/2008 3:08:29 AM:15 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020, Type

1/28/2008 3:08:29 AM:15 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020

1/28/2008 3:08:29 AM:15 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020\0000

1/28/2008 3:08:29 AM:15 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020\0000\Control

1/28/2008 3:08:29 AM:15 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020\0000, Capabilities

1/28/2008 3:08:29 AM:15 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020\0000, DeviceDesc

1/28/2008 3:08:29 AM:15 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020\0000, ClassGUID

1/28/2008 3:08:29 AM:31 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020\0000, Class

1/28/2008 3:08:29 AM:31 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020\0000, ConfigFlags

1/28/2008 3:08:29 AM:31 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020\0000, Legacy

1/28/2008 3:08:29 AM:31 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020\0000, Service

1/28/2008 3:08:29 AM:31 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020, NextInstance

1/28/2008 3:08:31 AM:46 Infections Quarantined/Removed Summary
Quarantined - 31
Quarantine Failed - 0
Removed - 31
Remove Failed - 0

1/28/2008 3:11:59 AM:421 Service Stopped
Spyware Doctor Service Application Stopped
1/28/2008 3:18:11 AM:281 Service Started
Spyware Doctor Service Application started
1/28/2008 3:18:11 AM:500 OnGuards status
All OnGuards were Enabled
1/28/2008 3:18:13 AM:500 Immunizer Results
ActiveX section has been immunized. No items were processed.
1/28/2008 3:22:34 AM:46 Scan Started
Scan Type - Intelli-Scan

1/28/2008 3:24:14 AM:156 Scan Finished
Scan Type - Intelli-Scan
Items Processed - 152731
Threats Detected - 0
Infections Detected - 0
Infections Ignored - 0

1/28/2008 3:25:53 AM:140 Service Stopped
Spyware Doctor Service Application Stopped
1/28/2008 3:28:40 AM:515 Service Started
Spyware Doctor Service Application started
1/28/2008 3:32:04 AM:828 Scan Started
Scan Type - Intelli-Scan

1/28/2008 3:35:10 AM:437 Scan Finished
Scan Type - Intelli-Scan
Items Processed - 107723
Threats Detected - 0
Infections Detected - 0
Infections Ignored - 0

1/28/2008 3:38:04 AM:406 Service Stopped
Spyware Doctor Service Application Stopped
1/28/2008 3:44:24 AM:125 Service Started
Spyware Doctor Service Application started
1/28/2008 3:44:24 AM:250 OnGuards status
All OnGuards were Enabled
1/28/2008 3:44:26 AM:796 Immunizer Results
ActiveX section has been immunized. No items were processed.
1/28/2008 3:52:32 AM:140 OnGuard Detection Cleaned
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - usaa.com/ usaa.com

1/28/2008 4:04:13 AM:31 Scan Started
Scan Type - Intelli-Scan

1/28/2008 4:04:29 AM:109 Scan Finished
Scan Type - Intelli-Scan
Items Processed - 251
Threats Detected - 0
Infections Detected - 0
Infections Ignored - 0

1/28/2008 4:04:34 AM:687 Scan Started
Scan Type - Full Scan

1/28/2008 4:17:01 AM:31 Immunizer Results
ActiveX section has been immunized. No items were processed.
1/28/2008 4:18:40 AM:437 Immunizer Results
ActiveX section has been immunized. No items were processed.
1/28/2008 4:21:01 AM:171 Infection was detected on this computer
Threat Name - Trojan.NirCmd
Type - File
Risk Level - Medium
Infection - C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE

1/28/2008 4:25:32 AM:203 Infection was detected on this computer
Threat Name - Trojan.NirCmd
Type - File
Risk Level - Medium
Infection - C:\WINDOWS\Nircmd.exe

1/28/2008 4:31:50 AM:468 Infection was detected on this computer
Threat Name - Trojan.NirCmd
Type - File
Risk Level - Medium
Infection - C:\WINDOWS\system32\swxcacls.exe

1/28/2008 5:08:11 AM:109 Scan Finished
Scan Type - Full Scan
Items Processed - 275586
Threats Detected - 1
Infections Detected - 3
Infections Ignored - 0

1/28/2008 5:58:18 AM:93 Infection quarantined
Threat Name - Trojan.NirCmd
Type - File
Risk Level - Medium
Infection - C:\WINDOWS\system32\swxcacls.exe

1/28/2008 5:58:18 AM:171 Infection quarantined
Threat Name - Trojan.NirCmd
Type - File
Risk Level - Medium
Infection - C:\WINDOWS\Nircmd.exe

1/28/2008 5:58:18 AM:421 Infection quarantined
Threat Name - Trojan.NirCmd
Type - File
Risk Level - Medium
Infection - C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE

1/28/2008 5:58:18 AM:640 Infection cleaned
Threat Name - Trojan.NirCmd
Type - File
Risk Level - Medium
Infection - C:\WINDOWS\system32\swxcacls.exe

1/28/2008 5:58:18 AM:703 Infection cleaned
Threat Name - Trojan.NirCmd
Type - File
Risk Level - Medium
Infection - C:\WINDOWS\Nircmd.exe

1/28/2008 5:58:19 AM:203 Infection cleaned
Threat Name - Trojan.NirCmd
Type - File
Risk Level - Medium
Infection - C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE

1/28/2008 5:58:22 AM:359 Infections Quarantined/Removed Summary
Quarantined - 3
Quarantine Failed - 0
Removed - 3
Remove Failed - 0

1/28/2008 6:03:02 AM:453 Service Stopped
Spyware Doctor Service Application Stopped
1/28/2008 6:06:28 AM:109 Service Started
Spyware Doctor Service Application started
1/28/2008 6:06:29 AM:953 OnGuards status
All OnGuards were Enabled
1/28/2008 6:06:36 AM:953 Immunizer Results
ActiveX section has been immunized, Processed 3 items.
1/28/2008 6:26:31 AM:718 Immunizer Results
ActiveX section has been immunized. No items were processed.
1/28/2008 6:48:43 AM:187 Scan Started
Scan Type - Intelli-Scan

1/28/2008 6:50:30 AM:687 Scan Finished
Scan Type - Intelli-Scan
Items Processed - 176213
Threats Detected - 0
Infections Detected - 0
Infections Ignored - 0

________________________________________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:26 PM, on 1/30/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
F:\XP HOME\Program Files\Adobe\Photoshop Elemenets 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
F:\XP HOME\Program Files\Sandisk Transfermate\SD Monitor.exe
F:\XP HOME\Program Files\palm\HOTSYNC.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\crusty.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.satx.rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: EVoIpSessionCookie Class - {424B6AD1-785D-43e7-9C9B-AB96E77477D0} - C:\Program Files\attcv\Programs\EVoIPAxCtrls.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\XP HOME\Canon Printer\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - Startup: HotSync Manager.lnk = F:\XP HOME\Program Files\palm\HOTSYNC.EXE
O4 - Startup: PC Atomic Sync.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: BigFix.lnk.disabled
O4 - Global Startup: Device Detector 2.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = F:\XP HOME\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor.lnk = F:\XP HOME\Program Files\Sandisk Transfermate\SD Monitor.exe
O4 - Global Startup: SmartGlobe.lnk.disabled
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\XPHOME~1\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://F:\XP HOME\Canon Printer\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://F:\XP HOME\Canon Printer\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://F:\XP HOME\Canon Printer\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://F:\XP HOME\Canon Printer\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - F:\XP HOME\Program Files\Adobe\Photoshop Elemenets 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8100 bytes
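The Spyware Doctor log above records every quarantine and clean as a timestamped block of "Key - Value" lines, followed by a summary block with the quarantined/removed counts. As an added example (not from the thread and not PC Tools' software), here is a Python parser for that format that reconciles quarantined items against cleaned ones, checks the summary counts against the records, and reports registry sub-paths that were cleaned under CurrentControlSet but not under a numbered control set. The sample log is constructed in the posted format and includes one deliberate gap. In the posted log itself, Enum\Root\LEGACY_MSSYNC2020 was cleaned only under CurrentControlSet, while Services\mssync2020 was also cleaned under ControlSet002 to ControlSet004, which is consistent with the leftover key the poster reports under ControlSet002.

```python
"""Parse a Spyware Doctor event log (format as posted in this thread) and
reconcile what was quarantined against what was cleaned.

Added example; not part of the thread or of PC Tools' product.
"""
import re
from collections import defaultdict

# Header line of every record: "M/D/YYYY H:MM:SS AM:mmm <event text>"
HEADER_RE = re.compile(
    r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M):(\d+) (.+)$")
# Registry items in the log: hive, SYSTEM, a control set, then the sub-path
CONTROLSET_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\(.+)$",
    re.IGNORECASE)

# Constructed sample in the posted format; it is NOT the poster's full log.
# It deliberately quarantines a ControlSet002 key that is never cleaned.
SAMPLE_LOG = r"""
1/28/2008 3:08:28 AM:484 Infection quarantined
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020, ImagePath

1/28/2008 3:08:28 AM:531 Infection quarantined
Threat Name - Trojan.LdPinch.L
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020

1/28/2008 3:08:28 AM:600 Infection quarantined
Threat Name - Trojan.LdPinch.L
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSSYNC2020

1/28/2008 3:08:29 AM:0 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - Startup
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020, ImagePath = \??\C:\WINDOWS\System32\mssync20.sys

1/28/2008 3:08:29 AM:0 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - Startup
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mssync2020, ImagePath = \??\C:\WINDOWS\System32\mssync20.sys

1/28/2008 3:08:29 AM:15 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssync2020, ImagePath

1/28/2008 3:08:29 AM:15 Infection cleaned
Threat Name - Trojan.LdPinch.L
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSSYNC2020

1/28/2008 3:08:31 AM:46 Infections Quarantined/Removed Summary
Quarantined - 3
Quarantine Failed - 0
Removed - 4
Remove Failed - 0

1/28/2008 3:11:59 AM:421 Service Stopped
Spyware Doctor Service Application Stopped
"""


def parse_log(text):
    """Return one dict per timestamped record; 'Key - Value' lines become fields,
    free-text lines (e.g. service status messages) go into 'detail'."""
    records, rec = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            rec = {"time": m.group(1), "ms": int(m.group(2)),
                   "event": m.group(3), "detail": []}
            records.append(rec)
            continue
        if rec is None:
            continue  # stray text before the first header
        key, sep, value = line.partition(" - ")
        if sep:
            rec[key] = value
        else:
            rec["detail"].append(line)
    return records


def item_key(rec):
    """Identity of an infection item: threat name plus the registry/file path,
    ignoring the '= value' suffix that cleaned 'Startup' entries carry."""
    target = rec.get("Infection", "").split(" = ", 1)[0]
    return (rec.get("Threat Name"), target.lower())


def reconcile(records):
    """Compare quarantined items with cleaned items and the summary counts."""
    q_recs = [r for r in records if r["event"] == "Infection quarantined"]
    c_recs = [r for r in records if r["event"] == "Infection cleaned"]
    summaries = [r for r in records
                 if r["event"] == "Infections Quarantined/Removed Summary"]
    quarantined = {item_key(r) for r in q_recs}
    cleaned = {item_key(r) for r in c_recs}
    summary_q = sum(int(s.get("Quarantined", 0)) for s in summaries)
    summary_r = sum(int(s.get("Removed", 0)) for s in summaries)
    failed = sum(int(s.get("Quarantine Failed", 0)) +
                 int(s.get("Remove Failed", 0)) for s in summaries)
    return {
        "quarantined": len(quarantined),
        "cleaned": len(cleaned),
        "quarantined_not_cleaned": sorted(quarantined - cleaned),
        "failed": failed,
        "summary_matches": (summary_q, summary_r) == (len(q_recs), len(c_recs)),
    }


def cleaned_by_control_set(records):
    """Map each control set named in the log to the sub-paths cleaned under it."""
    by_cs = defaultdict(set)
    for r in records:
        if r["event"] != "Infection cleaned":
            continue
        m = CONTROLSET_RE.match(r.get("Infection", "").split(" = ", 1)[0])
        if m:
            by_cs[m.group(1)].add(m.group(2).lower())
    return by_cs


def control_set_gaps(records, reference="CurrentControlSet"):
    """Sub-paths cleaned under `reference` but not under another control set.
    Caveat: CurrentControlSet is an alias of one numbered set, and the log does
    not say which, so that set would show up here as a false gap if it appeared."""
    by_cs = cleaned_by_control_set(records)
    ref = by_cs.get(reference, set())
    return {cs: sorted(ref - paths) for cs, paths in by_cs.items()
            if cs != reference}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(reconcile(recs))
    print(control_set_gaps(recs))
```

On the constructed sample the reconciliation reports one item quarantined but never cleaned, and the control-set check reports Enum\Root\LEGACY_MSSYNC2020 as missing under ControlSet002; the same checks run unchanged over a log pasted from the product.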


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:09:45 PM

Posted 11 February 2008 - 09:08 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum.
My name is Richie and I'll be helping you to fix your problems.

Apologies for the late response, as I'm sure you can appreciate we are extremely busy.

If you've already received help at another forum and your issues have been resolved, or you're presently receiving help elsewhere, then please let us know.

If you have not followed the info in the link below prior to posting your log then please do so now:
Preparation Guide for use before posting a HijackThis Log:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If you still require help, please post a new HijackThis log into this topic in your next reply.

Also post a detailed description of the issues you're experiencing.

*Note*
Post all reports/logs directly into this topic, not as attachments, thanks.

#3 firebaad

firebaad
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:02:45 PM

Posted 11 February 2008 - 10:24 PM

Hello Richie,

Thanks for the response. I appreciate your efforts here.

I am still in need of help.

I cannot delete the following registry key.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSSYNC2020.

Also, under the ZA "program control" tab I find mssync20.exe with access, server, and send email rights.
I have used ZA to "kill" this program. However, on restart of comp it has all rights granted again.

Today I scanned with updated Ad-Aware SE, Spybot S&D and HouseCall, with findings of low-priority tracking cookies, and HouseCall indicated I needed updates from MS for various vulnerabilities. I plan to update to SP2 after cleaning.
Stinger found nothing.

Thanks for any help you may be able to give.

Here is my latest hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:50:51 PM, on 2/11/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
F:\XP HOME\Program Files\Adobe\Photoshop Elemenets 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
F:\XP HOME\Program Files\Sandisk Transfermate\SD Monitor.exe
F:\XP HOME\Program Files\palm\HOTSYNC.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\crusty.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.satx.rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: EVoIpSessionCookie Class - {424B6AD1-785D-43e7-9C9B-AB96E77477D0} - C:\Program Files\attcv\Programs\EVoIPAxCtrls.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\XP HOME\Canon Printer\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - Startup: HotSync Manager.lnk = F:\XP HOME\Program Files\palm\HOTSYNC.EXE
O4 - Startup: PC Atomic Sync.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: BigFix.lnk.disabled
O4 - Global Startup: Device Detector 2.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = F:\XP HOME\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor.lnk = F:\XP HOME\Program Files\Sandisk Transfermate\SD Monitor.exe
O4 - Global Startup: SmartGlobe.lnk.disabled
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\XPHOME~1\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://F:\XP HOME\Canon Printer\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://F:\XP HOME\Canon Printer\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://F:\XP HOME\Canon Printer\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://F:\XP HOME\Canon Printer\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - F:\XP HOME\Program Files\Adobe\Photoshop Elemenets 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8623 bytes

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:09:45 PM

Posted 12 February 2008 - 04:22 AM

If you have previously downloaded ComboFix, please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, NOT for private use.

Now download Combofix by sUBs and save it to your desktop.
Alternative Combofix download link HERE.
Note
It is important that it is saved directly to your desktop.

Do not run it just yet.

Now please go here and follow the instructions to install the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Now close any open browsers.
Double click on Combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouse-click Combofix's window or do anything else on your PC while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.

#5 firebaad

  • Topic Starter
  • Members
  • 26 posts

Posted 12 February 2008 - 02:10 PM

Richie,

I followed your directions and ran combofix.

Here are the new logs.

Thanks again for taking the time to help.

ComboFix 08-02-13.1 - Chris 2008-02-12 12:23:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.694 [GMT -6:00]
Running from: C:\Documents and Settings\Chris\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-01-13 to 2008-02-13 )))))))))))))))))))))))))))))))
.

2008-02-11 17:45 . 2008-02-11 20:49 <DIR> d-------- C:\Documents and Settings\Chris\.housecall6.6
2008-02-11 15:27 . 2008-02-11 15:27 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-11 15:27 . 2008-02-11 15:27 3,448 --a------ C:\WINDOWS\unins000.dat
2008-02-02 00:57 . 2008-02-02 00:57 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\Grisoft
2008-02-01 01:08 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-01 01:03 . 2008-02-01 01:03 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-28 02:44 . 2008-02-12 12:19 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-28 02:44 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-28 02:44 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-28 02:44 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-28 02:44 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-28 02:43 . 2008-02-12 12:16 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-28 02:43 . 2008-01-28 02:43 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\PC Tools
2008-01-26 17:03 . 2001-08-17 22:36 112,640 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-01-26 17:03 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-01-26 17:01 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-01-26 17:00 . 2002-08-29 03:41 3,494,303 --a--c--- C:\WINDOWS\system32\dllcache\nv4_disp.dll
2008-01-26 16:59 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-01-26 16:58 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-01-26 16:57 . 2001-08-17 22:36 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_smtpsnap.dll
2008-01-26 16:56 . 2002-05-14 12:08 872,557 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-01-25 01:01 . 2008-01-25 01:01 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\Grisoft
2008-01-25 01:01 . 2008-01-25 01:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-25 01:01 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-24 13:12 . 2008-01-24 13:12 <DIR> d-------- C:\Program Files\Uniblue
2008-01-24 13:12 . 2008-01-24 13:12 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\Uniblue
2008-01-24 12:53 . 2003-08-25 18:06 182,880 --a------ C:\WINDOWS\system32\iuengine.dll
2008-01-24 12:53 . 2003-08-25 18:06 182,880 --a--c--- C:\WINDOWS\system32\dllcache\iuengine.dll
2008-01-24 00:37 . 2008-01-24 00:38 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-23 16:53 . 2006-02-28 06:00 9,216 --a------ C:\WINDOWS\system32\winfax.dll
2008-01-23 16:53 . 2006-02-28 06:00 9,216 --a--c--- C:\WINDOWS\system32\dllcache\winfax.dll
2008-01-23 07:37 . 2008-01-23 07:37 <DIR> d-------- C:\VundoFix Backups
2008-01-22 19:46 . 2008-01-22 19:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-21 00:28 . 2008-01-21 00:28 <DIR> d-------- C:\Program Files\ESET
2008-01-21 00:28 . 2008-01-21 00:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-01-21 00:18 . 2007-04-19 14:43 557,295 --a------ C:\WINDOWS\_detmp.11
2008-01-21 00:18 . 2000-02-14 16:36 128,000 --a------ C:\WINDOWS\_detmp.12

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-11 21:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-11 21:31 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-01 07:38 --------- d-----w C:\Documents and Settings\Chris\Application Data\DivX
2008-02-01 07:08 --------- d-----w C:\Program Files\Java
2008-01-25 04:05 2,022,400 ----a-w C:\WINDOWS\Internet Logs\xDB17.tmp
2008-01-23 06:50 1,987,072 ----a-w C:\WINDOWS\Internet Logs\xDB16.tmp
2008-01-23 06:43 1,985,536 ----a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2008-01-21 06:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-17 06:00 27,136 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-01-17 06:00 1,927,680 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2008-01-17 05:53 392,704 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-01-17 05:53 1,926,144 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-01-17 02:51 1,915,392 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-01-14 09:45 1,903,104 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-01-09 21:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2008-01-04 21:59 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-01-04 21:58 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 21:58 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-01-04 21:58 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-01-04 21:57 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-01-04 21:57 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-01-04 21:57 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-01-04 21:57 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-01-04 21:57 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-01-04 21:57 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-01-04 21:57 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-01-04 21:57 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-01-04 21:56 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-01-04 21:56 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-31 18:05 1,885,696 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2007-12-31 18:04 1,153,024 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2007-12-24 09:45 1,872,896 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2007-12-24 09:42 1,872,896 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2007-12-24 09:40 1,872,896 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2007-12-24 09:37 1,872,896 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2007-12-24 09:35 1,872,896 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2007-12-24 09:33 1,872,896 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2007-12-22 07:22 145,153 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_12_22_01_16_38_small.dmp.zip
2007-12-21 14:21 33,800 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2007-12-21 14:20 30,216 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2007-12-21 14:19 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2007-12-17 09:45 1,858,048 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2007-12-17 09:43 1,858,048 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2007-12-17 09:40 1,858,048 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2007-12-17 09:38 1,858,048 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2007-12-17 09:33 1,857,536 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2007-12-10 18:05 1,848,320 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2007-11-14 22:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-10-01 10:02 137,486 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_09_23_23_13_23_small.dmp.zip
2007-10-01 10:02 135,342 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_09_27_17_15_46_small.dmp.zip
2006-11-05 07:06 92,064 ----a-w C:\Documents and Settings\Chris\mqdmmdm.sys
2006-11-05 07:06 9,232 ----a-w C:\Documents and Settings\Chris\mqdmmdfl.sys
2006-11-05 07:06 79,328 ----a-w C:\Documents and Settings\Chris\mqdmserd.sys
2006-11-05 07:06 66,656 ----a-w C:\Documents and Settings\Chris\mqdmbus.sys
2006-11-05 07:06 6,208 ----a-w C:\Documents and Settings\Chris\mqdmcmnt.sys
2006-11-05 07:06 5,936 ----a-w C:\Documents and Settings\Chris\mqdmwhnt.sys
2006-11-05 07:06 4,048 ----a-w C:\Documents and Settings\Chris\mqdmcr.sys
2006-11-05 07:06 25,600 ----a-w C:\Documents and Settings\Chris\usbsermptxp.sys
2006-11-05 07:06 22,768 ----a-w C:\Documents and Settings\Chris\usbsermpt.sys
2006-08-03 08:03 36,672 ----a-w C:\Documents and Settings\Chris\Application Data\GDIPFONTCACHEV1.DAT
2005-04-13 15:49 13,375,268 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2005_04_11_20_50_58.dmp.zip
2005-04-09 20:34 34,232 ----a-w C:\Documents and Settings\Laura\Application Data\GDIPFONTCACHEV1.DAT
2004-10-21 15:55 7,724,518 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-06 09:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-06 09:07 114688]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 08:21 1443072]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [2004-09-16 16:15 538112]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-01-21 00:29 344064]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]

C:\Documents and Settings\Chris\Start Menu\Programs\Startup\
HotSync Manager.lnk - F:\XP HOME\Program Files\palm\HOTSYNC.EXE [2003-07-25 16:29:32 299008]
PC Atomic Sync.lnk.disabled [2005-04-25 21:48:44 686]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk.disabled [2006-05-07 14:09:06 896]
BigFix.lnk.disabled [2003-06-17 21:01:34 1540]
Device Detector 2.lnk.disabled [2005-04-29 08:12:56 1656]
Microsoft Office.lnk - F:\XP HOME\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
Monitor.lnk - F:\XP HOME\Program Files\Sandisk Transfermate\SD Monitor.exe [2007-08-09 20:33:55 114688]
SmartGlobe.lnk.disabled [2007-01-15 14:47:42 703]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Microsoft Works Update Detection"=c:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
"PC Alarm Clock"=F:\XPHOME~1\PROGRA~1\PCALAR~1\pac.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"ViewMgr"=C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
"SoundMan"=SOUNDMAN.EXE
"WinFaxAppPortStarter"=wfxsnt40.exe

R1 epfwtdir;epfwtdir;C:\WINDOWS\System32\DRIVERS\epfwtdir.sys [2007-12-21 08:21]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;F:\XP HOME\Program Files\Adobe\Photoshop Elemenets 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 03:47]
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamSvc.exe" [2006-06-29 17:54]
S3 JL2005C;Dual Mode Camera;C:\WINDOWS\System32\Drivers\jl2005c.sys [2007-01-26 20:09]
S3 PciTest;WinMTA PCI Service;C:\WINDOWS\SYSTEM32\DRIVERS\pcitest.sys [2003-11-25 23:58]
S3 PortlUSB;PortlUSB;C:\WINDOWS\System32\DRIVERS\SiriusUSB.sys []
S3 SNL320XP;SmartGlobe II;C:\WINDOWS\System32\DRIVERS\9kdUSBXP.sys [2006-07-07 14:10]
S3 VNUSB;VN Series Device;C:\WINDOWS\System32\DRIVERS\VNUSB.sys [2003-12-15 17:22]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-12 06:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-02-11 15:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-02-11 16:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-02-11 17:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-02-12 18:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-02-11 19:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-02-11 20:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-02-11 21:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-02-11 22:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-02-11 23:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-02-12 00:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-02-11 07:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-02-12 01:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-02-12 02:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-02-12 03:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-02-12 04:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-02-12 05:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-02-11 08:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-02-11 09:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-02-11 10:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-02-11 11:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-02-11 12:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-02-11 13:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-02-11 14:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\System32\8U6Ppm6o.exe
"2008-02-12 06:32:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-13 12:26:02
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-13 12:27:09
ComboFix-quarantined-files.txt 2008-02-13 18:26:58
ComboFix2.txt 2008-01-27 09:09:00

_______________________________________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41:57 PM, on 2/13/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
F:\XP HOME\Program Files\Adobe\Photoshop Elemenets 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
F:\XP HOME\Program Files\Sandisk Transfermate\SD Monitor.exe
F:\XP HOME\Program Files\palm\HOTSYNC.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Trend Micro\HijackThis\crusty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.satx.rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: EVoIpSessionCookie Class - {424B6AD1-785D-43e7-9C9B-AB96E77477D0} - C:\Program Files\attcv\Programs\EVoIPAxCtrls.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\XP HOME\Canon Printer\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Startup: HotSync Manager.lnk = F:\XP HOME\Program Files\palm\HOTSYNC.EXE
O4 - Startup: PC Atomic Sync.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: BigFix.lnk.disabled
O4 - Global Startup: Device Detector 2.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = F:\XP HOME\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor.lnk = F:\XP HOME\Program Files\Sandisk Transfermate\SD Monitor.exe
O4 - Global Startup: SmartGlobe.lnk.disabled
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\XPHOME~1\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://F:\XP HOME\Canon Printer\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://F:\XP HOME\Canon Printer\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://F:\XP HOME\Canon Printer\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://F:\XP HOME\Canon Printer\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - F:\XP HOME\Program Files\Adobe\Photoshop Elemenets 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8018 bytes
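
The 'Scheduled Tasks' section of the ComboFix log above is the most telling part of this post: twenty-four At*.job entries, one for every hour of the day, all launching the same randomly named C:\WINDOWS\System32\8U6Ppm6o.exe. Jobs named AtN.job are created with at.exe and run as SYSTEM, so this is an hourly re-launch of the dropper. The script below is an added example for this thread, not part of ComboFix or of any tool mentioned here. It parses that section of the log (from a constructed sample with the same shape, not the full posted log) and flags any target that is shared by several At*.job entries or that has a random-looking name in System32. The threshold of three jobs and the name heuristic are assumptions chosen for illustration.

```python
"""Flag scheduled-task persistence in the 'Scheduled Tasks' section of a
ComboFix log.

Added example for this thread, not part of ComboFix. Heuristics used:
  * several AtN.job entries (created with at.exe, which runs them as SYSTEM)
    all launching one executable, spread across different hours;
  * a target in System32 whose name looks random (mixed case plus digits).
The threshold and the name test are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample with the same shape as the log posted above (three of the
# 24 At*.job entries kept, plus one legitimate job); not a verbatim copy.
SAMPLE_LOG = """\
Contents of the 'Scheduled Tasks' folder
"2008-02-12 06:00:00 C:\\WINDOWS\\Tasks\\At1.job"
- C:\\WINDOWS\\System32\\8U6Ppm6o.exe
"2008-02-11 07:00:00 C:\\WINDOWS\\Tasks\\At2.job"
- C:\\WINDOWS\\System32\\8U6Ppm6o.exe
"2008-02-11 08:00:00 C:\\WINDOWS\\Tasks\\At3.job"
- C:\\WINDOWS\\System32\\8U6Ppm6o.exe
"2008-02-12 06:32:00 C:\\WINDOWS\\Tasks\\Check Updates for Windows Live Toolbar.job"
- C:\\Program Files\\Windows Live Toolbar\\MSNTBUP.EXE
.
"""

# A job line is quoted: "<timestamp> <full path>.job"; the next line is "- <target>".
JOB_RE = re.compile(r'^"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+\.job)"$', re.IGNORECASE)
TARGET_RE = re.compile(r"^- (.+)$")
AT_JOB_RE = re.compile(r"^At\d+\.job$", re.IGNORECASE)


class Task(NamedTuple):
    run_time: str   # timestamp as printed by ComboFix
    job: str        # job file name, e.g. At1.job
    target: str     # executable the job launches


class Finding(NamedTuple):
    target: str
    jobs: List[str]
    reasons: List[str]


def parse_tasks(text: str) -> List[Task]:
    """Pair each quoted job line with the '- <target>' line that follows it."""
    tasks: List[Task] = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        m = JOB_RE.match(line)
        if m:
            pending = (m.group(1), m.group(2).rsplit("\\", 1)[-1])
            continue
        m = TARGET_RE.match(line)
        if m and pending is not None:
            tasks.append(Task(pending[0], pending[1], m.group(1).strip()))
            pending = None
    return tasks


def looks_random(path: str) -> bool:
    """Heuristic (assumption): a System32 executable whose stem mixes upper case,
    lower case and digits, like 8U6Ppm6o.exe. Legitimate names such as
    HPZipm12.exe can trip this, so treat it only as a supporting signal."""
    if "\\system32\\" not in path.lower():
        return False
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return (len(stem) >= 6
            and any(c.isdigit() for c in stem)
            and any(c.isupper() for c in stem)
            and any(c.islower() for c in stem))


def flag_suspicious(tasks: List[Task], min_at_jobs: int = 3) -> List[Finding]:
    """Group jobs by target and report targets matching either heuristic."""
    by_target: Dict[str, List[Task]] = defaultdict(list)
    for t in tasks:
        by_target[t.target].append(t)
    findings: List[Finding] = []
    for target, group in by_target.items():
        reasons = []
        at_jobs = [t for t in group if AT_JOB_RE.match(t.job)]
        hours = {t.run_time[11:13] for t in at_jobs}   # "HH" from the timestamp
        if len(at_jobs) >= min_at_jobs:
            reasons.append(f"{len(at_jobs)} At*.job entries launch the same target "
                           f"across {len(hours)} distinct hours")
        if looks_random(target):
            reasons.append("random-looking executable name in System32")
        if reasons:
            jobs = sorted((t.job for t in group),
                          key=lambda j: (len(j), j.lower()))  # At2 sorts before At10
            findings.append(Finding(target, jobs, reasons))
    return findings


if __name__ == "__main__":
    for f in flag_suspicious(parse_tasks(SAMPLE_LOG)):
        print(f.target)
        for r in f.reasons:
            print("  -", r)
        print("  jobs:", ", ".join(f.jobs))
```

Run against the full section of a real log, the job list in each finding is exactly the set of At*.job files to remove from C:\WINDOWS\Tasks, while a legitimate job such as the Windows Live Toolbar updater is left alone because it is neither an AtN.job nor a random-looking System32 target.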

#6 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 13 February 2008 - 02:51 AM

Please download OTMoveIt by OldTimer, save it to your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\_detmp.11
C:\WINDOWS\_detmp.12


Return to OTMoveIt, right click on the "Paste Custom List of Files/Folders to Move" window under the "yellow" bar at the bottom, and choose Paste.
Click the red Moveit! button.
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt by clicking on the "Exit" button.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Click Start/Run, type CMD then press Ok.
At the command prompt copy and paste the following command, then press Enter:
DEL C:\WINDOWS\Tasks\At*.job
Then exit command prompt.


Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.
Do not run it just yet.

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it,then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.


Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:
Select My Computer
This will start the program and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected. It does not provide an option to clean/disinfect; I need to see the scan results.
Now click on the Save as Text button.
Save the file to your desktop.
Copy and paste the contents of that file into your next reply.

If the above link doesn't work, try this:
http://www.kaspersky.com/kos/english/kavwebscan.html

Also post a new Hijackthis log, and let me know how your pc is running now.

#7 firebaad

  • Topic Starter
  • Members
  • 26 posts

Posted 13 February 2008 - 07:20 PM

Hi Richie,

I followed your latest instructions. The logs will follow.

Here is what's going on with my machine:

1) I still have mssync20.exe in the program control list in ZA. When I remove it, it comes back after restart.
2) A new IE icon appeared on my desktop sometime within the last 2 days. I now have 2. I first noticed it after running combofix. Should I delete this?

3) I still have the following registry entries associated with mssync20.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSSYNC2020

HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603
name: 001 type: REG_SZ value: mssync

HKEY_USERS\S-1-5-21-1886036211-3956415644-789767485-1005 \Software\Microsoft\Search Assistant\ACMru\5603
name: 001 type: REG_SZ value: mssync

Thanks again for your help. Your efforts are greatly appreciated.


[Custom Input]
< C:\WINDOWS\_detmp.11 >
C:\WINDOWS\_detmp.11 moved successfully.
< C:\WINDOWS\_detmp.12 >
C:\WINDOWS\_detmp.12 moved successfully.

OTMoveIt2 v1.0.19 log created on 02142008_071125

___________________________________________________________________________________________________

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/14/2008 at 07:53 AM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 00:32:26

Memory items scanned : 377
Memory threats detected : 0
Registry items scanned : 6415
Registry threats detected : 0
File items scanned : 33762
File threats detected : 1

Trojan.Downloader-Gen/JA
C:\JA.EXE

____________________________________________________________________________________________________

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, February 14, 2008 4:25:33 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 13/02/2008
Kaspersky Anti-Virus database records: 521857
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 127978
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 03:42:12

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Charon\CACHE.NDB Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\virlog.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\warnlog.dat Object is locked skipped
C:\Documents and Settings\Chris\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temp\AntiPhishing\FDE76B9D-4657-4B28-AE87-04EFD23D4EB6.dat Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temp\~DF302D.tmp Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Chris\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Chris\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Jacob\Local Settings\Temp\AntiPhishing\FDE76B9D-4657-4B28-AE87-04EFD23D4EB6.dat Object is locked skipped
C:\Documents and Settings\Laura\Local Settings\Temp\AntiPhishing\FDE76B9D-4657-4B28-AE87-04EFD23D4EB6.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP4\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\MAINDESKTOP.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\SFIFHAXQ.LNG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\TEMP\ZLT06e3f.TMP Object is locked skipped
C:\WINDOWS\TEMP\ZLT06e70.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped

Scan process completed.

_______________________________________________________________________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:07:59 PM, on 2/14/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
F:\XP HOME\Program Files\Adobe\Photoshop Elemenets 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
F:\XP HOME\Program Files\Sandisk Transfermate\SD Monitor.exe
F:\XP HOME\Program Files\palm\HOTSYNC.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\crusty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.satx.rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: EVoIpSessionCookie Class - {424B6AD1-785D-43e7-9C9B-AB96E77477D0} - C:\Program Files\attcv\Programs\EVoIPAxCtrls.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\XP HOME\Canon Printer\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Startup: HotSync Manager.lnk = F:\XP HOME\Program Files\palm\HOTSYNC.EXE
O4 - Startup: PC Atomic Sync.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: BigFix.lnk.disabled
O4 - Global Startup: Device Detector 2.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = F:\XP HOME\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor.lnk = F:\XP HOME\Program Files\Sandisk Transfermate\SD Monitor.exe
O4 - Global Startup: SmartGlobe.lnk.disabled
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\XPHOME~1\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://F:\XP HOME\Canon Printer\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://F:\XP HOME\Canon Printer\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://F:\XP HOME\Canon Printer\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://F:\XP HOME\Canon Printer\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - F:\XP HOME\Program Files\Adobe\Photoshop Elemenets 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8425 bytes

#8 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 13 February 2008 - 08:16 PM

Please download Rootchk.exe and save to your desktop:
Important: Temporarily disable any real-time monitoring programs (see note below).
Disconnect from the Internet.
Double-click on rootchk.exe to run the program.
A command prompt window will open as the scan begins and then close.
When the scan is completed, a logfile named rootlog.txt will open and be saved to the root directory usually C:\.
Copy and paste the contents of the log into your next reply.
Re-enable active protection on any program you temporarily disabled.

Note:
To avoid false positives, it is important that you temporarily disable ZoneAlarm Pro firewall, or any other security program that protects your registry (Spybot's Teatimer, Ad-Aware's Ad-Watch, Prevx, etc.) before running the rootchk scan.
Click on this link to see a list of other programs that should be disabled.


Download and unzip AVG Anti-Rootkit to your desktop:
http://free.grisoft.com/softw/70free/setup...up-1.1.0.42.exe

Double-click avgarkt-setup-1.1.0.42.exe to install; by default it will install to C:\Program Files\GRISOFT\AVG Anti-Rootkit.
Accept the license and follow the prompts to install.
You will be asked to reboot to finish the installation so click "Finish".
After rebooting, launch AVG by double-clicking the AVG Anti-Rootkit icon on your desktop, then click on the 'Search for Rootkits' tab.
Then click on 'Perform in-depth search'.
You will see the progress bar moving from left to right.
The scan will take some time so be patient and let it finish.
When the scan has finished, a small window will open so you can view the results.
Right click over those results and select "Save Result To File".
By default the file will be saved with a .csv extension. (You can use Notepad to open the .csv file.)
Copy and paste those results into your next reply.
If anything was found, click "Remove selected items".
Note:
Close all open windows and programs, and DO NOT USE the computer while scanning.
If the scan is performed while the computer is in use, false positives may appear in the scan results.

#9 firebaad
  • Topic Starter

  • Members
  • 26 posts

Posted 14 February 2008 - 02:56 AM

Richie,

I followed your last instructions.

AVG Anti-Rootkit found nothing. The screen that followed both the 'Search for Rootkits' and
the 'Perform in-depth search' scans said 'Congratulations! There were no rootkits found on your computer.'

The following is the Rootchk log.


********************************* ROOTCHK-(28-12-07)-LOG, by ejvindh
Fri 02/15/2008 0:01:45.20

NOTICE!! Rootchk is not being updated anymore, and is thus gradually getting outdated.
Last update was made 28-12-07

The rootkits that are detected by this tool were not found.

********************************* ROOTCHK-LOG-end


catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-15 00:01:48
Windows 5.1.2600 Service Pack 1
scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

hidden processes: 0
hidden services: 0
hidden files: 0

#10 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 14 February 2008 - 04:43 AM

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and, after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Delete the following files if present:

C:\WINDOWS\system32\mssync20.exe
C:\WINDOWS\system32\mssync20.sys
C:\WINDOWS\system32\mssync20.tlb
C:\WINDOWS\system32\mssync20.dll

Then, go to Start/Run, type the following (in bold text below) into the 'Open:' space, then press Enter:
sc delete mssync2020


Restart your pc normally.

Double click on Combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Also post a new Hijackthis log.
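The post above asks the topic starter to look for four mssync20 files, remove the mssync2020 service with `sc delete`, and the thread's opening post mentions a leftover `Enum\Root\LEGACY_MSSYNC2020` registry key that could not be deleted. The following audit script is an added example written for this thread, not code from RichieUK or from any of the tools discussed; it reports on exactly those remnants without deleting anything, so the result can be checked before the manual removal steps are carried out. The file paths, the service name and the LEGACY key name are taken from the thread; the function names and output layout are this example's own, and it assumes it is run from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): audit-only check for the mssync20 / mssync2020
# remnants named in the thread. Nothing is modified; each function returns objects that
# can be inspected or piped to Format-Table.

# File paths exactly as listed in the post (the four files the user is told to delete).
$suspectFiles = @(
    'C:\WINDOWS\system32\mssync20.exe',
    'C:\WINDOWS\system32\mssync20.sys',
    'C:\WINDOWS\system32\mssync20.tlb',
    'C:\WINDOWS\system32\mssync20.dll'
)

# Service name used in the post's 'sc delete mssync2020' step.
$serviceName = 'mssync2020'

function Get-SuspectFileReport {
    # Reports presence, size and last-write time for each suspect path.
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        $item = Get-Item -LiteralPath $p -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path      = $p
            Present   = [bool]$item
            SizeBytes = $(if ($item) { $item.Length } else { $null })
            Modified  = $(if ($item) { $item.LastWriteTime } else { $null })
        }
    }
}

function Get-ServiceRemnantReport {
    # Reports the registry traces a service leaves in each control set:
    #   Services\<name>          - the service definition the SCM reads (ImagePath etc.)
    #   Enum\Root\LEGACY_<NAME>  - the Plug and Play "legacy" device node created for a
    #                              kernel driver; this is the key the thread starter saw
    #                              under ControlSet002 and could not delete by hand.
    param([string]$Name)
    $controlSets = @('CurrentControlSet', 'ControlSet001', 'ControlSet002')
    foreach ($cs in $controlSets) {
        $svcKey    = "HKLM:\SYSTEM\$cs\Services\$Name"
        $legacyKey = "HKLM:\SYSTEM\$cs\Enum\Root\LEGACY_$($Name.ToUpper())"
        $props     = Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ControlSet    = $cs
            ServiceKey    = Test-Path -LiteralPath $svcKey
            LegacyEnumKey = Test-Path -LiteralPath $legacyKey
            ImagePath     = $(if ($props) { $props.ImagePath } else { $null })
        }
    }
}

function Get-ServiceState {
    # Live view from the Service Control Manager; absent once 'sc delete' has taken effect
    # and the machine has been rebooted.
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($svc) { "$Name is registered with the SCM, status: $($svc.Status)" }
    else      { "$Name is not registered with the SCM" }
}

Get-ServiceState -Name $serviceName
Get-SuspectFileReport -Paths $suspectFiles | Format-Table -AutoSize
Get-ServiceRemnantReport -Name $serviceName | Format-Table -AutoSize
```

If `ServiceKey` is False everywhere but a `LegacyEnumKey` is still True, only the orphaned PnP node is left, which is the situation the opening post describes. The `Enum` subtree is owned by SYSTEM and is not writable by Administrators by default, which is why regedit reports an error on delete; the order given in the post (remove the files and the service first, then deal with the key) is the sensible one, because the LEGACY node is recreated on boot only while a driver service of that name exists.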

#11 firebaad
  • Topic Starter

  • Members
  • 26 posts

Posted 15 February 2008 - 05:39 PM

Hello again,

I followed your latest instructions.

These files were not found.
C:\WINDOWS\system32\mssync20.exe
C:\WINDOWS\system32\mssync20.sys
C:\WINDOWS\system32\mssync20.tlb
C:\WINDOWS\system32\mssync20.dll

Here are my latest logs.

ComboFix 08-02-13.1 - Chris 2008-02-16 15:56:52.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.688 [GMT -6:00]
Running from: C:\Documents and Settings\Chris\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-01-16 to 2008-02-16 )))))))))))))))))))))))))))))))
.

2008-02-15 10:05 . 2008-02-15 10:05 <DIR> d-------- C:\Documents and Settings\Jacob\Application Data\Grisoft
2008-02-15 00:33 . 2007-01-18 06:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-02-14 11:09 . 2008-02-14 11:09 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-14 11:09 . 2008-02-14 11:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-14 07:16 . 2008-02-14 17:09 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-14 07:16 . 2008-02-14 07:16 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\SUPERAntiSpyware.com
2008-02-14 07:16 . 2008-02-14 07:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-14 07:15 . 2008-02-14 07:15 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-14 07:11 . 2008-02-14 07:11 <DIR> d-------- C:\_OTMoveIt
2008-02-11 17:45 . 2008-02-11 20:49 <DIR> d-------- C:\Documents and Settings\Chris\.housecall6.6
2008-02-11 15:27 . 2008-02-11 15:27 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-11 15:27 . 2008-02-11 15:27 3,448 --a------ C:\WINDOWS\unins000.dat
2008-02-02 00:57 . 2008-02-02 00:57 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\Grisoft
2008-02-01 01:08 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-01 01:03 . 2008-02-01 01:03 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-28 02:44 . 2008-02-13 17:32 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-28 02:44 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-28 02:44 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-28 02:44 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-28 02:44 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-28 02:43 . 2008-02-12 12:16 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-28 02:43 . 2008-01-28 02:43 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\PC Tools
2008-01-26 17:03 . 2001-08-17 22:36 112,640 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-01-26 17:03 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-01-26 17:01 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-01-26 17:00 . 2002-08-29 03:41 3,494,303 --a--c--- C:\WINDOWS\system32\dllcache\nv4_disp.dll
2008-01-26 16:59 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-01-26 16:58 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-01-26 16:57 . 2001-08-17 22:36 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_smtpsnap.dll
2008-01-26 16:56 . 2002-05-14 12:08 872,557 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-01-25 01:01 . 2008-01-25 01:01 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\Grisoft
2008-01-25 01:01 . 2008-01-25 01:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-25 01:01 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-24 13:12 . 2008-01-24 13:12 <DIR> d-------- C:\Program Files\Uniblue
2008-01-24 13:12 . 2008-01-24 13:12 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\Uniblue
2008-01-24 12:53 . 2003-08-25 18:06 182,880 --a------ C:\WINDOWS\system32\iuengine.dll
2008-01-24 12:53 . 2003-08-25 18:06 182,880 --a--c--- C:\WINDOWS\system32\dllcache\iuengine.dll
2008-01-24 00:37 . 2008-01-24 00:38 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-23 16:53 . 2006-02-28 06:00 9,216 --a------ C:\WINDOWS\system32\winfax.dll
2008-01-23 16:53 . 2006-02-28 06:00 9,216 --a--c--- C:\WINDOWS\system32\dllcache\winfax.dll
2008-01-23 07:37 . 2008-01-23 07:37 <DIR> d-------- C:\VundoFix Backups
2008-01-22 19:46 . 2008-01-22 19:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-21 00:28 . 2008-01-21 00:28 <DIR> d-------- C:\Program Files\ESET
2008-01-21 00:28 . 2008-01-21 00:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-11 21:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-11 21:31 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-01 07:38 --------- d-----w C:\Documents and Settings\Chris\Application Data\DivX
2008-02-01 07:08 --------- d-----w C:\Program Files\Java
2008-01-25 04:05 2,022,400 ----a-w C:\WINDOWS\Internet Logs\xDB17.tmp
2008-01-23 06:50 1,987,072 ----a-w C:\WINDOWS\Internet Logs\xDB16.tmp
2008-01-23 06:43 1,985,536 ----a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2008-01-21 06:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-17 06:00 27,136 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-01-17 06:00 1,927,680 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2008-01-17 05:53 392,704 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-01-17 05:53 1,926,144 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-01-17 02:51 1,915,392 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-01-14 09:45 1,903,104 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-01-09 21:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2008-01-04 21:59 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-01-04 21:58 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 21:58 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-01-04 21:58 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-01-04 21:57 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-01-04 21:57 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-01-04 21:57 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-01-04 21:57 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-01-04 21:57 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-01-04 21:57 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-01-04 21:57 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-01-04 21:57 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-01-04 21:56 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-01-04 21:56 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-31 18:05 1,885,696 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2007-12-31 18:04 1,153,024 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2007-12-24 09:45 1,872,896 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2007-12-24 09:42 1,872,896 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2007-12-24 09:40 1,872,896 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2007-12-24 09:37 1,872,896 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2007-12-24 09:35 1,872,896 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2007-12-24 09:33 1,872,896 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2007-12-22 07:22 145,153 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_12_22_01_16_38_small.dmp.zip
2007-12-21 14:21 33,800 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2007-12-21 14:20 30,216 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2007-12-21 14:19 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2007-12-17 09:45 1,858,048 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2007-12-17 09:43 1,858,048 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2007-12-17 09:40 1,858,048 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2007-12-17 09:38 1,858,048 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2007-12-17 09:33 1,857,536 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2007-12-10 18:05 1,848,320 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2007-10-01 10:02 137,486 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_09_23_23_13_23_small.dmp.zip
2007-10-01 10:02 135,342 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_09_27_17_15_46_small.dmp.zip
2006-11-05 07:06 92,064 ----a-w C:\Documents and Settings\Chris\mqdmmdm.sys
2006-11-05 07:06 9,232 ----a-w C:\Documents and Settings\Chris\mqdmmdfl.sys
2006-11-05 07:06 79,328 ----a-w C:\Documents and Settings\Chris\mqdmserd.sys
2006-11-05 07:06 66,656 ----a-w C:\Documents and Settings\Chris\mqdmbus.sys
2006-11-05 07:06 6,208 ----a-w C:\Documents and Settings\Chris\mqdmcmnt.sys
2006-11-05 07:06 5,936 ----a-w C:\Documents and Settings\Chris\mqdmwhnt.sys
2006-11-05 07:06 4,048 ----a-w C:\Documents and Settings\Chris\mqdmcr.sys
2006-11-05 07:06 25,600 ----a-w C:\Documents and Settings\Chris\usbsermptxp.sys
2006-11-05 07:06 22,768 ----a-w C:\Documents and Settings\Chris\usbsermpt.sys
2006-08-03 08:03 36,672 ----a-w C:\Documents and Settings\Chris\Application Data\GDIPFONTCACHEV1.DAT
2005-04-13 15:49 13,375,268 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2005_04_11_20_50_58.dmp.zip
2005-04-09 20:34 34,232 ----a-w C:\Documents and Settings\Laura\Application Data\GDIPFONTCACHEV1.DAT
2004-10-21 15:55 7,724,518 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-06 09:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-06 09:07 114688]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 08:21 1443072]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [2004-09-16 16:15 538112]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-01-21 00:29 344064]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]

C:\Documents and Settings\Chris\Start Menu\Programs\Startup\
HotSync Manager.lnk - F:\XP HOME\Program Files\palm\HOTSYNC.EXE [2003-07-25 16:29:32 299008]
PC Atomic Sync.lnk.disabled [2005-04-25 21:48:44 686]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk.disabled [2006-05-07 14:09:06 896]
BigFix.lnk.disabled [2003-06-17 21:01:34 1540]
Device Detector 2.lnk.disabled [2005-04-29 08:12:56 1656]
Microsoft Office.lnk - F:\XP HOME\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
Monitor.lnk - F:\XP HOME\Program Files\Sandisk Transfermate\SD Monitor.exe [2007-08-09 20:33:55 114688]
SmartGlobe.lnk.disabled [2007-01-15 14:47:42 703]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Microsoft Works Update Detection"=c:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
"PC Alarm Clock"=F:\XPHOME~1\PROGRA~1\PCALAR~1\pac.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"ViewMgr"=C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
"SoundMan"=SOUNDMAN.EXE
"WinFaxAppPortStarter"=wfxsnt40.exe

R1 epfwtdir;epfwtdir;C:\WINDOWS\System32\DRIVERS\epfwtdir.sys [2007-12-21 08:21]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;F:\XP HOME\Program Files\Adobe\Photoshop Elemenets 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 03:47]
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamSvc.exe" [2006-06-29 17:54]
S3 JL2005C;Dual Mode Camera;C:\WINDOWS\System32\Drivers\jl2005c.sys [2007-01-26 20:09]
S3 PciTest;WinMTA PCI Service;C:\WINDOWS\SYSTEM32\DRIVERS\pcitest.sys [2003-11-25 23:58]
S3 PortlUSB;PortlUSB;C:\WINDOWS\System32\DRIVERS\SiriusUSB.sys []
S3 SNL320XP;SmartGlobe II;C:\WINDOWS\System32\DRIVERS\9kdUSBXP.sys [2006-07-07 14:10]
S3 VNUSB;VN Series Device;C:\WINDOWS\System32\DRIVERS\VNUSB.sys [2003-12-15 17:22]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-16 21:32:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-16 15:58:55
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-16 15:59:54
ComboFix-quarantined-files.txt 2008-02-16 21:59:44
ComboFix2.txt 2008-02-13 18:27:11
ComboFix3.txt 2008-01-27 09:09:00
_________________________________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:14:27 PM, on 2/16/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
F:\XP HOME\Program Files\Adobe\Photoshop Elemenets 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
F:\XP HOME\Program Files\Sandisk Transfermate\SD Monitor.exe
F:\XP HOME\Program Files\palm\HOTSYNC.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Trend Micro\HijackThis\crusty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.satx.rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: EVoIpSessionCookie Class - {424B6AD1-785D-43e7-9C9B-AB96E77477D0} - C:\Program Files\attcv\Programs\EVoIPAxCtrls.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\XP HOME\Canon Printer\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Startup: HotSync Manager.lnk = F:\XP HOME\Program Files\palm\HOTSYNC.EXE
O4 - Startup: PC Atomic Sync.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: BigFix.lnk.disabled
O4 - Global Startup: Device Detector 2.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = F:\XP HOME\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor.lnk = F:\XP HOME\Program Files\Sandisk Transfermate\SD Monitor.exe
O4 - Global Startup: SmartGlobe.lnk.disabled
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\XPHOME~1\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://F:\XP HOME\Canon Printer\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://F:\XP HOME\Canon Printer\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://F:\XP HOME\Canon Printer\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://F:\XP HOME\Canon Printer\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - F:\XP HOME\Program Files\Adobe\Photoshop Elemenets 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8425 bytes

#12 RichieUK
Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 15 February 2008 - 07:21 PM

Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\Internet Logs\xDB17.tmp
C:\WINDOWS\Internet Logs\xDB16.tmp
C:\WINDOWS\Internet Logs\xDB15.tmp
C:\WINDOWS\Internet Logs\xDB13.tmp
C:\WINDOWS\Internet Logs\xDB14.tmp
C:\WINDOWS\Internet Logs\xDB11.tmp
C:\WINDOWS\Internet Logs\xDB12.tmp
C:\WINDOWS\Internet Logs\xDB10.tmp
C:\WINDOWS\Internet Logs\xDBF.tmp
C:\WINDOWS\Internet Logs\xDBE.tmp
C:\WINDOWS\Internet Logs\xDBD.tmp
C:\WINDOWS\Internet Logs\xDBC.tmp
C:\WINDOWS\Internet Logs\xDBB.tmp
C:\WINDOWS\Internet Logs\xDBA.tmp
C:\WINDOWS\Internet Logs\xDB9.tmp
C:\WINDOWS\Internet Logs\xDB8.tmp
C:\WINDOWS\Internet Logs\xDB7.tmp
C:\WINDOWS\Internet Logs\xDB6.tmp
C:\WINDOWS\Internet Logs\xDB5.tmp
C:\WINDOWS\Internet Logs\xDB4.tmp
C:\WINDOWS\Internet Logs\xDB3.tmp
C:\WINDOWS\Internet Logs\xDB2.tmp
C:\WINDOWS\Internet Logs\xDB1.tmp


Return to OTMoveIt, right click on the "Paste Custom List of Files/Folders to Move" window under the "yellow" bar at the bottom, and choose Paste.
Click the red Moveit! button
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt by clicking on the "Exit" button.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Download RegSearch by Bobbi Flekman.
Right click on your desktop, select 'New', then 'Folder'.
Right click on that new folder and select 'Rename', rename it to RegSearch.
Unzip/extract the contents of regsearch.zip to the RegSearch folder.
Open the RegSearch folder and double-click the icon RegSearch.exe to launch the program.
Copy and paste the following string to search for in the top space, then click "OK":
mssync20
After completion Notepad will be opened with all the found instances of the string.
The resulting file is saved in the same location as RegSearch.exe.
Copy and paste the entire search results into your next reply.

Let me know what's happening now please.

#13 firebaad
  • Topic Starter
  • Members
  • 26 posts

Posted 16 February 2008 - 12:11 PM

Richie,

Here's what's going on.

After I ran combofix the last time a new IE icon appeared on my desktop just as before. Is that normal?
mssync20.exe is still in the program control list in ZA. When I remove it, it comes back.

Here are the logs.
I stepped outside of your instructions and had RegSearch look for mssync.

[Custom Input]
< C:\WINDOWS\Internet Logs\xDB17.tmp >
C:\WINDOWS\Internet Logs\xDB17.tmp moved successfully.
< C:\WINDOWS\Internet Logs\xDB16.tmp >
C:\WINDOWS\Internet Logs\xDB16.tmp moved successfully.
< C:\WINDOWS\Internet Logs\xDB15.tmp >
C:\WINDOWS\Internet Logs\xDB15.tmp moved successfully.
< C:\WINDOWS\Internet Logs\xDB13.tmp >
C:\WINDOWS\Internet Logs\xDB13.tmp moved successfully.
< C:\WINDOWS\Internet Logs\xDB14.tmp >
C:\WINDOWS\Internet Logs\xDB14.tmp moved successfully.
< C:\WINDOWS\Internet Logs\xDB11.tmp >
C:\WINDOWS\Internet Logs\xDB11.tmp moved successfully.
< C:\WINDOWS\Internet Logs\xDB12.tmp >
C:\WINDOWS\Internet Logs\xDB12.tmp moved successfully.
< C:\WINDOWS\Internet Logs\xDB10.tmp >
C:\WINDOWS\Internet Logs\xDB10.tmp moved successfully.
< C:\WINDOWS\Internet Logs\xDBF.tmp >
C:\WINDOWS\Internet Logs\xDBF.tmp moved successfully.
< C:\WINDOWS\Internet Logs\xDBE.tmp >
C:\WINDOWS\Internet Logs\xDBE.tmp moved successfully.
< C:\WINDOWS\Internet Logs\xDBD.tmp >
C:\WINDOWS\Internet Logs\xDBD.tmp moved successfully.
< C:\WINDOWS\Internet Logs\xDBC.tmp >
C:\WINDOWS\Internet Logs\xDBC.tmp moved successfully.
< C:\WINDOWS\Internet Logs\xDBB.tmp >
C:\WINDOWS\Internet Logs\xDBB.tmp moved successfully.
< C:\WINDOWS\Internet Logs\xDBA.tmp >
C:\WINDOWS\Internet Logs\xDBA.tmp moved successfully.
< C:\WINDOWS\Internet Logs\xDB9.tmp >
C:\WINDOWS\Internet Logs\xDB9.tmp moved successfully.
< C:\WINDOWS\Internet Logs\xDB8.tmp >
C:\WINDOWS\Internet Logs\xDB8.tmp moved successfully.
< C:\WINDOWS\Internet Logs\xDB7.tmp >
C:\WINDOWS\Internet Logs\xDB7.tmp moved successfully.
< C:\WINDOWS\Internet Logs\xDB6.tmp >
C:\WINDOWS\Internet Logs\xDB6.tmp moved successfully.
< C:\WINDOWS\Internet Logs\xDB5.tmp >
C:\WINDOWS\Internet Logs\xDB5.tmp moved successfully.
< C:\WINDOWS\Internet Logs\xDB4.tmp >
C:\WINDOWS\Internet Logs\xDB4.tmp moved successfully.
< C:\WINDOWS\Internet Logs\xDB3.tmp >
C:\WINDOWS\Internet Logs\xDB3.tmp moved successfully.
< C:\WINDOWS\Internet Logs\xDB2.tmp >
C:\WINDOWS\Internet Logs\xDB2.tmp moved successfully.
< C:\WINDOWS\Internet Logs\xDB1.tmp >
C:\WINDOWS\Internet Logs\xDB1.tmp moved successfully.

OTMoveIt2 v1.0.19 log created on 02172008_102227

__________________________________________________________________________________________



Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman 2005
; Version: 2.0.5.0

; Results at 2/17/2008 10:51:05 AM for strings:
; 'mssync'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSSYNC2020]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSSYNC2020\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSSYNC2020\0000]
"Service"="mssync2020"
"DeviceDesc"="mssync2020"

[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"001"="mssync"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"="My Computer\\HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Enum\\Root\\LEGACY_MSSYNC2020"

; End Of The Log...

#14 RichieUK
Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 16 February 2008 - 12:35 PM

Please download Malwarebytes Anti-Malware:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Backup the registry by doing the following.
Click on Start > Run, copy and paste the following bold text into the 'Open:' space, then press Ok.
regedit /e c:\registrybackup.reg
It won't appear to be doing anything,that's normal.
Your mouse pointer may have an hour glass along side it for a minute or so.
Please be patient and continue when the hour glass disappears.


Download RegSeeker 1.55.zip
Right click on a blank area of your desktop, click 'New' > 'Folder', rename it 'RegSeeker'.
Unzip/extract RegSeeker.zip to that new folder.
Launch RegSeeker.
Click on 'Find in Registry' at the top.
In the 'Search for:' space, copy and paste:
MSSYNC2020
Then press 'Search!'.
Once the search has finished,highlight any one entry with a single left click.
Then click on 'Select' at the bottom.
In the menu that pops up click on 'Select all'.
Now right click anywhere on the yellow highlighted area 'Delete selected items'.
Once they've all been deleted,search again.
Keep searching and deleting until all the MSSYNC2020 entries are gone.
Now click on 'Auto Clean' at the bottom, then click on 'GO!' in the opening window.
Close the program when it's finished.
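The registry searches RichieUK asks for in #12 (RegSearch for mssync20) and #14 (RegSeeker for MSSYNC2020, after a regedit /e backup) can be reproduced with built-in Windows tooling. The PowerShell script below is an added example for this thread; it is not code from the thread or from RegSearch, RegSeeker or any other tool mentioned here. It walks the hives the RegSearch log lists (HKEY_LOCAL_MACHINE and HKEY_USERS), reports every key name, value name or value data containing the search term, and exports each matching key with reg.exe before anyone deletes anything. The search term (the thread's "mssync"), the hive roots and the backup folder C:\regsearch-backup are assumed parameters; it also prints which ControlSet00N is the live one, because the key in the thread lives under ControlSet002.

```powershell
# Added example, not part of the thread: read-only registry string search with
# a .reg export of every hit, so a deletion made afterwards can be undone.
# Assumed inputs: search term, hive roots and backup folder (constructed values).
param(
    [string]$Pattern   = 'mssync',                                 # term from the thread
    [string[]]$Roots   = @('HKLM:\SYSTEM', 'HKLM:\SOFTWARE', 'HKU:\'),
    [string]$BackupDir = 'C:\regsearch-backup'                     # assumed path
)

# HKU: is not a default PowerShell drive; map it so user hives can be walked too.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# CurrentControlSet is a link to one of ControlSet00N, chosen by SYSTEM\Select\Current.
# A key that exists only in another ControlSet is not used by the running system.
$current = (Get-ItemProperty -Path 'HKLM:\SYSTEM\Select' -Name Current).Current
Write-Host ("CurrentControlSet is ControlSet{0:D3}" -f $current)

function Find-RegistryString {
    param([string]$Root, [string]$Needle)
    $hits = New-Object System.Collections.Generic.List[object]
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_                                   # Microsoft.Win32.RegistryKey
        $keyHit = $key.Name -like "*$Needle*"       # match on the full key path
        $valueHits = @()
        try {
            foreach ($name in $key.GetValueNames()) {
                $raw = $key.GetValue($name)
                # REG_BINARY comes back as byte[]; render it as hex so it is searchable.
                $data = if ($raw -is [byte[]]) {
                    ($raw | ForEach-Object { $_.ToString('x2') }) -join ' '
                } else { [string]$raw }
                if ($name -like "*$Needle*" -or $data -like "*$Needle*") {
                    $valueHits += [pscustomobject]@{ Name = $name; Data = $data }
                }
            }
        } catch {
            # Keys whose ACL denies even Administrators (typical for Enum\Root\LEGACY_*)
            # cannot be read without taking ownership first; report and move on.
            Write-Warning "No read access: $($key.Name)"
        }
        if ($keyHit -or $valueHits.Count -gt 0) {
            $hits.Add([pscustomobject]@{ Key = $key.Name; Values = $valueHits })
        }
    }
    return $hits
}

$results = foreach ($r in $Roots) { Find-RegistryString -Root $r -Needle $Pattern }

$i = 0
foreach ($hit in $results) {
    Write-Host "[$($hit.Key)]"
    foreach ($v in $hit.Values) { Write-Host ('  "{0}"="{1}"' -f $v.Name, $v.Data) }

    # Export before anything is touched: reg.exe writes a .reg that can be re-imported.
    $i++
    $safeName = $hit.Key -replace '[\\:]', '_'
    if ($safeName.Length -gt 100) { $safeName = $safeName.Substring(0, 100) }
    $out = Join-Path $BackupDir ("{0:D4}-{1}.reg" -f $i, $safeName)
    & reg.exe export $hit.Key $out /y 2>$null | Out-Null
}
Write-Host "$i matching key(s); exports written to $BackupDir"
```

Run it from an elevated PowerShell prompt. Two points the thread's "error when I try to delete it" turns on: the LEGACY_* keys under Enum\Root are created for non-PnP drivers and services and carry a default ACL that gives Administrators read access only, so regedit refuses the delete until ownership is taken and Full Control granted on the key; and a key under ControlSet002 is only in use when the script's first line reports ControlSet002 as the live set, otherwise it is the stale copy the system keeps for Last Known Good.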

#15 firebaad
  • Topic Starter
  • Members
  • 26 posts

Posted 16 February 2008 - 05:25 PM

Hello again,

Thanks for the quick replies.

RegSeeker found 2 instances of mssync2020 in the registry and I had RegSeeker delete them.
I didn't copy the strings it deleted and I haven't found a log for them. So, I can't include them in this reply.
I then ran 'autoclean.'
Unfortunately, the key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSSYNC2020
was not one of those found and still remains in the registry. Also, mssync2020.exe is still reported in ZA with access to trusted zone. This is after I removed it from the ZA program control list once again and restarted the PC.


Malwarebytes' Anti-Malware 1.03
Database version: 367

Scan type: Quick Scan
Objects scanned: 28531
Time elapsed: 4 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



