
Search-daily Bho Infection


26 replies to this topic

#1 Squid4hire

Squid4hire

  • Members
  • 16 posts
  • OFFLINE
  • Local time:03:07 AM

Posted 24 February 2008 - 07:14 PM

Hi,

I have been getting redirected on my Google searches and have not been able to correct it. I have tried all of the spyware solutions and none have helped. Here are the HijackThis results. Can anyone help me?


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:04:25 PM, on 2/24/2008
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: (no name) - {4FEC7E57-72CF-4ACE-A278-ADEABC368FCB} - c:\winnt\system32\dhcpmont.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {E4A62993-500C-45E4-A8D5-D5CC6B29AB75} - C:\WINNT\system32\adsntj.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [lkzmiov0] C:\WINNT\system32\lkzmiov0.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [lkzmiov0] C:\WINNT\system32\lkzmiov0.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3662BD4D-ECEF-4050-BACB-3EF6788554B3}: NameServer = 66.92.64.2,216.231.41.2
O20 - Winlogon Notify: lvvvfizk - C:\WINNT\SYSTEM32\dhcpmont.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Generic Host Process for Win32 Service - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 4857 bytes


#2 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  • Gender:Male
  • Location:Hamburg
  • Local time:09:07 AM

Posted 09 March 2008 - 10:35 AM

Hello Squid4hire and welcome to BleepingComputer!

Apologies for the delay. The forum has been very busy lately. If you are still having problems, then please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide For Use Before Posting A Hijackthis Log. Please also post the problems you are having.

If we do not hear back from you within a couple of days we will need to close your topic.

Thanks,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#3 Squid4hire

Squid4hire
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:03:07 AM

Posted 10 March 2008 - 06:55 PM

Johannes,

Thanks for getting back to me. I have been getting redirected from Google search results (at first search-daily, then differing sites) and now get annoying malware pop-ups. I have done everything in preparation with no luck. Anything you can do would be helpful! This is my most recent HJT scan. Let me know what you think.


Thank you!!

Neil

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:44:05 PM, on 3/10/2008
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\tp4mon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINNT\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: (no name) - {4FEC7E57-72CF-4ACE-A278-ADEABC368FCB} - c:\winnt\system32\dhcpmont.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {E4A62993-500C-45E4-A8D5-D5CC6B29AB75} - C:\WINNT\system32\adsntj.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3662BD4D-ECEF-4050-BACB-3EF6788554B3}: NameServer = 66.92.64.2,216.231.41.2
O20 - Winlogon Notify: lvvvfizk - C:\WINNT\SYSTEM32\dhcpmont.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Generic Host Process for Win32 Service - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 4561 bytes

#4 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  • Gender:Male
  • Location:Hamburg
  • Local time:09:07 AM

Posted 11 March 2008 - 12:24 PM

Hey Neil,

Please note that comments are made in green, links are in red, important things are outlined by using the blue color and the numbered steps I would like you to follow are outlined with orange.

Please also take note of the following:
  • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
Step #1

I see that you are using the ZoneAlarm Firewall, which is good. However, ZoneAlarm recently started to pre-check the installation of an Ask Toolbar, which is not recommended. You can read more about it here.

If you decide not to use it, you will have to uninstall ZoneAlarm and re-install it, making sure you untick the Toolbar option.

Step #2

Please download ComboFix from here and save it to your Desktop.

When done downloading, please print out and follow these instructions: "How to download and use ComboFix"
If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive.
  • When you have completed the ComboFix instructions, copy and paste the contents of C:\ComboFix.txt in your next reply.
  • When done, be sure to re-enable your anti-virus and other security programs.

Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.

Step #3

Please post back with the ComboFix and a fresh HijackThis log. Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#5 Squid4hire

Squid4hire
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:03:07 AM

Posted 11 March 2008 - 07:30 PM

Johannes,

I have run ComboFix and included the log. There doesn't appear to be any pop-ups yet (hopeful). Thanks for your help and let me know what I need to do next.

ComboFix 08-03-06.2 - nharrigan 03/11/2008 20:04:33.1 - NTFSx86
Running from: C:\Documents and Settings\nharrigan\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\config\SAM.SAV
C:\WINNT\system32\dhcpmont.dll
C:\WINNT\Tasks.\At1.job
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_AFNZBKPV
-------\afnzbkpv


((((((((((((((((((((((((( Files Created from 2008-02-12 to 2008-03-12 )))))))))))))))))))))))))))))))
.

2008-03-03 20:53 . 08-03-03 20:53 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-03 20:53 . 08-03-03 20:53 <DIR> d-------- C:\Documents and Settings\nharrigan\Application Data\Malwarebytes
2008-03-03 20:53 . 08-03-03 20:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-24 19:03 . 08-02-24 19:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-24 18:06 . 08-02-24 18:06 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-02-24 18:03 . 08-02-24 18:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-24 18:02 . 07-11-14 16:05 75,248 --a------ C:\WINNT\zllsputility.exe
2008-02-24 18:02 . 04-04-27 04:40 11,264 --a------ C:\WINNT\system32\SpOrder.dll
2008-02-24 18:02 . 08-02-24 18:07 4,212 ---h----- C:\WINNT\system32\zllictbl.dat
2008-02-24 18:00 . 08-02-24 18:00 <DIR> d-------- C:\Program Files\Zone Labs
2008-02-24 17:58 . 08-03-11 20:01 <DIR> d-a------ C:\WINNT\Internet Logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 01:08 86,528 ----a-w C:\WINNT\system32\dhcpmont.dll
2008-03-11 01:06 32,256 ----a-w C:\WINNT\Internet Logs\xDBA.tmp
2008-03-07 02:06 26,112 ----a-w C:\WINNT\Internet Logs\xDB8.tmp
2008-03-07 02:06 1,332,224 ----a-w C:\WINNT\Internet Logs\xDB9.tmp
2008-03-07 01:55 98,048 ----a-w C:\WINNT\system32\adsntj.dll
2008-03-04 02:40 26,112 ----a-w C:\WINNT\Internet Logs\xDB6.tmp
2008-03-04 02:40 1,331,712 ----a-w C:\WINNT\Internet Logs\xDB7.tmp
2008-03-04 02:16 48,640 ----a-w C:\WINNT\Internet Logs\xDB5.tmp
2008-03-04 01:36 --------- d-----w C:\Documents and Settings\nharrigan\Application Data\AVG7
2008-03-02 23:40 41,984 ----a-w C:\WINNT\Internet Logs\xDB3.tmp
2008-03-02 23:40 1,320,448 ----a-w C:\WINNT\Internet Logs\xDB4.tmp
2008-02-25 00:47 62,976 ----a-w C:\WINNT\Internet Logs\xDB1.tmp
2008-02-25 00:47 1,313,280 ----a-w C:\WINNT\Internet Logs\xDB2.tmp
2008-02-24 22:25 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-24 21:27 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-06 01:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-02 01:33 14,348 ----a-w C:\WINNT\system32\lkzmiov0.exe
2008-01-17 02:08 --------- d---a-w C:\Program Files\microsoft frontpage
2008-01-17 02:06 --------- d---a-w C:\Program Files\ACT
2008-01-17 02:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\avg7
2008-01-17 01:19 499,712 ----a-w C:\WINNT\system32\msvcp71.dll
2008-01-17 01:19 26,944 ----a-w C:\WINNT\system32\drivers\avg7rsnt.sys
2008-01-17 01:19 --------- d-----w C:\Documents and Settings\Default User\Application Data\AVG7
2008-01-17 00:43 348,160 ----a-w C:\WINNT\system32\msvcr71.dll
2008-01-17 00:43 246,545 ----a-w C:\WINNT\system32\libssl32.dll
2008-01-17 00:43 1,188,375 ----a-w C:\WINNT\system32\libeay32.dll
2006-12-05 00:36 64,992 -c--a-w C:\Documents and Settings\nharrigan\Application Data\GDIPFONTCACHEV1.DAT
2003-08-28 17:52 271 ---h--w C:\Program Files\desktop.ini
2003-08-28 17:52 21,952 -c-h--w C:\Program Files\folder.htt
1999-12-07 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4FEC7E57-72CF-4ACE-A278-ADEABC368FCB}]
c:\winnt\system32\dhcpmont.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4A62993-500C-45E4-A8D5-D5CC6B29AB75}]
08-03-06 20:55 98048 --a------ C:\WINNT\system32\adsntj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
08-02-24 18:06 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [08-02-24 18:06 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [08-02-24 18:06 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSI Configuration"="msiconf.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4mon.exe" [99-11-30 18:40 86288 C:\WINNT\system32\tp4mon.exe]
"Synchronization Manager"="mobsync.exe" [99-12-07 07:00 111376 C:\WINNT\system32\mobsync.exe]
"SoundFusion"="cwcprops.cpl" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07-11-14 16:05 919016]
"combofix"="C:\WINNT\system32\CF21441.exe" [03-09-20 19:45 236304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [08-01-16 20:19 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [99-12-07 07:00 186640]

C:\Documents and Settings\nharrigan\Start Menu\Programs\Startup\
PowerReg SchedulerV2.exe [2001-05-31 09:06:20 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-09-11 23:00:00 111376]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\system32\Drivers\avg7rsnt.sys [08-01-16 20:19 ]
R1 TPPWR;TPPWR;C:\WINNT\system32\drivers\Tppwr.sys [00-04-26 16:59 ]
R3 cwcspud3;Crystal SoundFusion™ SPuD3 Driver;C:\WINNT\system32\drivers\cwcspud3.sys [99-11-11 14:13 ]
R3 EL556;3Com 10/100 Mini PCI Ethernet Adapter NDIS5 Driver;C:\WINNT\system32\DRIVERS\EL556ND5.sys [00-02-24 19:48 ]
S1 LSMBATT;LSMBATT;C:\WINNT\system32\drivers\LSMBATT.SYS []
S1 sglfb;sglfb;C:\WINNT\system32\drivers\sglfb.sys [99-12-07 07:00 ]
S2 BulkUsb;Bantam Bulk USB Driver;C:\WINNT\system32\Drivers\bantam.sys [01-11-30 07:32 ]
S2 Generic Host Process for Win32 Service;Generic Host Process for Win32 Service;"C:\WINNT\svchost.exe" []
S3 apusbsnt;AirPrime USB Modem Device Driver;C:\WINNT\system32\DRIVERS\apusbsnt.sys []
S3 cwbwdm_device;Crystal WDM Audio Codec Driver;C:\WINNT\system32\drivers\cwbwdm.sys [99-11-01 22:10 ]
S3 FW1;SecuRemote Miniport;C:\WINNT\system32\DRIVERS\fw.sys []
S3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys [02-07-22 14:05 ]

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-11 20:17:31
Windows 5.0.2195 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINNT\System32\ibmpmsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
.
**************************************************************************
.
Completion time: 2008-03-11 20:23:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-12 01:23:08
.
2008-02-24 23:26:19 --- E O F ---

#6 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  • Gender:Male
  • Location:Hamburg
  • Local time:09:07 AM

Posted 12 March 2008 - 02:26 PM

Hey Squid4hire,

Step #1
  • Open notepad and copy/paste the text in the codebox below into it:

    Suspect::
    C:\WINNT\system32\adsntj.dll
    C:\WINNT\system32\lkzmiov0.exe
    c:\winnt\system32\dhcpmont.dll
    
    File::
    C:\WINNT\Internet Logs\xDBA.tmp
    C:\WINNT\Internet Logs\xDB8.tmp
    C:\WINNT\Internet Logs\xDB9.tmp
    C:\WINNT\Internet Logs\xDB6.tmp
    C:\WINNT\Internet Logs\xDB7.tmp
    C:\WINNT\Internet Logs\xDB5.tmp
    C:\WINNT\Internet Logs\xDB3.tmp
    C:\WINNT\Internet Logs\xDB4.tmp
    C:\WINNT\Internet Logs\xDB1.tmp
    C:\WINNT\Internet Logs\xDB2.tmp
    
    Registry::
    [-HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
  • Save this as CFScript.txt

    Posted Image
  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall
  • Additionally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip
    Please submit this file via the html page that should popup after running ComboFix.

    Please include a link to this topic in the message.
Step #2

Please post back with the ComboFix log and the HijackThis log you forgot to post in your last response. Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -
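The helper's CFScript above names three files for quarantine (adsntj.dll, lkzmiov0.exe, dhcpmont.dll). The Python below is an added example, not part of this thread and not code from HijackThis or ComboFix, showing how a defender can pull the same candidates out of a HijackThis log mechanically: it parses the O2 (BHO), O4 (Run key), O20 (Winlogon Notify) and O23 (service) lines, then flags unnamed BHOs, Run values named after their own executable, files reached from more than one autostart point, and random-looking file names. The sample lines are copied from the first log in this thread; the vowel-ratio rule and its 0.25 threshold are heuristics of my own, not anything HijackThis implements.

```python
import re
from collections import defaultdict

# Sample HijackThis lines copied from the first log in this thread (post #1);
# the O23 line is a known-good ZoneAlarm service from the same log, kept as a control.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {4FEC7E57-72CF-4ACE-A278-ADEABC368FCB} - c:\winnt\system32\dhcpmont.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {E4A62993-500C-45E4-A8D5-D5CC6B29AB75} - C:\WINNT\system32\adsntj.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [lkzmiov0] C:\WINNT\system32\lkzmiov0.exe
O4 - HKCU\..\Run: [lkzmiov0] C:\WINNT\system32\lkzmiov0.exe
O20 - Winlogon Notify: lvvvfizk - C:\WINNT\SYSTEM32\dhcpmont.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

# One pattern per HijackThis section of interest; each captures the file path.
PATTERNS = {
    "O2":  re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$"),
    "O4":  re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] (?P<path>.+)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$"),
}


def file_stem(path):
    """Lower-case file name without extension or arguments, from a Windows path."""
    base = path.strip().strip('"').rsplit("\\", 1)[-1]
    base = base.split(" ", 1)[0]          # drop "/STARTUP", "(file missing)", ...
    return base.rsplit(".", 1)[0].lower()


def looks_random(stem):
    """Heuristic of mine (not HijackThis'): 6+ letters with under one vowel per four letters."""
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 6:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.25


def parse(log_text):
    """Yield (section, location, name, stem) for every recognised autostart line."""
    for raw in log_text.splitlines():
        line = raw.strip()
        for section, rx in PATTERNS.items():
            m = rx.match(line)
            if not m:
                continue
            g = m.groupdict()
            # Where the entry lives: CLSID for BHOs, hive for Run keys, subkey/service name otherwise.
            location = f"{section} {g.get('clsid') or g.get('hive') or g['name']}"
            yield section, location, g["name"], file_stem(g["path"])
            break


def triage(log_text):
    """Return {file stem: [reasons]} for autostart files worth a second look."""
    entries = list(parse(log_text))
    reasons = defaultdict(list)

    def flag(stem, reason):
        if reason not in reasons[stem]:
            reasons[stem].append(reason)

    for section, _loc, name, stem in entries:
        if section == "O2" and name == "(no name)":
            flag(stem, "unnamed BHO")
        if section == "O20":
            flag(stem, f"Winlogon Notify handler '{name}'")
        if section == "O4" and name.lower() == stem:
            flag(stem, "Run value named after its own file")
        if looks_random(stem):
            flag(stem, "random-looking file name")

    # The same file reached from several autostart points is a persistence pattern in itself.
    locations = defaultdict(set)
    for _section, loc, _name, stem in entries:
        locations[stem].add(loc)
    for stem, locs in locations.items():
        if len(locs) > 1:
            flag(stem, f"loaded from {len(locs)} autostart points ({', '.join(sorted(locs))})")
    return dict(reasons)


if __name__ == "__main__":
    for stem, why in triage(SAMPLE_LOG).items():
        print(f"{stem}: {'; '.join(why)}")
```

On the sample it flags exactly dhcpmont, adsntj and lkzmiov0 and leaves tp4mon, SDHelper and vsmon alone. A flag is a reason to look, not a verdict: the vowel-ratio rule would also trip on SPYBLOCK.DLL from the same log, which the helper's script correctly leaves in place, so the output is a review list to confirm against file metadata and vendor knowledge before anything goes into a CFScript.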


#7 Squid4hire

Squid4hire
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:03:07 AM

Posted 12 March 2008 - 08:00 PM

Johannes,

Followed your directions. Here is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:54, on 2008-03-12
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {25471336-0EE1-4508-A348-CB2C9A12F8F9} - C:\WINNT\system32\adsntj.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {718FAB68-4787-4E63-A40A-029DF5B34440} - C:\WINNT\system32\adsntj.dll
O2 - BHO: (no name) - {E4A62993-500C-45E4-A8D5-D5CC6B29AB75} - C:\WINNT\system32\adsntj.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O2 - BHO: (no name) - {F3933C47-C8E7-4B38-B2C5-9C3ECCF97775} - C:\WINNT\system32\adsntj.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3662BD4D-ECEF-4050-BACB-3EF6788554B3}: NameServer = 66.92.64.2,216.231.41.2
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Generic Host Process for Win32 Service - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 4990 bytes


Also the Combofix log:
ComboFix 08-03-06.2 - nharrigan 2008-03-12 20:27:33.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.3.1252.1.1033.18.12 [GMT -5:00]
Running from: C:\Documents and Settings\nharrigan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\nharrigan\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINNT\Internet Logs\xDB1.tmp
C:\WINNT\Internet Logs\xDB2.tmp
C:\WINNT\Internet Logs\xDB3.tmp
C:\WINNT\Internet Logs\xDB4.tmp
C:\WINNT\Internet Logs\xDB5.tmp
C:\WINNT\Internet Logs\xDB6.tmp
C:\WINNT\Internet Logs\xDB7.tmp
C:\WINNT\Internet Logs\xDB8.tmp
C:\WINNT\Internet Logs\xDB9.tmp
C:\WINNT\Internet Logs\xDBA.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\Internet Logs\xDB1.tmp
C:\WINNT\Internet Logs\xDB2.tmp
C:\WINNT\Internet Logs\xDB3.tmp
C:\WINNT\Internet Logs\xDB4.tmp
C:\WINNT\Internet Logs\xDB5.tmp
C:\WINNT\Internet Logs\xDB6.tmp
C:\WINNT\Internet Logs\xDB7.tmp
C:\WINNT\Internet Logs\xDB8.tmp
C:\WINNT\Internet Logs\xDB9.tmp
C:\WINNT\Internet Logs\xDBA.tmp
C:\WINNT\system32\msiconf.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-13 to 2008-03-13 )))))))))))))))))))))))))))))))
.

2008-03-12 20:27 . 08-03-12 20:27 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_35c.dat
2008-03-03 20:53 . 08-03-03 20:53 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-03 20:53 . 08-03-03 20:53 <DIR> d-------- C:\Documents and Settings\nharrigan\Application Data\Malwarebytes
2008-03-03 20:53 . 08-03-03 20:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-24 19:03 . 08-02-24 19:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-24 18:06 . 08-02-24 18:06 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-02-24 18:03 . 08-02-24 18:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-24 18:02 . 07-11-14 16:05 75,248 --a------ C:\WINNT\zllsputility.exe
2008-02-24 18:02 . 04-04-27 04:40 11,264 --a------ C:\WINNT\system32\SpOrder.dll
2008-02-24 18:02 . 08-02-24 18:07 4,212 ---h----- C:\WINNT\system32\zllictbl.dat
2008-02-24 18:00 . 08-02-24 18:00 <DIR> d-------- C:\Program Files\Zone Labs
2008-02-24 17:58 . 08-03-12 20:28 <DIR> d-a------ C:\WINNT\Internet Logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 01:55 38,912 ----a-w C:\WINNT\Internet Logs\xDBB.tmp
2008-03-12 01:55 1,339,904 ----a-w C:\WINNT\Internet Logs\xDBC.tmp
2008-03-07 01:55 98,048 ----a-w C:\WINNT\system32\adsntj.dll
2008-03-04 01:36 --------- d-----w C:\Documents and Settings\nharrigan\Application Data\AVG7
2008-02-24 22:25 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-24 21:27 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-06 01:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-02 01:33 14,348 ----a-w C:\WINNT\system32\lkzmiov0.exe
2008-01-17 02:08 --------- d---a-w C:\Program Files\microsoft frontpage
2008-01-17 02:06 --------- d---a-w C:\Program Files\ACT
2008-01-17 02:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\avg7
2008-01-17 01:19 499,712 ----a-w C:\WINNT\system32\msvcp71.dll
2008-01-17 01:19 26,944 ----a-w C:\WINNT\system32\drivers\avg7rsnt.sys
2008-01-17 01:19 --------- d-----w C:\Documents and Settings\Default User\Application Data\AVG7
2008-01-17 00:43 348,160 ----a-w C:\WINNT\system32\msvcr71.dll
2008-01-17 00:43 246,545 ----a-w C:\WINNT\system32\libssl32.dll
2008-01-17 00:43 1,188,375 ----a-w C:\WINNT\system32\libeay32.dll
2006-12-05 00:36 64,992 -c--a-w C:\Documents and Settings\nharrigan\Application Data\GDIPFONTCACHEV1.DAT
2003-08-28 17:52 271 ---h--w C:\Program Files\desktop.ini
2003-08-28 17:52 21,952 -c-h--w C:\Program Files\folder.htt
1999-12-07 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{718FAB68-4787-4E63-A40A-029DF5B34440}]
08-03-06 20:55 98048 --a------ C:\WINNT\system32\adsntj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4A62993-500C-45E4-A8D5-D5CC6B29AB75}]
08-03-06 20:55 98048 --a------ C:\WINNT\system32\adsntj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
08-02-24 18:06 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSI Configuration"="msiconf.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4mon.exe" [99-11-30 18:40 86288 C:\WINNT\system32\tp4mon.exe]
"Synchronization Manager"="mobsync.exe" [99-12-07 07:00 111376 C:\WINNT\system32\mobsync.exe]
"SoundFusion"="cwcprops.cpl" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07-11-14 16:05 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [08-01-16 20:19 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [99-12-07 07:00 186640]

C:\Documents and Settings\nharrigan\Start Menu\Programs\Startup\
PowerReg SchedulerV2.exe [2001-05-31 09:06:20 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-09-11 23:00:00 111376]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\system32\Drivers\avg7rsnt.sys [08-01-16 20:19 ]
R1 TPPWR;TPPWR;C:\WINNT\system32\drivers\Tppwr.sys [00-04-26 16:59 ]
R3 cwcspud3;Crystal SoundFusion™ SPuD3 Driver;C:\WINNT\system32\drivers\cwcspud3.sys [99-11-11 14:13 ]
R3 EL556;3Com 10/100 Mini PCI Ethernet Adapter NDIS5 Driver;C:\WINNT\system32\DRIVERS\EL556ND5.sys [00-02-24 19:48 ]
S1 LSMBATT;LSMBATT;C:\WINNT\system32\drivers\LSMBATT.SYS []
S1 sglfb;sglfb;C:\WINNT\system32\drivers\sglfb.sys [99-12-07 07:00 ]
S2 BulkUsb;Bantam Bulk USB Driver;C:\WINNT\system32\Drivers\bantam.sys [01-11-30 07:32 ]
S2 Generic Host Process for Win32 Service;Generic Host Process for Win32 Service;"C:\WINNT\svchost.exe" []
S3 apusbsnt;AirPrime USB Modem Device Driver;C:\WINNT\system32\DRIVERS\apusbsnt.sys []
S3 cwbwdm_device;Crystal WDM Audio Codec Driver;C:\WINNT\system32\drivers\cwbwdm.sys [99-11-01 22:10 ]
S3 FW1;SecuRemote Miniport;C:\WINNT\system32\DRIVERS\fw.sys []
S3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys [02-07-22 14:05 ]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-12 20:32:36
Windows 5.0.2195 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-12 20:35:00
ComboFix-quarantined-files.txt 2008-03-13 01:34:42
ComboFix2.txt 2008-03-12 01:23:24
.
2008-02-24 23:26:19 --- E O F ---


Thanks for your help! I submitted the zip file, but I think I forgot the link to this topic. Do you need me to resubmit it?


Neil

#8 Yourhighness
  • Malware Response Team

Posted 13 March 2008 - 02:06 PM

Hey Neil,

Thanks for your help! I submitted the zip file, but I think I forgot the link to this topic. Do you need me to resubmit it?

No, it's OK. I only got your files submitted overnight, so no big deal.

Step #1
  • Open Notepad and copy/paste the text in the code box below into it:

    File::
    C:\WINNT\system32\adsntj.dll
    C:\WINNT\system32\lkzmiov0.exe
    c:\winnt\system32\dhcpmont.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{718FAB68-4787-4E63-A40A-029DF5B34440}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4A62993-500C-45E4-A8D5-D5CC6B29AB75}]
  • Save this as CFScript.txt

    Posted Image
  • Referring to the picture above, drag CFScript.txt onto ComboFix.exe
  • When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    Note:
    Do not click on ComboFix's window while it is running; that may cause it to stall.
Step #2

Please update your Malwarebytes' Anti-Malware and do a scan with it.

Step #3

Please post back with the ComboFix log and the Malwarebytes' Anti-Malware log. Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#9 Squid4hire
  • Topic Starter

Posted 13 March 2008 - 07:16 PM

Johannes,

Here is the malware log:
Malwarebytes' Anti-Malware 1.08
Database version: 489

Scan type: Full Scan (C:\|)
Objects scanned: 46873
Time elapsed: 21 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ADP (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

and the ComboFix log file:
ComboFix 08-03-06.2 - nharrigan 2008-03-13 7:16:39.3 - NTFSx86
Running from: C:\Documents and Settings\nharrigan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\nharrigan\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINNT\system32\adsntj.dll
c:\winnt\system32\dhcpmont.dll
C:\WINNT\system32\lkzmiov0.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\adsntj.dll
C:\WINNT\system32\lkzmiov0.exe
C:\WINNT\system32\msiconf.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-13 to 2008-03-13 )))))))))))))))))))))))))))))))
.

2008-03-13 07:16 . 08-03-13 07:16 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_364.dat
2008-03-12 21:33 . 07-11-14 16:05 75,248 --a------ C:\WINNT\zllsputility.exe
2008-03-12 21:20 . 08-03-12 21:20 <DIR> d-------- C:\Program Files\Zone Labs
2008-03-03 20:53 . 08-03-03 20:53 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-03 20:53 . 08-03-03 20:53 <DIR> d-------- C:\Documents and Settings\nharrigan\Application Data\Malwarebytes
2008-03-03 20:53 . 08-03-03 20:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-24 19:03 . 08-02-24 19:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-24 18:06 . 08-02-24 18:06 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-02-24 18:03 . 08-02-24 18:03 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-24 18:02 . 04-04-27 04:40 11,264 --a------ C:\WINNT\system32\SpOrder.dll
2008-02-24 18:02 . 08-03-12 21:38 4,212 ---h----- C:\WINNT\system32\zllictbl.dat
2008-02-24 18:00 . 08-03-12 21:34 <DIR> d-------- C:\WINNT\system32\ZoneLabs
2008-02-24 17:58 . 08-03-13 07:18 <DIR> d-a------ C:\WINNT\Internet Logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 01:36 --------- d-----w C:\Documents and Settings\nharrigan\Application Data\AVG7
2008-02-24 22:25 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-24 21:27 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-06 01:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-17 02:08 --------- d---a-w C:\Program Files\microsoft frontpage
2008-01-17 02:06 --------- d---a-w C:\Program Files\ACT
2008-01-17 02:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\avg7
2008-01-17 01:19 499,712 ----a-w C:\WINNT\system32\msvcp71.dll
2008-01-17 01:19 26,944 ----a-w C:\WINNT\system32\drivers\avg7rsnt.sys
2008-01-17 01:19 --------- d-----w C:\Documents and Settings\Default User\Application Data\AVG7
2008-01-17 00:43 348,160 ----a-w C:\WINNT\system32\msvcr71.dll
2008-01-17 00:43 246,545 ----a-w C:\WINNT\system32\libssl32.dll
2008-01-17 00:43 1,188,375 ----a-w C:\WINNT\system32\libeay32.dll
2006-12-05 00:36 64,992 -c--a-w C:\Documents and Settings\nharrigan\Application Data\GDIPFONTCACHEV1.DAT
2003-08-28 17:52 271 ---h--w C:\Program Files\desktop.ini
2003-08-28 17:52 21,952 -c-h--w C:\Program Files\folder.htt
1999-12-07 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
08-02-24 18:06 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSI Configuration"="msiconf.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4mon.exe" [99-11-30 18:40 86288 C:\WINNT\system32\tp4mon.exe]
"Synchronization Manager"="mobsync.exe" [99-12-07 07:00 111376 C:\WINNT\system32\mobsync.exe]
"SoundFusion"="cwcprops.cpl" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07-11-14 16:05 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [08-01-16 20:19 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [99-12-07 07:00 186640]

C:\Documents and Settings\nharrigan\Start Menu\Programs\Startup\
PowerReg SchedulerV2.exe [2001-05-31 09:06:20 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-09-11 23:00:00 111376]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\system32\Drivers\avg7rsnt.sys [08-01-16 20:19 ]
R1 TPPWR;TPPWR;C:\WINNT\system32\drivers\Tppwr.sys [00-04-26 16:59 ]
R3 cwcspud3;Crystal SoundFusion™ SPuD3 Driver;C:\WINNT\system32\drivers\cwcspud3.sys [99-11-11 14:13 ]
R3 EL556;3Com 10/100 Mini PCI Ethernet Adapter NDIS5 Driver;C:\WINNT\system32\DRIVERS\EL556ND5.sys [00-02-24 19:48 ]
S1 LSMBATT;LSMBATT;C:\WINNT\system32\drivers\LSMBATT.SYS []
S1 sglfb;sglfb;C:\WINNT\system32\drivers\sglfb.sys [99-12-07 07:00 ]
S2 BulkUsb;Bantam Bulk USB Driver;C:\WINNT\system32\Drivers\bantam.sys [01-11-30 07:32 ]
S2 Generic Host Process for Win32 Service;Generic Host Process for Win32 Service;"C:\WINNT\svchost.exe" []
S3 apusbsnt;AirPrime USB Modem Device Driver;C:\WINNT\system32\DRIVERS\apusbsnt.sys []
S3 cwbwdm_device;Crystal WDM Audio Codec Driver;C:\WINNT\system32\drivers\cwbwdm.sys [99-11-01 22:10 ]
S3 FW1;SecuRemote Miniport;C:\WINNT\system32\DRIVERS\fw.sys []
S3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys [02-07-22 14:05 ]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-13 07:21:35
Windows 5.0.2195 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-13 7:23:48
ComboFix-quarantined-files.txt 2008-03-13 12:23:31
ComboFix2.txt 2008-03-13 01:35:02
ComboFix3.txt 2008-03-12 01:23:24
.
2008-02-24 23:26:19 --- E O F ---


Let me know if you need anything else or if there is anything else I can do. Thanks again for your time!!!!!

Neil

#10 Yourhighness
  • Malware Response Team

Posted 14 March 2008 - 01:02 PM

Hey Neil,

Step #1

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
  • Under Main, "Select Files to Delete", choose: Select All.
  • Click the Empty Selected button.
  • If you use the Firefox browser: click Firefox at the top and choose: Select All.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser: click Opera at the top and choose: Select All.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Step #2

Please do an online scan with Kaspersky Webscan (you need to use Internet Explorer or enable IE View in Firefox).

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now, under Select a target to scan, select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As button >> name it >> choose "Text file" in the Save as type dialogue
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Step #3

Please post back with the Kaspersky log. Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#11 Squid4hire
  • Topic Starter

Posted 16 March 2008 - 03:48 PM

Johannes,

Sorry for the delay in getting back. I can no longer get an internet connection on my laptop to continue the fix. I am working on it, but so far no luck. I get a strong wireless signal but cannot connect for some reason. I'll let you know if I get it figured out. Thanks for your patience.

Neil

#12 Squid4hire
  • Topic Starter

Posted 16 March 2008 - 06:36 PM

Johannes,

Back online! Here's the result of the Kaspersky scan:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-03-16 07:31
Operating System: Microsoft Windows 2000 Professional, Service Pack 3 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/03/2008
Kaspersky Anti-Virus database records: 634270
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 24746
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 01:17:53

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Default User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\nharrigan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\nharrigan\Desktop\[42]-Submit_Wed 2008-03-12@20.27.zip/lkzmiov0.exe.vir Infected: Trojan.Win32.KillAV.oe skipped
C:\Documents and Settings\nharrigan\Desktop\[42]-Submit_Wed 2008-03-12@20.27.zip ZIP: infected - 1 skipped
C:\Documents and Settings\nharrigan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\nharrigan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\nharrigan\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\nharrigan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\nharrigan\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\nharrigan\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Grisoft\AVG7\avgcc.exe Object is locked skipped
C:\Program Files\ThinkPad\Utilities\tphkmgr.exe Object is locked skipped
C:\QooBox\Quarantine\C\WINNT\system32\lkzmiov0.exe.vir Infected: Trojan.Win32.KillAV.oe skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\Netlogon.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINNT\Internet Logs\NHARRIGAN.ldb Object is locked skipped
C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
C:\WINNT\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINNT\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINNT\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\system32\bak\lkzmiov0.exe Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\ias\dnary.ldb Object is locked skipped
C:\WINNT\system32\ias\ias.ldb Object is locked skipped
C:\WINNT\system32\ias\ias.mdb Object is locked skipped
C:\WINNT\Temp\JET62C1.tmp Object is locked skipped
C:\WINNT\Temp\JETC8BC.tmp Object is locked skipped
C:\WINNT\Temp\ZLT01980.TMP Object is locked skipped
C:\WINNT\Temp\ZLT0198a.TMP Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.

Let me know what I need to do next. Thanks!

Neil

#13 Yourhighness
  • Malware Response Team

Posted 17 March 2008 - 02:01 PM

Hey Neil,

Step #1

Please navigate to and delete the following file:

C:\Documents and Settings\nharrigan\Desktop\[42]-Submit_Wed 2008-03-12@20.27.zip

Step #2

Please post back with a fresh HijackThis log. Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#14 Squid4hire
  • Topic Starter

Posted 17 March 2008 - 06:23 PM

Johannes,

Deletion done. Here's the fresh HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:19, on 2008-03-17
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3662BD4D-ECEF-4050-BACB-3EF6788554B3}: NameServer = 66.92.64.2,216.231.41.2
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Generic Host Process for Win32 Service - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 4752 bytes

Let me know if there are other issues to deal with. Thanks!!!

Neil

#15 Yourhighness
  • Malware Response Team

Posted 18 March 2008 - 01:44 PM

Hey Neil,

Your HijackThis log shows traces of this, which was not detected by the online scan, and we will therefore run some more things to be on the safe side.

Step #1

Before we start fixing anything you should print out these instructions or copy them to a Notepad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download SDFix and save it to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart the computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the option to start Windows in Safe Mode
  • Press the Enter key. A dialog box confirms that Windows is in Safe Mode
  • Click OK. Note: This may take longer than a normal boot.
Double-click SDFix.exe and it will extract the files to %systemdrive%
(the drive that contains the Windows directory, typically C:\SDFix)

Open the extracted SDFix folder and double-click RunThis.bat to start the script.

Step #2

Please post the SDFix log along with a fresh HijackThis log. Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -
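The triage the helper is doing by eye on the HijackThis log above (the orphaned O3 toolbar with "(no file)", the HKCU Run value that starts a bare msiconf.exe with no path, the service registration still pointing at C:\WINNT\svchost.exe outside system32, and, in the earlier ComboFix log, two BHO CLSIDs that both loaded adsntj.dll) can be written down as rules and run over the log text. The script below is an added example, not code from this thread or from HijackThis, ComboFix or any other tool mentioned here. Its sample lines are copied from the logs posted above; the two adsntj.dll O2 lines are reconstructed in HJT form from the ComboFix "Reg Loading Points" section, and the severities and the list of system binary names are the example's own assumptions.

```python
"""Triage a HijackThis 2.x log for the kinds of leftovers discussed in this thread.

Added example, not part of the thread. The rules and severities are this
example's own assumptions about what deserves a second look.
"""
import re
from collections import defaultdict

# Image names that belong under %SystemRoot%\system32; a service whose image uses
# one of these names anywhere else is a classic masquerade (cf. C:\WINNT\svchost.exe).
# Assumed list for this example, not exhaustive.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                   "winlogon.exe", "smss.exe", "spoolsv.exe"}

# Constructed sample: eight entries copied from the HijackThis log posted above,
# plus two adsntj.dll BHO lines rewritten into O2 form from the ComboFix
# "Reg Loading Points" section earlier in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O2 - BHO: (no name) - {718FAB68-4787-4E63-A40A-029DF5B34440} - C:\WINNT\system32\adsntj.dll
O2 - BHO: (no name) - {E4A62993-500C-45E4-A8D5-D5CC6B29AB75} - C:\WINNT\system32\adsntj.dll
O3 - Toolbar: (no name) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O23 - Service: Generic Host Process for Win32 Service - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_hjt(text):
    """Yield (section, body) for each 'Onn - ...' line; other lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(text):
    """Return a list of (severity, section, message) findings for an HJT log."""
    findings = []
    bho_dll_to_clsids = defaultdict(list)

    for section, body in parse_hjt(text):
        if section in ("O2", "O3"):
            # "BHO: <name> - {CLSID} - <path>"  /  "Toolbar: <name> - {CLSID} - <path>"
            parts = [p.strip() for p in body.rsplit(" - ", 2)]
            if len(parts) != 3:
                continue
            _name, clsid, path = parts
            if path == "(no file)":
                findings.append(("low", section,
                                 f"{clsid} is registered but its file is gone; orphaned entry, remove it"))
            elif section == "O2":
                bho_dll_to_clsids[path.lower()].append(clsid)

        elif section == "O4":
            # "HKLM\..\Run: [Label] <command>" ; a command with no backslash in its
            # first token is resolved through the search path, so the file that
            # really runs must be checked by hand.
            m = re.search(r"\[(.+?)\]\s*(.*)", body)
            if not m:
                continue
            label, command = m.group(1), m.group(2).strip().strip('"')
            exe = command.split()[0] if command else ""
            if exe and "\\" not in exe:
                hive = body.split("\\", 1)[0]
                findings.append(("review", section,
                                 f"{hive} Run value '{label}' starts bare '{exe}'; "
                                 "resolved via the search path, confirm which file actually runs"))

        elif section == "O23":
            # "Service: <name> - <owner> - <image path> [(file missing)]"
            path = body.rsplit(" - ", 1)[-1].strip()
            missing = path.endswith("(file missing)")
            if missing:
                path = path[: -len("(file missing)")].strip()
            folder, _, image = path.rpartition("\\")
            if image.lower() in SYSTEM_BINARIES and not folder.lower().endswith("\\system32"):
                findings.append(("high", section,
                                 f"service image '{path}' borrows a system binary name outside system32"
                                 + (" (file already gone, registration remains)" if missing else "")))
            elif missing:
                findings.append(("low", section, f"service image '{path}' is missing; stale service entry"))

    # One DLL registered under several BHO CLSIDs is a persistence trick, not a
    # normal install; the first ComboFix log above showed exactly this.
    for dll, clsids in bho_dll_to_clsids.items():
        if len(clsids) > 1:
            findings.append(("high", "O2",
                             f"{len(clsids)} BHO CLSIDs all load {dll}: {', '.join(clsids)}"))
    return findings


if __name__ == "__main__":
    for sev, sec, msg in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {sec}: {msg}")
```

Run against a saved log with `triage(open("hijackthis.log").read())`. The "review" findings are deliberately not verdicts: tp4mon.exe is the IBM TrackPoint monitor and is expected on this ThinkPad, while msiconf.exe is the file ComboFix had to delete twice, and only looking at the file on disk tells the two apart.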




