
Ok, second try.....


23 replies to this topic

#1 Sabre3of4


Posted 18 March 2005 - 02:37 PM

Alrighty here.....
I am still getting the ZipZapPromos.com pop-ups and I can't figure out where they are coming from.

Here is a HJT scan I just did. Hope it can tell you something :)

Sabrina

Logfile of HijackThis v1.99.0
Scan saved at 1:32:58 PM, on 3/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\PackethSvc.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\SK9910DM.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\12Ghosts\12wash.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\WMCONN~1\wwm.exe
C:\WINNT\system32\spider.exe
C:\Documents and Settings\Owner\My Documents\Recent Computer Downloads\HijackThis1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - Startup: 12Ghosts Wash.lnk = C:\Program Files\12Ghosts\12wash.exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: Wal-Mart Connect Tray Icon.lnk = C:\Program Files\wmconnect\wmtray.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ChatSpace Full Java Client 3.1.0.217 - http://63.102.226.240:8000/Java/cfs31217.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098418353683
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {C3EF17D6-2201-11D4-9F0E-00B0D011B1AE} (Communities.com Passport) - http://cartoonorbit.cartoonnetwork.com/orb.../winorbiter.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion....bio5_3_16_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF2B075A-FCA0-4CFF-9D2D-E4BE3BDA50EF}: NameServer = 205.188.146.145
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: IMAPI CD-Burning COM Service - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Virtual NIC Service - America Online, Inc. - C:\WINNT\System32\PackethSvc.exe
O23 - Service: PictureTaker - Unknown - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe


#2 SifuMike

malware expert (Staff Emeritus)

Posted 18 March 2005 - 02:43 PM

Hello Sabrina,

I do not see anything obvious in the log. :thumbsup: It must be hiding somewhere.

I think that maybe some of the malware files did not get deleted, and are still lurking about causing you problems.

Go to your Add/Remove programs and uninstall (if it is listed)
Instant Access

We're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect (uncheck) 'hide protected operating system files (recommended)'.

See if you find these files (if found, delete them) :
EGDACCESS_1057.dll may be in C:\WINDOWS\system32
EGDACCESS_1057.inf



Let's empty the temp files:

Download CCleaner and install it. (default location is best).
Select the Windows tab and run CCleaner (click Run Cleaner (bottom right), then, when it finishes scanning, click Exit).
When you see "Complete" on the top line, it's done. It's very fast.


You are using an old version of HijackThis.
Please download the latest version of HijackThis
and submit a new log.

The new version will show more information than the older version.

Please post a Startup list
To get the StartupList log in HJT use Config > Misc. Tools > place a check beside "List also minor sections (full)"> press Generate StartupList log.

Post the list here.

Edited by SifuMike, 18 March 2005 - 05:28 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Sabre3of4


Posted 19 March 2005 - 12:30 AM

OK, here is the new HJT scan and the startup list, and I didn't find any of the things you asked me to look for. And I ran CCleaner also.

Logfile of HijackThis v1.99.1
Scan saved at 11:20:01 PM, on 3/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\PackethSvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\SK9910DM.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
C:\Program Files\12Ghosts\12wash.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\explorer.exe
C:\HJT\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - Startup: 12Ghosts Wash.lnk = C:\Program Files\12Ghosts\12wash.exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: Wal-Mart Connect Tray Icon.lnk = C:\Program Files\wmconnect\wmtray.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ChatSpace Full Java Client 3.1.0.217 - http://63.102.226.240:8000/Java/cfs31217.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098418353683
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {C3EF17D6-2201-11D4-9F0E-00B0D011B1AE} (Communities.com Passport) - http://cartoonorbit.cartoonnetwork.com/orb.../winorbiter.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion....bio5_3_16_0.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINNT\System32\PackethSvc.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Startup List :
StartupList report, 3/18/2005, 11:19:05 PM
StartupList version: 1.52.2
Started from : C:\HJT\hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\PackethSvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\SK9910DM.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
C:\Program Files\12Ghosts\12wash.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\explorer.exe
C:\HJT\hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
12Ghosts Wash.lnk = C:\Program Files\12Ghosts\12wash.exe
Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
PowerReg Scheduler.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
PowerReg Scheduler.exe
Wal-Mart Connect Tray Icon.lnk = C:\Program Files\wmconnect\wmtray.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IgfxTray = C:\WINNT\System32\igfxtray.exe
HotKeysCmds = C:\WINNT\System32\hkcmd.exe
GWMDMMSG = GWMDMMSG.exe
Keyboard Preload Check = C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
GWMDMpi = C:\WINNT\GWMDMpi.exe
AdaptecDirectCD = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
Microsoft Works Portfolio = C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
MoneyStartUp10.0 = "C:\Program Files\Microsoft Money\System\Activation.exe"
WorksFUD = C:\Program Files\Microsoft Works\wkfud.exe
CapFax = C:\Program Files\PhoneTools\CapFax.EXE
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
Hot Key Kbd 9910 Daemon = SK9910DM.EXE
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
SmcService = C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Microsoft Works Update Detection = C:\Program Files\Microsoft Works\WkDetect.exe
MoneyAgent = "C:\Program Files\Microsoft Money\System\Money Express.exe"
PopUpStopperFreeEdition = "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
spc_w = "C:\Program Files\NZSearch\hcm.exe" -w

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINNT\INF\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\System32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINNT\System32\Rundll32.exe C:\WINNT\System32\mscories.dll,Install

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\System32\ssstars.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINNT\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present
C:\WINNT\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Microsoft Money\System\mnyviewer.dll - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}

--------------------------------------------------

Enumerating Download Program Files:

[{0000000A-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/8/B...42/wmsp9dmo.cab

[{02BCC737-B171-4746-94C9-0D8A0B2C0089}]
CODEBASE = http://office.microsoft.com/templates/ieawsdc.cab

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[{0E5F0222-96B9-11D3-8997-00104BD12D94}]
CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

[WUWebControl Class]
InProcServer32 = C:\WINNT\System32\wuweb.dll
CODEBASE = http://v5.windowsupdate.microsoft.com/v5co...b?1098418353683

[HouseCall Control]
InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

[Communities.com Passport]
InProcServer32 = c:\Program Files\Communities.com\CartoonOrbit\QU2LMT59HBCAYVJABNCYUN6DT7XKQLE3.dll
CODEBASE = http://cartoonorbit.cartoonnetwork.com/orb.../winorbiter.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/get/shock...ash/swflash.cab

[{DF6A0F17-0B1E-11D4-829D-00C04F6843FE}]
CODEBASE = http://officeupdate.microsoft.com/Template...nloads/outc.cab

[{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
CODEBASE = http://us.dl1.yimg.com/download.companion....bio5_3_16_0.cab

--------------------------------------------------

Enumerating Windows NT/2000/XP services

avast! iAVS4 Control Service: "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe" (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
avast! Antivirus: "C:\Program Files\Alwil Software\Avast4\ashServ.exe" (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
LexBce Server: C:\WINNT\system32\LEXBCES.EXE (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Virtual NIC Service: C:\WINNT\System32\PackethSvc.exe (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Sygate Personal Firewall: C:\Program Files\Sygate\SPF\smc.exe (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
SyGate for NT, wg3n: \SystemRoot\SYSTEM32\Drivers\wg3n.sys (autostart)
SyGate for NT, wg4n: \SystemRoot\SYSTEM32\Drivers\wg4n.sys (autostart)
SyGate for NT, wg5n: \SystemRoot\SYSTEM32\Drivers\wg5n.sys (autostart)
SyGate for NT, wg6n: \SystemRoot\SYSTEM32\Drivers\wg6n.sys (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.IE5\index.dat||C:\DOCUME~1\Owner\Cookies\index.dat||C:\DOCUME~1\Owner\LOCALS~1\History\History.IE5\index.dat


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINNT\system32\SHELL32.dll
CDBurn: C:\WINNT\system32\SHELL32.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: C:\WINNT\System32\stobject.dll

--------------------------------------------------
End of report, 13,440 bytes
Report generated in 0.922 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Edited by Sabre3of4, 19 March 2005 - 12:31 AM.
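The checks a helper runs by eye over a log like the two above can be written down. The script below is an added example for this thread, not code from HijackThis or from anyone posting here: it parses O4, O16 and O23 lines in the HJT v1.99 format and flags startup entries that name a bare filename instead of a full path (the "GWMDMMSG.exe" and "PowerReg Scheduler.exe" shape), ActiveX CODEBASE entries fetched from a raw IP address, services with no publisher, and anything HJT marks "(file missing)". The sample lines are constructed to mirror the posted log; a flag means "look this entry up", not "this is malware", so a legitimate OEM keyboard daemon with no path will be flagged alongside a real problem.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.99 log format, modelled on the entries
# posted in this thread (a handful of lines, not the full log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - Startup: 12Ghosts Wash.lnk = C:\Program Files\12Ghosts\12wash.exe
O4 - Startup: PowerReg Scheduler.exe
O16 - DPF: ChatSpace Full Java Client 3.1.0.217 - http://63.102.226.240:8000/Java/cfs31217.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

# Every HJT entry starts with a section tag such as R0, O4, O16, O23.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# O4 registry entries: 'HKLM\..\Run: [Name] command'
O4_RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[[^\]]*\] (?P<cmd>.+)$")
# O4 folder entries: 'Startup: file' or 'Global Startup: file.lnk = target'
O4_FOLDER_RE = re.compile(r"^(?:Global )?Startup: (?P<cmd>.+)$")
# A command that begins with a drive letter (optionally quoted) is fully qualified.
FULL_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


def parse_line(line):
    """Split one HJT line into (section, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def startup_command(body):
    """Extract the launched command from an O4 body, or None if the shape is unknown."""
    m = O4_RUN_RE.match(body)
    if m:
        return m.group("cmd").strip()
    m = O4_FOLDER_RE.match(body)
    if not m:
        return None
    cmd = m.group("cmd")
    # Shortcut entries read 'name.lnk = target'; the target is what actually runs.
    if " = " in cmd:
        cmd = cmd.split(" = ", 1)[1]
    return cmd.strip()


def is_ip_literal(host):
    """True when the host part of a URL is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text):
    """Return (section, reason, line) triples for entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        reasons = []
        if "(file missing)" in body:
            reasons.append("target file missing")
        if section == "O4":
            cmd = startup_command(body)
            if cmd is not None and not FULL_PATH_RE.match(cmd):
                reasons.append("bare filename, resolved through the search path")
        elif section == "O16":
            url = body.rsplit(" - ", 1)[-1]
            if is_ip_literal(urlparse(url).hostname or ""):
                reasons.append("ActiveX CODEBASE served from a raw IP address")
        elif section == "O23":
            # v1.99.1 prints 'Unknown owner'; v1.99.0 printed '- Unknown -'.
            if "Unknown owner" in body or " - Unknown - " in body:
                reasons.append("service without publisher information")
        findings.extend((section, reason, raw.strip()) for reason in reasons)
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run against the sample it flags five items: the two path-less O4 entries, the ChatSpace CODEBASE on a bare IP, and the PictureTaker service twice (no owner, file missing). Entries that pass, such as the avast! tray and the Sygate service, are deliberately not printed, so the output is a short worklist rather than a copy of the log.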


#4 SifuMike


Posted 19 March 2005 - 01:52 AM

Hello Sabrina,

Are you still getting the pops? This one is a tough one. I am looking for a rogue .dll in your files but so far have not found it.

Would you please run Adaware SE with a Full Scan in the Safe Mode, and post the log.

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key.


The following explains how to set Ad-aware's settings to perform a "Full Scan."

In Ad-aware click the Gear to go to the Settings area.

The following items should be on a green check, not on a red X.

Under the Scanning button:
Scan within archives
Under Memory & Registry, Check EVERYTHING
In Check Drives & Folders, make sure all of your hard drives are selected

Under the Advanced button, check ALL under Log detail level.

Under the Tweak button...

Some of these may not be an available option, depending on your version of Ad-aware and your version of Windows. Do not be concerned if you cannot select a certain item.

In Scanning Engine:
Unload recognized processes during scanning
Include info about ignored objects in logfile, if detected in scan
Include basic Ad-aware settings in logfile
Include additional Ad-aware settings in logfile
Include used command line parameters in logfile

In Cleaning Engine:
XP/2000: Allow unloading explorer to unload shell extensions prior to deletion
Let Windows remove files in use at next reboot
UNCHECK: Automatically try to unregister objects prior to deletion

Click Proceed to save these settings. When you would like to perform a "Full Scan," switch the scan mode from SmartScan to Custom.



Also run Symantec Online Virus Scan
Let it remove whatever it finds.
If it finds anything, please post the virus scan log.

#5 Sabre3of4


Posted 23 March 2005 - 03:08 PM

Hello, SifuMike :)
I ran Trend Micro's Housecall and it found these things:

BAT.SMTEXEC.A in C:\WINNT\System32\O
BAT.SMTEXEC.A in C:\WINNT\System32\O.BAT

Says they are uncleanable and should be deleted....
I am getting ready to run the AdAware in Safe Mode and the Symantec online virus scan and will let you know what they find :)

Sabrina

#6 SifuMike


Posted 23 March 2005 - 04:18 PM

Hello Sabrina,

Are you still getting ZipZapPromos.com pop-ups?

Please download the List Installed Programs script, run it and post its log.

Edited by SifuMike, 23 March 2005 - 10:43 PM.


#7 Sabre3of4


Posted 25 March 2005 - 06:44 PM

Sigh, I was coming here to post that I thought that they were gone. I had gone the last two days without having them and they showed up again just now. I have made an improvement in that the porn ones no longer show the pictures.

I am going to run the online virus checkers again and try to get the program you listed to download.
Sabrina

#8 Sabre3of4


Posted 27 March 2005 - 06:05 PM

Ok, here is what the Symantec virus checker found:

C:\WINNT\system32\newdevin.exe is infected with Adware.Bookedspace
C:\WINNT\system32\O is infected with Download.Adware
C:\WINNT\system32\O.BAT is infected with Download.Adware
C:\Documents and Settings\Owner\My Documents\Recent Computer Downloads\backups\backup-20050219-205737-178.dll is infected with Dialer.InstantAccess


I am in the process of trying to remove them. Could not find anything on Symantec on the Download.Adware so I am going to run the Trend Micro again and remove it that way.

This is what the start-up list script thing found:

Startup Items for Computer: S0026089351, User: Owner, 3/27/2005 4:49:45 PM

Name: 12Ghosts Wash
Command: 12Ghosts Wash.lnk
User: S0026089351\Owner
Startup Location: Startup

Name: Event Reminder
Command: Event Reminder.lnk
User: S0026089351\Owner
Startup Location: Startup

Name: PowerReg Scheduler
Command: PowerReg Scheduler.exe
User: S0026089351\Owner
Startup Location: Startup

Name: Microsoft Works Update Detection
Command: C:\Program Files\Microsoft Works\WkDetect.exe
User: S0026089351\Owner
Startup Location: HKU\S-1-5-21-1482789601-2801439982-1300003180-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name: MoneyAgent
Command: "C:\Program Files\Microsoft Money\System\Money Express.exe"
User: S0026089351\Owner
Startup Location: HKU\S-1-5-21-1482789601-2801439982-1300003180-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name: PopUpStopperFreeEdition
Command: "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
User: S0026089351\Owner
Startup Location: HKU\S-1-5-21-1482789601-2801439982-1300003180-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name: spc_w
Command: "C:\Program Files\NZSearch\hcm.exe" -w
User: S0026089351\Owner
Startup Location: HKU\S-1-5-21-1482789601-2801439982-1300003180-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name: MiniMavis
Command: C:\PROGRA~1\BRODER~1\MAVISB~1\MINIMA~1.EXE Main
User: All Users
Startup Location: Common Startup

Name: PowerReg Scheduler
Command: PowerReg Scheduler.exe
User: All Users
Startup Location: Common Startup

Name: Wal-Mart Connect Tray Icon
Command: C:\PROGRA~1\WMCONN~1\wmtray.exe -check
User: All Users
Startup Location: Common Startup

Name: IgfxTray
Command: C:\WINNT\System32\igfxtray.exe
User: All Users
Startup Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name: HotKeysCmds
Command: C:\WINNT\System32\hkcmd.exe
User: All Users
Startup Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name: GWMDMMSG
Command: GWMDMMSG.exe
User: All Users
Startup Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name: Keyboard Preload Check
Command: C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
User: All Users
Startup Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name: GWMDMpi
Command: C:\WINNT\GWMDMpi.exe
User: All Users
Startup Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name: AdaptecDirectCD
Command: "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
User: All Users
Startup Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name: Microsoft Works Portfolio
Command: C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
User: All Users
Startup Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name: MoneyStartUp10.0
Command: "C:\Program Files\Microsoft Money\System\Activation.exe"
User: All Users
Startup Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name: WorksFUD
Command: C:\Program Files\Microsoft Works\wkfud.exe
User: All Users
Startup Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name: CapFax
Command: C:\Program Files\PhoneTools\CapFax.EXE
User: All Users
Startup Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name: TkBellExe
Command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
User: All Users
Startup Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name: avast!
Command: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
User: All Users
Startup Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name: Hot Key Kbd 9910 Daemon
Command: SK9910DM.EXE
User: All Users
Startup Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name: QuickTime Task
Command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
User: All Users
Startup Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name: SmcService
Command: C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
User: All Users
Startup Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name: zndeaf
Command: c:\winnt\system32\zndeaf.exe -start
User: All Users
Startup Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

*************************
Additional non-relevant item(s) in the Startup configuration:

Name: desktop
Command: desktop.ini
User: NT AUTHORITY\SYSTEM
Startup Location: Startup

Name: desktop
Command: desktop.ini
User: S0026089351\Owner
Startup Location: Startup

Name: desktop
Command: desktop.ini
User: .DEFAULT
Startup Location: Startup

Name: desktop
Command: desktop.ini
User: All Users
Startup Location: Common Startup


NOTE: This file will be deleted when you close it. If you wish to retain this information, Print it or use File, Save As...

(Startup list generated using StartupList.vbs - © Bill James)
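
The StartupList.vbs log above is a series of `Key: value` records separated by blank lines, with a trailer of "non-relevant" entries. As an added example (not code from this thread, from StartupList.vbs or from BleepingComputer), here is a small Python parser for that format plus the two lookups a helper does by hand on such a log: find every entry whose name or command mentions a given token (the "zndeaf" search asked for later in the thread) and group the real entries by where they are launched from. The sample log is constructed for the example and modelled on the posted one; the computer name EXAMPLE-PC and the SID S-1-5-21-0-0-0-1003 are placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the layout StartupList.vbs prints (a subset of the
# entries posted in this thread; EXAMPLE-PC and the SID are placeholders).
SAMPLE_LOG = r"""Startup Items for Computer: EXAMPLE-PC, User: Owner, 3/27/2005 4:49:45 PM

Name: spc_w
Command: "C:\Program Files\NZSearch\hcm.exe" -w
User: EXAMPLE-PC\Owner
Startup Location: HKU\S-1-5-21-0-0-0-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name: avast!
Command: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
User: All Users
Startup Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name: zndeaf
Command: c:\winnt\system32\zndeaf.exe -start
User: All Users
Startup Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

*************************
Additional non-relevant item(s) in the Startup configuration:

Name: desktop
Command: desktop.ini
User: All Users
Startup Location: Common Startup
"""

FIELDS = ("Name", "Command", "User", "Startup Location")


@dataclass
class StartupEntry:
    name: str
    command: str
    user: str
    location: str
    relevant: bool = True  # False for entries after the "non-relevant" marker

    def executable(self) -> str:
        """Program path from the command: honours a quoted path, drops arguments."""
        cmd = self.command.strip()
        if cmd.startswith('"'):
            end = cmd.find('"', 1)
            return cmd[1:end] if end > 0 else cmd[1:]
        return cmd.split()[0] if cmd else ""


def parse_startup_list(text: str) -> List[StartupEntry]:
    """Split the log into blank-line-separated records and keep those with a Name."""
    entries: List[StartupEntry] = []
    relevant = True
    for block in re.split(r"\n\s*\n", text):
        if "Additional non-relevant item(s)" in block:
            relevant = False  # everything after this marker is desktop.ini noise
            continue
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only; paths keep theirs
            if sep and key.strip() in FIELDS:
                fields[key.strip()] = value.strip()
        if "Name" in fields:
            entries.append(StartupEntry(fields["Name"], fields.get("Command", ""),
                                        fields.get("User", ""),
                                        fields.get("Startup Location", ""), relevant))
    return entries


def find_entries(entries: List[StartupEntry], token: str) -> List[StartupEntry]:
    """Case-insensitive search of name and command, like searching the log for 'zndeaf'."""
    t = token.lower()
    return [e for e in entries if t in e.name.lower() or t in e.command.lower()]


def run_key_entries(entries: List[StartupEntry]) -> List[StartupEntry]:
    """Entries launched from a Registry ...\\CurrentVersion\\Run key (HKLM or per-user HKU)."""
    return [e for e in entries if e.relevant and "\\CurrentVersion\\Run" in e.location]


def by_location(entries: List[StartupEntry]) -> Dict[str, int]:
    """Count the relevant entries per startup location."""
    counts: Dict[str, int] = {}
    for e in entries:
        if e.relevant:
            counts[e.location] = counts.get(e.location, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_startup_list(SAMPLE_LOG)
    for hit in find_entries(parsed, "zndeaf"):
        print(f"{hit.name}: {hit.executable()} ({hit.location})")
    for loc, n in by_location(parsed).items():
        print(f"{n:2d}  {loc}")
```

Feed the real log in place of SAMPLE_LOG and `find_entries` answers the later "is zndeaf still there?" question in one call; `executable()` gives the exact path to look for when hidden and protected files are shown.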

#9 SifuMike


Posted 27 March 2005 - 06:50 PM

Hello Sabrina,

You sent me the wrong listing by accident. It is easy to mix them up, as there are many programs listed at that site. :thumbsup:

You sent me the Startup list program script listing; however, I asked for the List Installed Programs script listing.


Please download the List Installed Programs script, run it and post its log.

Edited by SifuMike, 27 March 2005 - 08:14 PM.


#10 Sabre3of4


Posted 28 March 2005 - 03:35 PM

Whoops, sorry about that.....
here is the right one:
INSTALLED SOFTWARE (98) - S0026089351 - 3/28/2005 1:20:47 PM

12Ghosts Wash
a-squared free 1.5.1 Ver: 1.5.1
Ad-Aware SE Personal
Adobe Acrobat 4.0 Ver: 4.0
Adobe Acrobat 5.0 Ver: 5.0
Adobe Download Manager 1.2 (Remove Only)
Adobe Reader 6.0.1 Ver: 006.000.001 Installed: 4/26/2004
Adobe Type Manager 4.0
AnalogX POW!
ArcSoft PhotoImpression
avast! Antivirus Ver: 4.6
Belarc Advisor 5.1
Broderbund Media Manager
Canon ScanGear Toolbox CS 2.2
CCleaner (remove only)
Click'N Design 3D Ver: 4.x
Deer Hunter
Diablo II
Easy CD Creator 5 Basic Ver: 5.1.0.1800 Installed: 10/11/2001
Fallout
Fallout2
Find Junk Files Ver: 2.00 Installed: 1/29/2004
GTW V.92 Voice Modem
HelpSpot Ver: 6.1 Installed: 10/22/2001
HexDump plug-in for Ad-Aware SE
HijackThis 1.99.1 Ver: 1.99.1
InCD EasyWrite Reader (Ahead Software)
Internet Explorer Exception pack
Internet Explorer ReadMe
IrfanView (remove only)
Jumpstart First Grade v1.4
JumpStart PreSchool v1.4
Lexmark Supplies Monitor
Lexmark Z25-Z35
LSP Explorer plug-in for Ad-Aware SE
Master of Orion II
Mavis Beacon Teaches Typing 12 Standard
MechWarrior 3
Messenger-Control plug-in for Ad-Aware SE
MGI PhotoSuite® Mobile Edition (Remove only)
Mickey Mouse Kindergarten Ver: 1.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Ver: 1.1.4322 Installed: 3/18/2005
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Age of Empires II
Microsoft Age of Empires II: The Conquerors Expansion
Microsoft Encarta Encyclopedia Standard 2002 Ver: 2002 Installed: 10/17/2001
Microsoft Money 2002 Ver: 10.0.50 Installed: 10/17/2001
Microsoft Money 2002 System Pack Ver: 10.0.80 Installed: 10/17/2001
Microsoft Streets and Trips 2002 Ver: 9.00.17.0200 Installed: 10/17/2001
Microsoft Web Publishing Wizard 1.52
Microsoft Word 2002 Ver: 10.0.2627.01 Installed: 10/17/2001
Microsoft Works 2002 Setup Launcher
Microsoft Works 6.0 Ver: 06.00.0000 Installed: 10/17/2001
Microsoft Works Suite Add-in for Microsoft Word Ver: 2.0.0.0000 Installed: 10/17/2001
Mobile Link
MUSICMATCH Jukebox
OE/W Messengerctrl plug-in for Ad-Aware SE
OLYMPUS CAMEDIA Master 4.1
PC-Doctor for Windows
PhoneTools Ver: 3.05
Phonics 2-3
Pop-Up Stopper Free Edition Ver: 3.1
PS/2 Millennium Keyboard
QuickTime
RealPlayer
Rolie Polie Olie Ver: 1.0
Serif DrawPlus 3.0
Shockwave
Shockwave Flash
Sierra Home Architect
Spybot - Search & Destroy 1.3 Ver: 1.3
Sygate Personal Firewall Ver: 5.6.2808 Installed: 3/7/2005
The Print Shop
Viewpoint Media Player (Remove Only)
Wal-Mart Connect
WebFldrs XP Ver: 9.50.5318 Installed: 10/9/2001
Westwood Shared Internet Components
Windows XP Hotfix - KB867282 Ver: 20050127.090417
Windows XP Hotfix - KB873333 Ver: 20050114.005213
Windows XP Hotfix - KB873339 Ver: 20041117.092459
Windows XP Hotfix - KB885250 Ver: 20050118.202711
Windows XP Hotfix - KB885835 Ver: 20041027.181713
Windows XP Hotfix - KB885836 Ver: 20041028.173203
Windows XP Hotfix - KB885884 Ver: 20040924.025457
Windows XP Hotfix - KB886185 Ver: 20041021.090540
Windows XP Hotfix - KB887472 Ver: 20041014.162858
Windows XP Hotfix - KB887742 Ver: 20041103.095002
Windows XP Hotfix - KB888113 Ver: 20041116.131036
Windows XP Hotfix - KB888302 Ver: 20041207.111426
Windows XP Hotfix - KB890047 Ver: 20041221.124506
Windows XP Hotfix - KB890175 Ver: 20041201.233338
Windows XP Hotfix - KB891781 Ver: 20050110.165439
Windows XP Service Pack 2 Ver: 20040803.231319
Winnie the Pooh Preschool Ver: 1.0
Works Suite OS Pack Ver: 1.0.0.0000 Installed: 10/17/2001
Works Synchronization Ver: 1.0.0.0000 Installed: 10/17/2001
zndeaf

I went and checked all the stuff that Symantec wanted checked for the stuff it found and could not find anything. :thumbsup: :flowers: And I need that emoticon who's slamming its head against a brick wall, lol, because that's what I feel like.

Sabrina

#11 SifuMike


Posted 28 March 2005 - 04:31 PM

Hello Sabrina,

I think I found something :thumbsup:

You have a suspicious file we need to check. Go to
Jotti's malware scan, press the Browse button, find c:\winnt\system32\zndeaf.exe, then upload and scan it.
Let me know the results.

Copy and paste the output to this thread

The output should look something like this sample:

File: GoogleToolbarInstaller.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
Packers detected: CEXE

AntiVir No viruses found (0.15 seconds taken)
Avast No viruses found (1.51 seconds taken)
BitDefender No viruses found (0.97 seconds taken)
ClamAV No viruses found (0.39 seconds taken)
Dr.Web No viruses found (0.52 seconds taken)
F-Prot Antivirus No viruses found (0.06 seconds taken)
Kaspersky Anti-Virus No viruses found (0.74 seconds taken)
mks_vir No viruses found (0.21 seconds taken)
NOD32 No viruses found (0.42 seconds taken)
Norman Virus Control No viruses found (0.40 seconds taken)


************************************

Let's delete the malware files the Symantec Virus scan found.

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key.



Please boot into Safe Mode
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect (uncheck) 'hide protected operating system files (recommended)'.

Find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Delete the following files/folders in bold:

C:\WINNT\system32\newdevin.exe <==file
C:\WINNT\system32\O <== not sure if this is a file or a folder
C:\WINNT\system32\O.BAT <==file
C:\Documents and Settings\Owner\My Documents\Recent Computer Downloads\backups\backup-20050219-205737-178.dll <==file

Let me know if you could not find them, or the delete did not work

Then run Symantec Virus Scan again and see if they are gone.

#12 Sabre3of4


Posted 30 March 2005 - 09:10 PM

Hello, Mike

I can't find the zndeaf.exe file at all. I know I just saw it before I read your post then it disappeared.
I did delete all the other stuff you listed and will run the online virus checker later tonite.

Sabrina

#13 SifuMike


Posted 30 March 2005 - 09:26 PM

can't find the zndeaf.exe file at all. I know I just saw it before I read your post then it disappeared.


It will be a protected and hidden file,
so go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect (uncheck) 'hide protected operating system files (recommended)'.

then run Jotti Scan http://virusscan.jotti.org/
and see if you find it.

If not, then boot into safe mode before using Jotti Virus Scan.

Please download the List Installed Programs script, run it and post its log, and we will see if the file is still there. It could have mutated.

Edited by SifuMike, 30 March 2005 - 11:45 PM.


#14 Sabre3of4


Posted 03 April 2005 - 06:51 PM

Ok, I tried to find it with the Jotti scanner and could not.
Here is the list of installed programs. The zndeaf thing is still there:
INSTALLED SOFTWARE (98) - S0026089351 - 4/3/2005 6:48:17 PM

12Ghosts Wash
a-squared free 1.5.1 Ver: 1.5.1
Ad-Aware SE Personal
Adobe Acrobat 4.0 Ver: 4.0
Adobe Acrobat 5.0 Ver: 5.0
Adobe Download Manager 1.2 (Remove Only)
Adobe Reader 7.0 Ver: 7.0.0 Installed: 4/2/2005
Adobe Type Manager 4.0
AnalogX POW!
ArcSoft PhotoImpression
avast! Antivirus Ver: 4.6
Belarc Advisor 5.1
Broderbund Media Manager
Canon ScanGear Toolbox CS 2.2
CCleaner (remove only)
Click'N Design 3D Ver: 4.x
Deer Hunter
Diablo II
Easy CD Creator 5 Basic Ver: 5.1.0.1800 Installed: 10/11/2001
Fallout
Fallout2
Find Junk Files Ver: 2.00 Installed: 1/29/2004
GTW V.92 Voice Modem
HelpSpot Ver: 6.1 Installed: 10/22/2001
HexDump plug-in for Ad-Aware SE
HijackThis 1.99.1 Ver: 1.99.1
InCD EasyWrite Reader (Ahead Software)
Internet Explorer Exception pack
Internet Explorer ReadMe
IrfanView (remove only)
Jumpstart First Grade v1.4
JumpStart PreSchool v1.4
Lexmark Supplies Monitor
Lexmark Z25-Z35
LSP Explorer plug-in for Ad-Aware SE
Master of Orion II
Mavis Beacon Teaches Typing 12 Standard
MechWarrior 3
Messenger-Control plug-in for Ad-Aware SE
MGI PhotoSuite® Mobile Edition (Remove only)
Mickey Mouse Kindergarten Ver: 1.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Ver: 1.1.4322 Installed: 3/18/2005
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Age of Empires II
Microsoft Age of Empires II: The Conquerors Expansion
Microsoft Encarta Encyclopedia Standard 2002 Ver: 2002 Installed: 10/17/2001
Microsoft Money 2002 Ver: 10.0.50 Installed: 10/17/2001
Microsoft Money 2002 System Pack Ver: 10.0.80 Installed: 10/17/2001
Microsoft Streets and Trips 2002 Ver: 9.00.17.0200 Installed: 10/17/2001
Microsoft Web Publishing Wizard 1.52
Microsoft Word 2002 Ver: 10.0.2627.01 Installed: 10/17/2001
Microsoft Works 2002 Setup Launcher
Microsoft Works 6.0 Ver: 06.00.0000 Installed: 10/17/2001
Microsoft Works Suite Add-in for Microsoft Word Ver: 2.0.0.0000 Installed: 10/17/2001
Mobile Link
MUSICMATCH Jukebox
OE/W Messengerctrl plug-in for Ad-Aware SE
OLYMPUS CAMEDIA Master 4.1
PC-Doctor for Windows
PhoneTools Ver: 3.05
Phonics 2-3
Pop-Up Stopper Free Edition Ver: 3.1
PS/2 Millennium Keyboard
QuickTime
RealPlayer
Rolie Polie Olie Ver: 1.0
Serif DrawPlus 3.0
Shockwave
Shockwave Flash
Sierra Home Architect
Spybot - Search & Destroy 1.3 Ver: 1.3
Sygate Personal Firewall Ver: 5.6.2808 Installed: 3/7/2005
The Print Shop
Viewpoint Media Player (Remove Only)
Wal-Mart Connect
WebFldrs XP Ver: 9.50.5318 Installed: 10/9/2001
Westwood Shared Internet Components
Windows XP Hotfix - KB867282 Ver: 20050127.090417
Windows XP Hotfix - KB873333 Ver: 20050114.005213
Windows XP Hotfix - KB873339 Ver: 20041117.092459
Windows XP Hotfix - KB885250 Ver: 20050118.202711
Windows XP Hotfix - KB885835 Ver: 20041027.181713
Windows XP Hotfix - KB885836 Ver: 20041028.173203
Windows XP Hotfix - KB885884 Ver: 20040924.025457
Windows XP Hotfix - KB886185 Ver: 20041021.090540
Windows XP Hotfix - KB887472 Ver: 20041014.162858
Windows XP Hotfix - KB887742 Ver: 20041103.095002
Windows XP Hotfix - KB888113 Ver: 20041116.131036
Windows XP Hotfix - KB888302 Ver: 20041207.111426
Windows XP Hotfix - KB890047 Ver: 20041221.124506
Windows XP Hotfix - KB890175 Ver: 20041201.233338
Windows XP Hotfix - KB891781 Ver: 20050110.165439
Windows XP Service Pack 2 Ver: 20040803.231319
Winnie the Pooh Preschool Ver: 1.0
Works Suite OS Pack Ver: 1.0.0.0000 Installed: 10/17/2001
Works Synchronization Ver: 1.0.0.0000 Installed: 10/17/2001
zndeaf

#15 SifuMike


Posted 03 April 2005 - 08:58 PM

Hello Sabrina,

Download "Registry Search Tool" (RegSrch.vbs) from here
http://www.billsway.com/vbspage/
start it and paste in zndeaf , wait, hit ok.
Then when Wordpad opens, copy that back here please.


Also, go into your Add/Remove programs and see if you can find zndeaf listed.
If it is, uninstall it. Let me know what you find.

Let's see if zndeaf is a running process, and if it is, we will end the process.
Press CTRL+SHIFT+ESC, click on the Processes tab, right click the process to be killed and select End Task or End Process. Search for zndeaf and End it.

Let me know if it was a running process.

Edited by SifuMike, 03 April 2005 - 09:06 PM.

