Hi, I Can't Remove System32\igiaigi.dll Bho (no Name)


8 replies to this topic

#1 wesrokin

Posted 04 April 2008 - 04:43 PM

Included are the following, in the order they were run:

1. Kaspersky
2. DSS, main log only
3. HijackThis 2.0.2


I carefully performed the recommended procedure. I also needed to use ComboFix to remove a persistent wmspoem and netbos.exe after multiple failures using Ad-Aware/Spybot/HijackThis/Avira/CWShredder in various combinations in safe mode and after full boot.


Thank you in advance!!


Kaspersky LOG:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-04-04 12:32
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 4/04/2008
Kaspersky Anti-Virus database records: 682049
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\Owner\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 35858
Number of viruses found: 3
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 01:19:45

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\$NtUninstallKB914388_0$\ws2_32.dll:fork2:$DATA Infected: Trojan.Win32.Pakes skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\lzhjo.bak Infected: Trojan-Clicker.Win32.Delf.jv skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\zokvhoex.dll.bak Infected: Trojan-Dropper.Win32.Agent.cia skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.




DSS log:

Only Main log Included


Deckard's System Scanner v20071014.68
Run by Owner on 2008-04-04 12:35:08
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; System Restore is disabled (service is not running).


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 248 MiB (512 MiB recommended).
System Drive C: has 1.78 GiB (less than 15%) free.


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47, on 2008-04-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

O2 - BHO: (no name) - {0DEAE661-D1F7-47AD-AB13-8900CF31928F} - c:\windows\system32\igiaigi.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O20 - Winlogon Notify: htpkqkxo - C:\WINDOWS\SYSTEM32\igiaigi.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 2772 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080205-105445-106 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
backup-20080205-105445-135 O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
backup-20080205-105445-185 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
backup-20080205-105445-199 O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
backup-20080205-105445-205 O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
backup-20080205-105445-206 O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe
backup-20080205-105445-226 O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\AntiSpywareSuite\bm.exe" dm=http://antispywaresuite.com; ad=http://antispywaresuite.com
backup-20080205-105445-243 O4 - Global Startup: PopSubtract.lnk = C:\Program Files\InterMute\PopSubtract\PopSub.exe
backup-20080205-105445-244 O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
backup-20080205-105445-254 O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
backup-20080205-105445-271 O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
backup-20080205-105445-281 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
backup-20080205-105445-303 O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC LightSpeed Self Support Tool\bin\matcli.exe
backup-20080205-105445-318 O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
backup-20080205-105445-338 O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
backup-20080205-105445-367 O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZNxmk570KXUS
backup-20080205-105445-375 O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
backup-20080205-105445-384 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
backup-20080205-105445-436 O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
backup-20080205-105445-439 O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
backup-20080205-105445-442 O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
backup-20080205-105445-468 O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
backup-20080205-105445-479 O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
backup-20080205-105445-490 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
backup-20080205-105445-529 O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
backup-20080205-105445-537 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
backup-20080205-105445-565 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
backup-20080205-105445-651 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
backup-20080205-105445-665 O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
backup-20080205-105445-666 O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
backup-20080205-105445-706 O2 - BHO: Microsoft Explorer - {E3D12CDB-16F2-7A25-4EB1-9F3B9B44AC84} - C:\WINDOWS\system32\mmsctl32.dll (file missing)
backup-20080205-105445-732 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
backup-20080205-105445-777 O2 - BHO: (no name) - {0DEAE661-D1F7-47AD-AB13-8900CF31928F} - c:\windows\system32\igiaigi.dll
backup-20080205-105445-800 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
backup-20080205-105445-814 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20080205-105445-824 O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
backup-20080205-105445-829 O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
backup-20080205-105445-856 O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
backup-20080205-105445-886 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
backup-20080205-105445-905 O4 - HKCU\..\Run: [CyberDefender Early Detection Center] "C:\Program Files\CyberDefender\AntiSpyware\cdas20.exe" /minimize
backup-20080205-105445-918 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
backup-20080205-105445-944 O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
backup-20080205-105445-963 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
backup-20080205-105445-965 O4 - Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
backup-20080205-105445-978 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
backup-20080205-105446-109 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
backup-20080205-105446-311 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
backup-20080205-105446-605 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
backup-20080205-105446-910 O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
backup-20080205-105447-152 O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
backup-20080205-105447-668 O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
backup-20080205-105447-778 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
backup-20080205-105448-249 O23 - Service: Service - Unknown owner - C:\WINDOWS\System32\Service.exe (file missing)
backup-20080205-105448-337 O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
backup-20080205-105448-429 O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
backup-20080205-105448-633 O20 - Winlogon Notify: htpkqkxo - C:\WINDOWS\SYSTEM32\igiaigi.dll
backup-20080205-105448-700 O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
backup-20080205-125936-619 O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
backup-20080331-165803-824 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080331-165804-259 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080331-165804-348 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20080331-165804-444 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080331-165804-547 O2 - BHO: (no name) - {0DEAE661-D1F7-47AD-AB13-8900CF31928F} - c:\windows\system32\igiaigi.dll
backup-20080331-165804-578 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20080331-165805-788 O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
backup-20080331-165807-559 O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
backup-20080331-165807-805 O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
backup-20080331-165812-168 O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
backup-20080331-165812-311 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
backup-20080331-165813-943 O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
backup-20080331-165814-327 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080331-165814-717 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080331-165815-628 O23 - Service: aawservice - Unknown owner - C:\WINDOWS\TEMP\207593.exe (file missing)
backup-20080331-172913-780 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
backup-20080331-172913-988 O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
backup-20080331-172915-474 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.94 85.255.112.88
backup-20080331-172915-915 O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
backup-20080331-172916-503 O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
backup-20080331-172916-770 O23 - Service: FastUserSwitchingCompatibility - Unknown owner - C:\WINDOWS\TEMP\553453.exe
backup-20080331-172916-824 O23 - Service: RasMan - Unknown owner - C:\WINDOWS\TEMP\189796.exe (file missing)
backup-20080331-172916-968 O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe
backup-20080403-122023-126 O23 - Service: IDriverT - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
backup-20080403-122023-221 O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
backup-20080403-122023-331 O23 - Service: ose - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
backup-20080403-122023-467 O23 - Service: ProtectedStorage - Unknown owner - C:\WINDOWS\TEMP\553453.exe (file missing)
backup-20080403-122023-870 O23 - Service: helpsvc - Unknown owner - C:\WINDOWS\TEMP\201796.exe (file missing)
backup-20080403-122023-884 O23 - Service: aawservice - Unknown owner - C:\WINDOWS\TEMP\132828.exe (file missing)
backup-20080403-122058-359 O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe (User 'Default user')
backup-20080403-122058-365 O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe (User 'SYSTEM')
backup-20080403-122122-309 O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
backup-20080403-122122-635 O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
backup-20080403-122136-687 F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
backup-20080403-122143-638 F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
backup-20080403-122438-316 F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
backup-20080403-123809-402 F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
backup-20080403-132616-959 F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\ntos.exe,
backup-20080403-135521-514 O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
backup-20080403-135749-620 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20080403-135750-414 O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
backup-20080403-135929-784 O2 - BHO: (no name) - {0DEAE661-D1F7-47AD-AB13-8900CF31928F} - c:\windows\system32\igiaigi.dll
backup-20080403-140317-341 F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
backup-20080403-140317-416 O2 - BHO: (no name) - {0DEAE661-D1F7-47AD-AB13-8900CF31928F} - c:\windows\system32\igiaigi.dll
backup-20080403-140318-638 O20 - Winlogon Notify: htpkqkxo - C:\WINDOWS\SYSTEM32\igiaigi.dll
backup-20080403-140455-547 F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
backup-20080403-140455-899 O2 - BHO: (no name) - {0DEAE661-D1F7-47AD-AB13-8900CF31928F} - c:\windows\system32\igiaigi.dll
backup-20080403-140456-411 O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
backup-20080403-140456-539 O20 - Winlogon Notify: htpkqkxo - C:\WINDOWS\SYSTEM32\igiaigi.dll
backup-20080403-140458-194 O2 - BHO: (no name) - {0DEAE661-D1F7-47AD-AB13-8900CF31928F} - c:\windows\system32\igiaigi.dll
backup-20080403-140458-359 F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
backup-20080403-140459-257 O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
backup-20080403-140459-359 O20 - Winlogon Notify: LogCrypt - C:\WINDOWS\
backup-20080403-140459-469 O20 - Winlogon Notify: htpkqkxo - C:\WINDOWS\SYSTEM32\igiaigi.dll
backup-20080403-140500-332 O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
backup-20080404-100036-226 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20080404-100036-265 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080404-100036-751 O2 - BHO: (no name) - {0DEAE661-D1F7-47AD-AB13-8900CF31928F} - c:\windows\system32\igiaigi.dll
backup-20080404-100036-920 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080404-100046-127 O2 - BHO: (no name) - {0DEAE661-D1F7-47AD-AB13-8900CF31928F} - c:\windows\system32\igiaigi.dll
backup-20080404-100057-766 O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
backup-20080404-100106-209 O20 - Winlogon Notify: htpkqkxo - C:\WINDOWS\SYSTEM32\igiaigi.dll
backup-20080404-100106-637 O2 - BHO: (no name) - {0DEAE661-D1F7-47AD-AB13-8900CF31928F} - c:\windows\system32\igiaigi.dll

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 wwkxxtod (Microsoft RPC API Helper) - c:\windows\system32\drivers\obvikruv.dat
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys

S0 Kpt61 - c:\windows\system32\drivers\kpt61.sys (file missing)
S3 catchme - c:\docume~1\admini~1\locals~1\temp\catchme.sys (file missing)
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 UWProSys (Process monitor.) - c:\program files\cyberdefender\antispyware\uwprosys.sys (file missing)
S4 SYMTDI - - (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 AntiVirScheduler (AntiVir PersonalEdition Classic Scheduler) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; Scheduler>
S3 aspnet_state (ASP.NET State Service) - c:\windows\microsoft.net\framework\v1.1.4322\aspnet_state.exe (file missing)
S4 helpsvc - c:\windows\temp\201796.exe (file missing)
S4 IDriverT - c:\program files\common files\installshield\driver\11\intel 32\idrivert.exe (file missing)
S4 iPodService - c:\program files\ipod\bin\ipodservice.exe (file missing)
S4 ose - c:\program files\common files\microsoft shared\source engine\ose.exe (file missing)
S4 RasMan - c:\windows\temp\189796.exe (file missing)
S4 Service - c:\windows\system32\service.exe (file missing)
S4 SNDSrvc (Symantec Network Drivers Service) - - (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-03-27 03:00:00 372 --a------ C:\WINDOWS\Tasks\RegCure.job
2008-03-26 20:30:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2006-08-17 10:03:41 412 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job


-- Files created between 2008-03-04 and 2008-04-04 -----------------------------

2008-04-04 10:27:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-04 10:27:11 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-04 10:26:31 0 d-------- C:\WINDOWS\LastGood
2008-04-04 09:06:39 68096 --a------ C:\WINDOWS\zip.exe
2008-04-04 09:06:39 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-04 09:06:39 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-04 09:06:39 98816 --a------ C:\WINDOWS\sed.exe
2008-04-04 09:06:39 80412 --a------ C:\WINDOWS\grep.exe
2008-04-04 09:06:39 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-04 09:06:38 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-04 09:06:38 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-03 17:43:41 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-04-03 12:31:00 0 d-------- C:\Program Files\Lavasoft
2008-04-01 22:24:31 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-04-01 22:24:30 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-04-01 22:24:30 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-01 22:24:30 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-01 22:24:30 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-04-01 22:24:30 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-01 22:24:30 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-04-01 22:24:30 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-01 22:24:30 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-04-01 22:24:30 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-01 22:24:30 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-04-01 22:24:30 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-04-01 22:24:30 0 d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-04-01 22:24:30 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2008-04-01 22:24:30 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-01 22:24:29 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-01 22:24:29 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-01 22:24:29 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-01 22:24:29 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-01 22:24:28 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-01 14:41:59 1189920 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-01 14:39:28 0 d-------- C:\Program Files\ZoneAlarmSB
2008-04-01 14:37:31 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-01 14:37:12 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-04-01 14:36:52 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2008-04-01 14:35:39 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-04-01 14:33:51 0 d-------- C:\WINDOWS\Internet Logs
2008-04-01 14:18:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-04-01 12:04:29 0 d-------- C:\Program Files\Avira
2008-04-01 12:04:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-03-31 17:52:38 0 d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2008-03-31 17:52:27 0 d-------- C:\Documents and Settings\Owner\Application Data\MSN6


-- Find3M Report ---------------------------------------------------------------

2008-04-04 09:27:36 81920 --a------ C:\WINDOWS\system32\igiaigi.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-03 17:44:28 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-03 13:54:24 42752 --a------ C:\WINDOWS\system32\lscnegzf.dat
2008-04-03 13:54:20 109824 --a------ C:\WINDOWS\system32\viifxfzf.dat
2008-04-03 13:17:15 0 d-------- C:\Program Files\SymNetDrv
2008-04-03 12:29:59 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-02 13:42:06 638208 --a------ C:\WINDOWS\system32\zokvhoex.dat
2008-04-01 13:13:48 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-20 10:28:38 36608 --a------ C:\WINDOWS\system32\uaahupqg.dat
2008-02-09 03:26:14 0 d-------- C:\Program Files\Messenger
2008-02-09 03:03:00 0 d-------- C:\Program Files\MSXML 4.0
2008-02-08 16:30:44 0 d-------- C:\Program Files\PC-Doctor for Windows
2008-02-08 16:30:33 0 d-------- C:\Program Files\IntelliMover Data Transfer Demo
2008-02-08 14:24:11 0 d-------- C:\Program Files\Movie Maker
2008-02-08 14:20:51 0 d-------- C:\Program Files\Windows NT
2008-02-08 11:09:34 0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-02-06 18:25:53 0 d-------- C:\Program Files\STOPzilla!
2008-02-05 11:54:47 0 d--h----- C:\Program Files\WindowsUpdate
2008-02-05 11:04:56 0 d-------- C:\Program Files\Common Files
2008-02-05 10:48:48 0 d-------- C:\Program Files\Trend Micro
2008-02-05 10:43:49 4121 --a------ C:\WINDOWS\viassary-hp.reg


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DEAE661-D1F7-47AD-AB13-8900CF31928F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-04-01 14:39 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-04-01 14:39 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-08-20 15:55]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-20 15:51]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-01 14:26]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\htpkqkxo]
igiaigi.dll 2008-04-04 09:27 81920 C:\WINDOWS\system32\igiaigi.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Kpt61.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Mrw50.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sxc72.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
rbedeelk

-- End of Deckard's System Scanner: finished at 2008-04-04 12:48:57 ------------

HIJACK THIS 2.0.2 LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:30, on 2008-04-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

O2 - BHO: (no name) - {0DEAE661-D1F7-47AD-AB13-8900CF31928F} - c:\windows\system32\igiaigi.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O20 - Winlogon Notify: htpkqkxo - C:\WINDOWS\SYSTEM32\igiaigi.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 2918 bytes



#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 05 April 2008 - 07:45 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 wesrokin

wesrokin
  • Topic Starter

  • Members
  • 11 posts

Posted 05 April 2008 - 02:27 PM

Thanks for your reply. I already ran Combofix once, but didn't save the log.

I performed the steps you recommended.

Included are the updated Combofix and HijackThis Logs.

Thanks so much for your help,

Travis

ComboFix 08-04-03.5 - Owner 2008-04-05 10:29:01.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Tasks.\At1.job
C:\WINDOWS\system32\igiaigi.dll . . . . failed to delete
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\salesmonitor
C:\Documents and Settings\Owner\Application Data\install.dat
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\5Q2BZZ76\www.broadcaster.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Owner\ResErrors.log
C:\Program Files\WinBudget
C:\WINDOWS\ORUN32.EXE
C:\WINDOWS\system32\4_exception.nls
C:\WINDOWS\system32\CMMGR32.EXE
c:\windows\system32\drivers\Hmq15.sys
C:\WINDOWS\System32\drivers\Mrw50.sys
C:\WINDOWS\system32\drivers\runtime2.sys
C:\WINDOWS\system32\kernel32.exe
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\Temp\278343.exe
C:\WINDOWS\Temp\3706828.exe
C:\WINDOWS\Temp\873765.exe
C:\WINDOWS\system32\igiaigi.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FMTR
-------\Legacy_HMQ15
-------\Legacy_MRW50
-------\Legacy_RBEDEELK
-------\Legacy_RUNTIME
-------\Legacy_RUNTIME2
-------\Service_Hmq15
-------\Service_Mrw50
-------\Service_rbedeelk
-------\Legacy_RBEDEELK
-------\Service_rbedeelk


((((((((((((((((((((((((( Files Created from 2008-03-05 to 2008-04-05 )))))))))))))))))))))))))))))))
.

2008-04-05 09:25 . 2008-04-05 09:26 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-05 08:24 . 2008-04-05 10:51 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-05 08:24 . 2008-04-05 08:24 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-05 08:18 . 2008-04-05 08:18 <DIR> d-------- C:\Program Files\Bonjour
2008-04-05 08:12 . 2008-04-05 08:12 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-05 08:12 . 2008-04-05 08:12 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-05 08:10 . 2008-04-05 08:10 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-04-05 08:10 . 2008-04-05 08:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-04 14:00 . 2008-04-04 14:00 6,491,392 --a------ C:\WINDOWS\system32\jgjwpqcg.dat
2008-04-04 12:34 . 2008-04-04 12:34 <DIR> d-------- C:\Deckard
2008-04-04 10:27 . 2008-04-04 10:27 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-04 10:27 . 2008-04-04 10:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-04 09:08 . 2008-04-04 09:09 <DIR> d-------- C:\SDFix
2008-04-03 17:43 . 2008-04-03 17:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-04-03 12:31 . 2008-04-03 12:31 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-01 22:24 . 2004-05-12 03:29 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-01 22:24 . 2004-05-12 21:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-04-01 22:24 . 2004-05-12 04:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-04-01 14:41 . 2008-04-05 10:48 1,540,128 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-01 14:41 . 2008-04-05 10:45 19,076 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-01 14:39 . 2008-04-01 14:39 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-04-01 14:37 . 2008-04-01 14:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-01 14:37 . 2008-04-01 14:39 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-04-01 14:36 . 2008-03-13 23:11 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-04-01 14:36 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-04-01 14:35 . 2008-04-01 14:35 <DIR> d-------- C:\Program Files\Zone Labs
2008-04-01 14:33 . 2008-04-05 10:06 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-04-01 12:04 . 2008-04-01 12:04 <DIR> d-------- C:\Program Files\Avira
2008-04-01 12:04 . 2008-04-01 12:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-03-31 17:52 . 2008-03-31 17:52 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MSN6
2008-03-31 17:52 . 2008-03-31 17:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-05 17:31 --------- d-----w C:\Program Files\Common Files\Real
2008-04-05 16:22 --------- d-----w C:\Program Files\iTunes
2008-04-05 16:21 --------- d-----w C:\Program Files\iPod
2008-04-05 16:17 --------- d-----w C:\Program Files\QuickTime
2008-04-05 16:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-04 01:44 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-04-03 21:57 20,224 ----a-w C:\WINDOWS\system32\drivers\obvikruv.dat
2008-04-03 21:17 --------- d-----w C:\Program Files\SymNetDrv
2008-04-03 20:29 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-01 23:28 1,067,520 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-04-01 21:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-09 11:03 --------- d-----w C:\Program Files\MSXML 4.0
2008-02-09 00:30 --------- d-----w C:\Program Files\PC-Doctor for Windows
2008-02-09 00:30 --------- d-----w C:\Program Files\IntelliMover Data Transfer Demo
2008-02-08 19:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-08 19:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-02-07 02:25 --------- d-----w C:\Program Files\STOPzilla!
2008-02-07 02:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-02-05 20:43 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-05 19:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-05 19:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-05 18:48 --------- d-----w C:\Program Files\Trend Micro
2008-02-05 18:43 4,121 ----a-w C:\WINDOWS\viassary-hp.reg
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DEAE661-D1F7-47AD-AB13-8900CF31928F}]
2008-04-05 10:41 80896 --a------ c:\windows\system32\igiaigi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-04-01 14:39 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2008-04-01 14:39 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-04-01 14:39 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-08-20 15:55 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-20 15:51 118784]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-01 14:26 249896]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AutoTBar"="AUTOTBAR.EXE" []

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\htpkqkxo]
igiaigi.dll 2008-04-05 10:41 80896 C:\WINDOWS\system32\igiaigi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.LEAD"= LCODCCMP.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Kpt61.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Mrw50.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sxc72.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 wwkxxtod;Microsoft RPC API Helper;C:\WINDOWS\system32\drivers\obvikruv.dat []
S0 Kpt61;Kpt61;C:\WINDOWS\system32\Drivers\Kpt61.sys []
S3 UWProSys;Process monitor.;C:\Program Files\CyberDefender\AntiSpyware\uwprosys.sys []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
rbedeelk

.
Contents of the 'Scheduled Tasks' folder
"2008-03-27 04:30:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-27 11:00:00 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2006-08-17 18:03:41 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-05 10:50:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SNDSrvc]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SYMTDI]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wwkxxtod]
"ImagePath"="system32\drivers\obvikruv.dat"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-04-05 11:05:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-05 19:05:09
Pre-Run: 2,029,240,320 bytes free
Post-Run: 1,964,687,360 bytes free
.
2008-03-12 11:03:24 --- E O F ---


New Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:52 AM, on 4/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {0DEAE661-D1F7-47AD-AB13-8900CF31928F} - c:\windows\system32\igiaigi.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AutoTBar] AUTOTBAR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O20 - Winlogon Notify: htpkqkxo - C:\WINDOWS\SYSTEM32\igiaigi.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 3923 bytes


Thanks again for your help!

Travis


#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 05 April 2008 - 02:41 PM

Hi,

Please uninstall the Spy Blocker toolbar, since this one is not recommended.

Then reboot.
After reboot,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\drivers\obvikruv.dat
C:\WINDOWS\system32\igiaigi.dll
C:\WINDOWS\system32\jgjwpqcg.dat
NetSvc::
rbedeelk
Driver::
wwkxxtod
UWProSys
Kpt61
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DEAE661-D1F7-47AD-AB13-8900CF31928F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AutoTBar"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\htpkqkxo]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Kpt61.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Mrw50.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sxc72.sys]


Save this as txt file CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

#5 wesrokin

wesrokin
  • Topic Starter

  • Members
  • 11 posts

Posted 05 April 2008 - 05:00 PM

I dropped the CFScript.txt into Combofix. Combofix log and new Hijack log are included.

Thanks.


ComboFix 08-04-03.5 - Owner 2008-04-05 13:18:42.3 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\drivers\obvikruv.dat
C:\WINDOWS\system32\igiaigi.dll
C:\WINDOWS\system32\jgjwpqcg.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\obvikruv.dat
C:\WINDOWS\system32\igiaigi.dll
C:\WINDOWS\system32\jgjwpqcg.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KPT61
-------\Legacy_RBEDEELK
-------\Legacy_UWPROSYS
-------\Legacy_WWKXXTOD
-------\Service_Kpt61
-------\Service_rbedeelk
-------\Service_UWProSys
-------\Service_wwkxxtod


((((((((((((((((((((((((( Files Created from 2008-03-05 to 2008-04-05 )))))))))))))))))))))))))))))))
.

2008-04-05 09:25 . 2008-04-05 09:26 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-05 08:18 . 2008-04-05 08:18 <DIR> d-------- C:\Program Files\Bonjour
2008-04-05 08:12 . 2008-04-05 08:12 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-05 08:12 . 2008-04-05 08:12 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-05 08:10 . 2008-04-05 08:10 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-04-05 08:10 . 2008-04-05 08:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-04 12:34 . 2008-04-04 12:34 <DIR> d-------- C:\Deckard
2008-04-04 10:27 . 2008-04-04 10:27 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-04 10:27 . 2008-04-04 10:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-04 09:08 . 2008-04-04 09:09 <DIR> d-------- C:\SDFix
2008-04-03 17:43 . 2008-04-03 17:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-04-03 12:31 . 2008-04-03 12:31 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-01 22:24 . 2004-05-12 03:29 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-01 22:24 . 2004-05-12 21:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-04-01 22:24 . 2004-05-12 04:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-04-01 14:41 . 2008-04-05 13:34 1,613,856 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-01 14:41 . 2008-04-05 13:29 19,940 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-01 14:37 . 2008-04-01 14:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-01 14:37 . 2008-04-01 14:39 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-04-01 14:36 . 2008-03-13 23:11 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-04-01 14:36 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-04-01 14:35 . 2008-04-01 14:35 <DIR> d-------- C:\Program Files\Zone Labs
2008-04-01 14:33 . 2008-04-05 13:02 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-04-01 12:04 . 2008-04-01 12:04 <DIR> d-------- C:\Program Files\Avira
2008-04-01 12:04 . 2008-04-01 12:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-03-31 17:52 . 2008-03-31 17:52 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MSN6
2008-03-31 17:52 . 2008-03-31 17:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-05 17:31 --------- d-----w C:\Program Files\Common Files\Real
2008-04-05 16:22 --------- d-----w C:\Program Files\iTunes
2008-04-05 16:21 --------- d-----w C:\Program Files\iPod
2008-04-05 16:17 --------- d-----w C:\Program Files\QuickTime
2008-04-05 16:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-04 01:44 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-04-03 21:17 --------- d-----w C:\Program Files\SymNetDrv
2008-04-03 20:29 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-01 21:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-09 11:03 --------- d-----w C:\Program Files\MSXML 4.0
2008-02-09 00:30 --------- d-----w C:\Program Files\PC-Doctor for Windows
2008-02-09 00:30 --------- d-----w C:\Program Files\IntelliMover Data Transfer Demo
2008-02-08 19:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-08 19:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-02-07 02:25 --------- d-----w C:\Program Files\STOPzilla!
2008-02-07 02:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-02-05 20:43 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-05 19:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-05 19:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-05 18:48 --------- d-----w C:\Program Files\Trend Micro
2008-02-05 18:43 4,121 ----a-w C:\WINDOWS\viassary-hp.reg
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-08-20 15:55 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-20 15:51 118784]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-01 14:26 249896]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.LEAD"= LCODCCMP.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-03-27 04:30:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-27 11:00:00 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2006-08-17 18:03:41 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-05 13:33:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SNDSrvc]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SYMTDI]
"ImagePath"="-"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-04-05 13:42:43 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-04-05 21:42:31
ComboFix2.txt 2008-04-05 19:05:43
Pre-Run: 1,992,495,104 bytes free
Post-Run: 1,973,944,320 bytes free
.
2008-03-12 11:03:24 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:57:20 PM, on 4/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 3072 bytes
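The HijackThis log above is the cleaned state: O4 Run entries and O23 services only, with the "(no name)" BHO for igiaigi.dll from the thread title gone. The part of such a log that needs judgement is small and regular, so the following is an added example (not HijackThis code and not posted by anyone in this thread) of a Python triage pass over O2/O4/O23 lines. It flags a BHO with no display name or a missing DLL, a Run entry whose executable lives outside C:\WINDOWS or C:\Program Files, and a service with "(file missing)" or "Unknown owner". The heuristics, the trusted-directory list and the function names are assumptions; the O4/O23 sample lines are copied from the log above, while the O2 line (with a placeholder CLSID) is constructed to resemble the entry the title describes.

```python
"""Triage of HijackThis-style log lines (added example; not HijackThis code and
not posted by anyone in this thread). Heuristics, names and the sample O2 line
are assumptions made for illustration."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log: O4/O23 lines copied from the thread's log; the O2
# line is made up (placeholder CLSID) to resemble the "(no name)" BHO for
# igiaigi.dll that the title mentions but the cleaned log no longer shows.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\igiaigi.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")

# Where a stock XP install normally loads autostart code from (assumption).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class Finding:
    section: str        # HJT section tag, e.g. "O2"
    name: str           # display name HJT recorded
    path: str           # file the entry points at
    reasons: List[str]  # why it was flagged


def _exe_path(cmd: str) -> str:
    """Extract the executable from a Run-key command line, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def _in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def _check_o2(body: str) -> Optional[Finding]:
    m = O2_RE.match(body)
    if not m:
        return None
    reasons = []
    if m["name"].strip().lower() == "(no name)":
        reasons.append("BHO registered without a name")
    if "(file missing)" in m["path"] or "(no file)" in m["path"]:
        reasons.append("registered DLL is missing")
    if not _in_trusted_dir(m["path"]):
        reasons.append("loaded from outside Windows/Program Files")
    return Finding("O2", m["name"], m["path"], reasons) if reasons else None


def _check_o4(body: str) -> Optional[Finding]:
    m = O4_RE.match(body)
    if not m:
        return None
    path = _exe_path(m["cmd"])
    reasons = []
    if not _in_trusted_dir(path):
        reasons.append("runs from outside Windows/Program Files")
    return Finding("O4", m["name"], path, reasons) if reasons else None


def _check_o23(body: str) -> Optional[Finding]:
    m = O23_RE.match(body)
    if not m:
        return None
    reasons = []
    if "(file missing)" in m["path"]:
        reasons.append("service binary is missing")
    if m["vendor"].strip().lower() == "unknown owner":
        reasons.append("no vendor recorded (Unknown owner)")
    return Finding("O23", m["name"], m["path"], reasons) if reasons else None


CHECKERS = {"O2": _check_o2, "O4": _check_o4, "O23": _check_o23}


def triage(log_text: str) -> List[Finding]:
    """One Finding per suspicious O2/O4/O23 line; clean lines yield nothing."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        checker = CHECKERS.get(m.group(1))
        if checker:
            found = checker(m.group(2))
            if found:
                findings.append(found)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.name!r} -> {f.path}: {'; '.join(f.reasons)}")
```

On the sample above this reports the nameless BHO and the aspnet_state service (missing binary, no vendor) and stays quiet about the Intel, Avira, ctfmon and Bonjour entries. It is only a pre-filter: a DLL sitting in System32 with no name is flagged because of the missing name, not because the path is wrong, and fixing such an O2 line with HijackThis only deletes the registry key. If another autostart component re-creates it on the next boot, the entry simply comes back, which is why threads like this one end up using ComboFix rather than repeated HJT fixes.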

#6 miekiemoes (Malware Response Team)

Posted 06 April 2008 - 02:00 AM

Hi,

This looks Ok again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 wesrokin (Topic Starter)

Posted 06 April 2008 - 12:25 PM

Things are running great now, thank you so much for your help. I probably just need to defrag the drive and get a little more memory and it'll be running like a charm. Can you recommend a resource for learning more about adware, trojans, etc.?


Thanks again for your help,

Travis

#8 miekiemoes (Malware Response Team)

Posted 06 April 2008 - 02:06 PM

Glad I could help.

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#9 miekiemoes (Malware Response Team)

Posted 09 April 2008 - 01:49 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
