
Unknown Infection Resulting In System Instability


  • This topic is locked
12 replies to this topic

#1 Dizzylizard


Posted 04 April 2008 - 05:18 PM

I've been having a problem that seems almost as if someone else is accessing my computer. Programs randomly start and stop (while nobody is near the computer), the system randomly shuts down and restarts, and it sometimes takes three or four cycles through the startup process to actually boot. There are services and processes running that can't be killed, even in administrator accounts. I've followed the instructions at http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/. SpyBot S&D found something called command services that it couldn't delete, and when I ran the Kaspersky online scanner, it found 38 infections it couldn't clean because the files were locked. I'm at my wits' end, especially since I have the ZoneAlarm internet security suite and scan daily. Can anyone help?

--------------------------------------------------Deckard's System Scanner Logfile Follows-----------------------------------------
Deckard's System Scanner v20071014.68
Run by Damien on 2008-04-04 16:39:23
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 96% (more than 75%).
Total Physical Memory: 127 MiB (256 MiB recommended).


-- HijackThis (run as Damien.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:41:34 PM, on 4/4/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINNT\system32\mobsync.exe
C:\WINNT\system32\Promon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\SBHookSvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Documents and Settings\Damien\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Damien.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://onecare.live.com/site/en-us/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [kkmo] C:\PROGRA~1\COMMON~1\kkmo\kkmom.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1168207715421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1183838494875
O16 - DPF: {6F0C8A85-8B0D-11D2-801B-00105AA78F4A} (CobAgent4 Class) - http://ecare1a.netopia.com/uhaul/ecare4/co...t_4.2.1.316.cab
O16 - DPF: {7873B468-E762-4143-83E6-7258CB6B5D9D} (ECareAgent Class) - http://ecare1a.netopia.com/uhaul/ecare4/co.../ECareAgent.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...anner371420.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: lxcz_device - Unknown owner - C:\WINNT\system32\lxczcoms.exe (file missing)
O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\SBCSEL~1\SMARTB~1\SBHookSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 6666 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 BANTExt (Belarc SMBios Access) - c:\winnt\system32\drivers\bantext.sys

S3 TVICHW32 - c:\winnt\system32\drivers\tvichw32.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R3 SBHookSvc - c:\progra~1\sbcsel~1\smartb~1\sbhooksvc.exe

S2 lxcz_device - c:\winnt\system32\lxczcoms.exe -service (file missing)
S3 iPod Service - "c:\program files\ipod\bin\ipodservice.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: PS/2 Compatible Mouse
Device ID: ACPI\PNP0F13\4&15F50029&0
Manufacturer: Microsoft
Name: PS/2 Compatible Mouse
PNP Device ID: ACPI\PNP0F13\4&15F50029&0
Service: i8042prt


-- Files created between 2008-03-04 and 2008-04-04 -----------------------------

2008-04-04 15:41:13 0 d-------- C:\Program Files\Trend Micro
2008-04-04 13:08:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-04 13:08:17 0 d-------- C:\WINNT\system32\Kaspersky Lab
2008-04-04 01:10:04 376000 ---h----- C:\WINNT\ShellIconCache
2008-04-03 21:31:12 0 d-------- C:\Documents and Settings\Damien\.housecall6.6
2008-04-03 15:16:14 0 d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-03 13:43:17 0 d-------- C:\Program Files\Lavasoft
2008-04-03 13:43:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-03 13:40:47 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-01 18:51:22 0 d-------- C:\Program Files\Resource Kit
2008-04-01 18:50:45 21264 --a------ C:\Svcmon.exe
2008-04-01 18:42:37 63248 --a------ C:\Sc.exe
2008-04-01 18:42:18 119056 --a------ C:\Reg.exe
2008-03-29 23:42:16 0 d-------- C:\Program Files\Foundstone
2008-03-29 23:41:29 299520 --a------ C:\WINNT\uninst.exe
2008-03-27 01:20:24 163104 --ahs---- C:\WINNT\system32\drivers\fidbox2.dat
2008-03-27 01:20:24 3046432 --ahs---- C:\WINNT\system32\drivers\fidbox.dat
2008-03-23 03:20:15 126976 --ah----- C:\Documents and Settings\MONEYBOX$\NTUSER.DAT
2008-03-23 03:20:15 0 d--h----- C:\Documents and Settings\MONEYBOX$\Local Settings
2008-03-23 03:20:15 0 d---s---- C:\Documents and Settings\MONEYBOX$\Cookies
2008-03-23 03:20:15 0 d-------- C:\Documents and Settings\MONEYBOX$\Application Data
2008-03-23 03:20:15 0 d---s---- C:\Documents and Settings\MONEYBOX$\Application Data\Microsoft
2008-03-18 19:15:44 0 d-------- C:\Documents and Settings\Damien\Application Data\FaxCtr
2008-03-18 10:56:29 0 d-------- C:\temp
2008-03-18 10:46:35 98345 --a------ C:\WINNT\system32\IMHOST32.DLL
2008-03-18 10:46:34 339968 --a------ C:\WINNT\system32\IMGMAN32.DLL
2008-03-18 10:45:28 0 d-------- C:\Documents and Settings\All Users\Application Data\FaxCtr
2008-03-18 10:44:43 0 d-------- C:\Program Files\Lexmark Fax Solutions
2008-03-18 10:43:41 0 d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-03-18 10:37:00 114688 --a------ C:\WINNT\system32\rtscan.dll
2008-03-18 10:36:59 61440 --a------ C:\WINNT\system32\lxczcnv7.dll
2008-03-18 10:36:59 61440 --a------ C:\WINNT\system32\lxczcnv6.dll
2008-03-18 10:36:58 61440 --a------ C:\WINNT\system32\lxczcnv5.dll
2008-03-15 12:05:16 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_614.dat
2008-03-15 12:01:36 0 d-------- C:\c4d4847ef2230b777f1859066a
2008-03-14 23:39:09 0 d-------- C:\Documents and Settings\Damien\.gimp-2.4
2008-03-14 22:09:46 0 d-------- C:\Program Files\Open Clip Art Library
2008-03-14 15:30:36 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-13 12:48:13 0 d-------- C:\4d339b82192309bd5740fd6837a7


-- Find3M Report ---------------------------------------------------------------

2008-04-03 15:22:57 0 d-------- C:\Documents and Settings\Damien\Application Data\OpenOffice.org2
2008-04-03 13:40:47 0 d-a------ C:\Program Files\Common Files
2008-04-01 02:36:23 0 d-------- C:\Program Files\Windows Live Safety Center
2008-03-31 21:02:17 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-31 21:01:03 0 d-------- C:\Program Files\Ulead Systems
2008-03-31 21:01:02 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-31 16:27:10 0 d-------- C:\Program Files\Apple Software Update
2008-03-27 01:20:48 4212 ---h----- C:\WINNT\system32\zllictbl.dat
2008-03-15 11:40:05 0 d-------- C:\Documents and Settings\Damien\Application Data\gtk-2.0
2008-03-14 23:18:36 0 d-------- C:\Program Files\GIMP-2.0
2008-03-14 20:41:36 0 d-------- C:\Program Files\KeyScrambler
2008-03-12 23:49:35 0 d-------- C:\Program Files\Java
2008-02-29 21:01:12 0 d-------- C:\Program Files\OpenOffice.org 2.3
2008-02-29 19:11:21 0 d-------- C:\Documents and Settings\Damien\Application Data\Adobe
2008-02-28 14:22:34 295 --a------ C:\WINNT\EReg072.dat
2008-02-28 14:18:22 0 d-------- C:\Program Files\Firaxis Games
2008-01-28 19:45:20 110592 --a------ C:\WINNT\SNDREC32.EXE
2008-01-28 17:39:38 118784 --a------ C:\WINNT\dsdxirmv.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/18/03 06:00a C:\WINNT\system32\mobsync.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/08 04:25a]
"Promon.exe"="Promon.exe" [04/13/00 06:34p C:\WINNT\system32\promon.exe]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [08/24/05 06:51a]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/13/08 11:11p]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/08 10:16p]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/08 11:43a]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"kkmo"=C:\PROGRA~1\COMMON~1\kkmo\kkmom.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau]
nwprovau.dll 08/31/06 11:49p 140048 C:\WINNT\system32\NWPROVAU.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2008-04-04 16:44:28 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows 2000 Professional (build 2195) SP 4.0
Architecture: X86; Language: English

CPU 0: Intel Pentium III processor
Percentage of Memory in Use: 94%
Physical Memory (total/avail): 126.42 MiB / 6.63 MiB
Pagefile Memory (total/avail): 493.55 MiB / 229.8 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1960.62 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 18.64 GiB total, 12.32 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD200BB-60AUA1 - 18.64 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 18.64 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Damien\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MONEYBOX
ComSpec=C:\WINNT\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Damien
LOGONSERVER=\\MONEYBOX
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;"C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier";C:\Program Files\Common Files\GTK\2.0\bin;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\Common Files\Ulead Systems\DVD
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=080a
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\Damien\LOCALS~1\Temp
TMP=C:\DOCUME~1\Damien\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=MONEYBOX
USERNAME=Damien
USERPROFILE=C:\Documents and Settings\Damien
windir=C:\WINNT


-- User Profiles ---------------------------------------------------------------

Customer
Damien (admin)
Corey (admin)
Lauren (admin)
moneybox1 (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> -c"C:\Program Files\Ulead Systems\Ulead COOL 360\IS32Inst.dll"
--> C:\PROGRA~1\SBCSEL~1\CustomUninstall.exe SBC
--> C:\WINNT\$NtUninstallQ818043$\spuninst\spuninst.exe
ABBYY FineReader 6.0 Sprint --> MsiExec.exe /X{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINNT\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINNT\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Cakewalk Plasma 2003 --> C:\PROGRA~1\Cakewalk\CAKEWA~1\UNWISE.EXE C:\PROGRA~1\Cakewalk\CAKEWA~1\INSTALL.LOG
Digital Camera Driver --> MsiExec.exe /I{171198DA-B256-47EE-9B3B-E079C831FBD7}
DreamStation DXi2 --> C:\WINNT\DSDXIRMV.EXE C:\PROGRAM FILES\CAKEWALK\SHARED DXI\AUDIO SIMULATION\DREAMSTATION DXI2
getPlus®_ocx --> rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\inf\GETPLUSo.INF, DefaultUninstall
GIMP 2.4.5 --> "C:\Program Files\GIMP-2.0\setup\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP LaserJet 2100 Software --> C:\hplj2100\2100un32.exe
Intel® PRO Network Connections Drivers --> Prounstl.exe
IZArc 3.6 --> "C:\Program Files\IZArc\unins000.exe"
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Kaspersky Online Scanner --> C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
KeyScrambler --> C:\Program Files\KeyScrambler\uninstall.exe
Microsoft .NET Framework 1.1 --> msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 Hotfix (KB928366) --> "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 2.0 Service Pack 1 --> MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINNT\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Baseline Security Analyzer 2.0.1 --> MsiExec.exe /I{7F231232-C309-4401-964A-2A002B6E1ED9}
Microsoft Tool Web Package:NetDiag.exe --> MsiExec.exe /X{D8A07C06-2BD7-4486-9786-7365B2E9B589}
Mozilla Firefox (2.0.0.13) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Open Clip Art Library --> "C:\Program Files\Open Clip Art Library\Uninstall Open Clip Art Library.exe"
OpenOffice.org 2.3 --> MsiExec.exe /I{2F29D6D2-824E-4FEF-8AED-7013F39F642A}
QuickTime --> MsiExec.exe /I{5E863175-E85D-44A6-8968-82507D34AE7F}
rgcAudio Triangle II DXi2 --> "C:\Program Files\Cakewalk\Shared Dxi\Triangle II\unins000.exe"
Security Update for DirectX 9 (KB941568) --> "C:\WINNT\$NtUninstallKB941568_DX9$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB904706) -->
Security Update for Windows 2000 (KB923689) --> "C:\WINNT\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB941569) --> "C:\WINNT\$NtUninstallKB941569$\spuninst\spuninst.exe"
Sid Meier's Alpha Centauri --> C:\WINNT\IsUninst.exe -f"C:\Program Files\Firaxis Games\Sid Meier's Alpha Centauri\Uninst.isu"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Ulead COOL 360 1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3CEA4CA8-CDD4-451C-B673-E8F17BE01B15}\Setup.exe" -l0x9 -uninst
Vision --> C:\WINNT\uninst.exe -f"C:\Program Files\Foundstone\Vision\DeIsL1.isu" -c"C:\Program Files\Foundstone\Vision\_ISREG32.DLL"
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Media Player system update (9 Series) --> C:\PROGRA~1\WINDOW~2\setup_wm.exe /Uninstall
Windows Rights Management Client Backwards Compatibility SP2 --> MsiExec.exe /X{EC905264-BCFE-423B-9C42-C3A106266790}
Windows Rights Management Client with Service Pack 2 --> MsiExec.exe /X{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}
ZoneAlarm Security Suite --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1464 / Warning
Event Submitted/Written: 04/04/2008 03:52:15 PM
Event ID/Source: 35 / WinMgmt
Event Description:
WMI ADAP was unable to load the ASP.NET_2.0.50727 performance library because it returned invalid data: 0x0

Event Record #/Type1463 / Warning
Event Submitted/Written: 04/04/2008 03:52:11 PM
Event ID/Source: 35 / WinMgmt
Event Description:
WMI ADAP was unable to load the ASP.NET performance library because it returned invalid data: 0x0

Event Record #/Type1462 / Warning
Event Submitted/Written: 04/04/2008 03:50:54 PM
Event ID/Source: 4100 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber {6295DF2D-35EE-11D1-8707-00C04FD93327}. CoCreateInstanceEx returned HRESULT 80080005.

Event Record #/Type1459 / Warning
Event Submitted/Written: 04/04/2008 01:16:50 AM
Event ID/Source: 4100 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber {6295DF2D-35EE-11D1-8707-00C04FD93327}. CoCreateInstanceEx returned HRESULT 8000401A.

Event Record #/Type1458 / Warning
Event Submitted/Written: 04/04/2008 01:16:27 AM
Event ID/Source: 35 / WinMgmt
Event Description:
WMI ADAP was unable to load the ASP.NET_2.0.50727 performance library because it returned invalid data: 0x0



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1509 / Warning
Event Submitted/Written: 04/04/2008 03:53:21 PM
Event ID/Source: 20192 / RemoteAccess
Event Description:
A certificate could not be found. Connections that use the L2TP protocol over IPSec
require the installation of a machine certificate, also known as a computer
certificate. No L2TP calls will be accepted.

Event Record #/Type1508 / Error
Event Submitted/Written: 04/04/2008 03:53:12 PM
Event ID/Source: 20082 / RemoteAccess
Event Description:
The Remote Access Server could not reset lana 0 (the error code is the
data) and will not be active on it.

Event Record #/Type1507 / Error
Event Submitted/Written: 04/04/2008 03:53:12 PM
Event ID/Source: 20082 / RemoteAccess
Event Description:
The Remote Access Server could not reset lana 5 (the error code is the
data) and will not be active on it.

Event Record #/Type1506 / Error
Event Submitted/Written: 04/04/2008 03:50:27 PM
Event ID/Source: 2504 / Server
Event Description:
The server could not bind to the transport \Device\NwlnkIpx.

Event Record #/Type1505 / Error
Event Submitted/Written: 04/04/2008 03:50:05 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The lxcz_device service failed to start due to the following error:
%%2



-- End of Deckard's System Scanner: finished at 2008-04-04 16:44:28 ------------

Eagerly awaiting a response...



#2 Buckeye_Sam

    Malware Expert



Posted 05 April 2008 - 05:55 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Dizzylizard


Posted 05 April 2008 - 09:30 PM

Hi Sam! Glad to hear from you so soon!! :thumbsup: I ran ComboFix and have the LogFile attached. I've never run it before so I don't know what its normal behavior is, but I got a popup during the shutdown process saying my maximum registry size was too small...how do I fix that, and what should it be set at? Also, Spybot S&D autostarted during the reboot and reported a bunch of registry changes. I authorized them (figuring it was being done by CF), and then SB S&D shut itself down. Then ZoneAlarm reported the following alerts (in this order):

1. Description Registry Editor may have been trying to prevent 'combofix' from running each time your computer is started by modifying the registry key: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Rating Medium
Date / Time 2008/04/05 20:44:18-6:00 GMT
Type Registry
Subtype Delete Value
Data HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN,
Program C:\ComboFix\REGT.CFEXE
Action Taken Allowed
Count 1

2. Description NirCmd was trying to launch C:\WINNT\system32\CF15122.exe, or use another program to gain access to privileged resources
Rating High
Date / Time 2008/04/05 20:46:38-6:00 GMT
Type Process
Subtype Spawn Process
Data C:\WINNT\system32\CF15122.exe,
Program C:\WINNT\Nircmd.exe
Action Taken
Count 1

3. Description CATCHME.CFEXE was trying to communicate with C:\WINNT\Explorer.EXE by opening its process
Rating High
Date / Time 2008/04/05 20:46:48-6:00 GMT
Type Process
Subtype Open Process
Data C:\WINNT\Explorer.EXE
Program C:\ComboFix\CATCHME.CFEXE
Action Taken
Count 1

4. Description NirCmd was trying to launch C:\WINNT\system32\CF15122.exe, or use another program to gain access to privileged resources
Rating High
Date / Time 2008/04/05 20:51:06-6:00 GMT
Type Process
Subtype Spawn Process
Data C:\WINNT\system32\CF15122.exe,
Program C:\ComboFix\NIRCMD.CFEXE
Action Taken Allowed (once)
Count 1

5. Description PV.CFEXE was trying to communicate with C:\WINNT\Explorer.EXE by opening its process
Rating High
Date / Time 2008/04/05 20:52:22-6:00 GMT
Type Process
Subtype Open Process
Data C:\WINNT\Explorer.EXE
Program C:\ComboFix\PV.CFEXE
Action Taken Allowed (once)
Count 1

6. Description CATCHME.CFEXE was trying to communicate with \SystemRoot\System32\smss.exe by opening its process
Rating High
Date / Time 2008/04/05 20:53:34-6:00 GMT
Type Process
Subtype Open Process
Data \SystemRoot\System32\smss.exe
Program C:\ComboFix\CATCHME.CFEXE
Action Taken Allowed (once)
Count 1

7. Description CATCHME.CFEXE was trying to communicate with \SystemRoot\System32\smss.exe by opening its process
Rating High
Date / Time 2008/04/05 20:53:50-6:00 GMT
Type Process
Subtype Open Process
Data \SystemRoot\System32\smss.exe
Program C:\ComboFix\CATCHME.CFEXE
Action Taken Allowed (once)
Count 1

8. Description PsExec Service was trying to launch C:\WINNT\system32\CF15122.exe, or use another program to gain access to privileged resources
Rating High
Date / Time 2008/04/05 20:54:10-6:00 GMT
Type Process
Subtype Spawn Process
Data C:\WINNT\system32\CF15122.exe,
Program C:\WINNT\PSEXESVC.EXE
Action Taken Allowed (once)
Count 1

9. Description NirCmd was trying to launch C:\WINNT\system32\CMD.EXE, or use another program to gain access to privileged resources
Rating High
Date / Time 2008/04/05 20:55:30-6:00 GMT
Type Process
Subtype Spawn Process
Data C:\WINNT\system32\CMD.EXE,
Program C:\WINNT\Nircmd.exe
Action Taken Allowed (once)
Count 1

Don't know if it's normal or not, or if I did something wrong, but I wanted you to have all the details...Here's the CF LogFile

-----------------------------ComboFix LogFile Follows-------------------------------------
ComboFix 08-04-04.1 - Damien 04/05/2008 20:35:55.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.30 [GMT -6:00]
Running from: C:\Documents and Settings\Damien\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\{0C01D~1
C:\Program Files\Common Files\{0C01D~2
C:\Program Files\Common Files\{3C01D~1
C:\WINNT\sndrec32.exe
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_COM+_MESSAGES
-------\Legacy_NETWORK_MONITOR
-------\Service_cmdService
-------\Service_NwSapAgent


((((((((((((((((((((((((( Files Created from 2008-03-06 to 2008-04-06 )))))))))))))))))))))))))))))))
.

2008-04-04 15:42 . 08-04-04 15:42 <DIR> d-------- C:\Deckard
2008-04-04 15:41 . 08-04-04 15:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-04 13:08 . 08-04-04 13:08 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2008-04-04 13:08 . 08-04-04 13:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-04 12:51 . 08-04-03 21:32 102,664 --a------ C:\WINNT\system32\drivers\tmcomm.sys
2008-04-04 01:10 . 08-04-04 01:10 376,000 ---h----- C:\WINNT\ShellIconCache
2008-04-03 21:31 . 08-04-04 12:56 <DIR> d-------- C:\Documents and Settings\Damien\.housecall6.6
2008-04-03 15:16 . 08-04-03 15:17 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-03 15:16 . 08-04-03 18:55 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-03 13:43 . 08-04-03 13:43 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-03 13:43 . 08-04-03 13:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-03 13:40 . 08-04-03 13:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-01 18:51 . 08-04-01 18:55 <DIR> d-------- C:\Program Files\Resource Kit
2008-04-01 18:50 . 99-02-25 07:48 21,264 --a------ C:\Svcmon.exe
2008-04-01 18:42 . 99-03-11 03:46 119,056 --a------ C:\Reg.exe
2008-04-01 18:42 . 99-03-12 23:55 63,248 --a------ C:\Sc.exe
2008-03-29 23:42 . 08-03-29 23:42 <DIR> d-------- C:\Program Files\Foundstone
2008-03-29 23:41 . 98-02-06 22:37 299,520 --a------ C:\WINNT\uninst.exe
2008-03-27 01:20 . 08-04-05 20:47 3,087,648 --ahs---- C:\WINNT\system32\drivers\fidbox.dat
2008-03-27 01:20 . 08-04-05 20:45 389,920 --ahs---- C:\WINNT\system32\drivers\fidbox2.dat
2008-03-27 01:20 . 08-04-05 20:39 42,380 --ahs---- C:\WINNT\system32\drivers\fidbox.idx
2008-03-27 01:20 . 08-04-05 20:39 37,604 --ahs---- C:\WINNT\system32\drivers\fidbox2.idx
2008-03-18 19:15 . 08-03-18 19:15 <DIR> d-------- C:\Documents and Settings\Damien\Application Data\FaxCtr
2008-03-18 10:56 . 08-03-21 13:07 <DIR> d-------- C:\temp
2008-03-18 10:46 . 06-04-28 03:16 339,968 --a------ C:\WINNT\system32\IMGMAN32.DLL
2008-03-18 10:46 . 06-04-28 03:16 98,345 --a------ C:\WINNT\system32\IMHOST32.DLL
2008-03-18 10:46 . 06-04-28 03:16 98,304 --a------ C:\WINNT\system32\IM31XPNG.DEL
2008-03-18 10:46 . 06-04-28 03:16 69,632 --a------ C:\WINNT\system32\IM31XTIF.DEL
2008-03-18 10:46 . 06-04-28 03:16 49,152 --a------ C:\WINNT\system32\IM31IMG.DIL
2008-03-18 10:45 . 08-03-18 10:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FaxCtr
2008-03-18 10:44 . 08-03-31 20:57 <DIR> d-------- C:\Program Files\Lexmark Fax Solutions
2008-03-18 10:43 . 08-03-18 10:44 <DIR> d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-03-18 10:38 . 08-03-18 10:38 100 --a------ C:\WINNT\Lexstat.ini
2008-03-18 10:37 . 07-02-07 16:57 114,688 --a------ C:\WINNT\system32\rtscan.dll
2008-03-18 10:37 . 07-02-07 16:58 39,899 --a------ C:\WINNT\system32\rtsicis.ini
2008-03-18 10:37 . 03-06-19 12:05 12,592 --a------ C:\WINNT\system32\drivers\usbscan.sys
2008-03-18 10:37 . 03-06-19 12:05 12,592 --a--c--- C:\WINNT\system32\dllcache\usbscan.sys
2008-03-18 10:36 . 06-06-07 12:23 61,440 --a------ C:\WINNT\system32\lxczcnv7.dll
2008-03-18 10:36 . 06-03-07 10:59 61,440 --a------ C:\WINNT\system32\lxczcnv6.dll
2008-03-18 10:36 . 06-01-10 16:11 61,440 --a------ C:\WINNT\system32\lxczcnv5.dll
2008-03-14 23:39 . 08-03-20 15:40 <DIR> d-------- C:\Documents and Settings\Damien\.gimp-2.4
2008-03-14 22:09 . 08-03-14 23:15 <DIR> d-------- C:\Program Files\Open Clip Art Library
2008-03-14 15:30 . 08-03-14 15:32 <DIR> d-------- C:\Program Files\Common Files\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-05 04:38 3,435,008 ----a-w C:\WINNT\Internet Logs\xDB17.tmp
2008-04-04 21:48 3,431,936 ----a-w C:\WINNT\Internet Logs\xDB16.tmp
2008-04-03 21:22 --------- d-----w C:\Documents and Settings\Damien\Application Data\OpenOffice.org2
2008-04-01 08:36 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-04-01 03:37 3,367,424 ----a-w C:\WINNT\Internet Logs\xDB15.tmp
2008-04-01 03:02 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-01 03:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-01 03:01 --------- d-----w C:\Program Files\Ulead Systems
2008-04-01 03:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-03-31 22:27 --------- d-----w C:\Program Files\Apple Software Update
2008-03-30 00:23 3,330,048 ----a-w C:\WINNT\Internet Logs\xDB14.tmp
2008-03-26 02:41 32,032 ----a-w C:\WINNT\Internet Logs\vsmon_2nd_2008_03_25_20_35_01_small.dmp.zip
2008-03-26 02:41 18,708 ----a-w C:\WINNT\Internet Logs\vsmon_2nd_2008_03_25_20_34_21_small.dmp.zip
2008-03-26 02:35 3,318,784 ----a-w C:\WINNT\Internet Logs\xDB13.tmp
2008-03-21 18:10 705,024 ----a-w C:\WINNT\Internet Logs\xDB11.tmp
2008-03-21 18:10 3,314,688 ----a-w C:\WINNT\Internet Logs\xDB12.tmp
2008-03-20 01:56 3,311,616 ----a-w C:\WINNT\Internet Logs\xDB10.tmp
2008-03-18 01:41 42,635 ----a-w C:\WINNT\Internet Logs\vsmon_2nd_2008_03_17_19_31_42_small.dmp.zip
2008-03-18 01:35 3,283,968 ----a-w C:\WINNT\Internet Logs\xDBD.tmp
2008-03-15 17:40 --------- d-----w C:\Documents and Settings\Damien\Application Data\gtk-2.0
2008-03-15 05:18 --------- d-----w C:\Program Files\GIMP-2.0
2008-03-15 02:41 --------- d-----w C:\Program Files\KeyScrambler
2008-03-14 05:11 75,248 ----a-w C:\WINNT\zllsputility.exe
2008-03-14 05:11 1,086,952 ----a-w C:\WINNT\system32\zpeng24.dll
2008-03-13 05:49 --------- d-----w C:\Program Files\Java
2008-03-04 16:49 3,036,672 ----a-w C:\WINNT\Internet Logs\xDBC.tmp
2008-03-04 16:49 1,305,600 ----a-w C:\WINNT\Internet Logs\xDBB.tmp
2008-03-01 03:01 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-02-28 20:18 --------- d-----w C:\Program Files\Firaxis Games
2008-01-29 01:00 2,960,384 ----a-w C:\WINNT\Internet Logs\xDBA.tmp
2008-01-28 23:39 118,784 ----a-w C:\WINNT\dsdxirmv.exe
2007-12-11 17:57 857,600 ----a-w C:\WINNT\Internet Logs\xDBE.tmp
2007-12-11 17:57 2,837,504 ----a-w C:\WINNT\Internet Logs\xDBF.tmp
2007-12-06 15:39 2,825,216 ----a-w C:\WINNT\Internet Logs\xDB9.tmp
2007-12-06 15:25 36,352 ----a-w C:\WINNT\Internet Logs\xDB7.tmp
2007-12-06 15:25 2,823,680 ----a-w C:\WINNT\Internet Logs\xDB8.tmp
2007-12-05 17:31 2,957,824 ----a-w C:\WINNT\Internet Logs\xDB5.tmp
2007-12-05 17:31 2,817,024 ----a-w C:\WINNT\Internet Logs\xDB6.tmp
2007-10-08 14:50 3,800,019 ----a-w C:\WINNT\Internet Logs\tvDebug.zip
2007-09-21 19:03 33,136 ----a-w C:\WINNT\Internet Logs\vsmon_2nd_2007_09_21_14_01_52_small.dmp.zip
2007-09-12 16:00 2,331,648 ----a-w C:\WINNT\Internet Logs\xDB4.tmp
2007-08-10 17:04 2,930,688 ----a-w C:\WINNT\Internet Logs\xDB2.tmp
2007-08-10 17:04 1,951,744 ----a-w C:\WINNT\Internet Logs\xDB3.tmp
2007-07-28 18:01 1,574,912 ----a-w C:\WINNT\Internet Logs\xDB1.tmp
2007-01-07 21:38 271 ---h--w C:\Program Files\desktop.ini
2007-01-07 21:38 21,952 ---h--w C:\Program Files\folder.htt
2003-06-18 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
2003-01-13 16:20 278,528 ------w C:\Program Files\internet explorer\plugins\PanoViewer.dll
1999-04-30 21:00 98,304 ------w C:\Program Files\internet explorer\plugins\UPjpeg.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-18 06:00 111376 C:\WINNT\system32\mobsync.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [08-02-22 04:25 144784]
"Promon.exe"="Promon.exe" [00-04-13 18:34 29184 C:\WINNT\system32\promon.exe]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [05-08-24 06:51 442455]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [08-03-13 23:11 919016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [08-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"kkmo"="C:\PROGRA~1\COMMON~1\kkmo\kkmom.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-18 06:00 186640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau]
nwprovau.dll 06-08-31 23:49 140048 C:\WINNT\system32\NWPROVAU.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"wave3"=
"wave4"=
"wave5"=
"wave6"=
"wave7"=
"wave8"=
"wave9"=
"midi2"=
"midi3"=
"midi4"=
"midi5"=
"midi6"=
"midi7"=
"midi8"=
"midi9"=
"aux1"=
"aux2"=
"aux3"=
"aux4"=
"aux5"=
"aux6"=
"aux7"=
"aux8"=
"aux9"=
"mixer2"=
"mixer3"=
"mixer4"=
"mixer5"=
"mixer6"=
"mixer7"=
"mixer8"=
"mixer9"=
"msacm.lhacm"= lhacm.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

R2 AppleTalk;AppleTalk Protocol;C:\WINNT\system32\DRIVERS\sfmatalk.sys [03-06-18 06:00 ]
R3 KeyScrambler;KeyScrambler;C:\WINNT\system32\drivers\keyscrambler.sys [07-12-29 08:35 ]
S2 lxcz_device;lxcz_device;C:\WINNT\system32\lxczcoms.exe []

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-05 20:46:53
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\SBHookSvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
.
**************************************************************************
.
Completion time: 2008-04-05 20:53:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-06 02:52:19
Pre-Run: 13,193,850,880 bytes free
Post-Run: 13,148,823,552 bytes free
.
2008-04-01 23:38:05 --- E O F ---

Thanks for your help, Sam! Just let me know what I need to do!



#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:16 AM

Posted 06 April 2008 - 06:14 PM

Thanks for the details, but nothing there out of the ordinary.


Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Also post a new hijackthis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 Dizzylizard


Posted 08 April 2008 - 02:41 AM

Hey Sam...Here are the logfiles you requested...quick sidebar question, if you don't mind: Do I need to uninstall all of these programs I've downloaded, or is it ok to leave them all resident? I know it's bad to have multiple virus programs running simultaneously, right? If I need to delete them all, can you recommend a reliable opensource/freeware anti-virus/spyware and firewall? Obviously, zonealarm isn't doing the job...once we get this cleaned up, I'd kinda like to keep it that way! Thanks again for all your help!
Damien

______________________Super AntiSpyware Log File_______________________________________
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/08/2008 at 02:55 AM

Application Version : 4.0.1154

Core Rules Database Version : 3433
Trace Rules Database Version: 1425

Scan type : Complete Scan
Total Scan Time : 00:56:35

Memory items scanned : 309
Memory threats detected : 0
Registry items scanned : 3561
Registry threats detected : 0
File items scanned : 54015
File threats detected : 55

Adware.Tracking Cookie

Adware.Unknown Origin
C:\PROGRAM FILES\COMMON FILES\KKMO\KKMOD\CLASS-BARREL
-------------------------------------------EOF----------------------------------------------------------

----------------------------------HijackThis Log File---------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:09:41 AM, on 4/8/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINNT\system32\mobsync.exe
C:\WINNT\system32\Promon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\SBHookSvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://onecare.live.com/site/en-us/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [kkmo] C:\PROGRA~1\COMMON~1\kkmo\kkmom.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1168207715421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1183838494875
O16 - DPF: {6F0C8A85-8B0D-11D2-801B-00105AA78F4A} (CobAgent4 Class) - http://ecare1a.netopia.com/uhaul/ecare4/co...t_4.2.1.316.cab
O16 - DPF: {7873B468-E762-4143-83E6-7258CB6B5D9D} (ECareAgent Class) - http://ecare1a.netopia.com/uhaul/ecare4/co.../ECareAgent.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...anner371420.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: lxcz_device - Unknown owner - C:\WINNT\system32\lxczcoms.exe (file missing)
O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\SBCSEL~1\SMARTB~1\SBHookSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 6687 bytes
----------------------------------EOF---------------------------------------




#6 Buckeye_Sam


Posted 08 April 2008 - 06:14 AM

You must disable Spybot's Teatimer function before proceeding with this fix. Otherwise it will interfere with hijackthis.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
=================


Run Hijackthis again, click scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O4 - HKUS\.DEFAULT\..\Run: [kkmo] C:\PROGRA~1\COMMON~1\kkmo\kkmom.exe (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present




Reboot your computer and post a new hijackthis log.
Let me know how your computer is running now.


=================


Right now it doesn't appear that you have any antivirus running on your computer, which is very dangerous. I like Zone Alarm as a firewall, but prefer AVG as my antivirus program. Here's a link to the free version.

http://free.grisoft.com/

Once you get past the antivirus and the firewall, you should layer in some other protection for antispyware. It's ok to run more than one antispyware program. For example you have Spybot on your computer. That's good. You should also run Adaware and at least one other antispyware program manually, and on a regular basis.

Once we're sure that you're clean I'll post some recommendations for you to prevent this from happening again.


========================================================
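Added example (not part of the original posts, and not code from HijackThis or its vendor): a Python sketch that compares a HijackThis log taken before a fix with one taken after it, to confirm the lines selected for "Fix Checked" are gone and to surface anything else that changed. The function names and the matching rule (section code plus CLSID, or Run key plus value name) are assumptions of this example; the sample lines are excerpted from the logs posted in this thread.

```python
import re

# "O4 - ..." style entries; header lines and the process list do not match.
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(.+?): \[(.+?)\]")


def identity(code, text):
    """Stable key for an entry (assumed rule for this example).

    The same item can be printed with a long path in one log and an 8.3
    short path in the next, so the full text is only a last resort.
    """
    guid = GUID_RE.search(text)
    if guid:  # BHO, toolbar button, ActiveX: kind + CLSID
        return (code, text.split(":", 1)[0].lower(), guid.group(0).upper())
    run = RUN_RE.match(text)
    if code == "O4" and run:  # autorun: registry key + value name
        return (code, run.group(1).lower(), run.group(2).lower())
    return (code, " ".join(text.lower().split()))


def parse(log_text):
    """Map identity key -> full line for every entry in a HijackThis log."""
    entries = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries[identity(m.group(1), m.group(2))] = raw.strip()
    return entries


def verify_fix(before_log, after_log, fix_list):
    """Compare two logs against the list of lines that were to be fixed."""
    before, after, targets = parse(before_log), parse(after_log), parse(fix_list)
    return {
        # fix-list lines that never appeared in the "before" log (copy error)
        "unknown_targets": sorted(targets[k] for k in targets if k not in before),
        # fix-list lines that survived the fix and the reboot
        "still_present": sorted(after[k] for k in targets if k in after),
        # entries that vanished although nobody asked for them to be fixed
        "removed_unrequested": sorted(
            before[k] for k in before if k not in after and k not in targets),
        # entries that first show up in the "after" log
        "new": sorted(after[k] for k in after if k not in before),
        # same item, different text (for example a path rewritten to 8.3 form)
        "rewritten": sorted(
            (before[k], after[k]) for k in before
            if k in after and before[k] != after[k]),
    }


# Lines excerpted from the 4/8/2008 log in this thread.
BEFORE = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKUS\.DEFAULT\..\Run: [kkmo] C:\PROGRA~1\COMMON~1\kkmo\kkmom.exe (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
"""

# Lines excerpted from the 4/10/2008 log in this thread.
AFTER = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [KeyScrambler] C:\Program Files\KeyScrambler\getting_started.html (User 'Default user')
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
"""

# The three lines the helper asked to have checked and fixed.
FIX = r"""
O4 - HKUS\.DEFAULT\..\Run: [kkmo] C:\PROGRA~1\COMMON~1\kkmo\kkmom.exe (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

if __name__ == "__main__":
    for bucket, items in verify_fix(BEFORE, AFTER, FIX).items():
        print(f"{bucket}: {len(items)}")
        for item in items:
            print("   ", item)
```

An empty `still_present` bucket is the confirmation that the fix held; `removed_unrequested` and `new` are the entries a reviewer should be able to account for before calling the machine clean.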

#7 Dizzylizard


Posted 10 April 2008 - 01:14 PM

Ok...followed your instructions...also deleted MotiveSB.exe and SBSvcHook, as my research indicated that they're nonessential spacehogs and a potential security risk. Puter seems to be running much more smoothly and a little quicker (memory shortage notwithstanding, of course...that's the next fix after it's all clean:) )
Will AVG interfere/conflict with ZoneAlarm's antivirus? It's included in the security suite, and I've got it set to autoscan every day. It also runs resident with the firewall and scans every package that comes through...it's kinda slow on the definitions updates, though. I also run Spybot S&D's resident program and SuperAntiSpyware's resident program. I'll start running an AdAware scan on a regular basis...weekly sound good? Any other recommendations would also be gratefully accepted!

----------------------------------------HiJackThis Log File Follows--------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:55:36 PM, on 4/10/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\mobsync.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://onecare.live.com/site/en-us/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [KeyScrambler] C:\Program Files\KeyScrambler\getting_started.html (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1168207715421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1183838494875
O16 - DPF: {6F0C8A85-8B0D-11D2-801B-00105AA78F4A} (CobAgent4 Class) - http://ecare1a.netopia.com/uhaul/ecare4/co...t_4.2.1.316.cab
O16 - DPF: {7873B468-E762-4143-83E6-7258CB6B5D9D} (ECareAgent Class) - http://ecare1a.netopia.com/uhaul/ecare4/co.../ECareAgent.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...anner371420.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: lxcz_device - Unknown owner - C:\WINNT\system32\lxczcoms.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 6388 bytes

Once again, Sam, thanks a million for all your help!
Damien


#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:16 AM

Posted 10 April 2008 - 05:34 PM

You shouldn't run AVG if you are going to run Zone Alarm's antivirus solution also. You should only ever run one antivirus at a time. That being said, I don't see signs of Zone Alarm running anything other than the firewall. Are you certain that you have the antivirus portion of the program enabled?

Aside from that, your log looks clean to me! :blink:

Just a few last things and you should be good to go! :wacko:


First, your log shows that you don't have the recovery console installed.
Check this link for more info on the recovery console and how to get it installed.
http://www.bleepingcomputer.com/tutorials/how-to-install-the-windows-xp-recovery-console/


===================



Next, let's remove Combofix now that we're done with it and clean up a few other things.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

  • When shown the disclaimer, Select "2"
The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.


==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Reenable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbsup: :)
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 Dizzylizard

Posted 10 April 2008 - 11:09 PM

You shouldn't run AVG if you are going to run Zone Alarm's antivirus solution also. You should only ever run one antivirus at a time. That being said, I don't see signs of Zone Alarm running anything other than the firewall. Are you certain that you have the antivirus portion of the program enabled?


Yep, on-access scanning is enabled, as is auto-management and scheduled scanning.

Aside from that, your log looks clean to me! :blink:

Just a few last things and you should be good to go! :wacko:


First, your log shows that you don't have the recovery console installed.
Check this link for more info on the recovery console and how to get it installed.
http://www.bleepingcomputer.com/tutorials/how-to-install-the-windows-xp-recovery-console/

===================

I checked out the tutorial, but it does me no good, since my computer didn't come with a CD. I bought it from a local computer store, and there are apparently a lot of things they decided weren't important to install (like regedit and msconfig, for starters), but I can't install without the CD. Any ideas?


Next, let's remove Combofix now that we're done with it and clean up a few other things.

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

Ok, all I got was a message "Cannot find combofix.exe (or one of its components). Check the path or filename and make sure it is correct." I did a search and combofix.exe isn't anywhere on my system.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Reenable system restore with instructions from tutorial above


On my system settings, I don't have a "system restore" tab...is this part of what I need the CD for?

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.

Ok, I did this, but I don't use explorer much...are there any settings I need to change in firefox?

  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Like I said, I have ZoneAlarm's anti-virus and anti-spyware scans set to update and scan daily. I also hit the windows onecare site and have it scan once a week or so.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

Is ZoneAlarm enough, or should I uninstall it and try another firewall?

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


I can't get Microsoft update to do anything. It tells me I need software that's only available on the CD, and, as I explained before, I don't have a CD. I have had the little icon in my system tray for a month saying that updates were available, but when I click on it, it just disappears and nothing happens.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbsup: :)

I've got all of those now, and will run them regularly...any other suggestions?
Thanks again!

#10 Buckeye_Sam

Posted 11 April 2008 - 01:17 AM

I checked out the tutorial, but it does me no good, since my computer didn't come with a CD. I bought it from a local computer store, and there are apparently a lot of things they decided weren't important to install (like regedit and msconfig, for starters), but I can't install without the CD. Any ideas?

You will need the disc to install the recovery console. You paid for the computer and all the programs on it, including Windows. I'd go back to the store and ask for a disc.


Ok, all I got was a message "Cannot find combofix.exe (or one of its components). Check the path or filename and make sure it is correct." I did a search and combofix.exe isn't anywhere on my system.

That's fine if you've deleted it already. When you ran it before the log showed it as being on your desktop.


On my system settings, I don't have a "system restore" tab...is this part of what I need the CD for?

You are running Windows 2000, which doesn't include the system restore feature.


Ok, I did this, but I don't use explorer much...are there any settings I need to change in firefox?

Firefox by default is much safer than IE. Just make sure that you are always using the most current version.


Is ZoneAlarm enough, or should I uninstall it and try another firewall?

I find Zone Alarm to be an excellent firewall, so I recommend keeping it.


I can't get Microsoft update to do anything. It tells me I need software that's only available on the CD, and, as I explained before, I don't have a CD. I have had the little icon in my system tray for a month saying that updates were available, but when I click on it, it just disappears and nothing happens.

You can always try visiting the site directly for updates.
http://windowsupdate.microsoft.com/

#11 Dizzylizard

Posted 17 April 2008 - 04:51 PM

Well, I can't get the CD from the store, as they've gone out of business since then (a victim of Wal-Mart, sadly), but I've got the product ID code (serial number, whatever) on a sticker on the box...can you recommend a site to download the ISO image for Win2KPro? I can't be the first person who's ever lost their CD, right?

Again, Sam, thank you so much for all your help...If you have time (and if I'm next in line, of course) I have another logfile posted in this same forum for my laptop. I'm not trying to get bumped up ahead of someone else, though, so whoever gets to it gets to it!

Much love!
Damien

#12 Buckeye_Sam

Posted 17 April 2008 - 07:36 PM

No, I'm certain that you're not the only one to misplace their Windows cd. :thumbsup:
Unfortunately I'm not sure where to direct you to get a new one now that your store is no longer there. I'd say try Microsoft, but I have a feeling that would just be an exercise in futility.

I'll take a look at your other log if it's still open.

#13 Buckeye_Sam

Posted 13 May 2008 - 09:22 AM

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.