Unknown Infection(s) - Please Help


10 replies to this topic

#1 NoTread


Posted 08 April 2008 - 03:47 PM

Hi guys, I was hoping you could help me with a stubborn infection. I am not an expert, but I know a little bit and have always been able to hold my own; this time I can't seem to win. Some history on this issue... It started with a PDF file my wife downloaded which was supposed to be a cellphone manual. At least that is what I was told. I do not know what the current infection is. I can't find it. AVG blocked a lot of things and put them in the vault. Here is what AVG has found:

Can't cut and paste, so typos are mine.

Trojan horse Generic10.IWM C:\windows\system32\atgban.dll
Trojan horse Generic10.HID C:\windows\system3iifedaAq.dll
Trojan horse Dowloader.Agent.15.A C:\doc. & set.\micron\local settings\temp. inet...\wavvsnet[1].exe
Trojan horse Dowloader.Purityscan.Y C:\DOCUME~1\Micron\LOCALS~1\Temp\yazzsnet.exe
Trojan horse Downloader.Generic7.EXX C:\WINDOWS\system32\bharebio01\bharebio011065.exe
Virus Win32/PolyCrypt C:\WINDOWS\system32\kdkwt.exe
Trojan horse Downloader.Generic3.SZP C:\WINDOWS\system32\ExTmp\bmv35gui.exe
Trojan horse Downloader.Agent.15.A C:\WINDOWS\system32\ax\/\weag2NT.exe
Trojan horse Lop.4.A C:\WINDOWS\system32\pinz1\cegmgr76.exe
Virus Vundo C:\DOCUME~1\Micron\LOCALS~1\Temp\rasesnet.ext
Virus Vundo C:\...\temp. inet\...\rasesnet[1].exe
Trojan horse Downloader.Generic7.ECP C:\KoD.exe
Trojan horse BHO.DJQ C:\WINDOWS\TinyBHO.dll

I think that is all of them.

Almost right away, it became apparent that something got past AVG because an "AntiSpywareMaster" showed up in the bottom right and pop-ups kept coming up. In addition, if you attempt to go to a known antivirus or antispyware web page, it is immediately forwarded off to other fake pages.

I responded by pulling my network card, turning off System Restore, emptying my temporary internet cache and doing a full scan with AVG. Everything seemed clean, and of course that isn't the case. Ran Spybot S&D. It only found some cookies and 1 registry entry. (Sorry, I forget what now.)

Rebooted to safe mode and ran AVG. Came up clean. Ran Spybot S&D. Came up clean aside from some cookies it must have missed.

Rebooted to Windows. Infection was still there. Downloaded Avast because I have prior experience with it. Installed it and disabled AVG. Avast's boot-up scan was clean, but when XP loaded, Avast warned of a rootkit. It asked if I wanted to delete it (it did not name it). I said yes. Rebooted again. System still infected. Rebooted to safe mode: still comes up clean.

Downloaded Ad-Aware. Ran it both in regular and safe mode. It came up clean (aside from more cookies) both times.

Looked up the Vundo virus. Downloaded VundoFix. Came up clean.

Downloaded BlackLight rootkit revealer... Came up clean. Rebooted to safe mode. Wouldn't run from safe mode. Rebooted to normal and it came up with one file (kdkwt.exe).

Re-attempted virus scan with Avast... Still clean. Back to safe mode, comes up clean. Rebooted to normal and infection persists. Uninstalled Avast, re-enabled AVG. Repeated scans both in normal and safe mode... all come up clean. Infection still persists.

Went to .\program files\antispywaremaster\ and deleted asm.exe.
Removed the registry entry pointing to it with Spybot S&D.
Rebooted... infection persists with the pop-ups and the forwarding of antivirus websites; however, AntiSpywareMaster is no longer in the bar or annoying me with its pop-up alerts and fake scans.

Downloaded XoftSpySE... Ran it... Found nothing significant. Uninstalled it.

And now, here I am. Short of a recovery disk (which I do not have made), I do not know what to do.

Am I rooted? Please help! Sorry for the long explanation, but I thought it may be of use to anyone who can help me.

As a side note, WinPcap, Wireshark, and NetStumbler are all supposed to be on the system and are occasionally used for work purposes. And Protector Suite is the set of tools that makes the biometric thumbprint security on this laptop work.


Logs follow:

Deckard's System Scanner v20071014.68
Run by Micron on 2008-04-08 15:56:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-04-08 19:56:16 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Micron.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:57:47 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Protector Suite\PwdProt.exe
C:\Program Files\Protector Suite\FDBkgr.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\Program Files\Belkin\F5D7010v7032\Belkinwcui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Micron\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Micron.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: targettedbanner.biz browser enhancer - {16B435F6-B6CE-4F24-A568-944B27ED919C} - C:\WINDOWS\system32\atgban.dll (file missing)
O2 - BHO: (no name) - {24E9519B-3F70-429B-99BC-4B2B49B96F66} - C:\WINDOWS\system32\ddcCTliH.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\Protector Suite\ctlcntr.exe" /startup
O4 - HKLM\..\Run: [Password Protector] "C:\Program Files\Protector Suite\PwdProt.exe" /startup
O4 - HKLM\..\Run: [FileDisk Protector] "C:\Program Files\Protector Suite\FDBkgr.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PostSetupCheck] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\atgban.dll" DllStart
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Belkin Wireless G Notebook Card Client Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0CA19B0A-EB58-48B1-BBE6-CF245B081786}: NameServer = 85.255.116.58,85.255.112.181
O17 - HKLM\System\CCS\Services\Tcpip\..\{134DF798-8FFD-431C-9274-D2C0955542F9}: NameServer = 85.255.116.58,85.255.112.181
O17 - HKLM\System\CCS\Services\Tcpip\..\{396E2D0F-DDA7-43E9-9AB9-2EAAE9E1546A}: NameServer = 85.255.116.58,85.255.112.181
O17 - HKLM\System\CCS\Services\Tcpip\..\{5DCFE7A6-C0CE-47E6-9472-27FC10A90C22}: NameServer = 85.255.116.58,85.255.112.181
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5EEEC76-C925-4C29-897A-18FC5BC3831F}: NameServer = 85.255.116.58,85.255.112.181
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA60509B-8642-4A91-9EEF-347200649ABE}: NameServer = 85.255.116.58,85.255.112.181
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.58 85.255.112.181
O17 - HKLM\System\CS1\Services\Tcpip\..\{0CA19B0A-EB58-48B1-BBE6-CF245B081786}: NameServer = 85.255.116.58,85.255.112.181
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.58 85.255.112.181
O20 - Winlogon Notify: ddcCTliH - C:\WINDOWS\SYSTEM32\ddcCTliH.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Digital Home 8\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: vtserver - STMicroelectronics - C:\Program Files\Common Files\Virtual Token\vtserver.exe

--
End of file - 8156 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 httpp - c:\windows\system32\drivers\httpp.sys
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.5.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.5.0>
R2 FileDisk2 (FileDisk Protector Kernel Driver) - c:\windows\system32\drivers\filedisk.sys <Not Verified; STMicroelectronics; TouchChip Protector Suite>
R3 tapvpn (TAP VPN Adapter) - c:\windows\system32\drivers\tapvpn.sys <Not Verified; The OpenVPN Project; TAP-Win32 Virtual Network Driver>

S3 NSNDIS5 (NSNDIS5 NDIS Protocol Driver) - c:\windows\system32\nsndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); NetStumbler>
S3 SjyPkt - c:\windows\system32\drivers\sjypkt.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 vtserver - "c:\program files\common files\virtual token\vtserver.exe" <Not Verified; STMicroelectronics; TouchChip Protector Suite>

S3 stllssvr - "c:\program files\common files\surething shared\stllssvr.exe" <Not Verified; MicroVision Development, Inc.; SureThing CD Labeler>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-03-08 and 2008-04-08 -----------------------------

2008-04-08 15:50:55 51232 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-08 15:43:14 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-08 15:42:58 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-04-08 15:42:44 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2008-04-08 15:38:48 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-04-08 15:31:43 0 d-------- C:\WINDOWS\Internet Logs
2008-04-08 15:28:53 268224 --a------ C:\WINDOWS\system32\iifedaAq.dll
2008-04-08 15:26:21 36864 --a------ C:\WINDOWS\system32\awtrQGax.dll
2008-04-08 15:23:48 36864 --a------ C:\WINDOWS\system32\ddcCTliH.dll
2008-04-08 11:16:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-08 11:16:50 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-08 10:31:49 0 d-------- C:\Program Files\Trend Micro
2008-04-08 09:13:54 22016 --a------ C:\WINDOWS\system32\drivers\svchost.exe
2008-04-08 03:10:43 3072 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-08 02:47:28 0 d-------- C:\Program Files\XoftSpySE
2008-04-08 02:12:04 0 d-------- C:\Program Files\Lavasoft
2008-04-08 02:12:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-08 01:56:12 0 d-------- C:\VundoFix Backups
2008-04-08 00:19:50 0 d-------- C:\Program Files\Alwil Software
2008-04-07 19:05:06 0 d-------- C:\Program Files\AntiSpywareMaster
2008-04-07 19:01:24 39883 --a------ C:\WINDOWS\system32\targetedbanner-uninst.exe
2008-04-07 19:01:20 86144 --a------ C:\WINDOWS\system32\drivers\httpp.sys
2008-04-07 19:01:18 0 d-------- C:\WINDOWS\system32\wii
2008-04-07 19:01:18 0 d-------- C:\WINDOWS\system32\pinz1
2008-04-07 19:01:18 0 d-------- C:\WINDOWS\system32\IDE2
2008-04-07 19:01:18 0 d-------- C:\WINDOWS\system32\ExTmp
2008-04-07 19:01:18 0 d-------- C:\WINDOWS\system32\axV
2008-04-07 19:01:14 0 d-------- C:\WINDOWS\system32\bharebio01
2008-04-07 19:01:14 0 d-------- C:\Temp
2008-04-07 11:06:48 0 d-------- C:\Documents and Settings\Micron\Application Data\Apple Computer
2008-04-07 11:02:07 0 d-------- C:\Program Files\QuickTime
2008-04-07 11:02:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-07 11:01:27 0 d-------- C:\Program Files\Apple Software Update
2008-04-07 11:01:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-03 21:43:25 0 d-------- C:\WINDOWS\Sun
2008-04-03 21:43:25 0 d-------- C:\Documents and Settings\Micron\Application Data\Sun
2008-04-02 00:07:10 0 d-------- C:\Incomplete
2008-04-02 00:06:18 0 d-------- C:\Documents and Settings\Micron\Application Data\LimeWire
2008-04-01 19:29:34 0 d-------- C:\Documents and Settings\Micron\Application Data\JLC's Software
2008-04-01 19:22:35 0 d-------- C:\Program Files\Java
2008-04-01 19:20:46 0 d-------- C:\Program Files\Common Files\Java
2008-04-01 19:20:19 0 d-------- C:\Program Files\LimeWire
2008-04-01 19:19:58 0 d-------- C:\Program Files\JLC's Software
2008-04-01 19:19:07 0 d-------- C:\Program Files\Hotspot Shield
2008-04-01 19:17:11 0 d-------- C:\Program Files\HCC Lite
2008-03-31 11:55:29 0 d-------- C:\Program Files\IrfanView
2008-03-23 18:39:35 0 d-------- C:\Documents and Settings\Micron\Application Data\BitTorrent
2008-03-23 18:39:20 0 d-------- C:\Program Files\DNA
2008-03-23 18:39:20 0 d-------- C:\Program Files\BitTorrent
2008-03-23 18:39:20 0 d-------- C:\Documents and Settings\Micron\Application Data\DNA
2008-03-23 18:35:47 0 d-------- C:\Program Files\BitTyrant
2008-03-17 13:44:03 0 d--h----- C:\WINDOWS\PIF
2008-03-17 13:32:31 0 d-------- C:\word
2008-03-13 04:27:44 0 d-------- C:\Program Files\Google
2008-03-13 04:27:44 0 d-------- C:\Documents and Settings\Micron\Application Data\Google
2008-03-12 22:38:28 27136 --a------ C:\WINDOWS\system32\drivers\tapvpn.sys <Not Verified; The OpenVPN Project; TAP-Win32 Virtual Network Driver>
2008-03-10 19:42:01 0 d-------- C:\Documents and Settings\Micron\Application Data\U3


-- Find3M Report ---------------------------------------------------------------

2008-04-08 11:03:07 0 d-------- C:\Documents and Settings\Micron\Application Data\AVG7
2008-04-08 02:10:05 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-01 19:20:46 0 d-------- C:\Program Files\Common Files
2008-03-04 15:11:40 0 d-------- C:\Documents and Settings\Micron\Application Data\Roxio
2008-02-29 17:26:32 0 d-------- C:\Program Files\Eraser
2008-02-29 13:33:45 0 d-------- C:\Program Files\WinPcap
2008-02-29 13:26:33 0 d-------- C:\Documents and Settings\Micron\Application Data\Adobe
2008-02-29 02:51:21 0 d-------- C:\Program Files\RarZilla Free Unrar
2008-02-29 02:51:02 0 d-------- C:\Program Files\Network Stumbler
2008-02-29 02:31:28 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-29 02:11:07 0 d-------- C:\Documents and Settings\Micron\Application Data\Macromedia
2008-02-28 17:32:18 0 d-------- C:\Documents and Settings\Micron\Application Data\Wireshark
2008-02-28 17:31:39 0 d-------- C:\Program Files\Wireshark
2008-02-28 00:17:01 0 d-------- C:\Documents and Settings\Micron\Application Data\MySpace
2008-02-28 00:16:56 0 d-------- C:\Program Files\MySpace
2008-02-27 19:52:09 0 d-------- C:\Program Files\Protector Suite
2008-02-27 19:43:13 0 d-------- C:\Program Files\Belkin
2008-02-27 19:43:10 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-27 19:43:03 0 d-------- C:\Documents and Settings\Micron\Application Data\InstallShield
2008-02-19 13:12:29 0 d-------- C:\Program Files\CyberLink
2008-02-19 13:11:13 502272 --a------ C:\WINDOWS\system32\winlogon.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-02-19 13:00:27 0 d-------- C:\Program Files\Common Files\SureThing Shared
2008-02-19 13:00:22 0 d-------- C:\Program Files\Roxio
2008-02-19 13:00:14 0 d-------- C:\Program Files\Common Files\Sonic Shared
2008-02-19 12:59:27 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-02-19 12:57:58 0 d-------- C:\Program Files\Common Files\InstallShield
2008-02-19 12:52:16 0 d-------- C:\Program Files\DivX
2008-02-19 12:38:08 0 d-------- C:\Program Files\Common Files\Virtual Token
2008-02-19 11:55:30 0 d-------- C:\Documents and Settings\Micron\Application Data\Help
2008-02-19 10:47:36 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-02-19 10:45:47 0 d-------- C:\Program Files\Common Files\L&H
2008-02-18 23:27:21 0 d-------- C:\Documents and Settings\Micron\Application Data\Identities
2008-02-18 23:03:08 0 d-------- C:\Program Files\microsoft frontpage
2008-02-18 23:02:22 0 -rahs---- C:\MSDOS.SYS
2008-02-18 23:02:22 0 -rahs---- C:\IO.SYS
2008-02-18 23:02:22 0 --a------ C:\CONFIG.SYS
2008-02-18 23:02:22 0 --a------ C:\AUTOEXEC.BAT
2008-02-18 23:00:09 0 d--h----- C:\Program Files\WindowsUpdate
2008-02-18 23:00:02 0 d-------- C:\Program Files\Online Services
2008-02-18 22:59:04 0 d-------- C:\Program Files\Common Files\MSSoap
2008-02-18 22:58:54 0 d-------- C:\Program Files\Movie Maker
2008-02-18 22:57:47 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-02-18 22:57:05 0 d-------- C:\Program Files\Messenger
2008-02-18 22:56:59 0 d-------- C:\Program Files\MSN Gaming Zone
2008-02-18 22:56:48 0 d-------- C:\Program Files\Windows NT
2008-02-18 17:07:17 0 d-------- C:\Program Files\Common Files\ODBC
2008-02-18 17:07:13 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-02-18 17:06:42 62 --ahs---- C:\Documents and Settings\Micron\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16B435F6-B6CE-4F24-A568-944B27ED919C}]
C:\WINDOWS\system32\atgban.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24E9519B-3F70-429B-99BC-4B2B49B96F66}]
04/08/2008 03:23 PM 36864 --a------ C:\WINDOWS\system32\ddcCTliH.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [09/04/2001 04:24 PM C:\WINDOWS\system32\Ati2mdxx.exe]
"AtiPTA"="atiptaxx.exe" [02/07/2002 11:10 PM C:\WINDOWS\system32\atiptaxx.exe]
"LTSMMSG"="LTSMMSG.exe" [06/19/2001 01:26 PM C:\WINDOWS\LTSMMSG.exe]
"ControlCenter"="C:\Program Files\Protector Suite\ctlcntr.exe" [06/28/2002 01:33 PM]
"Password Protector"="C:\Program Files\Protector Suite\PwdProt.exe" [06/28/2002 01:41 PM]
"FileDisk Protector"="C:\Program Files\Protector Suite\FDBkgr.exe" [06/28/2002 01:41 PM]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [08/18/2006 05:42 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [02/29/2008 01:55 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 05:25 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"PostSetupCheck"="C:\WINDOWS\system32\atgban.dll" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/13/2008 11:11 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 08:00 AM]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [02/01/2008 04:32 PM]
"SVCHOST.EXE"="C:\WINDOWS\system32\drivers\svchost.exe" [04/08/2008 09:13 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless G Notebook Card Client Utility.lnk - C:\Program Files\Belkin\F5D7010v7032\Belkinwcui.exe [2/27/2008 7:43:16 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{24E9519B-3F70-429B-99BC-4B2B49B96F66}"= C:\WINDOWS\system32\ddcCTliH.dll [04/08/2008 03:23 PM 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdkwt.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcCTliH]
ddcCTliH.dll 04/08/2008 03:23 PM 36864 C:\WINDOWS\system32\ddcCTliH.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
C:\Program Files\Protector Suite\psfus.dll 06/28/2002 01:40 PM 83026 C:\Program Files\Protector Suite\psfus.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=
"IM Sniffer"=
"AntiSpywareMaster"=C:\Program Files\AntiSpywareMaster\asm.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9968baf4-ea79-11dc-b670-00173fd6a8c4}]
AutoRun\command- wscript go.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cba9ad70-e709-11dc-b667-0000f070758d}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL \WIP\CMD\go.exe

*Newly Created Service* - KLIF
*Newly Created Service* - SRESCAN
*Newly Created Service* - VSMON



-- End of Deckard's System Scanner: finished at 2008-04-08 15:59:56 ------------






Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Mobile Intel® Pentium® 4 - M CPU 1.80GHz
Percentage of Memory in Use: 54%
Physical Memory (total/avail): 510.98 MiB / 233.41 MiB
Pagefile Memory (total/avail): 1249.63 MiB / 939.97 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1937.98 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 44.71 GiB total, 31.04 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - IC25T048ATDA05-0 - 44.71 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 44.71 GiB - C:



-- Security Center -------------------------------------------------------------

Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: ZoneAlarm Firewall v7.0.470.000 (Check Point, LTD.)
AV: AVG 7.5.519 v7.5.519 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Cain\\Cain.exe"="C:\\Program Files\\Cain\\Cain.exe:*:Enabled:Cain - Password Recovery Utility"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Cain2\\Cain.exe"="C:\\Program Files\\Cain2\\Cain.exe:*:Enabled:Cain - Password Recovery Utility"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\WINDOWS\\system32\\drivers\\svchost.exe"="C:\\WINDOWS\\system32\\drivers\\svchost.exe:*:Disabled:svchost"
"C:\\Program Files\\Roxio\\Digital Home 8\\RoxUpnpServer.exe"="C:\\Program Files\\Roxio\\Digital Home 8\\RoxUpnpServer.exe:*:Enabled:Roxio Upnp Service"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpace Instant Messenger"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Micron\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOWORD
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Micron
LOGONSERVER=\\YOWORD
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
RoxioCentral=C:\Program Files\Common Files\Roxio Shared\Roxio Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Micron\LOCALS~1\Temp
TMP=C:\DOCUME~1\Micron\LOCALS~1\Temp
tvdumpflags=8
USERNAME=Micron
USERPROFILE=C:\Documents and Settings\Micron
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Micron (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec.exe /I{26792CA7-D87A-4DBE-896B-C2F66B344511}
--> MsiExec.exe /I{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}
--> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
--> MsiExec.exe /I{6D4F02C4-F6AF-4659-A933-7FC06235A8D5}
--> MsiExec.exe /I{7FD9FD10-9F7F-4DDF-B9F0-911209FF0CEA}
--> MsiExec.exe /I{8C60949A-46F9-4DD7-BA9F-78C00D9D4C8D}
--> MsiExec.exe /I{E409A5D4-27E1-4479-ACA7-4DAF259612C4}
--> MsiExec.exe /I{EB748B9B-F872-4E95-98E8-5CA7E5425DAF}
--> MsiExec.exe /I{F0EACC27-A729-406C-9BF6-C8F10CEC36F8}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
AVG Anti-Rootkit Free --> C:\Program Files\GRISOFT\AVG Anti-Rootkit Free\Uninstall.exe
Belkin Wireless G Notebook Card Software --> C:\Program Files\InstallShield Installation Information\{4E64920B-C80B-4B1C-9DF1-FBCB68029629}\SETUP.EXE -v"ISSCRIPTCMDLINE=\"-d -zREMOVE\"" -l0x0009 -removeonly
BitTorrent --> C:\Program Files\BitTorrent\uninst.exe
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DNA --> "C:\Program Files\DNA\btdna.exe" /UNINSTALL
Enhancement Browser Tools Targetedbanner --> C:\WINDOWS\system32\targetedbanner-uninst.exe
Eraser --> "C:\Documents and Settings\All Users\Application Data\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}\EraserSetup32.exe" REMOVE=TRUE MODIFY=FALSE
Eraser --> C:\Documents and Settings\All Users\Application Data\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}\EraserSetup32.exe
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
HCC Lite --> C:\PROGRA~1\HCCLIT~1\UNWISE.EXE C:\PROGRA~1\HCCLIT~1\INSTALL.LOG
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotspot Shield 1.03a --> C:\Program Files\Hotspot Shield\Uninstall.exe
IM Sniffer 0.9 Optimized --> "C:\Program Files\IM Sniffer\uninstall.exe"
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
Java™ 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
JLC's Internet TV --> "C:\Program Files\JLC's Software\Internet TV\Uninstall.exe"
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LimeWire PRO 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MySpaceIM --> C:\Program Files\MySpace\IM\Uninstall.exe
Network Stumbler 0.4.0 (remove only) --> "C:\Program Files\Network Stumbler\uninst.exe"
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
RarZilla Free Unrar 2.52 --> C:\Program Files\RarZilla Free Unrar\uninstall.exe
Roxio Creator 8.2 XE --> MsiExec.exe /I{00F0E3D5-D6C8-4997-BB42-7F5784C8586B}
SENS LT56ADW Modem --> agrsmdel
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
WinPcap 3.0 --> "C:\Program Files\WinPcap\Uninstall.exe" "C:\Program Files\WinPcap\install.log"
Wireshark 0.99.8 --> "C:\Program Files\Wireshark\uninstall.exe"
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type862 / Error
Event Submitted/Written: 04/08/2008 03:26:17 PM
Event ID/Source: 100 / AVG7
Event Description:
2008-04-08 19:26:17,137 YOWORD [002028:000232] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(592) call failed with WIN32 error 87, returning session id is 0

Event Record #/Type861 / Error
Event Submitted/Written: 04/08/2008 03:23:48 PM
Event ID/Source: 100 / AVG7
Event Description:
2008-04-08 19:23:48,994 YOWORD [002028:000232] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(2708) call failed with WIN32 error 87, returning session id is 0

Event Record #/Type860 / Error
Event Submitted/Written: 04/08/2008 03:23:48 PM
Event ID/Source: 100 / AVG7
Event Description:
2008-04-08 19:23:48,403 YOWORD [002028:000232] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(2716) call failed with WIN32 error 87, returning session id is 0

Event Record #/Type835 / Error
Event Submitted/Written: 04/08/2008 09:33:27 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type813 / Error
Event Submitted/Written: 04/08/2008 01:12:08 AM
Event ID/Source: 100 / AVG7
Event Description:
2008-04-08 05:12:08,289 YOWORD [000604:000696] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(3524) call failed with WIN32 error 87, returning session id is 0



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2908 / Error
Event Submitted/Written: 04/08/2008 03:53:12 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The SjyPkt service failed to start due to the following error:
%%2

Event Record #/Type2906 / Error
Event Submitted/Written: 04/08/2008 03:53:12 PM
Event ID/Source: 7006 / Service Control Manager
Event Description:
The ScRegSetValueExW call failed for DeleteFlag with the following error:
%%5

Event Record #/Type2905 / Error
Event Submitted/Written: 04/08/2008 03:53:12 PM
Event ID/Source: 7006 / Service Control Manager
Event Description:
The ScRegSetValueExW call failed for DeleteFlag with the following error:
%%5

Event Record #/Type2859 / Error
Event Submitted/Written: 04/08/2008 03:17:00 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The SjyPkt service failed to start due to the following error:
%%2

Event Record #/Type2842 / Error
Event Submitted/Written: 04/08/2008 03:13:59 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}



-- End of Deckard's System Scanner: finished at 2008-04-08 15:59:56 ------------



Thank you in advance for your help!

#2 -David-

Posted 08 April 2008 - 05:44 PM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.
Let's not give up hope with this system yet, I believe we can save it! :thumbsup:

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: targettedbanner.biz browser enhancer - {16B435F6-B6CE-4F24-A568-944B27ED919C} - C:\WINDOWS\system32\atgban.dll
O2 - BHO: (no name) - {24E9519B-3F70-429B-99BC-4B2B49B96F66} - C:\WINDOWS\system32\ddcCTliH.dll
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O20 - Winlogon Notify: ddcCTliH - C:\WINDOWS\SYSTEM32\ddcCTliH.dll

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Please open Notepad and copy and paste the next bold text into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"=""

Save this as "fix.reg". Choose to save as *all files* and place it on your desktop.
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Using Windows Explorer, please locate the following files/folders, and delete them if still present:

C:\WINDOWS\system32\drivers\httpp.sys
C:\WINDOWS\system32\iifedaAq.dll
C:\WINDOWS\system32\awtrQGax.dll
C:\WINDOWS\system32\drivers\svchost.exe <---do not delete 'svchost.exe' in any other location!
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\targetedbanner-uninst.exe
C:\WINDOWS\system32\wii <--folder
C:\WINDOWS\system32\pinz1 <--folder
C:\WINDOWS\system32\IDE2 <--folder
C:\WINDOWS\system32\ExTmp <--folder
C:\WINDOWS\system32\axV <--folder
C:\WINDOWS\system32\bharebio01 <--folder
C:\WINDOWS\system32\kdkwt.exe

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

° Close all instances of Internet Explorer .
° Go to your control panel and open "Internet Options".
° Click on the "General" tab.
° Click the "Delete Cookies" button, then the "Delete Files" button.
° If prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other temporary files and empty the Recycle Bin.

° Go to start and click on the "run" button.
° Type the following in the box --> cleanmgr and click ok.
° Let it scan your system for files to remove.
° Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
° Press OK to remove them.

Reboot back into normal mode.

Please download FixWareout from here:
http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt).

Please download Combofix to your desktop.
Doubleclick combofix.exe to launch the application.

Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

Edited by D-Trojanator, 08 April 2008 - 05:45 PM.
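A reader working through a HijackThis log by hand is applying a handful of checks that can be written down. As an added example that is not part of this thread and not code from HijackThis or its author, the following Python script parses a constructed set of O2/O4/O20 lines modelled on the entries quoted in the post above and reports why each one deserves review: a CLSID on the fix list given in this post, an entry whose file is already gone but whose registration remains (the "(file missing)" case, which still needs fixing), a Vundo-style eight-letter mixed-case DLL name under system32 (a heuristic, not a rule), and a core Windows binary such as svchost.exe loaded from outside system32. The watch list, the name heuristic and the list of system32-only binaries are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample modelled on the HijackThis entries quoted in this thread;
# it is not a log copied from the page.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: targettedbanner.biz browser enhancer - {16B435F6-B6CE-4F24-A568-944B27ED919C} - C:\WINDOWS\system32\atgban.dll (file missing)
O2 - BHO: (no name) - {24E9519B-3F70-429B-99BC-4B2B49B96F66} - C:\WINDOWS\system32\ddcCTliH.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O20 - Winlogon Notify: ddcCTliH - C:\WINDOWS\SYSTEM32\ddcCTliH.dll
"""

# CLSIDs the helper asked to remove in the post above (values taken from the page).
KNOWN_BAD_CLSIDS = {"{16B435F6-B6CE-4F24-A568-944B27ED919C}",
                    "{24E9519B-3F70-429B-99BC-4B2B49B96F66}"}
# Assumed list of core Windows binaries that belong directly under system32; a
# same-named file anywhere else (drivers\svchost.exe in this thread) deserves a look.
SYSTEM32_ONLY = {"svchost.exe", "winlogon.exe", "lsass.exe", "csrss.exe", "services.exe"}
MISSING = "(file missing)"

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# Heuristic only: eight letters in mixed case, the naming style of the DLLs
# quoted in this thread (ddcCTliH, iifedaAq, awtrQGax). Expect false positives.
RANDOM_DLL_RE = re.compile(r"^(?=[A-Z]*[a-z])(?=[a-z]*[A-Z])[A-Za-z]{8}\.dll$")

@dataclass
class Entry:
    kind: str                  # "O2", "O4" or "O20"
    name: str
    path: str                  # target with any "(file missing)" marker removed
    missing: bool
    clsid: Optional[str] = None

def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis O2/O4/O20 line; return None for anything else."""
    line = line.strip()
    for kind, rx in (("O2", O2_RE), ("O4", O4_RE), ("O20", O20_RE)):
        m = rx.match(line)
        if m:
            raw = m.group("path").strip()
            missing = raw.endswith(MISSING)
            path = raw[: -len(MISSING)].strip() if missing else raw
            return Entry(kind, m.group("name"), path, missing, m.groupdict().get("clsid"))
    return None

def _target(cmd: str) -> str:
    """Executable portion of a Run-key command line (quoted path or first token)."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]

def assess(e: Entry) -> List[str]:
    """Reasons an entry deserves review; an empty list means nothing was noted."""
    exe = _target(e.path) if e.kind == "O4" else e.path
    parent, _, base = exe.replace("/", "\\").rpartition("\\")
    parent = parent.lower()
    reasons: List[str] = []
    if e.clsid and e.clsid.upper() in KNOWN_BAD_CLSIDS:
        reasons.append("CLSID is on the fix list quoted in this thread")
    if e.missing:
        reasons.append("orphaned entry: registration remains but the file is gone")
    if e.kind == "O2" and e.name == "(no name)":
        reasons.append("BHO registered without a name")
    if parent.endswith("\\system32") and RANDOM_DLL_RE.match(base):
        reasons.append("eight-letter mixed-case DLL name under system32 (heuristic)")
    if base.lower() in SYSTEM32_ONLY and not parent.endswith("\\system32"):
        reasons.append(f"{base.lower()} loaded from outside system32")
    return reasons

def triage(log_text: str) -> List[Tuple[Entry, List[str]]]:
    """Run every parsable line through assess() and keep only the flagged ones."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            reasons = assess(entry)
            if reasons:
                flagged.append((entry, reasons))
    return flagged

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(f"{entry.kind} [{entry.name}] {entry.path}")
        for reason in reasons:
            print("   -", reason)
```

Run as is, it prints the four flagged lines from the sample; for a real log, pass the file contents to triage(). The script only reports. Deciding whether an entry is fixed remains the job of whoever reads the log, as it does in this thread, and the "(file missing)" check is the one most often overlooked: deleting the DLL in Safe Mode leaves the registration behind until it is fixed in HijackThis as well.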


#3 NoTread

Posted 08 April 2008 - 10:13 PM

First off, thank you so much for your help so far! In the first step with HijackThis, only one of those entries was still present. In the step with eliminating the physical files, one file was missing. Otherwise everything is going well so far. Here is the report from FixWareout. ComboFix log and HijackThis log will follow. Thanks again for your rapid response!





Username "Micron" - 04/08/2008 23:00:51 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.116.58 85.255.112.181" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{0CA19B0A-EB58-48B1-BBE6-CF245B081786}
"nameserver"="85.255.116.58,85.255.112.181" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{134DF798-8FFD-431C-9274-D2C0955542F9}
"nameserver"="85.255.116.58,85.255.112.181" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{396E2D0F-DDA7-43E9-9AB9-2EAAE9E1546A}
"nameserver"="85.255.116.58,85.255.112.181" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{5DCFE7A6-C0CE-47E6-9472-27FC10A90C22}
"nameserver"="85.255.116.58,85.255.112.181" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{C5EEEC76-C925-4C29-897A-18FC5BC3831F}
"nameserver"="85.255.116.58,85.255.112.181" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{FA60509B-8642-4A91-9EEF-347200649ABE}
"nameserver"="85.255.116.58,85.255.112.181" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{0CA19B0A-EB58-48B1-BBE6-CF245B081786}
"DhcpNameServer"="85.255.116.58,85.255.112.181" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{396E2D0F-DDA7-43E9-9AB9-2EAAE9E1546A}
"DhcpNameServer"="85.255.116.58,85.255.112.181" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{5DCFE7A6-C0CE-47E6-9472-27FC10A90C22}
"DhcpNameServer"="85.255.116.58,85.255.112.181" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{9BE516FE-2EAC-4835-8DBF-B4B6785189DF}
"DhcpNameServer"="85.255.116.58,85.255.112.181" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{C5EEEC76-C925-4C29-897A-18FC5BC3831F}
"DhcpNameServer"="85.255.116.58,85.255.112.181" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{FA60509B-8642-4A91-9EEF-347200649ABE}
"DhcpNameServer"="85.255.116.58,85.255.112.181" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe"
"AtiPTA"="atiptaxx.exe"
"LTSMMSG"="LTSMMSG.exe"
"ControlCenter"="\"C:\\Program Files\\Protector Suite\\ctlcntr.exe\" /startup"
"Password Protector"="\"C:\\Program Files\\Protector Suite\\PwdProt.exe\" /startup"
"FileDisk Protector"="\"C:\\Program Files\\Protector Suite\\FDBkgr.exe\""
"RoxWatchTray"="\"C:\\Program Files\\Common Files\\Roxio Shared\\SharedCOM8\\RoxWatchTray.exe\""
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"PostSetupCheck"="C:\\WINDOWS\\System32\\Rundll32.exe \"C:\\WINDOWS\\system32\\atgban.dll\" DllStart"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

#4 NoTread

Posted 08 April 2008 - 10:44 PM

ComboFix log and new HijackThis log:

ComboFix 08-04-08.7 - Micron 2008-04-08 23:18:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.200 [GMT -4:00]
Running from: C:\Documents and Settings\Micron\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\system32\ddcCTliH.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\Uxabayxx.ini
C:\WINDOWS\system32\Uxabayxx.ini2
C:\WINDOWS\system32\xxyabaxU.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-08 23:00 . 2008-04-08 23:06 <DIR> d-------- C:\fixwareout
2008-04-08 18:39 . 2008-04-08 19:54 <DIR> d-------- C:\Program Files\Panda Security
2008-04-08 15:55 . 2008-04-08 15:55 <DIR> d-------- C:\Deckard
2008-04-08 15:50 . 2008-04-08 19:41 241,696 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-08 15:50 . 2008-04-08 19:41 3,908 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-08 15:43 . 2008-04-08 15:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-08 15:42 . 2008-03-13 23:11 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-04-08 15:42 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-04-08 15:42 . 2008-04-08 15:49 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-04-08 15:38 . 2008-04-08 15:42 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-04-08 15:38 . 2008-04-08 15:38 <DIR> d-------- C:\Program Files\Zone Labs
2008-04-08 15:38 . 2008-03-13 23:11 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-04-08 15:38 . 2008-04-08 23:27 352,918 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-04-08 15:31 . 2008-04-08 23:13 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-04-08 11:16 . 2008-04-08 11:16 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-08 11:16 . 2008-04-08 11:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-08 10:31 . 2008-04-08 10:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-08 10:04 . 2007-01-18 08:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-04-08 02:47 . 2008-04-08 02:59 <DIR> d-------- C:\Program Files\XoftSpySE
2008-04-08 02:12 . 2008-04-08 02:12 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-08 02:12 . 2008-04-08 02:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-08 01:56 . 2008-04-08 01:56 <DIR> d-------- C:\VundoFix Backups
2008-04-08 00:19 . 2008-04-08 00:19 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-07 19:05 . 2008-04-08 09:05 <DIR> d-------- C:\Program Files\AntiSpywareMaster
2008-04-07 19:01 . 2008-04-07 19:01 <DIR> d-------- C:\Temp\wdlw14
2008-04-07 19:01 . 2008-04-08 23:18 <DIR> d-------- C:\Temp
2008-04-07 11:06 . 2008-04-07 11:06 <DIR> d-------- C:\Documents and Settings\Micron\Application Data\Apple Computer
2008-04-07 11:03 . 2008-04-08 20:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-07 11:03 . 2008-04-07 11:03 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-07 11:02 . 2008-04-07 11:02 <DIR> d-------- C:\Program Files\QuickTime
2008-04-07 11:02 . 2008-04-07 11:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-07 11:01 . 2008-04-07 11:01 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-07 11:01 . 2008-04-07 11:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-03 21:43 . 2008-04-03 21:43 <DIR> d-------- C:\WINDOWS\Sun
2008-04-02 00:07 . 2008-04-07 17:35 <DIR> d-------- C:\Incomplete
2008-04-02 00:06 . 2008-04-07 13:03 <DIR> d-------- C:\Documents and Settings\Micron\Application Data\LimeWire
2008-04-01 19:29 . 2008-04-01 19:29 <DIR> d-------- C:\Documents and Settings\Micron\Application Data\JLC's Software
2008-04-01 19:25 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-01 19:22 . 2008-04-02 17:44 <DIR> d-------- C:\Program Files\Java
2008-04-01 19:20 . 2008-04-01 19:26 <DIR> d-------- C:\Program Files\LimeWire
2008-04-01 19:20 . 2008-04-01 19:20 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-01 19:19 . 2008-04-01 19:19 <DIR> d-------- C:\Program Files\JLC's Software
2008-04-01 19:19 . 2008-04-01 19:19 <DIR> d-------- C:\Program Files\Hotspot Shield
2008-04-01 19:17 . 2008-04-01 19:17 <DIR> d-------- C:\Program Files\HCC Lite
2008-03-31 11:55 . 2008-03-31 11:55 <DIR> d-------- C:\Program Files\IrfanView
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-28 00:06 . 2008-03-28 00:06 557 --a------ C:\crackwep.htm
2008-03-25 13:45 . 2008-03-25 13:45 718,517 --------- C:\193.pdf
2008-03-23 18:39 . 2008-03-23 18:39 <DIR> d-------- C:\Program Files\DNA
2008-03-23 18:39 . 2008-03-23 18:39 <DIR> d-------- C:\Program Files\BitTorrent
2008-03-23 18:39 . 2008-03-24 01:33 <DIR> d-------- C:\Documents and Settings\Micron\Application Data\DNA
2008-03-23 18:39 . 2008-03-23 19:39 <DIR> d-------- C:\Documents and Settings\Micron\Application Data\BitTorrent
2008-03-23 18:35 . 2008-03-24 00:38 <DIR> d-------- C:\Program Files\BitTyrant
2008-03-17 13:56 . 2008-03-17 14:12 <DIR> d-------- C:\Program Files\IM Sniffer
2008-03-17 13:44 . 2008-03-17 13:44 <DIR> d--h----- C:\WINDOWS\PIF
2008-03-17 13:32 . 2008-03-17 14:00 <DIR> d-------- C:\word
2008-03-13 04:27 . 2008-03-13 04:27 <DIR> d-------- C:\Program Files\Google
2008-03-12 22:38 . 2008-03-12 22:38 27,136 --a------ C:\WINDOWS\system32\drivers\tapvpn.sys
2008-03-10 19:42 . 2008-03-28 13:19 <DIR> d-------- C:\Documents and Settings\Micron\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 15:03 --------- d-----w C:\Documents and Settings\Micron\Application Data\AVG7
2008-04-08 06:10 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-04 19:11 --------- d-----w C:\Documents and Settings\Micron\Application Data\Roxio
2008-02-29 21:26 --------- d-----w C:\Program Files\Eraser
2008-02-29 18:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-02-29 17:54 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-29 17:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-29 17:33 --------- d-----w C:\Program Files\WinPcap
2008-02-29 06:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-29 06:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-29 06:51 --------- d-----w C:\Program Files\RarZilla Free Unrar
2008-02-29 06:51 --------- d-----w C:\Program Files\Network Stumbler
2008-02-29 06:46 --------- d--h--w C:\Documents and Settings\All Users\Application Data\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}
2008-02-29 06:31 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-28 21:32 --------- d-----w C:\Documents and Settings\Micron\Application Data\Wireshark
2008-02-28 21:31 --------- d-----w C:\Program Files\Wireshark
2008-02-28 04:17 --------- d-----w C:\Documents and Settings\Micron\Application Data\MySpace
2008-02-28 04:16 --------- d-----w C:\Program Files\MySpace
2008-02-28 02:39 90,112 ----a-w C:\WINDOWS\DUMP6ba7.tmp
2008-02-28 00:14 90,112 ----a-w C:\WINDOWS\DUMP6bc5.tmp
2008-02-28 00:04 90,112 ----a-w C:\WINDOWS\DUMP6c15.tmp
2008-02-27 23:52 --------- d-----w C:\Program Files\Protector Suite
2008-02-27 23:43 21,035 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-02-27 23:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-27 23:43 --------- d-----w C:\Program Files\Belkin
2008-02-27 23:43 --------- d-----w C:\Documents and Settings\Micron\Application Data\InstallShield
2008-02-19 17:12 --------- d-----w C:\Program Files\CyberLink
2008-02-19 17:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-02-19 17:11 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
2008-02-19 17:10 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Roxio
2008-02-19 17:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Roxio
2008-02-19 17:00 --------- d-----w C:\Program Files\Roxio
2008-02-19 17:00 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-02-19 17:00 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-02-19 17:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2008-02-19 16:59 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-02-19 16:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sonic
2008-02-19 16:57 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-19 16:52 --------- d-----w C:\Program Files\DivX
2008-02-19 16:38 --------- d-----w C:\Program Files\Common Files\Virtual Token
2008-02-19 14:47 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-19 14:45 --------- d-----w C:\Program Files\Common Files\L&H
2008-02-19 03:03 --------- d-----w C:\Program Files\microsoft frontpage
.

------- Sigcheck -------

2008-02-19 13:10 502272 6225f14b8ce08ccba8b25ad27843c674 C:\WINDOWS\LastGood\system32\winlogon.exe
2008-02-19 13:11 502272 6225f14b8ce08ccba8b25ad27843c674 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16B435F6-B6CE-4F24-A568-944B27ED919C}]
C:\WINDOWS\system32\atgban.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00 15360]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 16:32 8699904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 16:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"AtiPTA"="atiptaxx.exe" [2002-02-07 23:10 315392 C:\WINDOWS\system32\atiptaxx.exe]
"LTSMMSG"="LTSMMSG.exe" [2001-06-19 13:26 45056 C:\WINDOWS\LTSMMSG.exe]
"ControlCenter"="C:\Program Files\Protector Suite\ctlcntr.exe" [2002-06-28 13:33 105556]
"Password Protector"="C:\Program Files\Protector Suite\PwdProt.exe" [2002-06-28 13:41 148571]
"FileDisk Protector"="C:\Program Files\Protector Suite\FDBkgr.exe" [2002-06-28 13:41 32343]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2006-08-18 17:42 167936]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-29 13:55 579072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 16:32 8699904]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-29 13:53 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless G Notebook Card Client Utility.lnk - C:\Program Files\Belkin\F5D7010v7032\Belkinwcui.exe [2008-02-27 19:43:16 1560576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcCTliH]
ddcCTliH.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
C:\Program Files\Protector Suite\psfus.dll 2002-06-28 13:40 83026 C:\Program Files\Protector Suite\psfus.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=
"IM Sniffer"=
"AntiSpywareMaster"=C:\Program Files\AntiSpywareMaster\asm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Cain\\Cain.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Cain2\\Cain.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Program Files\\Roxio\\Digital Home 8\\RoxUpnpServer.exe"=

R2 FileDisk2;FileDisk Protector Kernel Driver;C:\WINDOWS\system32\Drivers\FileDisk.sys [2002-06-28 13:41]
R3 Belkin701F;Belkin Wireless G Notebook Card Service v7;C:\WINDOWS\system32\DRIVERS\BLKWGNv7.sys [2006-10-19 05:42]
R3 LucentSoftModem;SENS LT56ADW Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys [2001-06-19 13:26]
R3 maestro;ESS Maestro 3 Audio Driver (WDM);C:\WINDOWS\system32\drivers\es198x.sys [2001-08-17 08:19]
R3 tapvpn;TAP VPN Adapter;C:\WINDOWS\system32\DRIVERS\tapvpn.sys [2008-03-12 22:38]
S1 httpp;httpp;C:\WINDOWS\system32\drivers\httpp.sys []
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS [2004-03-23 22:12]
S3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9968baf4-ea79-11dc-b670-00173fd6a8c4}]
\Shell\AutoRun\command - wscript go.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cba9ad70-e709-11dc-b667-0000f070758d}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL \WIP\CMD\go.exe

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-08 23:27:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
.
**************************************************************************
.
Completion time: 2008-04-08 23:29:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-09 03:29:08
Pre-Run: 33,152,413,696 bytes free
Post-Run: 33,076,756,480 bytes free






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:11 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Protector Suite\PwdProt.exe
C:\Program Files\Protector Suite\FDBkgr.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Belkin\F5D7010v7032\Belkinwcui.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: targettedbanner.biz browser enhancer - {16B435F6-B6CE-4F24-A568-944B27ED919C} - C:\WINDOWS\system32\atgban.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\Protector Suite\ctlcntr.exe" /startup
O4 - HKLM\..\Run: [Password Protector] "C:\Program Files\Protector Suite\PwdProt.exe" /startup
O4 - HKLM\..\Run: [FileDisk Protector] "C:\Program Files\Protector Suite\FDBkgr.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Belkin Wireless G Notebook Card Client Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O20 - Winlogon Notify: ddcCTliH - ddcCTliH.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Digital Home 8\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: vtserver - STMicroelectronics - C:\Program Files\Common Files\Virtual Token\vtserver.exe

--
End of file - 7041 bytes


How's it look? Thanks again! :thumbsup:

#5 -David-

Posted 09 April 2008 - 04:46 AM

Good work! Things are looking a lot better, but there is still quite a bit to be done..

First things first, we need to install the recovery console onto your system; it's an important security and safety feature which you really do need to have installed. You can install the recovery console regardless of whether or not you have the XP cd that came with the operating system - I recommend you download the recovery console installation file from the internet, it's only about 4mb in size, so it shouldn't take too long to download.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
At that page, scroll down and click on the appropriate download for your version of Windows XP (Home or Professional) and the service pack level that you have installed. When you click on the link to download the file, make sure you save it directly to your desktop.

If you are unsure what version of Windows you have and what Service Pack is installed, you can follow these instructions to gain that information:

1) Click on the Start button.
2) Click on the Run menu option.
3) In the Open: field type the following: sysdm.cpl and then click on the OK button.
4) A screen will appear showing information about your installation.
Under the System: category you should see your Windows version and the installed Service Pack.

Once the Microsoft file has finished downloading, close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it.
Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

#6 NoTread (Topic Starter)

Posted 09 April 2008 - 09:55 AM

Ok, Here we go:

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

#7 -David-

Posted 09 April 2008 - 12:30 PM

Hey there, looking a lot better, but still some things to do.. :thumbsup:

Find and delete the following folders if they are present:
C:\Program Files\AntiSpywareMaster
C:\Temp

Please open Notepad and copy and paste the following bold text into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=-
"AntiSpywareMaster"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcCTliH]

Save this as "fix.reg". Choose to save as *all files, and place it on your desktop.
Double-click on it and when it asks you if you want to merge the contents into the registry, click Yes/OK.

Open notepad and copy and paste the following text in the quote box into the window:

@echo off
sc stop SjyPkt
sc stop httpp
sc delete SjyPkt
sc delete httpp

Save this as fix.bat
Choose to save as all files.
Doubleclick fix.bat and let the program run.
A small black dos window will flash, this is normal.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: targettedbanner.biz browser enhancer - {16B435F6-B6CE-4F24-A568-944B27ED919C} - C:\WINDOWS\system32\atgban.dll (file missing)
O20 - Winlogon Notify: ddcCTliH - ddcCTliH.dll (file missing)

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Please perform this online scan: Kaspersky Webscan
Note that this scanner will only work on Internet Explorer, so please use this browser for the scan.
Read the Requirements and Privacy statement, then select "Accept"
A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
Select "Install" to download the ActiveX controls that allow ActiveScan to run.

When the download is complete it will say ready, click "Next"
Select a target to scan: Click on "My Computer"
When the scan is complete choose to save the results as "Save as Text"
Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.

#8 NoTread (Topic Starter)

Posted 09 April 2008 - 03:56 PM

Cool! :thumbsup:
Reports:

Kaspersky

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\Micron\LOCALS~1\Temp\snapsnet.exe/data0006 Infected: Trojan-Downloader.Win32.VB.dsf skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Micron\LOCALS~1\Temp\snapsnet.exe NSIS: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Micron\Application Data\MySpace\IM\Logs\MySpaceIM-20080409-101554.log Object is locked skipped
C:\Documents and Settings\Micron\Application Data\MySpace\IM\SkypeCache\myspace#3aforiant\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\Micron\Application Data\MySpace\IM\SkypeCache\myspace#3aforiant\index2.dat Object is locked skipped
C:\Documents and Settings\Micron\Application Data\MySpace\IM\SkypeCache\myspace#3aforiant\profile256.dbb Object is locked skipped
C:\Documents and Settings\Micron\Application Data\MySpace\IM\SkypeCache\myspace#3aforiant\user1024.dbb Object is locked skipped
C:\Documents and Settings\Micron\Application Data\MySpace\IM\SkypeCache\myspace#3aforiant\user256.dbb Object is locked skipped
C:\Documents and Settings\Micron\Application Data\Roxio\MediaManager8\Album.ldb Object is locked skipped
C:\Documents and Settings\Micron\Application Data\Roxio\MediaManager8\Album.psod Object is locked skipped
C:\Documents and Settings\Micron\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Micron\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Micron\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Micron\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Micron\Local Settings\History\History.IE5\MSHist012008040920080410\index.dat Object is locked skipped
C:\Documents and Settings\Micron\Local Settings\Temp\~DFD448.tmp Object is locked skipped
C:\Documents and Settings\Micron\Local Settings\Temp\~DFD619.tmp Object is locked skipped
C:\Documents and Settings\Micron\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Micron\Local Settings\Temporary Internet Files\Content.IE5\QHO3ADA5\UserStatusChange[3].html Object is locked skipped
C:\Documents and Settings\Micron\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Micron\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Downloads\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Downloads\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Downloads\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Downloads\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Program Files\Hotspot Shield\log\oas.log Object is locked skipped
C:\Program Files\Net Tools\QuickSniffer.exe Infected: not-a-virus:NetTool.MSIL.Sniffer.a skipped
C:\QooBox\Quarantine\catchme2008-04-08_232619.17.zip/Documents and Settings/Micron/Desktop/catchme.zip/ddcCTliH.dll Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\catchme2008-04-08_232619.17.zip/Documents and Settings/Micron/Desktop/catchme.zip/xxyabaxU.dll Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\catchme2008-04-08_232619.17.zip/Documents and Settings/Micron/Desktop/catchme.zip Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\catchme2008-04-08_232619.17.zip ZIP: infected - 3 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{8B75F19C-1F96-4208-AEBB-CB467D0832C5}\RP1\A0000005.dll Object is locked skipped
C:\System Volume Information\_restore{8B75F19C-1F96-4208-AEBB-CB467D0832C5}\RP4\A0000201.exe Infected: Trojan.Win32.Agent.jpx skipped
C:\System Volume Information\_restore{8B75F19C-1F96-4208-AEBB-CB467D0832C5}\RP4\A0000202.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{8B75F19C-1F96-4208-AEBB-CB467D0832C5}\RP6\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\YOWORD.ldb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\JETFB68.tmp Object is locked skipped
C:\WINDOWS\Temp\ZLT03bea.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT03bee.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.



and a new hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:52:10 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Protector Suite\PwdProt.exe
C:\Program Files\Protector Suite\FDBkgr.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Belkin\F5D7010v7032\Belkinwcui.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\Protector Suite\ctlcntr.exe" /startup
O4 - HKLM\..\Run: [Password Protector] "C:\Program Files\Protector Suite\PwdProt.exe" /startup
O4 - HKLM\..\Run: [FileDisk Protector] "C:\Program Files\Protector Suite\FDBkgr.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Belkin Wireless G Notebook Card Client Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Digital Home 8\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: vtserver - STMicroelectronics - C:\Program Files\Common Files\Virtual Token\vtserver.exe

--
End of file - 7071 bytes
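The helper's workflow above is essentially a diff of two HijackThis logs: the O2 BHO pointing at the missing atgban.dll and the O20 Winlogon Notify entry for ddcCTliH.dll disappear between post #4 and post #8, and a new O16 entry for Panda's ActiveScan control appears. The script below, an added example that is not part of the thread and not a BleepingComputer or HijackThis tool, automates that comparison and flags the entry types a helper reads first. The two log texts are abridged excerpts of the logs posted in this thread; the flagging rules ("file missing" references, O20 Winlogon Notify DLLs, Run entries under the SYSTEM profile) are the author's own heuristics, not HijackThis output.

```python
import re

# Abridged excerpts of the two HijackThis logs posted in this thread
# (before and after the fix.reg / fix.bat / "Fix checked" steps).
LOG_BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:11 PM, on 4/8/2008
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: targettedbanner.biz browser enhancer - {16B435F6-B6CE-4F24-A568-944B27ED919C} - C:\WINDOWS\system32\atgban.dll (file missing)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O20 - Winlogon Notify: ddcCTliH - ddcCTliH.dll (file missing)
"""

LOG_AFTER = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:52:10 PM, on 4/9/2008
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
"""

# Every HijackThis finding is "<section> - <body>", e.g. "O20 - Winlogon Notify: ...".
HJT_ENTRY = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")


def parse_hjt(log_text):
    """Return the set of (section, body) entries in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if m:
            entries.add((m["section"], m["body"]))
    return entries


def diff_hjt(before_text, after_text):
    """Entries removed and entries added between two logs, as sorted lists."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    return sorted(before - after), sorted(after - before)


def flag_suspicious(entries):
    """Map entry text -> list of reasons, for entries a helper would look at first.

    These are the author's heuristics (an assumption of this example), chosen to
    match the two entries the helper in this thread had the user fix.
    """
    flagged = {}
    for section, body in sorted(entries):
        reasons = []
        if "(file missing)" in body:
            reasons.append("dangling reference: the file is gone but the registry entry remains")
        if section == "O20":
            reasons.append("Winlogon Notify DLL: loaded into winlogon.exe (SYSTEM) at logon")
        if section == "O4" and "S-1-5-18" in body:
            reasons.append("Run entry under the SYSTEM account's profile")
        if reasons:
            flagged[f"{section} - {body}"] = reasons
    return flagged


if __name__ == "__main__":
    removed, added = diff_hjt(LOG_BEFORE, LOG_AFTER)
    print("Removed since previous log:")
    for section, body in removed:
        print(f"  - {section} - {body}")
    print("Added since previous log:")
    for section, body in added:
        print(f"  + {section} - {body}")
    print("Still worth a look in the new log:")
    for entry, reasons in flag_suspicious(parse_hjt(LOG_AFTER)).items():
        print(f"  ? {entry}")
        for r in reasons:
            print(f"      {r}")
```

On the excerpts above the diff shows exactly the two entries David had fixed as removed and the Panda ActiveScan control as added; the one entry still flagged afterwards is the MySpaceIM Run value under the SYSTEM profile, which is odd for a user-mode messenger but is not something the thread treats as malicious.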

#9 -David-

Posted 09 April 2008 - 04:41 PM

Great! :thumbsup:

We need to purge your infected system restore points.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Check Turn off System Restore, click Apply, and then click OK.
More information on how to disable your system restore can be found here.

We want to create a new, clean restore point. Please first reboot your computer.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Uncheck "Turn off System Restore", click Apply, and then click OK.

Click Start > All Programs > Accessories > System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point - Something like "After trojan/spyware cleanup".
Click Create, and after it has created the restore point, click "Close".
Further instructions on creating a restore point can be found here

How is the computer running, I see a clean HJT log!
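The Kaspersky report in post #8 is mostly noise: dozens of "Object is locked" lines for registry hives, logs and index.dat files that every online scanner skips. The real detections fall into groups that call for different actions, which is why David's reply concentrates on System Restore: the hits under C:\QooBox\Quarantine and C:\Deckard\System Scanner\backup are copies already pulled out by the cleanup tools, the "not-a-virus" hits are legitimate tools (SmitfraudFix's Reboot.exe, a packet sniffer), and the two files under System Volume Information are infected restore points that only purging System Restore will remove. The script below, an added example that is not part of the thread and not a Kaspersky tool, sorts a report into those buckets. The sample report is an abridged excerpt of the one posted in this thread plus one constructed line (sample_live.dll, not from the page) so that the "live" branch has something to catch; the path prefixes and the bucket-to-action mapping are assumptions of this example.

```python
import re
from collections import defaultdict

# Abridged excerpt of the Kaspersky Webscan report posted in this thread.
# The last detection line is constructed for this example and is not from the page.
REPORT = r"""
C:\Deckard\System Scanner\backup\DOCUME~1\Micron\LOCALS~1\Temp\snapsnet.exe/data0006 Infected: Trojan-Downloader.Win32.VB.dsf skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Micron\LOCALS~1\Temp\snapsnet.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Micron\NTUSER.DAT Object is locked skipped
C:\Downloads\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Program Files\Net Tools\QuickSniffer.exe Infected: not-a-virus:NetTool.MSIL.Sniffer.a skipped
C:\QooBox\Quarantine\catchme2008-04-08_232619.17.zip/Documents and Settings/Micron/Desktop/catchme.zip/ddcCTliH.dll Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\catchme2008-04-08_232619.17.zip ZIP: infected - 3 skipped
C:\System Volume Information\_restore{8B75F19C-1F96-4208-AEBB-CB467D0832C5}\RP4\A0000201.exe Infected: Trojan.Win32.Agent.jpx skipped
C:\System Volume Information\_restore{8B75F19C-1F96-4208-AEBB-CB467D0832C5}\RP4\A0000202.dll Infected: Packed.Win32.Monder.gen skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\sample_live.dll Infected: Packed.Win32.Monder.gen skipped
"""

# The three line shapes that appear in the report.
LOCKED = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
INFECTED = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
ARCHIVE = re.compile(r"^(?P<path>.+?) (?P<kind>\w+): infected - (?P<count>\d+) skipped$")

# Locations that are already neutralised (assumed prefixes for the tools used in this thread).
QUARANTINE_PREFIXES = (r"c:\qoobox\quarantine", r"c:\deckard\system scanner\backup")
RESTORE_PREFIX = r"c:\system volume information\_restore"

# What each bucket means for the person cleaning the machine.
ACTIONS = {
    "restore_point": "infected restore point: turn System Restore off, reboot, turn it on, create a clean point",
    "quarantine": "already quarantined by a cleanup tool: removed when the tool's folders are deleted",
    "riskware": "legitimate tool flagged as not-a-virus: keep or uninstall deliberately, not malware",
    "live": "active file on disk: needs removal and a follow-up scan",
    "archive_summary": "archive container summary: the members are listed separately",
}


def classify(path, name):
    """Bucket one detection by where it lives and what it was called."""
    p = path.lower()
    if p.startswith(RESTORE_PREFIX):
        return "restore_point"
    if p.startswith(QUARANTINE_PREFIXES):
        return "quarantine"
    if name.lower().startswith("not-a-virus:"):
        return "riskware"
    return "live"


def triage(report_text):
    """Return ({bucket: [(path, detection), ...]}, locked_count) for a report."""
    buckets = defaultdict(list)
    locked = 0
    for line in report_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if LOCKED.match(line):
            locked += 1          # locked hives/logs are scanner noise, count but drop
            continue
        m = INFECTED.match(line)
        if m:
            buckets[classify(m["path"], m["name"])].append((m["path"], m["name"]))
            continue
        m = ARCHIVE.match(line)
        if m:
            buckets["archive_summary"].append((m["path"], f'{m["kind"]} x{m["count"]}'))
            continue
        buckets["unparsed"].append((line, ""))
    return dict(buckets), locked


if __name__ == "__main__":
    buckets, locked = triage(REPORT)
    print(f"{locked} locked objects skipped (noise)")
    for bucket in ("live", "restore_point", "quarantine", "riskware", "archive_summary", "unparsed"):
        if bucket in buckets:
            print(f"\n[{bucket}] {ACTIONS.get(bucket, 'unrecognised line, read it by hand')}")
            for path, name in buckets[bucket]:
                print(f"  {path}  ->  {name}")
```

Run against the full report from post #8 (without the constructed line) the "live" bucket is empty, which is the same conclusion David reached from the HijackThis log; the only buckets with entries are the ones handled by deleting the tool folders and purging System Restore.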

#10 NoTread (Topic Starter)

Posted 10 April 2008 - 08:46 AM

Awesome! Thank you so much! Everything seems fine except zonealarm keeps blocking communication to my router for some reason and it ends up killing my internet connection. Not quite sure what is up with that but I don't think it is from malicious code.

Thank you again for all your help!! I just couldn't beat this one and you made it seem so simple. :thumbsup:

#11 -David-

Posted 10 April 2008 - 11:29 AM

Glad I could help! The latest log is looking clean! :thumbsup:

Your firewall might be a bit over-zealous with how it protects your PC at the moment; it's common knowledge that Zone Alarm will do everything it possibly can to protect your PC when you have it set on the highest security setting. It could be that a simple tweak of the protection settings will sort out the problem, but I'm afraid I'm not entirely sure how you would do that in the program's settings. It differs from version to version, but you might want to check the help files.. there's a way to do it!

Follow this list and your potential for being infected again will be reduced dramatically.

Use an Anti Virus Software -
* It is very important that your computer has an anti-virus software running on your machine.
* This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:
* Click here for more information on -> Computer Safety On line - Anti-Virus
* I would recommend Grisoft's AVG or AVAST.
* These are the more secure and better ones.

Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall -
* I can not stress how important it is that you use a Firewall on your computer.
* Without a firewall your computer is susceptible to being hacked and taken over.
* Simply using a Firewall in its default configuration can lower your risk greatly.
* For an article on Firewalls and a listing of some available ones see the link below:
* Click here for more information on -> Computer Safety On line - Software Firewalls
* I would recommend ZoneAlarm as a firewall as it's easy to use.

Visit Microsoft's Windows Update Site Frequently -
* It is important that you visit http://www.windowsupdate.com regularly.
* This will ensure your computer has always the latest security updates available installed on your computer.
* If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly

Install Spybot© - Search and Destroy- Install and download Spybot - Search and Destroy with its TeaTimer option.
* This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
* You should also scan your computer with the program on a regular basis just as you would an anti virus software.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Lavasofts© Ad-Aware - Install and download Ad-Aware.
* You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Javacools© SpywareBlaster -
* SpywareBlaster will add a large list of programs and sites to your Internet Explorer and Firefox settings, which will protect you from running and downloading known malicious programs.
* An article on anti-malware products with links for this program and others can be found here:
* Click here for more info -->Computer Safety on line - Anti-Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

If you have any additional questions just ask...
David



