
Help With IE Search Hijacking / Unwanted Popups


9 replies to this topic

#1 mythdragon

mythdragon

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:18 PM

Posted 12 April 2008 - 12:16 AM

McAfee doesn't find anything, and Spybot keeps removing the same things.

When I first turn on my computer, and open IE, I get an extra popup window.
When I try to search in Yahoo or Google, most of my searches are hijacked and redirected.
Here are some of the sites:
search9.info.com
mamma.com
bizrate.com
bididdle.com
216.133.243.28
64.5.219.20
68.142.200.12
findstuff.com
adwareaway.com
ebay.com
and several others

I so want this to stop, and I've been having a hell of a time trying to clean it. I pretty much stay away from 'bad' sites, so I don't even know where I picked it up.
Thanks for helping me.
Fix this problem, and I'll send you your choice of drink.

Here are my dss logs:
Deckard's System Scanner v20071014.68
Run by Ryan on 2008-04-12 01:05:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
81: 2008-04-12 05:05:37 UTC - RP81 - Deckard's System Scanner Restore Point
80: 2008-04-11 04:52:48 UTC - RP80 - ComboFix created restore point
79: 2008-04-11 04:03:09 UTC - RP79 - Installed McAfee VirusScan
78: 2008-04-10 00:05:45 UTC - RP78 - Installed Java™ 6 Update 5
77: 2008-04-09 02:32:11 UTC - RP77 - System Checkpoint


-- First Restore Point --
1: 2008-02-18 07:47:44 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Ryan.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:06:13 AM, on 4/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Ryan\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ryan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {93FF9045-A439-4D52-A414-56B4CE5B3A2F} - C:\WINDOWS\system32\card.dll
O2 - BHO: (no name) - {AD50CDEC-1E12-479A-B36D-FFCCE6E01006} - C:\WINDOWS\system32\card.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1203569095453
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5160 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 NaiFsRec - c:\windows\system32\drivers\naifsrec.sys
R2 atksgt - c:\windows\system32\drivers\atksgt.sys
R2 lirsgt - c:\windows\system32\drivers\lirsgt.sys
R3 NaiFiltr - c:\program files\common files\network associates\mcshield\naifiltr.sys

S3 catchme - c:\docume~1\ryan\locals~1\temp\catchme.sys (file missing)
S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AvSynMgr (AVSync Manager) - "c:\program files\network associates\virusscan\avsynmgr.exe"


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-03-12 and 2008-04-12 -----------------------------

2008-04-12 01:06:07 0 d-------- C:\Program Files\Trend Micro
2008-04-11 22:49:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-11 22:49:30 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-11 22:49:29 0 d-------- C:\WINDOWS\LastGood
2008-04-11 00:52:05 68096 --a------ C:\WINDOWS\zip.exe
2008-04-11 00:52:05 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-11 00:52:05 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-11 00:52:05 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-11 00:52:05 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-11 00:52:05 98816 --a------ C:\WINDOWS\sed.exe
2008-04-11 00:52:05 80412 --a------ C:\WINDOWS\grep.exe
2008-04-11 00:52:05 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-11 00:15:54 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-04-11 00:03:30 0 d-------- C:\WINDOWS\system32\Res09
2008-04-11 00:03:28 0 d-------- C:\Program Files\Common Files\Network Associates
2008-04-09 20:12:35 0 d-------- C:\Program Files\EsetOnlineScanner
2008-04-09 20:05:48 0 d-------- C:\Program Files\Java
2008-04-09 20:05:47 0 d-------- C:\Program Files\Common Files\Java
2008-04-09 20:05:34 0 d-------- C:\Documents and Settings\Ryan\Application Data\Sun
2008-04-07 21:26:35 0 d-------- C:\WINDOWS\pss
2008-04-06 23:25:56 0 d-------- C:\Documents and Settings\Ryan\Application Data\Command & Conquer 3 Tiberium Wars
2008-04-06 23:24:25 0 dr-h----- C:\Documents and Settings\Ryan\Application Data\SecuROM
2008-04-06 23:18:05 0 d-------- C:\Documents and Settings\Ryan\Application Data\Command & Conquer 3 Kane's Wrath
2008-04-06 22:04:24 0 d-------- C:\Program Files\Network Associates
2008-04-04 21:29:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-04-04 20:09:10 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-04-04 20:09:00 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-04-04 20:08:30 0 d-------- C:\WINDOWS\Internet Logs
2008-04-04 01:26:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-02 21:15:12 88064 --a------ C:\WINDOWS\system32\card.dll


-- Find3M Report ---------------------------------------------------------------

2008-04-11 01:02:57 384 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-00000006-00001102-00000004-20021102}.dat
2008-04-11 01:02:57 384 --a------ C:\WINDOWS\system32\DVCState-{00000002-00000000-00000006-00001102-00000004-20021102}.dat
2008-04-11 00:03:28 0 d-------- C:\Program Files\Common Files
2008-04-04 22:14:51 0 d-------- C:\Program Files\Messenger
2008-03-04 01:08:54 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-04 00:56:55 0 --a------ C:\WINDOWS\PowerReg.dat
2008-03-01 22:57:47 669184 --a------ C:\WINDOWS\system32\pbsvc.exe
2008-02-27 22:36:30 0 d-------- C:\Documents and Settings\Ryan\Application Data\Help
2008-02-23 09:45:54 0 d-------- C:\Program Files\Lexmark 3100 Series
2008-02-22 22:04:00 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-22 21:22:54 0 d-------- C:\Documents and Settings\Ryan\Application Data\Macromedia
2008-02-22 21:22:54 0 d-------- C:\Documents and Settings\Ryan\Application Data\Adobe
2008-02-20 22:25:05 0 d-------- C:\Documents and Settings\Ryan\Application Data\InterTrust
2008-02-20 20:22:26 0 d-------- C:\Program Files\Creative
2008-02-20 20:22:22 99 --a------ C:\WINDOWS\È
2008-02-20 20:19:27 0 d-------- C:\Documents and Settings\Ryan\Application Data\Creative
2008-02-20 20:18:53 184 --a------ C:\WINDOWS\system32\e000001.dat
2008-02-20 20:12:55 0 d-------- C:\Program Files\Common Files\InstallShield
2008-02-18 04:54:14 262144 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-02-18 04:53:03 0 d-------- C:\Program Files\Futuremark
2008-02-18 03:47:26 0 d-------- C:\Documents and Settings\Ryan\Application Data\Identities
2008-02-18 03:39:18 0 d-------- C:\Program Files\microsoft frontpage
2008-02-18 03:39:06 0 -rahs---- C:\MSDOS.SYS
2008-02-18 03:39:06 0 -rahs---- C:\IO.SYS
2008-02-18 03:39:06 0 --a------ C:\CONFIG.SYS
2008-02-18 03:39:06 0 --a------ C:\AUTOEXEC.BAT
2008-02-18 03:36:50 0 d--h----- C:\Program Files\WindowsUpdate
2008-02-18 03:35:23 0 d-------- C:\Program Files\Common Files\MSSoap
2008-02-18 03:35:05 0 d-------- C:\Program Files\Movie Maker
2008-02-18 03:34:16 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-02-18 03:33:08 0 d-------- C:\Program Files\Online Services
2008-02-18 03:32:54 0 d-------- C:\Program Files\MSN Gaming Zone
2008-02-18 03:32:37 0 d-------- C:\Program Files\Windows NT
2008-02-17 21:55:48 0 d-------- C:\Program Files\Common Files\ODBC
2008-02-17 21:55:41 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-02-17 21:54:58 62 --ahs---- C:\Documents and Settings\Ryan\Application Data\desktop.ini
2008-02-11 09:39:26 253952 --a------ C:\WINDOWS\system32\OnlineScannerDLLA.dll <Not Verified; ; OnlineScanner Dynamic Link Library>
2008-02-11 09:39:18 237568 --a------ C:\WINDOWS\system32\OnlineScannerDLLW.dll <Not Verified; ; OnlineScanner Dynamic Link Library>
2008-02-08 13:53:46 110592 --a------ C:\WINDOWS\system32\OnlineScannerLang.dll <Not Verified; ; OnlineScanner Language Library>
2008-02-05 08:48:04 77824 --a------ C:\WINDOWS\system32\OnlineScannerUninstaller.exe <Not Verified; ; OnlineScannerUninstaller>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{93FF9045-A439-4D52-A414-56B4CE5B3A2F}]
08/04/2004 08:00 AM 88064 --a------ C:\WINDOWS\system32\card.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AD50CDEC-1E12-479A-B36D-FFCCE6E01006}]
08/04/2004 08:00 AM 88064 --a------ C:\WINDOWS\system32\card.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [01/09/2008 06:34 PM]
"nwiz"="nwiz.exe" [01/09/2008 06:34 PM C:\WINDOWS\system32\nwiz.exe]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [09/17/2003 11:43 AM]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [06/18/2003 02:00 AM]
"CTHelper"="CTHELPER.EXE" [10/06/2003 02:57 AM C:\WINDOWS\system32\CTHELPER.EXE]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [12/03/2002 07:06 PM]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/11/2000 02:00 AM]
"LXBRKsk"="C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe" [06/13/2003 03:57 PM]
"Lexmark 3100 Series"="C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe" [07/28/2003 07:50 PM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [01/09/2008 06:34 PM]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [01/26/2005 05:23 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\Setup.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 .supercocklol.com
127.0.0.1 www..webloyalty.com
127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com

8118 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-12 01:06:39 ------------

**************************************************************************************
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 X2 Dual Core Processor 6000+
CPU 1: AMD Athlon™ 64 X2 Dual Core Processor 6000+
Percentage of Memory in Use: 29%
Physical Memory (total/avail): 2047.23 MiB / 1434.11 MiB
Pagefile Memory (total/avail): 3940.29 MiB / 3626.82 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1944.69 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 34.18 GiB total, 25.79 GiB free.
D: is Fixed (NTFS) - 263.9 GiB total, 181.67 GiB free.
E: is Fixed (NTFS) - 298.09 GiB total, 238.55 GiB free.
F: is CDROM (UDF)
G: is Removable (No Media)
Y: is Fixed (NTFS) - 9.77 GiB total, 2.6 GiB free.
Z: is Fixed (NTFS) - 102.02 GiB total, 19.84 GiB free.

\\.\PHYSICALDRIVE0 - ST3320620AS - 298.09 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 34.18 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 263.9 GiB - D:

\\.\PHYSICALDRIVE1 - WDC WD1200JD-22HBB0 - 111.79 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 9.77 GiB - Y:
\PARTITION1 - Extended w/Extended Int 13 - 102.02 GiB - Z:

\\.\PHYSICALDRIVE2 - WDC WD3200AAKS-00SBA0 - 298.09 GiB - 1 partition
\PARTITION0 - Installable File System - 298.09 GiB - E:

\\.\PHYSICALDRIVE3 - OEI-USB CF/SM/SD/MS USB Device



-- Security Center -------------------------------------------------------------

Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: ZoneAlarm Firewall v5.5.062.011 (Zone Labs, Inc.) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"E:\\games\\Crysis\\Bin32\\Crysis.exe"="E:\\games\\Crysis\\Bin32\\Crysis.exe:*:Enabled:Crysis_32"
"E:\\games\\Crysis\\Bin32\\CrysisDedicatedServer.exe"="E:\\games\\Crysis\\Bin32\\CrysisDedicatedServer.exe:*:Enabled:CrysisDedicatedServer_32"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Ryan\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DESKTOP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Ryan
LOGONSERVER=\\DESKTOP
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 67 Stepping 3, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=4303
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Ryan\LOCALS~1\Temp
TMP=C:\DOCUME~1\Ryan\LOCALS~1\Temp
tvdumpflags=10
USERDOMAIN=DESKTOP
USERNAME=Ryan
USERPROFILE=C:\Documents and Settings\Ryan
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Ryan (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative\SBAudigy2ZS\Program\Ctzapxx.EXE" /W /U /S
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{169F8893-C1C5-4847-972C-EA1E008112AC}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{169F8893-C1C5-4847-972C-EA1E008112AC}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{236FADD8-58FD-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{236FADD8-58FD-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDDF96A-BC34-4D72-9ABA-E1FFF0C39977}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{72A810B1-EE62-455A-A086-E1C9FEDE7F29}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{72A810B1-EE62-455A-A086-E1C9FEDE7F29}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{87499F38-FD69-4A2B-B41A-BAB8DE9B94FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9154ED7C-926E-49CC-B677-0CF3C5267457}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9154ED7C-926E-49CC-B677-0CF3C5267457}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3549608-69D3-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3549608-69D3-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3DMark06 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F3AD00A-1819-4B15-BB7D-08B3586336D7}\setup.exe" -l0x9 -removeonly
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Shockwave Player --> C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Command & Conquer 3 --> MsiExec.exe /I{DDEDAF6C-488E-4CDA-8276-1CCF5F3C5C32}
Command & Conquer™ 3: Kane's Wrath --> MsiExec.exe /I{CC2422C9-F7B5-4175-B295-5EC2283AA674}
Creative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{87499F38-FD69-4A2B-B41A-BAB8DE9B94FE}\setup.exe" -l0x9 /remove
Crysis® --> MsiExec.exe /I{000E79B7-E725-4F01-870A-C12942B7F8E4}
ESET Online Scanner --> C:\WINDOWS\system32\OnlineScannerUninstaller.exe
Gothic III --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{02B244A2-7F6A-42E8-A36F-8C385D7A1625}\setup.exe" -l0x9 -removeonly
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Lexmark 3100 Series --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBRUN5C.EXE -dLexmark 3100 Series
McAfee VirusScan --> MsiExec.exe /I{87AEFD84-BC0D-11D4-B885-00508B022A51}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
NVIDIA Drivers --> C:\WINDOWS\system32\nvuninst.exe UninstallGUI
PunkBuster Services --> C:\WINDOWS\system32\pbsvc.exe -u
Sound Blaster Audigy 2 ZS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E2514D9-DC24-4634-B348-61F3EF0F1628}\SETUP.EXE" -l0x9
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type490 / Error
Event Submitted/Written: 04/06/2008 11:39:12 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application gothic3.exe, version 1.12.26364.0, faulting module gothic3.exe, version 1.12.26364.0, fault address 0x000456ac.
Processing media-specific event for [gothic3.exe!ws!]

Event Record #/Type487 / Error
Event Submitted/Written: 04/06/2008 11:24:09 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application cnc3ep1.dat, version 1.0.2955.37387, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type480 / Error
Event Submitted/Written: 04/06/2008 10:10:43 PM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007041F from line 44 of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Event Record #/Type477 / Error
Event Submitted/Written: 04/06/2008 10:07:28 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application cnc3.exe, version 0.0.0.0, faulting module cnc3.exe, version 0.0.0.0, fault address 0x00057338.
Processing media-specific event for [cnc3.exe!ws!]

Event Record #/Type476 / Error
Event Submitted/Written: 04/06/2008 09:22:16 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3408 / Error
Event Submitted/Written: 04/12/2008 00:07:55 AM
Event ID/Source: 9 / atapi
Event Description:
The device, \Device\Ide\IdePort2, did not respond within the timeout period.

Event Record #/Type3392 / Error
Event Submitted/Written: 04/11/2008 10:34:28 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1055" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type3358 / Error
Event Submitted/Written: 04/11/2008 00:13:35 AM
Event ID/Source: 7011 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for a transaction response from the AvSynMgr service.

Event Record #/Type3336 / Error
Event Submitted/Written: 04/10/2008 11:49:11 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The PnkBstrA service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type3311 / Error
Event Submitted/Written: 04/10/2008 09:10:08 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1055" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}



-- End of Deckard's System Scanner: finished at 2008-04-12 01:06:39 ------------


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:06:18 PM

Posted 12 April 2008 - 05:20 AM

Hello there and welcome to Bleeping Computer's security forum. :thumbsup:
My name is David, I will be helping you with your log today.

I think you've got a very rare BHO infection, caused by a file called "card.dll".
Having said that, I can't find any information about it at all, so I will need you to upload the file.
It will probably be a very new virus, and if that's the case we should be able to fix it quite easily..

Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop but do not run it.

Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Please open the Suspicious File Packer you downloaded earlier.
Paste the following bold part into the Suspicious File Packer window:

C:\WINDOWS\system32\card.dll

Allow SFP to pack the file. This will generate a CAB archive on your desktop.

Reboot back to normal mode.

Go to this page.
Enter the URL of this thread in the first field.
Where it says "browse to the file that you want to submit", click the browse button next to the second field and browse to the CAB archive that was created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.
Please let me know when you have submitted the files.

Then, please download Combofix to your desktop.
Doubleclick combofix.exe to launch the application.

Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.

#3 mythdragon

mythdragon
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:18 PM

Posted 12 April 2008 - 04:11 PM

Hi Dave

Here is my combofix log:
My previous hijackthis log came AFTER combofix was run.
and I sent the file you requested.
Thanks for the help.

ComboFix 08-04-10.7 - Ryan 2008-04-11 0:53:22.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1587 [GMT -4:00]
Running from: C:\Documents and Settings\Ryan\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-11 to 2008-04-11 )))))))))))))))))))))))))))))))
.

2008-04-11 00:03 . 2008-04-11 00:03 <DIR> d-------- C:\WINDOWS\system32\Res09
2008-04-11 00:03 . 2008-04-11 00:03 <DIR> d-------- C:\Program Files\Common Files\Network Associates
2008-04-09 20:12 . 2008-04-09 21:04 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-04-09 20:06 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-09 20:05 . 2008-04-09 20:06 <DIR> d-------- C:\Program Files\Java
2008-04-09 20:05 . 2008-04-09 20:05 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-06 23:25 . 2008-04-06 23:45 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\Command & Conquer 3 Tiberium Wars
2008-04-06 23:24 . 2008-04-06 23:24 <DIR> dr-h----- C:\Documents and Settings\Ryan\Application Data\SecuROM
2008-04-06 23:18 . 2008-04-06 23:18 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\Command & Conquer 3 Kane's Wrath
2008-04-06 23:04 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-04-06 23:04 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-04-06 23:04 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-04-06 23:04 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-04-06 23:04 . 2007-10-22 03:37 17,928 --a------ C:\WINDOWS\system32\X3DAudio1_2.dll
2008-04-06 22:42 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-04-06 22:04 . 2008-04-11 00:03 <DIR> d-------- C:\Program Files\Network Associates
2008-04-04 22:04 . 2008-04-04 22:04 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-04 20:09 . 2008-04-04 20:09 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-04-04 20:09 . 2008-04-04 20:09 <DIR> d-------- C:\Program Files\Zone Labs
2008-04-04 20:09 . 2008-04-04 20:09 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-04-04 20:09 . 2008-04-11 00:06 890 --ah----- C:\WINDOWS\system32\vsconfig.xml
2008-04-04 20:08 . 2008-04-10 23:44 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-04-04 01:26 . 2008-04-04 01:26 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-04 01:26 . 2008-04-04 01:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-02 21:15 . 2004-08-04 08:00 88,064 --a------ C:\WINDOWS\system32\card.dll
2008-04-01 02:55 . 2008-03-19 19:26 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-04-01 02:55 . 2008-03-19 19:29 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-10 13:32 1,035,776 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-04-10 13:27 63,488 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-04-07 03:18 972,800 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-04-07 03:17 58,368 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-04-07 03:17 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-04 05:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-02 02:58 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-03-02 02:58 22,328 ----a-w C:\Documents and Settings\Ryan\Application Data\PnkBstrK.sys
2008-03-02 02:57 669,184 ----a-w C:\WINDOWS\system32\pbsvc.exe
2008-03-02 02:57 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-03-02 02:57 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-02-23 13:45 --------- d-----w C:\Program Files\Lexmark 3100 Series
2008-02-23 02:04 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-21 02:25 --------- d-----w C:\Documents and Settings\Ryan\Application Data\InterTrust
2008-02-21 02:23 271,360 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-02-21 02:23 18,048 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys
2008-02-21 00:22 --------- d-----w C:\Program Files\Creative
2008-02-21 00:19 --------- d-----w C:\Documents and Settings\Ryan\Application Data\Creative
2008-02-21 00:12 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-18 08:54 262,144 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-02-18 08:53 --------- d-----w C:\Program Files\Futuremark
2008-02-18 07:39 --------- d-----w C:\Program Files\microsoft frontpage
2008-02-11 13:39 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
2008-02-11 13:39 237,568 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
2008-02-08 17:53 110,592 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
2008-02-05 12:48 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AD50CDEC-1E12-479A-B36D-FFCCE6E01006}]
2004-08-04 08:00 88064 --a------ C:\WINDOWS\system32\card.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-01-09 18:34 13508608]
"nwiz"="nwiz.exe" [2008-01-09 18:34 1626112 C:\WINDOWS\system32\nwiz.exe]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 11:43 57344]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 02:00 45056]
"CTHelper"="CTHELPER.EXE" [2003-10-06 02:57 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 19:06 45056]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
"LXBRKsk"="C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 15:57 294912]
"Lexmark 3100 Series"="C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-07-28 19:50 106496]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-01-09 18:34 86016]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-01-26 05:23 902936]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"E:\\games\\Crysis\\Bin32\\Crysis.exe"=
"E:\\games\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=

R0 NaiFsRec;NaiFsRec;C:\WINDOWS\system32\drivers\NaiFsRec.sys [2001-04-30 04:51]
R2 AvSynMgr;AVSync Manager;"C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe" [2001-04-30 04:51]
R2 PfDetNT;PfDetNT;C:\WINDOWS\system32\drivers\PfModNT.sys [2003-03-05 03:07]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 23:31]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l151x86.sys [2007-08-29 15:41]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Setup.exe

*Newly Created Service* - AVSYNMGR
*Newly Created Service* - CATCHME
*Newly Created Service* - MCSHIELD
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-11 00:57:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-11 0:58:51
ComboFix-quarantined-files.txt 2008-04-11 04:58:41
Pre-Run: 27,239,034,880 bytes free
Post-Run: 27,228,499,968 bytes free

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:06:18 PM

Posted 12 April 2008 - 06:28 PM

First things first, we need to install the recovery console onto your system; it's an important security and safety feature which you really do need to have installed. You can install the recovery console regardless of whether or not you have the XP cd that came with the operating system - I recommend you download the recovery console installation file from the internet, it's only about 4mb in size, so it shouldn't take too long to download.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
At that page, scroll down and click on the appropriate download for your version of Windows XP (Home or Professional) and the service pack level that you have installed. When you click on the link to download the file, make sure you save it directly to your desktop.

If you are unsure what version of Windows you have and what Service Pack is installed, you can follow these instructions to gain that information:

1) Click on the Start button.
2) Click on the Run menu option.
3) In the Open: field type the following: sysdm.cpl and then click on the OK button.
4) A screen will appear showing information about your installation.
Under the System: category you should see your Windows version and the installed Service Pack.

Once the Microsoft file has finished downloading, close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. This is shown in the following image:
[image: the Recovery Console setup package being dragged onto ComboFix.exe]
Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

#5 mythdragon

mythdragon
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:18 PM

Posted 13 April 2008 - 07:44 PM

I downloaded from the page you gave me, though it said it was boot floppies, and nothing about recovery console.

anyway here's the log
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons



Should I delete the card.dll file or just wait for further guidance?
Also, do donations go directly to you, or the site?
Thanks again.

#6 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:06:18 PM

Posted 15 April 2008 - 11:37 AM

Hi, sorry about the delay in getting back to you..

Thanks for uploading the file. I've unpacked it and taken a look, and I'm pretty sure it's a baddie. It has links inside to a Chinese "deals and coupons" site, and a scan at AVG security suites returned the following result:
AVG --- 7.5.0.516 2008.04.15 Downloader.Delf.12.AN

Let's go ahead and delete the file, and hopefully the problem will stop..

Open HijackThis, click 'Config' (bottom right), then choose the 'Misc Tools' tab at the top.
Choose 'Delete a file on reboot'. In the field, copy and paste the filepath a few lines below.
Click open. Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now.
When asked if you want to reboot now, say Yes:
C:\WINDOWS\system32\card.dll

Allow the PC to reboot, if it doesn't do it automatically, please reboot manually.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: (no name) - {93FF9045-A439-4D52-A414-56B4CE5B3A2F} - C:\WINDOWS\system32\card.dll
O2 - BHO: (no name) - {AD50CDEC-1E12-479A-B36D-FFCCE6E01006} - C:\WINDOWS\system32\card.dll

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Please perform this online scan: Kaspersky Webscan
Note that this scanner will only work on Internet Explorer, so please use this browser for the scan.
Read the Requirements and Privacy statement, then select "Accept"
A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
Select "Install" to download the ActiveX controls that allows ActiveScan to run.

When the download is complete it will say ready, click "Next"
Select a target to scan: Click on "My Computer"
When the scan is complete choose to save the results as "Save as Text"
Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.

Oh and on a side note, donations are not accepted by the site, so everything goes direct to us helpers.
Please complete the above and post the logs, also let me know if the popups stop! :thumbsup:

#7 mythdragon

mythdragon
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:18 PM

Posted 15 April 2008 - 08:14 PM

Thanks Dave, so far, it's looking like it worked.
I no longer get an initial popup to adnet.server.com,
and my searches are no longer hijacked.

Here are the logs you requested:
Hijackthis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:11:17 PM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1203569095453
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4845 bytes
virus scan
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, April 15, 2008 9:10:25 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/04/2008
Kaspersky Anti-Virus database records: 708265
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: false
Scan Mail Bases: false

Scan Target - Folders:
C:\

Scan Statistics:
Total number of scanned objects: 27823
Number of viruses found: 4
Number of infected objects: 8
Number of suspicious objects: 0
Duration of the scan process: 00:25:05

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Ryan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\Temp\~DF61D5.tmp Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ryan\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Ryan\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B7B6736C-D5FC-4B88-8EE3-DB9FEE0A6221}\RP69\A0024787.exe Infected: Trojan-Downloader.Win32.Delf.ezu skipped
C:\System Volume Information\_restore{B7B6736C-D5FC-4B88-8EE3-DB9FEE0A6221}\RP69\A0024789.exe Infected: Trojan-Downloader.Win32.Delf.ezu skipped
C:\System Volume Information\_restore{B7B6736C-D5FC-4B88-8EE3-DB9FEE0A6221}\RP78\A0028503.dll Infected: not-a-virus:FraudTool.Win32.BraveSentry.j skipped
C:\System Volume Information\_restore{B7B6736C-D5FC-4B88-8EE3-DB9FEE0A6221}\RP78\A0028504.dll Infected: not-a-virus:AdWare.Win32.SearchAssistant.k skipped
C:\System Volume Information\_restore{B7B6736C-D5FC-4B88-8EE3-DB9FEE0A6221}\RP78\A0028505.dll Infected: not-a-virus:AdWare.Win32.SearchAssistant.l skipped
C:\System Volume Information\_restore{B7B6736C-D5FC-4B88-8EE3-DB9FEE0A6221}\RP78\A0028507.dll Infected: not-a-virus:FraudTool.Win32.BraveSentry.j skipped
C:\System Volume Information\_restore{B7B6736C-D5FC-4B88-8EE3-DB9FEE0A6221}\RP78\A0028508.dll Infected: not-a-virus:AdWare.Win32.SearchAssistant.k skipped
C:\System Volume Information\_restore{B7B6736C-D5FC-4B88-8EE3-DB9FEE0A6221}\RP78\A0028509.dll Infected: not-a-virus:AdWare.Win32.SearchAssistant.l skipped
C:\System Volume Information\_restore{B7B6736C-D5FC-4B88-8EE3-DB9FEE0A6221}\RP83\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\DESKTOP.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT0470e.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\{00000002-00000000-00000006-00001102-00000004-20021102}.CDF Object is locked skipped

Scan process completed.


It looks like a few viruses were found in restore points.
Your thoughts?

#8 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:06:18 PM

Posted 16 April 2008 - 08:48 AM

Great work, just a couple of things left to do now.. :thumbsup:

Please fix this entry with Hijackthis, in the same way you've fixed entries before..
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe

We need to purge your infected system restore points.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Check Turn off System Restore, click Apply, and then click OK.
More information on how to disable your system restore can be found here.

We want to create a new, clean restore point. Please first reboot your computer.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Uncheck "Turn off System Restore", click Apply, and then click OK.

Click Start > All Programs > Accessories > System Tools, and select System Restore.
In the System Restore wizard, select the box next the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point - Something like "After trojan/spyware cleanup".
Click Create, and after it has created the restore point, click "Close".
Further instructions on creating a restore point can be found here

Please reboot a final time and let me know how the PC is running.
I see a clean Hijackthis log now!

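The fixes in this thread all came from reading HijackThis log lines by hand: the two "(no name)" O2 BHO entries pointing at card.dll, the HKCU Run entry that launched a bare "msiconf.exe" with no path, and an O23 service with "Unknown owner". The following is an added example, not HijackThis code and not anything posted in the thread; it parses the same line formats and applies those three reviewer heuristics (plus a fourth for start/search pages that point at an IP literal). The sample log mixes lines quoted from the thread with constructed control lines (the 192.0.2.10 search page is made up), and the rules are a triage aid, not a verdict on any file.

```python
"""Heuristic triage of HijackThis-style log lines.

Added example for this thread: it is not HijackThis code and does not
reproduce HijackThis's own rules. SAMPLE_LOG mixes lines copied from the
logs posted in the thread with constructed control lines; the rules are
assumptions a reviewer would apply by hand, not a verdict on any file.
"""
import re
from urllib.parse import urlparse

# Constructed sample: the card.dll, Acrobat, NvCpl, Zone Labs, msiconf.exe,
# PnkBstrA and vsmon lines are quoted from the thread; the 192.0.2.10
# search page line is invented as a positive control.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://192.0.2.10/search
O2 - BHO: (no name) - {AD50CDEC-1E12-479A-B36D-FFCCE6E01006} - C:\WINDOWS\system32\card.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Line shapes as they appear in HijackThis 2.x logs.
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
RE_O23 = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.+)$")
RE_R = re.compile(r"^R[0-3] - (?P<key>.+?) = (?P<url>\S+)$")


def split_command(cmd):
    """Return (executable, arguments) for a Run-key command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def launched_target(cmd):
    """The file a Run entry really loads: for rundll32 that is the DLL argument."""
    exe, args = split_command(cmd)
    if exe.lower() in ("rundll32.exe", "rundll32"):
        return args.split(",", 1)[0].strip().strip('"')
    return exe


def is_bare_name(path):
    """A bare filename is resolved through the search path, which is how a
    dropped 'msiconf.exe' in a writable directory gets run at logon."""
    return "\\" not in path and "/" not in path


def is_ip_literal(url):
    host = urlparse(url).hostname or ""
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None


def triage(log_text):
    """Return a list of findings, each a dict with kind, reason, target and line."""
    findings = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = RE_O2.match(line)
        if m:
            if m["name"] == "(no name)":
                findings.append(dict(line_no=n, kind="O2", reason="unnamed BHO",
                                     target=m["path"], line=line))
            continue
        m = RE_O4.match(line)
        if m:
            target = launched_target(m["cmd"])
            if is_bare_name(target):
                findings.append(dict(line_no=n, kind="O4",
                                     reason="autorun with no path under %s" % m["hive"],
                                     target=target, line=line))
            continue
        m = RE_O23.match(line)
        if m:
            if m["owner"].strip().lower() == "unknown owner":
                findings.append(dict(line_no=n, kind="O23", reason="service with no owner string",
                                     target=m["path"], line=line))
            continue
        m = RE_R.match(line)
        if m and is_ip_literal(m["url"]):
            findings.append(dict(line_no=n, kind="R", reason="start/search page is an IP literal",
                                 target=m["url"], line=line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("line %2d %-3s %-40s %s" % (f["line_no"], f["kind"], f["reason"], f["target"]))
```

Run it as a script to see the four flagged lines; pipe a real log into triage() to apply the same checks. A flag here means "look at this file", not "delete it": PnkBstrA, for example, is a legitimate anti-cheat service that simply carries no owner string, which is exactly why the thread left it alone.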
#9 mythdragon

mythdragon
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:18 PM

Posted 19 April 2008 - 12:21 AM

well it looks like that did it. You have no idea how much I appreciate your help. This one had me stumped.
Isn't this crap illegal? I was being hijacked to some big name 'partner' sites like ebay. How do they get away with sending you trojans you can't get rid of?

Anyway, thanks.
I sent you a donation, so get yourself some nice American lager, or at least a pint of Guinness. As long as you don't drink any of that warm British beer with my donation. :thumbsup:

Cheers, mate. And thanks again.

#10 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:06:18 PM

Posted 19 April 2008 - 04:12 AM

Glad I could help!
The latest log is looking clean!

Thanks a lot for the much appreciated donation, a Guinness it is! :thumbsup:

This stuff is very much illegal, but there isn't really anything officials can do to stop it - firstly it's very difficult to track a hacker or an infector as they can use proxies and other things to hide their PCs. Secondly, this stuff occurs all over the world and from country to country, so in numerous cases, for example here in England, it's very difficult to prosecute people in say Nigeria.

As for where you got the infection from, these types of infections normally come bundled with applications that you might install without checking them out first, for example audio/movie codecs that you are prompted to install from dodgy websites. Another big source of infection is P2P file sharing, where a large number of files that are available to download are simply trojan downloaders and installers etc. Finally, crack sites providing serials and keygens to "crack" open applications you need to pay for are the worst for this. Nearly every crack site has malicious code waiting to be injected into your system.

Anyway, follow this list and your potential for being infected again will be reduced dramatically.

Use an Anti Virus Software -
* It is very important that your computer has an anti-virus software running on your machine.
* This alone can save you a lot of trouble with malware in the future. This link has listings of stand-alone anti virus programs:
* Click here for more information on -> Computer Safety On line - Anti-Virus
* I would recommend Grisoft's AVG or AVAST.
* These are the more secure and better ones.

Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall -
* I can not stress how important it is that you use a Firewall on your computer.
* Without a firewall your computer is susceptible to being hacked and taken over.
* Simply using a Firewall in its default configuration can lower your risk greatly.
* For an article on Firewalls and a listing of some available ones see the link below:
* Click here for more information on -> Computer Safety On line - Software Firewalls
* I would recommend ZoneAlarm as a firewall as it's easy to use.

Visit Microsoft's Windows Update Site Frequently -
* It is important that you visit http://www.windowsupdate.com regularly.
* This will ensure your computer has always the latest security updates available installed on your computer.
* If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly

Install Spybot© - Search and Destroy- Install and download Spybot - Search and Destroy with its TeaTimer option.
* This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
* You should also scan your computer with the program on a regular basis just as you would an anti virus software.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Lavasofts© Ad-Aware - Install and download Ad-Aware.
* You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Javacools© SpywareBlaster -
* SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings, which will protect you from running and downloading known malicious programs.
* An article on anti-malware products with links for this program and others can be found here:
* Click here for more info -->Computer Safety on line - Anti-Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

If you have any addition questions just ask...
David



