Smitfraud Et Al. Cannot Boot Into Safe Mode.


11 replies to this topic

#1 Nancy V

Nancy V

  • Members
  • 33 posts

Posted 23 April 2008 - 08:42 PM

Edit: Referred here from the Am I Infected forum. Topic here: http://www.bleepingcomputer.com/forums/t/142538/antispywaremaster-need-help-removing/ ~ OB

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:50 PM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Dell Photo AIO Printer 964\memcard.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dlcjcoms.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9DFA498A-033E-43E5-B542-0F3B868AC140} - C:\WINDOWS\system32\comsnape.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DLCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcjmon.exe] "C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 964\memcard.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1207583759842
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://rdesk.tekmarkinc.com/msrdp.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dlcj_device - Unknown owner - C:\WINDOWS\system32\dlcjcoms.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5033 bytes

Edited by Orange Blossom, 23 April 2008 - 08:48 PM.
Provided more appropriate title and added link from Infected forum where started. ~ OB



#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 24 April 2008 - 11:51 AM

Hello again :thumbsup:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 Nancy V

Nancy V
  • Topic Starter

  • Members
  • 33 posts

Posted 24 April 2008 - 06:02 PM

Hi Teacup! Thank you so much for helping me again! I hope you can figure out all the horrible stuff that's plaguing this poor innocent computer : )

Nancy


ComboFix 08-04-22.5 - nj 2008-04-24 18:43:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.83 [GMT -4:00]
Running from: C:\Documents and Settings\nj\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.

2008-04-22 19:08 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-22 19:08 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-22 19:08 . 2008-04-14 19:28 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-22 19:08 . 2008-04-21 10:01 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-22 19:08 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-22 19:08 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-22 19:08 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-21 23:11 . 2008-04-21 23:19 <DIR> d-------- C:\fixwareout
2008-04-21 20:08 . 2008-04-22 19:25 2,390 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-19 23:50 . 2006-08-21 05:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-04-19 23:50 . 2006-08-21 05:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-04-19 23:50 . 2006-08-21 08:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-04-19 23:44 . 2008-04-19 23:44 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-19 09:22 . 2007-07-09 09:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-19 09:19 . 2006-12-26 09:07 536,576 -----c--- C:\WINDOWS\system32\dllcache\msado15.dll
2008-04-19 09:19 . 2006-12-26 09:07 200,704 -----c--- C:\WINDOWS\system32\dllcache\msadox.dll
2008-04-19 09:19 . 2006-12-26 09:07 180,224 -----c--- C:\WINDOWS\system32\dllcache\msadomd.dll
2008-04-19 09:19 . 2006-12-26 09:07 102,400 -----c--- C:\WINDOWS\system32\dllcache\msjro.dll
2008-04-18 23:22 . 2006-10-13 06:23 163,584 -----c--- C:\WINDOWS\system32\dllcache\nwrdr.sys
2008-04-18 23:22 . 2006-10-13 08:35 142,336 -----c--- C:\WINDOWS\system32\dllcache\nwprovau.dll
2008-04-18 23:22 . 2006-10-13 08:35 65,536 -----c--- C:\WINDOWS\system32\dllcache\nwwks.dll
2008-04-18 23:12 . 2007-06-26 02:08 1,104,896 -----c--- C:\WINDOWS\system32\dllcache\msxml3.dll
2008-04-18 23:09 . 2008-03-19 05:47 1,845,248 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-04-18 23:09 . 2007-03-08 11:36 577,536 -----c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-04-18 23:09 . 2006-06-14 04:47 172,416 -----c--- C:\WINDOWS\system32\dllcache\kmixer.sys
2008-04-18 23:09 . 2006-05-19 08:59 111,616 -----c--- C:\WINDOWS\system32\dllcache\dhcpcsvc.dll
2008-04-18 23:09 . 2006-05-19 08:59 94,720 -----c--- C:\WINDOWS\system32\dllcache\iphlpapi.dll
2008-04-18 23:09 . 2006-06-14 05:00 82,944 -----c--- C:\WINDOWS\system32\dllcache\wdmaud.sys
2008-04-18 23:09 . 2007-03-08 11:36 40,960 -----c--- C:\WINDOWS\system32\dllcache\mf3216.dll
2008-04-18 23:09 . 2006-06-14 04:47 6,400 -----c--- C:\WINDOWS\system32\dllcache\splitter.sys
2008-04-18 23:08 . 2007-10-29 18:43 1,287,680 -----c--- C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-18 23:06 . 2007-12-18 10:40 450,560 -----c--- C:\WINDOWS\system32\dllcache\jscript.dll
2008-04-18 23:06 . 2007-12-18 10:40 417,792 -----c--- C:\WINDOWS\system32\dllcache\vbscript.dll
2008-04-18 22:43 . 2008-04-18 22:43 <DIR> d-------- C:\Documents and Settings\nj\Application Data\Malwarebytes
2008-04-18 22:42 . 2008-04-18 22:43 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-18 22:42 . 2008-04-18 22:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-18 22:41 . 2008-04-18 22:41 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-18 22:17 . 2008-04-18 22:17 <DIR> d-------- C:\VundoFix Backups
2008-04-18 20:42 . 2008-04-24 11:17 1,998,880 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-18 20:42 . 2008-04-24 11:17 23,996 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-18 20:39 . 2008-04-18 20:39 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-04-18 20:38 . 2008-04-18 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-18 20:37 . 2008-04-02 21:07 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-04-18 20:37 . 2004-04-27 05:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-04-18 20:37 . 2008-04-18 20:39 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-04-18 20:36 . 2008-04-18 20:37 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-04-18 20:36 . 2008-04-18 20:36 <DIR> d-------- C:\Program Files\Zone Labs
2008-04-18 20:36 . 2008-04-02 21:07 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-04-18 20:36 . 2008-04-24 17:17 352,918 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-04-18 20:35 . 2008-04-24 18:40 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-04-18 20:10 . 2008-02-20 02:51 282,624 -----c--- C:\WINDOWS\system32\dllcache\gdi32.dll
2008-04-18 20:06 . 2008-02-20 01:32 45,568 -----c--- C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-04-18 19:55 . 2008-04-18 19:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-18 19:02 . 2008-04-18 22:59 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-18 19:02 . 2008-04-18 22:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-18 18:51 . 2007-02-28 05:10 2,180,352 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-04-18 18:51 . 2007-02-28 05:08 2,136,064 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-04-18 18:51 . 2007-02-28 04:38 2,057,600 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-04-18 18:51 . 2007-02-28 04:38 2,015,744 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-04-18 18:50 . 2006-06-22 01:06 1,435,648 -----c--- C:\WINDOWS\system32\dllcache\query.dll
2008-04-18 18:50 . 2007-06-13 06:23 1,033,216 -----c--- C:\WINDOWS\system32\dllcache\explorer.exe
2008-04-18 18:50 . 2006-11-27 10:54 539,136 -----c--- C:\WINDOWS\system32\dllcache\msftedit.dll
2008-04-18 18:50 . 2006-11-27 10:54 433,152 -----c--- C:\WINDOWS\system32\dllcache\riched20.dll
2008-04-18 18:50 . 2006-08-17 08:28 332,288 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-04-18 18:50 . 2007-03-17 09:43 292,864 -----c--- C:\WINDOWS\system32\dllcache\winsrv.dll
2008-04-18 18:50 . 2007-04-25 10:21 144,896 -----c--- C:\WINDOWS\system32\dllcache\schannel.dll
2008-04-18 18:50 . 2006-08-17 08:28 132,096 -----c--- C:\WINDOWS\system32\dllcache\wkssvc.dll
2008-04-18 18:50 . 2006-06-22 01:06 69,120 -----c--- C:\WINDOWS\system32\dllcache\ciodm.dll
2008-04-18 18:50 . 2006-03-16 20:38 28,672 --------- C:\WINDOWS\system32\verclsid.exe
2008-04-18 18:47 . 2007-04-16 11:52 984,576 -----c--- C:\WINDOWS\system32\dllcache\kernel32.dll
2008-04-18 18:47 . 2006-05-05 05:41 453,120 -----c--- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2008-04-18 18:47 . 2006-05-05 05:47 174,592 -----c--- C:\WINDOWS\system32\dllcache\rdbss.sys
2008-04-18 18:44 . 2008-04-20 00:11 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-18 18:19 . 2008-04-18 18:36 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-18 17:55 . 2008-04-18 17:55 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-18 17:55 . 2008-04-18 17:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-18 17:54 . 2008-04-18 17:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-16 18:34 . 2001-08-23 08:00 88,064 --a------ C:\WINDOWS\system32\comsnape.dll
2008-04-14 22:59 . 2008-04-14 23:00 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-14 22:58 . 2008-04-14 22:58 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-04-14 19:20 . 2008-04-14 19:20 0 --a------ C:\WINDOWS\vpc32.INI
2008-04-13 11:59 . 2008-04-13 11:59 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-04-13 11:59 . 2008-04-13 11:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-04-13 11:58 . 2008-04-13 11:59 <DIR> d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-04-13 11:56 . 2008-04-13 11:56 <DIR> d-------- C:\Documents and Settings\nj\Application Data\Jasc Software Inc
2008-04-13 11:55 . 2008-04-13 11:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-04-13 11:54 . 2008-04-13 11:56 <DIR> d-------- C:\Program Files\Jasc Software Inc
2008-04-13 11:54 . 2008-04-13 11:54 <DIR> d-------- C:\Program Files\Common Files\Jasc Software Inc
2008-04-13 11:54 . 2008-04-13 11:59 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-04-13 11:53 . 2008-04-13 12:00 <DIR> d-------- C:\Program Files\Dell Photo AIO Printer 964
2008-04-13 11:53 . 2008-04-13 12:00 12,389 --a------ C:\WINDOWS\system32\LexFiles.ulf
2008-04-13 11:52 . 2008-04-21 22:31 <DIR> d-------- C:\Program Files\Dl_cats
2008-04-13 11:52 . 2005-07-22 11:54 40,960 -ra------ C:\WINDOWS\system32\dlcjvs.dll
2008-04-13 11:51 . 2005-06-01 12:53 69,632 -ra------ C:\WINDOWS\system32\dlcjcfg.dll
2008-04-13 11:51 . 2005-08-25 14:15 1,448 -ra------ C:\WINDOWS\system32\dlcj.loc
2008-04-12 19:35 . 2008-04-12 19:35 <DIR> d-------- C:\Program Files\MFInstall
2008-04-12 12:15 . 2004-08-04 02:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-12 12:15 . 2004-08-04 02:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-12 12:15 . 2004-08-04 02:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-04-10 18:13 . 2008-04-20 10:06 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-04-09 21:14 . 2008-04-09 21:14 <DIR> d-------- C:\Documents and Settings\nj\Application Data\Snapfish
2008-04-08 22:22 . 2008-04-19 13:37 <DIR> d-------- C:\Program Files\Google
2008-04-08 19:58 . 2004-08-04 02:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-04-08 19:58 . 2004-08-04 02:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-04-08 19:58 . 2004-08-04 03:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-04-08 19:58 . 2004-08-04 03:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-04-07 14:01 . 2008-04-07 14:01 <DIR> d-------- C:\Documents and Settings\nj\Application Data\Simple Star
2008-04-07 14:01 . 2004-11-17 17:24 421,888 --a------ C:\WINDOWS\Nero PhotoShow.scr
2008-04-07 13:59 . 2008-04-07 14:01 <DIR> d-------- C:\Program Files\Nero
2008-04-07 13:59 . 2008-04-10 18:13 <DIR> d-------- C:\Documents and Settings\nj\Application Data\Ahead
2008-04-07 13:59 . 2004-05-14 11:12 1,916,928 --------- C:\WINDOWS\UNNVEContent.exe
2008-04-07 13:59 . 2004-11-30 13:14 67,990 --------- C:\WINDOWS\UNNVEContent.cfg
2008-04-07 13:58 . 2004-05-14 11:12 1,916,928 --------- C:\WINDOWS\UNAheadManual.exe
2008-04-07 13:58 . 2004-05-06 05:06 33,193 --------- C:\WINDOWS\UNAheadManual.cfg
2008-04-07 13:57 . 2008-04-07 13:57 <DIR> d-------- C:\WINDOWS\InCD
2008-04-07 13:57 . 2005-12-09 10:02 3,051,520 --------- C:\WINDOWS\UNNMP.exe
2008-04-07 13:57 . 2006-01-12 08:51 3,051,520 --------- C:\WINDOWS\UNMRW.exe
2008-04-07 13:57 . 2006-01-17 11:09 102,016 --------- C:\WINDOWS\system32\drivers\InCDfs.sys
2008-04-07 13:57 . 2006-04-13 11:26 55,770 --------- C:\WINDOWS\UNMRW.cfg
2008-04-07 13:57 . 2006-04-13 11:26 46,251 --------- C:\WINDOWS\UNNMP.cfg
2008-04-07 13:57 . 2006-01-17 05:09 32,640 --------- C:\WINDOWS\system32\drivers\InCDrm.sys
2008-04-07 13:57 . 2006-01-17 11:09 29,440 --------- C:\WINDOWS\system32\drivers\InCDpass.sys
2008-04-07 13:57 . 2006-01-16 18:41 8,704 --------- C:\WINDOWS\system32\drivers\InCDrec.sys
2008-04-07 13:54 . 2006-01-12 16:40 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-04-07 13:54 . 2008-04-07 13:57 1,024 --ah----- C:\Documents and Settings\Default User\NtUser.dat.LOG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-07 14:58 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9DFA498A-033E-43E5-B542-0F3B868AC140}]
2001-08-23 08:00 88064 --a------ C:\WINDOWS\system32\comsnape.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-04-18 20:39 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2008-04-18 20:39 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-04-18 20:39 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-25 20:28 212992]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 20:33 125168]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 16:40 155648]
"DLCJCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll" [2005-08-15 13:40 73728]
"dlcjmon.exe"="C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe" [2005-08-12 16:47 430080]
"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 964\memcard.exe" [2005-08-10 10:12 286720]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-04-02 21:07 919016]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-04 01:29]
S3 ati2mpaa;ati2mpaa;C:\WINDOWS\system32\DRIVERS\ati2mpaa.sys [2001-08-17 08:48]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 18:49:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCJCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-24 18:52:44
ComboFix-quarantined-files.txt 2008-04-24 22:52:20

Pre-Run: 13,942,194,176 bytes free
Post-Run: 13,927,563,264 bytes free

198 --- E O F --- 2008-04-20 04:12:19
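The ComboFix log above is what teacup reads before writing the fix in her next post: the "Files Created" block, the "Reg Loading Points" block, and the Security Center and firewall settings ComboFix lists there. Three things stand out in it. comsnape.dll was created on 2008-04-16 yet carries the modification time of the stock Windows XP system files (2001-08-23 08:00 in this log's GMT -4 zone), it sits directly in system32 rather than under Program Files, and it is registered as a Browser Helper Object with no name. The DisableMonitoring and EnableFirewall=0 entries, by contrast, are what a third-party suite such as Symantec AntiVirus plus ZoneAlarm normally sets, which is why they were not treated as findings. The Python below is an added example, not code from the thread or from ComboFix: it parses a constructed excerpt of the log (lines copied from post #3) and applies those checks. The 30-day creation window, the system32 filter and the exact XP timestamp string are assumptions for this sample; on another machine the stamp would show in that machine's local time.

```python
import re
from datetime import datetime

# Constructed excerpt of a ComboFix log. Every line is copied from the log in
# post #3 above; the surrounding lines were dropped to keep the sample short.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.

2008-04-19 09:22 . 2007-07-09 09:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-18 18:50 . 2006-03-16 20:38 28,672 --------- C:\WINDOWS\system32\verclsid.exe
2008-04-16 18:34 . 2001-08-23 08:00 88,064 --a------ C:\WINDOWS\system32\comsnape.dll
2008-04-07 13:54 . 2006-01-12 16:40 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9DFA498A-033E-43E5-B542-0F3B868AC140}]
2001-08-23 08:00 88064 --a------ C:\WINDOWS\system32\comsnape.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-04-18 20:39 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

**************************************************************************
"""

# Modification time stock Windows XP system files carry, as this log shows it
# (local time, GMT -4). Assumption: a file created days ago that wears it is
# worth a look; a file restored from the XP CD would match too.
XP_RTM_STAMP = "2001-08-23 08:00"

# created . modified size attrs path
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>\S{9})\s+(?P<path>.+?)\s*$"
)


def section(text, title):
    """Lines of the ComboFix section whose '((((' banner contains `title`."""
    out, inside = [], False
    for line in text.splitlines():
        if line.startswith("(((") and title in line:
            inside = True
            continue
        if inside and (line.startswith("(((") or line.startswith("****")):
            break
        if inside:
            out.append(line)
    return out


def parse_files_created(text):
    return [m.groupdict() for m in map(FILE_LINE.match, section(text, "Files Created")) if m]


def parse_reg_points(text):
    """Map each [key] in 'Reg Loading Points' to the raw lines listed under it."""
    keys, current = {}, None
    for line in section(text, "Reg Loading Points"):
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = []
        elif current and line:
            keys[current].append(line)
    return keys


def suspicious_system32_files(entries, scan_time, max_age_days=30):
    """Files created within `max_age_days` of the scan, directly under system32
    (dllcache excluded, since hotfixes legitimately drop old-dated files there),
    whose modification time is the stock XP stamp."""
    scanned = datetime.strptime(scan_time, "%Y-%m-%d %H:%M")
    flagged = []
    for e in entries:
        path = e["path"].lower()
        if e["size"] == "<DIR>" or "\\dllcache\\" in path:
            continue
        if not path.startswith("c:\\windows\\system32\\"):
            continue
        age = scanned - datetime.strptime(e["created"], "%Y-%m-%d %H:%M")
        if e["modified"] == XP_RTM_STAMP and age.days <= max_age_days:
            flagged.append(e["path"])
    return flagged


def bho_dlls(reg):
    """CLSID -> DLL path for every Browser Helper Object ComboFix listed."""
    out = {}
    for key, lines in reg.items():
        if "browser helper objects" not in key.lower():
            continue
        for line in lines:
            m = re.search(r"([A-Za-z]:\\.+)$", line)
            if m:
                out[key.rsplit("\\", 1)[-1]] = m.group(1).strip()
    return out


def security_center_review(reg):
    """Settings that silence Security Center or the Windows Firewall. Third-party
    suites (Symantec and ZoneAlarm here) set these themselves, so this is a list
    to confirm with the user, not a verdict."""
    findings = []
    for key, lines in reg.items():
        k = key.lower()
        for line in lines:
            l = line.lower()
            if "security center\\monitoring" in k and l.startswith('"disablemonitoring"') and l.endswith("dword:00000001"):
                findings.append((key.rsplit("\\", 1)[-1], "Security Center monitoring disabled"))
            if "firewallpolicy" in k and l.startswith('"enablefirewall"') and "= 0" in l:
                findings.append(("WindowsFirewall", "Windows Firewall profile disabled"))
    return findings


if __name__ == "__main__":
    entries = parse_files_created(SAMPLE_LOG)
    reg = parse_reg_points(SAMPLE_LOG)
    print("timestamp anomalies:", suspicious_system32_files(entries, "2008-04-24 18:43"))
    print("BHO DLLs:", bho_dlls(reg))
    print("settings to confirm:", security_center_review(reg))
```

Run against the sample, the only timestamp anomaly is comsnape.dll, which is also the only BHO loading from outside Program Files; the two Security Center items come back as things to confirm, matching how the thread treated them.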

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 24 April 2008 - 06:44 PM

Hello,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9DFA498A-033E-43E5-B542-0F3B868AC140}]

File::
C:\WINDOWS\system32\comsnape.dll


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks,
tea
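The script in the post above is the mechanical half of the fix: once the O2 line from the HijackThis log in post #1 has been judged, its CLSID becomes a Registry:: deletion (the leading "-" inside the brackets tells ComboFix to remove the key) and its DLL path goes under File::. The Python below is an added example, not code from the thread, HijackThis or ComboFix. It parses the O2 lines from a constructed excerpt of post #1's log, picks out the BHOs a helper would examine first (no registered name, or a DLL loading from outside Program Files), and emits a CFScript in the layout teacup posted. Assumptions: Program Files as the trusted install root, and the `~` shorthand copied from her script, which is ComboFix's abbreviation of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects.

```python
import re

# Constructed excerpt of the HijackThis log in post #1: its three O2 lines, verbatim.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9DFA498A-033E-43E5-B542-0F3B868AC140} - C:\WINDOWS\system32\comsnape.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
"""

# O2 - BHO: <name> - {CLSID} - <dll path>
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+?)\s*$"
)

# Assumption: vendor BHOs install under Program Files; anything else gets a second look.
TRUSTED_ROOTS = ("c:\\program files\\",)

# ComboFix's log shorthand, copied from the script in post #4; the full key is
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects.
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"


def parse_bhos(text):
    """Every O2 line as {name, clsid, path}."""
    return [m.groupdict() for m in map(O2_LINE.match, map(str.strip, text.splitlines())) if m]


def review_bhos(bhos):
    """BHOs a helper would examine first, each with the reasons it was picked.
    Neither reason is proof on its own: legitimate BHOs sometimes register no
    name, and the decision to remove belongs to whoever directs the cleanup."""
    flagged = []
    for b in bhos:
        reasons = []
        if b["name"] == "(no name)":
            reasons.append("no registered name")
        if not b["path"].lower().startswith(TRUSTED_ROOTS):
            reasons.append("DLL outside Program Files")
        if reasons:
            flagged.append({**b, "reasons": reasons})
    return flagged


def build_cfscript(flagged):
    """CFScript text in the layout of post #4: a Registry:: block that deletes
    each BHO's registration key ('-' prefix) and a File:: block for its DLL."""
    reg_lines = [f"[-{BHO_KEY}\\{b['clsid']}]" for b in flagged]
    file_lines = [b["path"] for b in flagged]
    return "Registry::\n" + "\n".join(reg_lines) + "\n\nFile::\n" + "\n".join(file_lines) + "\n"


if __name__ == "__main__":
    picked = review_bhos(parse_bhos(SAMPLE_HJT))
    for b in picked:
        print(f"{b['clsid']} {b['path']}: {', '.join(b['reasons'])}")
    print(build_cfscript(picked))
```

On the sample it flags only the comsnape.dll entry, for both reasons, and the generated script is character for character the one in the post above. Keep teacup's warning from post #2 in mind: a CFScript built this way is a draft for a helper to check, not something to drag onto ComboFix unreviewed, because File:: deletes whatever path it is given.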

#5 Nancy V

Nancy V
  • Topic Starter

  • Members
  • 33 posts

Posted 24 April 2008 - 08:18 PM

As per your request, Combofix then new HJT

ComboFix 08-04-22.5 - nj 2008-04-24 20:57:56.3 - NTFSx86
Running from: C:\Documents and Settings\nj\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.

2008-04-22 19:08 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-22 19:08 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-22 19:08 . 2008-04-14 19:28 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-22 19:08 . 2008-04-21 10:01 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-22 19:08 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-22 19:08 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-22 19:08 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-21 23:11 . 2008-04-21 23:19 <DIR> d-------- C:\fixwareout
2008-04-21 20:08 . 2008-04-22 19:25 2,390 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-19 23:50 . 2006-08-21 05:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-04-19 23:50 . 2006-08-21 05:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-04-19 23:50 . 2006-08-21 08:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-04-19 23:44 . 2008-04-19 23:44 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-19 09:22 . 2007-07-09 09:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-19 09:19 . 2006-12-26 09:07 536,576 -----c--- C:\WINDOWS\system32\dllcache\msado15.dll
2008-04-19 09:19 . 2006-12-26 09:07 200,704 -----c--- C:\WINDOWS\system32\dllcache\msadox.dll
2008-04-19 09:19 . 2006-12-26 09:07 180,224 -----c--- C:\WINDOWS\system32\dllcache\msadomd.dll
2008-04-19 09:19 . 2006-12-26 09:07 102,400 -----c--- C:\WINDOWS\system32\dllcache\msjro.dll
2008-04-18 23:22 . 2006-10-13 06:23 163,584 -----c--- C:\WINDOWS\system32\dllcache\nwrdr.sys
2008-04-18 23:22 . 2006-10-13 08:35 142,336 -----c--- C:\WINDOWS\system32\dllcache\nwprovau.dll
2008-04-18 23:22 . 2006-10-13 08:35 65,536 -----c--- C:\WINDOWS\system32\dllcache\nwwks.dll
2008-04-18 23:12 . 2007-06-26 02:08 1,104,896 -----c--- C:\WINDOWS\system32\dllcache\msxml3.dll
2008-04-18 23:09 . 2008-03-19 05:47 1,845,248 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-04-18 23:09 . 2007-03-08 11:36 577,536 -----c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-04-18 23:09 . 2006-06-14 04:47 172,416 -----c--- C:\WINDOWS\system32\dllcache\kmixer.sys
2008-04-18 23:09 . 2006-05-19 08:59 111,616 -----c--- C:\WINDOWS\system32\dllcache\dhcpcsvc.dll
2008-04-18 23:09 . 2006-05-19 08:59 94,720 -----c--- C:\WINDOWS\system32\dllcache\iphlpapi.dll
2008-04-18 23:09 . 2006-06-14 05:00 82,944 -----c--- C:\WINDOWS\system32\dllcache\wdmaud.sys
2008-04-18 23:09 . 2007-03-08 11:36 40,960 -----c--- C:\WINDOWS\system32\dllcache\mf3216.dll
2008-04-18 23:09 . 2006-06-14 04:47 6,400 -----c--- C:\WINDOWS\system32\dllcache\splitter.sys
2008-04-18 23:08 . 2007-10-29 18:43 1,287,680 -----c--- C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-18 23:06 . 2007-12-18 10:40 450,560 -----c--- C:\WINDOWS\system32\dllcache\jscript.dll
2008-04-18 23:06 . 2007-12-18 10:40 417,792 -----c--- C:\WINDOWS\system32\dllcache\vbscript.dll
2008-04-18 22:43 . 2008-04-18 22:43 <DIR> d-------- C:\Documents and Settings\nj\Application Data\Malwarebytes
2008-04-18 22:42 . 2008-04-18 22:43 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-18 22:42 . 2008-04-18 22:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-18 22:41 . 2008-04-18 22:41 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-18 22:17 . 2008-04-18 22:17 <DIR> d-------- C:\VundoFix Backups
2008-04-18 20:42 . 2008-04-24 20:47 2,072,608 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-18 20:42 . 2008-04-24 20:47 25,052 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-18 20:39 . 2008-04-18 20:39 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-04-18 20:38 . 2008-04-18 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-18 20:37 . 2008-04-02 21:07 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-04-18 20:37 . 2004-04-27 05:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-04-18 20:37 . 2008-04-18 20:39 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-04-18 20:36 . 2008-04-18 20:37 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-04-18 20:36 . 2008-04-18 20:36 <DIR> d-------- C:\Program Files\Zone Labs
2008-04-18 20:36 . 2008-04-02 21:07 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-04-18 20:36 . 2008-04-24 20:48 352,918 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-04-18 20:35 . 2008-04-24 20:53 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-04-18 20:10 . 2008-02-20 02:51 282,624 -----c--- C:\WINDOWS\system32\dllcache\gdi32.dll
2008-04-18 20:06 . 2008-02-20 01:32 45,568 -----c--- C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-04-18 19:55 . 2008-04-18 19:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-18 19:02 . 2008-04-18 22:59 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-18 19:02 . 2008-04-18 22:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-18 18:51 . 2007-02-28 05:10 2,180,352 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-04-18 18:51 . 2007-02-28 05:08 2,136,064 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-04-18 18:51 . 2007-02-28 04:38 2,057,600 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-04-18 18:51 . 2007-02-28 04:38 2,015,744 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-04-18 18:50 . 2006-06-22 01:06 1,435,648 -----c--- C:\WINDOWS\system32\dllcache\query.dll
2008-04-18 18:50 . 2007-06-13 06:23 1,033,216 -----c--- C:\WINDOWS\system32\dllcache\explorer.exe
2008-04-18 18:50 . 2006-11-27 10:54 539,136 -----c--- C:\WINDOWS\system32\dllcache\msftedit.dll
2008-04-18 18:50 . 2006-11-27 10:54 433,152 -----c--- C:\WINDOWS\system32\dllcache\riched20.dll
2008-04-18 18:50 . 2006-08-17 08:28 332,288 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-04-18 18:50 . 2007-03-17 09:43 292,864 -----c--- C:\WINDOWS\system32\dllcache\winsrv.dll
2008-04-18 18:50 . 2007-04-25 10:21 144,896 -----c--- C:\WINDOWS\system32\dllcache\schannel.dll
2008-04-18 18:50 . 2006-08-17 08:28 132,096 -----c--- C:\WINDOWS\system32\dllcache\wkssvc.dll
2008-04-18 18:50 . 2006-06-22 01:06 69,120 -----c--- C:\WINDOWS\system32\dllcache\ciodm.dll
2008-04-18 18:50 . 2006-03-16 20:38 28,672 --------- C:\WINDOWS\system32\verclsid.exe
2008-04-18 18:47 . 2007-04-16 11:52 984,576 -----c--- C:\WINDOWS\system32\dllcache\kernel32.dll
2008-04-18 18:47 . 2006-05-05 05:41 453,120 -----c--- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2008-04-18 18:47 . 2006-05-05 05:47 174,592 -----c--- C:\WINDOWS\system32\dllcache\rdbss.sys
2008-04-18 18:44 . 2008-04-20 00:11 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-18 18:19 . 2008-04-18 18:36 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-18 17:55 . 2008-04-18 17:55 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-18 17:55 . 2008-04-18 17:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-18 17:54 . 2008-04-18 17:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-14 22:59 . 2008-04-14 23:00 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-14 22:58 . 2008-04-14 22:58 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-04-14 19:20 . 2008-04-14 19:20 0 --a------ C:\WINDOWS\vpc32.INI
2008-04-13 11:59 . 2008-04-13 11:59 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-04-13 11:59 . 2008-04-13 11:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-04-13 11:58 . 2008-04-13 11:59 <DIR> d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-04-13 11:56 . 2008-04-13 11:56 <DIR> d-------- C:\Documents and Settings\nj\Application Data\Jasc Software Inc
2008-04-13 11:55 . 2008-04-13 11:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-04-13 11:54 . 2008-04-13 11:56 <DIR> d-------- C:\Program Files\Jasc Software Inc
2008-04-13 11:54 . 2008-04-13 11:54 <DIR> d-------- C:\Program Files\Common Files\Jasc Software Inc
2008-04-13 11:54 . 2008-04-13 11:59 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-04-13 11:53 . 2008-04-13 12:00 <DIR> d-------- C:\Program Files\Dell Photo AIO Printer 964
2008-04-13 11:53 . 2008-04-13 12:00 12,389 --a------ C:\WINDOWS\system32\LexFiles.ulf
2008-04-13 11:52 . 2008-04-21 22:31 <DIR> d-------- C:\Program Files\Dl_cats
2008-04-13 11:52 . 2005-07-22 11:54 40,960 -ra------ C:\WINDOWS\system32\dlcjvs.dll
2008-04-13 11:51 . 2005-06-01 12:53 69,632 -ra------ C:\WINDOWS\system32\dlcjcfg.dll
2008-04-13 11:51 . 2005-08-25 14:15 1,448 -ra------ C:\WINDOWS\system32\dlcj.loc
2008-04-12 19:35 . 2008-04-12 19:35 <DIR> d-------- C:\Program Files\MFInstall
2008-04-12 12:15 . 2004-08-04 02:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-12 12:15 . 2004-08-04 02:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-12 12:15 . 2004-08-04 02:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-04-10 18:13 . 2008-04-20 10:06 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-04-09 21:14 . 2008-04-09 21:14 <DIR> d-------- C:\Documents and Settings\nj\Application Data\Snapfish
2008-04-08 22:22 . 2008-04-19 13:37 <DIR> d-------- C:\Program Files\Google
2008-04-08 19:58 . 2004-08-04 02:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-04-08 19:58 . 2004-08-04 02:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-04-08 19:58 . 2004-08-04 03:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-04-08 19:58 . 2004-08-04 03:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-04-07 14:01 . 2008-04-07 14:01 <DIR> d-------- C:\Documents and Settings\nj\Application Data\Simple Star
2008-04-07 14:01 . 2004-11-17 17:24 421,888 --a------ C:\WINDOWS\Nero PhotoShow.scr
2008-04-07 13:59 . 2008-04-07 14:01 <DIR> d-------- C:\Program Files\Nero
2008-04-07 13:59 . 2008-04-10 18:13 <DIR> d-------- C:\Documents and Settings\nj\Application Data\Ahead
2008-04-07 13:59 . 2004-05-14 11:12 1,916,928 --------- C:\WINDOWS\UNNVEContent.exe
2008-04-07 13:59 . 2004-11-30 13:14 67,990 --------- C:\WINDOWS\UNNVEContent.cfg
2008-04-07 13:58 . 2004-05-14 11:12 1,916,928 --------- C:\WINDOWS\UNAheadManual.exe
2008-04-07 13:58 . 2004-05-06 05:06 33,193 --------- C:\WINDOWS\UNAheadManual.cfg
2008-04-07 13:57 . 2008-04-07 13:57 <DIR> d-------- C:\WINDOWS\InCD
2008-04-07 13:57 . 2005-12-09 10:02 3,051,520 --------- C:\WINDOWS\UNNMP.exe
2008-04-07 13:57 . 2006-01-12 08:51 3,051,520 --------- C:\WINDOWS\UNMRW.exe
2008-04-07 13:57 . 2006-01-17 11:09 102,016 --------- C:\WINDOWS\system32\drivers\InCDfs.sys
2008-04-07 13:57 . 2006-04-13 11:26 55,770 --------- C:\WINDOWS\UNMRW.cfg
2008-04-07 13:57 . 2006-04-13 11:26 46,251 --------- C:\WINDOWS\UNNMP.cfg
2008-04-07 13:57 . 2006-01-17 05:09 32,640 --------- C:\WINDOWS\system32\drivers\InCDrm.sys
2008-04-07 13:57 . 2006-01-17 11:09 29,440 --------- C:\WINDOWS\system32\drivers\InCDpass.sys
2008-04-07 13:57 . 2006-01-16 18:41 8,704 --------- C:\WINDOWS\system32\drivers\InCDrec.sys
2008-04-07 13:54 . 2006-01-12 16:40 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-04-07 13:54 . 2008-04-07 13:57 1,024 --ah----- C:\Documents and Settings\Default User\NtUser.dat.LOG
2008-04-07 13:53 . 2008-04-07 13:53 <DIR> d-------- C:\Program Files\Common Files\Nero

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-07 14:58 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-24_18.51.27.34 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-24 21:17:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-25 00:48:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-04-18 20:39 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2008-04-18 20:39 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-04-18 20:39 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-25 20:28 212992]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 20:33 125168]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 16:40 155648]
"DLCJCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll" [2005-08-15 13:40 73728]
"dlcjmon.exe"="C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe" [2005-08-12 16:47 430080]
"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 964\memcard.exe" [2005-08-10 10:12 286720]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-04-02 21:07 919016]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-04 01:29]
S3 ati2mpaa;ati2mpaa;C:\WINDOWS\system32\DRIVERS\ati2mpaa.sys [2001-08-17 08:48]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 21:05:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCJCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-24 21:08:18
ComboFix-quarantined-files.txt 2008-04-25 01:07:53
ComboFix2.txt 2008-04-25 00:44:16
ComboFix3.txt 2008-04-24 22:52:47

Pre-Run: 13,893,627,904 bytes free
Post-Run: 13,882,761,216 bytes free

200 --- E O F --- 2008-04-20 04:12:19



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:43 PM, on 4/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Dell Photo AIO Printer 964\memcard.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dlcjcoms.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DLCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcjmon.exe] "C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 964\memcard.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1207583759842
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://rdesk.tekmarkinc.com/msrdp.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dlcj_device - Unknown owner - C:\WINDOWS\system32\dlcjcoms.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5317 bytes

#6 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 24 April 2008 - 09:20 PM

Hello,

Thank you for that. :thumbsup: How is it running? Any different?

Please download F-Secure Blacklight (fsbl.exe) and save to your C:\ drive.
  • Open a command window by going to Start > Run and typing: cmd
  • Copy/paste or type the following in the command window: C:\fsbl.exe /expert
  • Hit "Enter" to start the program and then close the cmd box.
  • Accept the user agreement and click "Next".
  • Click "Scan".
  • After the scan is complete, click "Next", then "Exit".
  • BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
  • The log will have a list of all items found. Do not choose to rename any yet!
    I want to see the log first because legitimate items can also be present...like "wbemtest.exe" and "tcptest.exe".
  • Exit Blacklight and post the contents of the log in your next reply.
Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#7 Nancy V
  • Topic Starter
  • Members
  • 33 posts

Posted 25 April 2008 - 10:21 AM

Heck yeah, there's a change. You rock. I did a search for Victoria's Secret, clicked on the official web page and it brought me to the site instead of an ad site!

I'll do the above and post back!

#8 Nancy V
  • Topic Starter
  • Members
  • 33 posts

Posted 25 April 2008 - 11:03 AM

Here you go. It didn't find anything during the scan.


04/25/08 11:24:50 [Info]: BlackLight Engine 1.0.70 initialized
04/25/08 11:24:50 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/25/08 11:24:50 [Note]: 7019 4
04/25/08 11:24:50 [Note]: 7005 0
04/25/08 11:24:59 [Note]: 7006 0
04/25/08 11:24:59 [Note]: 7022 0
04/25/08 11:25:00 [Note]: 7011 1296
04/25/08 11:25:00 [Note]: 7035 0
04/25/08 11:25:00 [Note]: 7026 0
04/25/08 11:25:00 [Note]: 7026 0
04/25/08 11:25:11 [Note]: FSRAW library version 1.7.1024
04/25/08 11:56:41 [Note]: 7007 0

#9 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 25 April 2008 - 11:26 AM

Excellent....so your original problems are gone then? Your last log looks good, but it isn't a tell all and I want to be sure. :thumbsup:

tea

#10 Nancy V
  • Topic Starter
  • Members
  • 33 posts

Posted 25 April 2008 - 03:32 PM

Evil Antispywaremaster is gone and browser hijacking is gone and it's not taking a year and a day to connect online. So I think I'm good :thumbsup:

Here is what I have on my computer for protection - is it enough?

Zone Alarm
Norton AntiVirus
AdAware
Windows Firewall

Should I delete these?
HJT
Combofix
Smitfraudfix
Malwarebytes

#11 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 25 April 2008 - 11:51 PM

Hi there,

Excellent. :thumbsup:

Yes, you can delete the tools we used to get the system clean, and be sure to delete the folder that ComboFix created, C:\Qoobox.

I'll tell you what I tell everyone as far as prevention goes. :blink:

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

You should definitely maintain a firewall. Some good free firewalls are Kerio, or Outpost. I use Comodo on my own system and really like it. http://comodo.com
A tutorial on understanding and using firewalls may be found here.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Take care!
tea

#12 Nancy V
  • Topic Starter
  • Members
  • 33 posts

Posted 26 April 2008 - 08:22 PM

Hi Teacup,

I did as you suggested. Thank you again for your expert help, I truly appreciate it...and so does my new computer.

Nancy



