Troj_asprox.a, Maybe More


This topic is locked
3 replies to this topic

#1 MacPiper
Posted 20 May 2008 - 03:24 PM

Last week my computer started trying to SPAM. NAV2006 appeared to be scanning emails; not sure if they actually went out.
NAV2006 updated and didn't find any viruses. Ad-Aware didn't find anything unusual either. Researching my running process list, I found aspimgr.exe and found a way to stop the process and delete it and other suspect items. Through the research I discovered that regedit.exe won't load from "Run". Can't find the file in Windows search either.
A day later, NAV2006 updated again and then found the virus and fixed it.
Today I ran SDFix and it again found aspimgr.exe and deleted it (log file below).
I also ran HJT (log file below).
I tried to run DSS, but it won't load.

Running Windows 2000 Professional.

Please help me recover.


SDFix: Version 1.184
Run by Randy on Tue 05/20/2008 at 10:32a

Microsoft Windows 2000 [Version 5.00.2195]
Running From: C:\SDFix

Checking Services :

Name :
aspimgr

Path :
C:\WINDOWS\system32\aspimgr.exe

aspimgr - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\s32.txt - Deleted
C:\WINDOWS\system32\cdplayer.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth

malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 11:05:00
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 27 Sep 2001 39,936 ...H. --- "C:\Program Files\InstallShield Installation Information\guid.exe"
Sun 19 Aug 2007 56,832 A.SH. --- "C:\Program Files\Outlook Express\MSIMN.EXE"
Tue 15 Nov 2005 78,104 ..SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"
Tue 15 Nov 2005 12,912 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"
Thu 3 Jul 2003 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Mon 20 Jan 2003 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg_old.reg"
Mon 20 Jan 2003 12,368 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient_old.reg"
Thu 3 Jul 2003 12,368 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Tue 5 Dec 2006 279,552 ...H. --- "C:\Documents and Settings\randy\Application Data\Microsoft\Word\~WRL2466.tmp"
Tue 5 Dec 2006 40,960 ...H. --- "C:\Documents and Settings\randy\Application Data\Microsoft\Word\~WRL2596.tmp"
Tue 5 Dec 2006 46,080 ...H. --- "C:\Documents and Settings\randy\Application Data\Microsoft\Word\~WRL2691.tmp"
Tue 5 Dec 2006 45,056 ...H. --- "C:\Documents and Settings\randy\Application Data\Microsoft\Word\~WRL4008.tmp"
Thu 19 Apr 2007 179,712 ...H. --- "C:\Documents and Settings\randy\My Documents-RANDY\National power biz\QUOTES\Misc Customers\Time Warner\~WRL1769.tmp"

Finished!



HJT 1st log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:07:38 PM, on 5/20/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\msdtc.exe
C:\Documents and Settings\randy\Desktop\dss.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\TRENDM~1\HIJACK~1\Randy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.natpow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/ac...supportutil.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {11B2C0D3-DFFB-11D3-9253-00500498D7E5} (ShowSetupObj5 Class) - http://invite.mshow.com/(3tu3gvvzbf0jyc45z.../ShowSetup5.cab
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - http://www.isqft.com/Applets/ScriptX/ScriptX.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwcc.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {42D5A794-9AD1-4409-950B-C8B9EB1282B0} (TiffPrint Class) - http://www.rdfs.com/contentexplorer/covi/VipTiffPrint.dll
O16 - DPF: {4571C6A3-CB9E-11D0-BDE2-0000F4B02CED} (Cincom Rich Client) - http://configurator.apcc.com/products/powe...s/attarxinf.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/01a884c88a783d...ip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192538681686
O16 - DPF: {6FB9FE59-7D3B-483D-9909-C870BE5AFA1F} (DiskHealth Class) - http://www.pcpitstop.com/pcpitstop/diskhealth.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www42.wirelesssync.vzw.com/en/SyncInstall.cab
O16 - DPF: {90144009-ADA3-4615-BFFC-D38A5D8E60AD} (VipPrtEm Control) - http://www.rdfs.com/contentexplorer/covi/VipPrtEm.ocx
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4019/ftp...23/cpbrkpie.cab
O16 - DPF: {AA5EB1A7-E492-4F88-9989-0AB26B52F4A6} (RZHelper Class) - http://portal.relizon.com/wlcs/controls/RZOFFICE.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedCon...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://attewc.webex.com/client/v_mywebex-p...ent/ieatgpc.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

--
End of file - 9309 bytes

HJT Startup List log:
StartupList report, 5/20/2008, 4:24:10 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\Userinit.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
SDFix = C:\SDFix\RunThis.bat /second

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD}
(no name) - c:\program files\google\googletoolbar3.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - (no file) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Run Full System Scan - Randy.job

--------------------------------------------------

Enumerating Download Program Files:

[symsupportutil]
CODEBASE = https://www-secure.symantec.com/techsupp/ac...supportutil.CAB
OSD = C:\WINDOWS\Downloaded Program Files\OSD34.OSD

[Microsoft Office Template and Media Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\IEAWSDC.DLL
CODEBASE = http://office.microsoft.com/templates/ieawsdc.cab

[Office Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\OGACheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=58813

[PlxInstall Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PlaxoInstall.dll
CODEBASE = http://down.plaxo.com/down/release/PlaxoInstall.cab

[PCPitstop Utility]
InProcServer32 = C:\WINDOWS\DOWNLO~1\PCPITS~1.DLL
CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab

[ShowSetupObj5 Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ShowSetup.dll
CODEBASE = http://invite.mshow.com/(3tu3gvvzbf0jyc45z.../ShowSetup5.cab

[HPSDDX Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\sdd.dll
CODEBASE = http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab

[MeadCo ScriptX]
InProcServer32 = C:\WINDOWS\System32\MCScripX.dll
CODEBASE = http://www.isqft.com/Applets/ScriptX/ScriptX.cab
OSD = C:\WINDOWS\Downloaded Program Files\ScriptX.osd

[LSSupCtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\LSSupCtl.dll
CODEBASE = https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab

[ChainCast VMR Client Proxy]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ccpm_0237.dll
CODEBASE = http://64.124.45.181/downloads/ccpm_0237.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

[Quicksilver Class]
CODEBASE = http://scpwcc.ops.placeware.com/etc/place/...quicksilver.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc3.cab

[TiffPrint Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\VipTiffPrint.dll
CODEBASE = http://www.rdfs.com/contentexplorer/covi/VipTiffPrint.dll

[Cincom Rich Client]
InProcServer32 = C:\DOCUME~1\randy\ISXDES~1\attarx.ocx
CODEBASE = http://configurator.apcc.com/products/powe...s/attarxinf.cab

[Malicious Software Removal Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\WebCleaner.dll
CODEBASE = http://download.microsoft.com/download/5/c.../WebCleaner.cab

[OPUCatalog Class]
InProcServer32 = C:\WINDOWS\system32\opuc.dll
CODEBASE = http://office.microsoft.com/productupdates/content/opuc.cab

[RdxIE Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll
CODEBASE = http://software-dl.real.com/01a884c88a783d...ip/RdxIE601.cab

[OPUCatalog Class]
InProcServer32 = C:\WINDOWS\System32\opuc.dll
CODEBASE = http://office.microsoft.com/productupdates/content/opuc.cab

[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://www.update.microsoft.com/microsoftu...b?1192538681686

[DiskHealth Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\diskhealth.dll
CODEBASE = http://www.pcpitstop.com/pcpitstop/diskhealth.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

[Installer Class]
CODEBASE = https://www42.wirelesssync.vzw.com/en/SyncInstall.cab

[VipPrtEm Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\VipPrtEm.ocx
CODEBASE = http://www.rdfs.com/contentexplorer/covi/VipPrtEm.ocx

[cpbrkpie Control]
InProcServer32 = C:\WINDOWS\cpbrkpie.ocx
CODEBASE = http://a19.g.akamai.net/7/19/7125/4019/ftp...23/cpbrkpie.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...B?37629.3178125

[RZHelper Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rzoffice.ocx
CODEBASE = http://portal.relizon.com/wlcs/controls/RZOFFICE.CAB

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/SSC/SharedCon...n/bin/cabsa.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc4.cab

[ActiveDataInfo Class]
InProcServer32 = C:\PROGRA~1\COMMON~1\SYMANT~1\SymAData.dll
CODEBASE = https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9e.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

[GpcContainer Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\ieatgpc.dll
CODEBASE = https://attewc.webex.com/client/v_mywebex-p...ent/ieatgpc.cab

[{E77C0D62-882A-456F-AD8F-7C6C9569B8C7}]
CODEBASE = https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

[Live Collaboration]
InProcServer32 = C:\WINDOWS\DOWNLO~1\RntX.dll
CODEBASE = https://rr.esecurecare.net/rnt/rnl/java/RntX.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll||C:\Config.Msi\c96471.rbf||C:\Config.Msi\c96480.rbf||C:\Config.Msi\c96482.rbf||C:\Config.Msi\c96486.rbf||C:\Config.Msi\c96487.rbf||C:\Config.Msi\c96488.rbf||C:\Config.Msi\c9648c.rbf|||.

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINDOWS\system32\NETSHELL.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 11,064 bytes
Report generated in 0.351 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
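
Added example (editor's note, not part of the original post and not HijackThis code): the HijackThis log above no longer shows the aspimgr service that SDFix removed, but a few entries still deserve a look before the machine is declared clean. The script below runs a handful of triage heuristics over entry lines copied from that log. The rules are assumptions chosen for this write-up, not anything HijackThis itself applies: an O2 BHO whose file is "(no file)" is an orphaned registration; an O4 Run entry whose target lies outside Program Files or Windows is unusual (here it is the SDFix second-stage batch file, which is expected); an O10 LSP that HijackThis does not recognise needs the file itself checked; an O16 ActiveX CODEBASE served from a bare IP address is worth a second look; an O23 service with "Unknown owner" has no vendor string and should have its binary's signature checked. The output is a list for a human, not a verdict. nwprovau.dll, for instance, is the filename of Microsoft's NetWare client provider, but only inspecting the file on disk confirms that the file at that path is the genuine one.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: a subset of entry lines copied from the HijackThis log posted above.
SAMPLE_HJT = r"""
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

# HijackThis entry lines start with a section code (R0, F2, O2, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")

# Autostart targets under these prefixes are treated as expected (an assumption for this example).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\", "c:\\winnt\\")


def parse_hjt(text):
    """Yield (section, body) for every entry line; process list and headers are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def run_target(body):
    """Extract the executable path from an O4 body such as '[name] "C:\\x.exe" /arg'."""
    _, _, rest = body.partition("] ")
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]   # quoted path, arguments follow the closing quote
    return rest.split(" ", 1)[0]          # unquoted path, arguments follow the first space


def is_bare_ip(url):
    """True when the CODEBASE host is a literal IP address rather than a hostname."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(text):
    """Return (section, reason, body) for entries that deserve a human look."""
    findings = []
    for section, body in parse_hjt(text):
        if section == "O2" and body.endswith("(no file)"):
            findings.append((section, "orphaned BHO: registration remains but the DLL is gone", body))
        elif section == "O4":
            if not run_target(body).lower().startswith(TRUSTED_PREFIXES):
                findings.append((section, "Run entry outside Program Files / Windows", body))
        elif section == "O10":
            findings.append((section, "Winsock LSP not recognised by HijackThis; verify the file", body))
        elif section == "O16":
            url = body.rsplit(" - ", 1)[-1]
            if is_bare_ip(url):
                findings.append((section, "ActiveX CODEBASE served from a bare IP address", body))
        elif section == "O23" and " - Unknown owner - " in body:
            findings.append((section, "service with no vendor string; check the binary's signature", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_HJT):
        print(f"{section:<4} {reason}\n     {body}")
```

Run against the sample, the script flags five of the eight lines and leaves the two Symantec entries with a full path and vendor alone; the SDFix Run entry is flagged only because it lives in C:\SDFix, which is exactly where the poster's log says it was run from.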

#2 MacPiper (Topic Starter)
Posted 21 May 2008 - 08:14 AM

Here is a log from KAP Scan Report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, May 21, 2008 7:48:52 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/05/2008
Kaspersky Anti-Virus database records: 788626
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 51512
Number of viruses found: 2
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 11:25:48

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\randy\Application Data\Symantec\PendingAlertsQueue.log Object is locked skipped
C:\Documents and Settings\randy\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\randy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\randy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\randy\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\randy\Local Settings\Temp\IMG25B.tmp Object is locked skipped
C:\Documents and Settings\randy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\randy\ntuser.dat Object is locked skipped
C:\Documents and Settings\randy\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton AntiVirus\Savrt\0674NAV~.TMP Object is locked skipped
C:\Program Files\Norton AntiVirus\Savrt\0999NAV~.TMP Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010007.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\WINDOWS\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\WINDOWS\All Users\Application Data\Symantec\HPPAppActivity.log Object is locked skipped
C:\WINDOWS\All Users\Application Data\Symantec\HPPHomePageActivity.log Object is locked skipped
C:\WINDOWS\All Users\Application Data\Symantec\LiveUpdate\2008-05-21_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\WINDOWS\cpbrkpie.ocx Infected: not-a-virus:AdWare.Win32.Coupons skipped
C:\WINDOWS\Debug\ipsecpa.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.crmlog Object is locked skipped
C:\WINDOWS\SchedLog.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM.ALT Object is locked skipped
C:\WINDOWS\SYSTEM32\DTCLog\MSDTC.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\CIM.REP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Anyone help me?
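
Added example (editor's note, not part of the original post and not Kaspersky code): a reader of the report above has to separate three kinds of lines by eye: actual detections, "Object is locked skipped" entries, and the summary counts. The script below parses lines copied from that report and makes two checks a practitioner would want. First, both detections carry Kaspersky's "not-a-virus:" prefix, i.e. they are adware classifications, so neither one is the spam-sending component the poster described; the second hit, C:\WINDOWS\cpbrkpie.ocx, is the same file the StartupList report lists under Download Program Files as "cpbrkpie Control". Second, the locked objects include the registry hives (ntuser.dat, SAM) and the Norton logs, which the scanner never opened, so the report says nothing about what those hives contain. The line patterns and the "consistent" cross-check against the declared count are assumptions made for this example.

```python
import re

# Constructed sample: header figures and a few result lines copied from the report above.
SAMPLE_KAV_REPORT = r"""
Scan Statistics:
Total number of scanned objects: 51512
Number of viruses found: 2
Number of infected objects: 2
Number of suspicious objects: 0

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\randy\ntuser.dat Object is locked skipped
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\cpbrkpie.ocx Infected: not-a-virus:AdWare.Win32.Coupons skipped

Scan process completed.
"""

# Result lines are "<path> Infected: <detection name> <action>" or "<path> Object is locked skipped".
INFECTED_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<name>\S+)\s+(?P<action>\S+)$")
LOCKED_RE = re.compile(r"^(?P<path>.+?)\s+Object is locked\s+skipped$")
DECLARED_RE = re.compile(r"^Number of infected objects:\s*(\d+)$")

# Files whose "locked" status means the scanner never looked inside a registry hive (assumption).
HIVE_SUFFIXES = ("ntuser.dat", "\\sam", "\\security", "\\software", "\\system")


def parse_report(text):
    """Split a Kaspersky Online Scanner report into detections, locked objects and the declared count."""
    hits, locked, declared = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = INFECTED_RE.match(line)
        if m:
            hits.append({
                "path": m["path"],
                "name": m["name"],
                "action": m["action"],
                # Kaspersky prefixes adware/riskware verdicts with "not-a-virus:".
                "pua": m["name"].startswith("not-a-virus:"),
            })
            continue
        m = LOCKED_RE.match(line)
        if m:
            locked.append(m["path"])
            continue
        m = DECLARED_RE.match(line)
        if m:
            declared = int(m.group(1))
    return {
        "hits": hits,
        "locked": locked,
        "declared": declared,
        # A mismatch means the pasted report was truncated or edited.
        "consistent": declared == len(hits),
    }


def real_malware(report):
    """Detections that are not adware/riskware classifications."""
    return [h for h in report["hits"] if not h["pua"]]


def unscanned_hives(report):
    """Locked registry hives: persistence stored there was not examined by this scan."""
    return [p for p in report["locked"] if p.lower().endswith(HIVE_SUFFIXES)]


if __name__ == "__main__":
    report = parse_report(SAMPLE_KAV_REPORT)
    print("declared/parsed:", report["declared"], len(report["hits"]), "consistent:", report["consistent"])
    for h in report["hits"]:
        print(("PUA   " if h["pua"] else "MALWARE") , h["name"], h["path"], h["action"])
    print("non-PUA detections:", len(real_malware(report)))
    print("hives never opened:", unscanned_hives(report))
```

On the sample the declared count matches the two parsed detections, both are adware rather than a trojan, and both registry hives in the sample were skipped; the "skipped" action on the adware lines also means nothing was removed.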

#3 Sp0nge
Posted 17 June 2008 - 02:43 AM

Hello

Apologies for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.

Deckard's System Scanner (DSS)

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.


Kaspersky Webscanner

Next
Please do an online scan with Kaspersky WebScanner

Click on Accept Button

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK.
  • Now under select a target to scan: Select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Thanks

#4 don77 (Forum Regular)
Posted 24 June 2008 - 08:42 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



