Virtumonde.dll Ident By Spybot, Help Remove Please


  • This topic is locked
10 replies to this topic

#1 elleren

  • Members
  • 5 posts
  • Gender:Male
  • Location:vermont

Posted 23 May 2008 - 05:03 PM

I have run Spybot S&D on this system and it removed a load of stuff but failed to remove Virtumonde. I then attempted to find info online and came up with this site. Thanks in advance.
Joe

Deckard's System Scanner v20071014.68
Run by jlucia on 2008-05-23 17:33:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as jlucia.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:34:56 PM, on 5/23/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\WINNT\system32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\ICA Client\ssonsvr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\explorer.exe
C:\dss\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\jlucia.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {18F4FBD5-CDE8-492C-9365-1912378EECFE} - C:\WINNT\system32\fccaBTjk.dll
O2 - BHO: 566828 helper - {220A105A-16EE-44C1-A4C8-AD76C709FC1D} - C:\WINNT\system32\566828\566828.dll
O2 - BHO: QXK Rhythm - {831C798D-F9AD-4659-8625-63F2A439F439} - C:\WINNT\nldfmtappek.dll
O2 - BHO: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - iSecurity.cpl (file missing)
O2 - BHO: (no name) - {C8E324F9-0EBD-4B86-A225-8ADF7E2FE1F5} - C:\WINNT\system32\cbXRIcCU.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: gktxaspm - {C9A66198-D585-4160-A963-A889176926B0} - C:\DOCUME~1\JLUCIA~1.LAB\LOCALS~1\Temp\ac8zt2\gktxaspm.dll (file missing)
O3 - Toolbar: gktxaspm - {6E90A503-DDFD-4CC5-9628-0391A05E7212} - C:\DOCUME~1\JLUCIA~1.LAB\LOCALS~1\Temp\ac8zt2\gktxaspm.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [iSecurity applet] rundll32.exe iSecurity.cpl,SecurityMonitor
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = labor1.labor.state.vt.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = labor1.labor.state.vt.us
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = labor1.labor.state.vt.us
O20 - AppInit_DLLs: iSecurity.cpl
O20 - Winlogon Notify: fccaBTjk - C:\WINNT\SYSTEM32\fccaBTjk.dll
O21 - SSODL: AlrtUnknown - {06d676ce-f0fd-45bc-97e7-24b3e360ba88} - C:\WINNT\Resources\AlrtUnknown.dll
O21 - SSODL: gnowmebk - {B3420D69-1459-4D4C-89C9-2A053542D43D} - C:\WINNT\gnowmebk.dll
O21 - SSODL: pxgdslro - {59F118D3-C933-4F9A-8DAC-95B5BC574C69} - C:\WINNT\pxgdslro.dll (file missing)
O21 - SSODL: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - iSecurity.cpl (file missing)
O21 - SSODL: PreBootCheck - {a67389bd-eaf9-469b-aaba-aac10ecfd31a} - C:\WINNT\Resources\CDCheck.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\system32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

--
End of file - 4990 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 ClntMgmt.sys (ClntMgmt) - c:\winnt\system32\drivers\clntmgmt.sys <Not Verified; Compaq Computer Corp; Compaq Client Management Driver>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\winnt\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
R2 cpqdfw (Diagnostics Driver) - c:\winnt\system32\drivers\cpqdfw.sys
R2 cpqdiag (Compaq Diagnostics Driver) - c:\winnt\system32\drivers\cpqdiag.sys <Not Verified; Compuware Corporation; DriverWorks>
R2 cq_mem (Diagnostics Memory Driver) - c:\winnt\system32\drivers\cq_mem.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
R2 cqcpu (Diagnostics CPU Driver) - c:\winnt\system32\drivers\cqcpu.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
R3 AWINDIS5 (AWINDIS5 Protocol Driver) - c:\winnt\system32\awindis5.sys <Not Verified; AMBIT Microsystems Corporation.; AMBIT WinDis32 Protocol Driver for Windows>
R3 NMSCFG (NIC Management Service Configuration Driver) - c:\winnt\system32\drivers\nmscfg.sys <Not Verified; Intel Corporation; Intel® NMSCFG Driver>

S3 catchme - c:\docume~1\jlucia~1.lab\locals~1\temp\catchme.sys (file missing)
S3 XI800 (Z-Com Wireless LAN Driver) - c:\winnt\system32\drivers\xi800nds.sys <Not Verified; Z-Com, Inc.; LANEscape/XI-800>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Hibernation - c:\progra~1\compaq\compaq~2\hibserv.exe <Not Verified; ; HIBSERV Service>
R2 NMSSvc (Intel® NMS) - c:\winnt\system32\nmssvc.exe <Not Verified; Intel Corporation; NMS>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-04-23 and 2008-05-23 -----------------------------

2008-05-23 17:31:54 0 d-------- C:\dss
2008-05-23 17:28:04 5178 --a------ C:\Program Files\tmp1782633.exe
2008-05-23 17:27:58 5178 --a------ C:\Program Files\tmp1777465.exe
2008-05-23 17:23:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-23 17:23:39 0 d-------- C:\WINNT\system32\Kaspersky Lab
2008-05-23 17:09:12 0 d-------- C:\hjt
2008-05-23 17:06:26 0 d-------- C:\Program Files\IE Extensions
2008-05-23 17:05:44 0 d-------- C:\Program Files\iSecurity
2008-05-23 17:05:43 0 d-------- C:\WINNT\system32\566828
2008-05-20 21:35:30 0 d-------- C:\Program Files\Trend Micro
2008-05-19 19:52:08 0 d-------- C:\WINNT\ERUNT
2008-05-19 19:50:28 0 d-------- C:\Documents and Settings\jlucia.LUCIAJLAPT\Application Data\U3
2008-05-19 18:28:53 91264 --a------ C:\WINNT\system32\tsuqsjmd.dll
2008-05-19 18:26:13 217088 --a------ C:\WINNT\nldfmtapxqm.dll
2008-05-19 18:26:12 94208 --a------ C:\WINNT\ednb.exe
2008-05-18 23:42:34 0 d-------- C:\Documents and Settings\jlucia.LUCIAJLAPT\Application Data\TmpRecentIcons
2008-05-18 07:42:57 0 d-------- C:\WINNT\Resources
2008-05-18 03:00:00 0 d-------- C:\Documents and Settings\jlucia.LABOR1\Application Data\TmpRecentIcons
2008-05-18 01:52:47 91264 --a------ C:\WINNT\system32\iinsvxor.dll
2008-05-18 01:52:18 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_368.dat
2008-05-18 01:52:03 24664 --ahs---- C:\WINNT\system32\UCcIRXbc.ini2
2008-05-18 01:50:07 318848 -----n--- C:\WINNT\system32\cbXRIcCU.dll
2008-05-18 01:42:26 29824 --a------ C:\WINNT\system32\fccaBTjk.dll
2008-05-18 01:40:19 245760 --a------ C:\WINNT\nldfmtappek.dll
2008-05-18 01:40:19 81920 --a------ C:\WINNT\mdtgkswr.exe
2008-05-18 01:40:19 204800 --a------ C:\WINNT\gnowmebk.dll
2008-05-18 01:40:18 139264 --a------ C:\WINNT\esta.exe


-- Find3M Report ---------------------------------------------------------------

2008-05-22 17:01:22 1010798 ---h----- C:\WINNT\ShellIconCache
2008-05-18 09:09:06 0 d--h----- C:\Program Files\Trillian
2008-05-18 07:50:16 0 d-------- C:\Documents and Settings\jlucia.LABOR1\Application Data\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18F4FBD5-CDE8-492C-9365-1912378EECFE}]
05/18/08 01:42a 29824 --a------ C:\WINNT\system32\fccaBTjk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{220A105A-16EE-44C1-A4C8-AD76C709FC1D}]
05/23/08 05:05p 13824 --a------ C:\WINNT\system32\566828\566828.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{831C798D-F9AD-4659-8625-63F2A439F439}]
05/17/08 05:14p 245760 --a------ C:\WINNT\nldfmtappek.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8311E8F-E459-4D22-89B4-CB9DCF10A425}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C8E324F9-0EBD-4B86-A225-8ADF7E2FE1F5}]
05/18/08 01:51a 318848 --------- C:\WINNT\system32\cbXRIcCU.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06/14/06 04:24p]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08/14/06 06:46p]
"AtiPTA"="Atiptaxx.exe" [07/05/01 02:53p C:\WINNT\system32\atiptaxx.exe]
"AS00_Gear511"="C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe" [01/20/06 02:14p]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [05/21/03 02:21a]
"Synchronization Manager"="mobsync.exe" [06/19/03 12:05p C:\WINNT\system32\mobsync.exe]
"iSecurity applet"="iSecurity.cpl" [05/23/08 05:05p C:\WINNT\system32\iSecurity.cpl]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{18F4FBD5-CDE8-492C-9365-1912378EECFE}"= C:\WINNT\system32\fccaBTjk.dll [05/18/08 01:42a 29824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"AlrtUnknown"= {06d676ce-f0fd-45bc-97e7-24b3e360ba88} - C:\WINNT\Resources\AlrtUnknown.dll [05/18/08 07:42a 14886]
"gnowmebk"= {B3420D69-1459-4D4C-89C9-2A053542D43D} - C:\WINNT\gnowmebk.dll [05/17/08 05:14p 204800]
"pxgdslro"= {59F118D3-C933-4F9A-8DAC-95B5BC574C69} - C:\WINNT\pxgdslro.dll [ ]
"iSecurity"= {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - iSecurity.cpl [ ]
"PreBootCheck"= {a67389bd-eaf9-469b-aaba-aac10ecfd31a} - C:\WINNT\Resources\CDCheck.dll [05/23/08 05:06p 12288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccaBTjk]
fccaBTjk.dll 05/18/08 01:42a 29824 C:\WINNT\system32\fccaBTjk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=iSecurity.cpl

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINNT\system32\cbXRIcCU

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2008-05-23 17:36:37 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows 2000 Professional (build 2195) SP 4.0
Architecture: X86; Language: English

CPU 0: Intel Pentium III processor
Percentage of Memory in Use: 63%
Physical Memory (total/avail): 319.48 MiB / 117.59 MiB
Pagefile Memory (total/avail): 487.19 MiB / 247.84 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1959.95 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 11.24 GiB total, 7.11 GiB free.
D: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - HITACHI_DK23AA-12 - 11.24 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 11.24 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\jlucia.LABOR1\Application Data
CLASSPATH=.;C:\Program Files\JavaSoft\JRE\1.3\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=LUCIAJLAPT
ComSpec=C:\WINNT\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\jlucia.LABOR1
HOMESHARE=\\labor1\stfdata
LOGONSERVER=\\LUCIAJLAPT
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0806
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\JavaSoft\JRE\1.3\lib\ext\QTJava.zip
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\JLUCIA~1.LAB\LOCALS~1\Temp
TMP=C:\DOCUME~1\JLUCIA~1.LAB\LOCALS~1\Temp
USERDNSDOMAIN=labor1.labor.state.vt.us
USERDOMAIN=LABOR1
USERNAME=jlucia
USERPROFILE=C:\Documents and Settings\jlucia.LABOR1
windir=C:\WINNT


-- User Profiles ---------------------------------------------------------------

jlucia.LABOR1 (admin)
jlucia (admin)
Administrator.DETCO
jlucia.LUCIAJLAPT (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

Adobe Flash Player ActiveX --> C:\WINNT\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINNT\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe Shockwave Player --> C:\WINNT\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINNT\system32\Macromed\SHOCKW~1\Install.log
Aspell English Dictionary-0.50-2 --> "C:\Program Files\Aspell\unins001.exe"
ATI Display Driver Utilities --> rundll32 C:\WINNT\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AtomSync --> "C:\Program Files\AtomSync\Setup.exe" -remove "AtomSync"
Birth of the Federation --> C:\WINNT\IsUninst.exe -fC:\botf\Uninst.isu
Citrix ICA Client --> C:\WINNT\ISUNINST.EXE -fc:\ICACLI~1\Uninst.isu -cc:\ICACLI~1\uninstpn.dll
Common Measures -Data Analysis and Reporting Tool --> MsiExec.exe /X{7F2F419F-1B57-4254-9A53-490B4C9BB2E6}
Compaq Battery Utility --> C:\WINNT\IsUninst.exe -f"C:\Program Files\Compaq\Compaq Battery Utility\Uninst.isu"
Compaq Power Management --> C:\WINNT\IsUninst.exe -f"C:\Program Files\Compaq\Compaq Power Management\DeIsL1.isu" -c"C:\Program Files\Compaq\Compaq Power Management\uninst32.dll"
Diagnostics for Windows --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1881AE03-2BD4-11D4-86BF-00508B10AA88}\Setup.exe" UNINSTALL
DirectX 8.1 Hotfix - KB839643 --> C:\WINNT\$NtUninstallKB839643-DirectX81$\spuninst\spuninst.exe
Easy CD & DVD Creator 6 --> MsiExec.exe /I{46DDF76F-ACD4-42BC-B48F-B89C4EE2E1A9}
Gaim (remove only) --> C:\Program Files\Gaim\gaim-uninst.exe
GNU Aspell 0.50-3 --> "C:\Program Files\Aspell\unins000.exe"
GTK+ Runtime 2.10.6 rev a (remove only) --> C:\Program Files\Common Files\GTK\2.0\uninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel® PRO Ethernet Adapter and Software --> Prounstl.exe
Intel® PROSet II --> C:\WINNT\IsUninst.exe -f"C:\Program Files\Intel\PROSet\PROUnins.isu" -c"C:\Program Files\Intel\PROSet\PROInst.DLL"
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{54C0D94A-F467-4ABC-9D02-6E58748668D4} /l1033
Java 2 Runtime Environment Standard Edition v1.3 --> C:\WINNT\IsUninst.exe -f"C:\Program Files\JavaSoft\JRE\1.3\Uninst.isu"
Kaspersky Online Scanner --> C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LiveUpdate 1.80 (Symantec Corporation) --> C:\Program Files\\Symantec\LiveUpdate\LSETUP.EXE /U
Microsoft .NET Framework 1.1 --> msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 Hotfix (KB928366) --> "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 2.0 Service Pack 1 --> MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINNT\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Office 2000 Disc 2 --> MsiExec.exe /I{00040409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 2000 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft Outlook 2002 --> MsiExec.exe /I{911A0409-6000-11D3-8CFE-0050048383C9}
Microsoft XML Parser and SDK --> MsiExec.exe /I{3E908702-AF35-4611-9518-955DA24B7E07}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978) --> MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
NETGEAR 108 Mbps Wireless PC Card WG511T --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C9D20484-D3CC-4CD2-B1ED-B72A9CEFD45D}\Setup.exe" -l0x9
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} /l1033
Security Update for DirectX 8 (KB941568) --> "C:\WINNT\$NtUninstallKB941568_DX8$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB904706) --> "C:\WINNT\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB923689) --> "C:\WINNT\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB941569) --> "C:\WINNT\$NtUninstallKB941569$\spuninst\spuninst.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Stonefield Query for CM-DART --> MsiExec.exe /X{EDE52F05-EE32-4FC9-BBFF-01E826D606B0}
Symantec AntiVirus Client --> MsiExec.exe /X{0EFC6259-3AD8-4CD2-BC57-D4937AF5CC0E}
Symantec Technical Support Web Controls --> MsiExec.exe /X{C4868E88-F5B5-4E45-9592-C7062BD97441}
TN3270 Plus --> C:\WINNT\IsUninst.exe -f"C:\Program Files\SDI\TN3270 Plus\Uninst.isu"
Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall
Windows Media Player system update (9 Series) --> C:\PROGRA~1\WINDOW~2\setup_wm.exe /Uninstall
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
WordPerfect Office 11 --> MsiExec.exe /I{54F90B55-BEB3-4F0D-8802-228822FA5921}


-- Application Event Log -------------------------------------------------------

Event Record #/Type1534 / Warning
Event Submitted/Written: 05/23/2008 05:03:19 PM
Event ID/Source: 35 / WinMgmt
Event Description:
WMI ADAP was unable to load the ASP.NET_2.0.50727 performance library because it returned invalid data: 0x0

Event Record #/Type1533 / Warning
Event Submitted/Written: 05/23/2008 05:02:52 PM
Event ID/Source: 35 / WinMgmt
Event Description:
WMI ADAP was unable to load the ASP.NET performance library because it returned invalid data: 0x0

Event Record #/Type1525 / Error
Event Submitted/Written: 05/23/2008 06:03:05 AM
Event ID/Source: 2001 / rasctrs
Event Description:


Event Record #/Type1524 / Error
Event Submitted/Written: 05/23/2008 06:03:04 AM
Event ID/Source: 2002 / PerfNet
Event Description:
Unable to open the Redirector service. Redirector performance data
will not be returned. Error code returned is in data DWORD 0.

Event Record #/Type1523 / Error
Event Submitted/Written: 05/23/2008 06:03:04 AM
Event ID/Source: 2004 / PerfNet
Event Description:
Unable to open the Server service. Server performance data
will not be returned. Error code returned is in data DWORD 0.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type9025 / Warning
Event Submitted/Written: 05/23/2008 05:00:40 PM
Event ID/Source: 54 / w32time
Event Description:
The Windows Time Service was not able to find a Domain Controller. A time and date update was not possible.

Event Record #/Type9021 / Error
Event Submitted/Written: 05/23/2008 04:59:58 PM
Event ID/Source: 5719 / NETLOGON
Event Description:
No Windows NT or Windows 2000 Domain Controller is available for domain LABOR1.
The following error occurred:
%%1311

Event Record #/Type9019 / Error
Event Submitted/Written: 05/23/2008 04:57:41 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {1BE1F766-5536-11D1-B726-00C04FB926AF} did not register with DCOM within the required timeout.

Event Record #/Type9018 / Error
Event Submitted/Written: 05/23/2008 07:06:47 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
%%1077

Event Record #/Type9017 / Error
Event Submitted/Written: 05/23/2008 07:05:46 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
%%1077



-- End of Deckard's System Scanner: finished at 2008-05-23 17:36:37 ------------
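The logs above carry the full set of Vundo/Virtumonde persistence points at once: BHOs with pseudo-random eight-letter names (fccaBTjk, cbXRIcCU, nldfmtappek), a Winlogon Notify DLL that loads into winlogon.exe, an AppInit_DLLs entry pulling a .cpl into every process that loads user32.dll, ShellServiceObjectDelayLoad entries that explorer.exe loads silently at logon, a hijacked IE start page, and, in the DSS registry dump, an extra LSA Authentication Package (cbXRIcCU) loaded into lsass.exe. The script below is an added example for this thread, written by the editor; it is not code from HijackThis, DSS, ComboFix, Spybot or the posters. It parses HijackThis-style lines plus the DSS "Authentication Packages" line and flags those indicators. The allowlists (DEFAULT_HOSTS, KNOWN_GOOD_STEMS, DEFAULT_AUTH_PACKAGES), the random-name heuristic and its thresholds are all assumptions; the sample input is excerpted from the first post, with one clean entry of each kind kept as a control.

```python
"""Triage a HijackThis 2.x log (plus DSS's LSA dump line) for Vundo-style persistence.

Added example for this thread; it is not code from HijackThis, DSS, ComboFix,
Spybot or the posters. Every rule below is the editor's own triage heuristic
(an assumption), not a rule set any of those tools applies."""
import re
from collections import namedtuple
from urllib.parse import urlparse

DEFAULT_HOSTS = {"go.microsoft.com", "www.msn.com"}   # assumed stock start/search hosts
KNOWN_GOOD_STEMS = {"msdxm"}                           # assumed legit stems the name test hits
DEFAULT_AUTH_PACKAGES = {"msv1_0"}                     # assumed stock Win2000 LSA auth package
ENTRY = re.compile(r"^([RO]\d+)\s+-\s+(.*)$")
BASENAME = re.compile(r'([^\s\\/"]+)\.(dll|cpl|ocx)\b', re.I)
RUNDLL_CPL = re.compile(r"rundll32(?:\.exe)?\s+\S+\.cpl\b", re.I)
VOWELS = set("aeiouy")

Finding = namedtuple("Finding", "kind module reasons line")


def looks_random(stem: str) -> bool:
    """Vundo names modules with pseudo-random letters (fccaBTjk, gnowmebk) or digits.
    Flag stems that are all digits, nearly vowel-free, or carry 4+ consonants in a row."""
    s = stem.lower()
    if s in KNOWN_GOOD_STEMS:
        return False
    if s.isdigit():
        return True
    if not s.isalpha() or len(s) < 6:
        return False
    vowel_ratio = sum(c in VOWELS for c in s) / len(s)
    longest_run = max((len(r) for r in re.findall(r"[^aeiouy]+", s)), default=0)
    return vowel_ratio <= 0.25 or longest_run >= 4


def triage(log_text: str) -> list:
    """Return one Finding per line that deserves a human look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        # DSS registry dump: anything beside msv1_0 here is loaded into lsass.exe.
        if line.startswith('"Authentication Packages"='):
            extra = [p for p in line.split("=", 1)[1].split()
                     if p.lower() not in DEFAULT_AUTH_PACKAGES]
            if extra:
                findings.append(Finding("LSA", extra[-1], ("extra LSA authentication package",), line))
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        kind, rest = m.groups()
        names = BASENAME.findall(rest)
        stem, ext = names[-1] if names else ("", "")
        module = f"{stem}.{ext}" if stem else ""
        reasons = []
        if "(file missing)" in rest:
            reasons.append("orphaned entry: file gone, registry pointer remains")
        if kind == "O20":
            reasons.append("DLL injected at logon (Winlogon Notify / AppInit_DLLs)")
        if kind == "O21":
            reasons.append("ShellServiceObjectDelayLoad: explorer.exe loads it silently")
        if kind == "O2" and rest.startswith("BHO: (no name)"):
            reasons.append("BHO registered without a name")
        if kind in {"O2", "O3", "O20", "O21"} and stem and looks_random(stem):
            reasons.append("pseudo-random module name")
        if kind == "O4" and RUNDLL_CPL.search(rest):
            reasons.append("Run key loads a .cpl through rundll32")
        if kind in {"R0", "R1"} and "=" in rest:
            host = urlparse(rest.split("=", 1)[1].strip()).hostname
            if host and host not in DEFAULT_HOSTS:
                reasons.append(f"start/search page points at {host}")
        if reasons:
            findings.append(Finding(kind, module, tuple(reasons), line))
    return findings


# Constructed sample: lines excerpted from the first post's HijackThis log and
# DSS registry dump, with one clean entry of each kind kept as a control.
SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {18F4FBD5-CDE8-492C-9365-1912378EECFE} - C:\WINNT\system32\fccaBTjk.dll
O2 - BHO: QXK Rhythm - {831C798D-F9AD-4659-8625-63F2A439F439} - C:\WINNT\nldfmtappek.dll
O2 - BHO: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - iSecurity.cpl (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iSecurity applet] rundll32.exe iSecurity.cpl,SecurityMonitor
O20 - AppInit_DLLs: iSecurity.cpl
O20 - Winlogon Notify: fccaBTjk - C:\WINNT\SYSTEM32\fccaBTjk.dll
O21 - SSODL: gnowmebk - {B3420D69-1459-4D4C-89C9-2A053542D43D} - C:\WINNT\gnowmebk.dll
"Authentication Packages"= msv1_0 C:\WINNT\system32\cbXRIcCU
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.kind:<4} {f.module:<16} {'; '.join(f.reasons)}")
```

Run as-is it lists the flagged sample lines; paste the text of a whole post into `triage()` to work a real log. The name test is deliberately loose (without the allowlist it would flag msdxm.ocx, a legitimate Windows Media component), so read the output as a reading order for a human, not a verdict. `(file missing)` hits are the leftovers of a partial clean, as with the gktxaspm toolbar entries above: the file is gone but the autostart pointer is not, and a later stage of the infection can simply drop a new file at that path.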

#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 24 May 2008 - 07:24 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 elleren
  • Topic Starter

  • Members
  • 5 posts
  • Gender:Male
  • Location:vermont

Posted 27 May 2008 - 07:47 AM

I don't have the Windows 2000 disks handy for the Recovery Console.


ComboFix 08-05-26.2 - jlucia 05/27/2008 8:12:39.1 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\jlucia.LUCIAJLAPT\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\Downloaded Program Files\setup.inf
C:\WINNT\gnowmebk.dll
C:\WINNT\nldfmtappdm.dll
C:\WINNT\nldfmtappek.dll
C:\WINNT\nldfmtapxqm.dll
C:\WINNT\resources\AlrtUnknown.dll
C:\WINNT\resources\CDCheck.dll
C:\WINNT\system32\cbXRIcCU.dll
C:\WINNT\system32\dmjsqust.ini
C:\WINNT\system32\fccaBTjk.dll
C:\WINNT\system32\hpsrciiq.ini
C:\WINNT\system32\idsievwi.ini
C:\WINNT\system32\mcrh.tmp
C:\WINNT\system32\qiicrsph.dll
C:\WINNT\system32\roxvsnii.ini
C:\WINNT\system32\UCcIRXbc.ini
C:\WINNT\system32\UCcIRXbc.ini2
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-24 19:13 . 05/24/08 07:13p 464,788 ---h----- C:\WINNT\ShellIconCache
2008-05-24 15:56 . 05/24/08 03:56p <DIR> d-------- C:\iSecurity
2008-05-23 18:51 . 05/22/08 10:25p 94,208 --a------ C:\WINNT\epse.exe
2008-05-23 17:33 . 05/23/08 05:33p <DIR> d-------- C:\Deckard
2008-05-23 17:31 . 05/23/08 05:32p <DIR> d-------- C:\dss
2008-05-23 17:23 . 05/23/08 05:23p <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2008-05-23 17:23 . 05/23/08 05:23p <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-23 17:09 . 05/23/08 05:09p <DIR> d-------- C:\hjt
2008-05-23 17:05 . 05/24/08 07:38a <DIR> d-------- C:\WINNT\system32\566828
2008-05-20 21:35 . 05/20/08 09:35p <DIR> d-------- C:\Program Files\Trend Micro
2008-05-19 19:52 . 05/19/08 07:52p <DIR> d-------- C:\WINNT\ERUNT
2008-05-19 19:51 . 05/24/08 07:11p <DIR> d-------- C:\SDFix
2008-05-19 19:50 . 05/19/08 07:53p <DIR> d-------- C:\Documents and Settings\jlucia.LUCIAJLAPT\Application Data\U3
2008-05-19 18:26 . 05/19/08 11:48a 94,208 --a------ C:\WINNT\ednb.exe
2008-05-18 23:42 . 05/18/08 11:42p <DIR> d-------- C:\Documents and Settings\jlucia.LUCIAJLAPT\Application Data\TmpRecentIcons
2008-05-18 07:42 . 05/27/08 08:16a <DIR> d-------- C:\WINNT\Resources
2008-05-18 03:00 . 05/24/08 07:38a <DIR> d-------- C:\Documents and Settings\jlucia.LABOR1\Application Data\TmpRecentIcons
2008-05-18 01:40 . 05/17/08 05:15p 139,264 --a------ C:\WINNT\esta.exe
2008-05-18 01:40 . 05/22/08 10:25p 81,920 --a------ C:\WINNT\mdtgkswr.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 21:28 --------- d--h--w C:\Program Files\Spybot - Search & Destroy
2008-05-21 21:28 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-18 13:09 --------- d--h--w C:\Program Files\Trillian
2005-10-29 17:29 271 ---h--w C:\Program Files\desktop.ini
2005-10-29 17:29 21,952 ---h--w C:\Program Files\folder.htt
2001-05-08 06:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

------- Sigcheck -------


.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{220A105A-16EE-44C1-A4C8-AD76C709FC1D}]
C:\WINNT\system32\566828\566828.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{C9A66198-D585-4160-A963-A889176926B0}"= "C:\DOCUME~1\JLUCIA~1.LAB\LOCALS~1\Temp\ac8zt2\gktxaspm.dll" [ ]
"{6E90A503-DDFD-4CC5-9628-0391A05E7212}"= "C:\DOCUME~1\JLUCIA~1.LAB\LOCALS~1\Temp\ac8zt2\gktxaspm.dll" [ ]
"{0983040A-984F-4BEF-BEBE-D3D3342D3954}"= "C:\DOCUME~1\JLUCIA~1.LAB\LOCALS~1\Temp\ac8zt2\gktxaspm.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{c9a66198-d585-4160-a963-a889176926b0}]
[HKEY_CLASSES_ROOT\gktxaspm.1]
[HKEY_CLASSES_ROOT\TypeLib\{4FF6AC4F-E0D8-40C3-BAE6-E1C9DEF2C03F}]
[HKEY_CLASSES_ROOT\gktxaspm]

[HKEY_CLASSES_ROOT\clsid\{6e90a503-ddfd-4cc5-9628-0391a05e7212}]
[HKEY_CLASSES_ROOT\gktxaspm.1]
[HKEY_CLASSES_ROOT\TypeLib\{6E49E3EC-EBA4-4AE4-A895-8939ADD32FA8}]
[HKEY_CLASSES_ROOT\gktxaspm]

[HKEY_CLASSES_ROOT\clsid\{0983040a-984f-4bef-bebe-d3d3342d3954}]
[HKEY_CLASSES_ROOT\gktxaspm.1]
[HKEY_CLASSES_ROOT\TypeLib\{3B1BB93D-8DA6-4F13-87D8-2501003E2236}]
[HKEY_CLASSES_ROOT\gktxaspm]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06/14/06 04:24p 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08/14/06 06:46p 282624]
"AtiPTA"="Atiptaxx.exe" [07/05/01 02:53p 217088 C:\WINNT\system32\atiptaxx.exe]
"AS00_Gear511"="C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe" [01/20/06 02:14p 1122412]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [05/21/03 02:21a 90112]
"Synchronization Manager"="mobsync.exe" [06/19/03 12:05p 111376 C:\WINNT\system32\mobsync.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"gnowmebk"= {AA38BD74-77DE-43C3-8C66-920B722CE39F} - C:\WINNT\gnowmebk.dll [ ]
"pxgdslro"= {37AB7173-F901-4029-ADD5-E5A11DBBF781} - C:\WINNT\pxgdslro.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll


*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 08:24:37
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\winlogon.exe
-> C:\WINNT\system32\NavLogon.dll
.
Completion time: 05/27/2008 8:32:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-27 12:31:47

Pre-Run: 7,502,233,600 bytes free
Post-Run: 7,597,846,528 bytes free

116 --- E O F --- 2008-05-16 00:12:25

Deckard's System Scanner v20071014.68
Run by jlucia on 2008-05-27 08:35:44
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as jlucia.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:36, on 2008-05-27
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\WINNT\system32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
c:\ICA Client\ssonsvr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\explorer.exe
C:\dss\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\jlucia.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: 566828 helper - {220A105A-16EE-44C1-A4C8-AD76C709FC1D} - C:\WINNT\system32\566828\566828.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: gktxaspm - {C9A66198-D585-4160-A963-A889176926B0} - C:\DOCUME~1\JLUCIA~1.LAB\LOCALS~1\Temp\ac8zt2\gktxaspm.dll (file missing)
O3 - Toolbar: gktxaspm - {6E90A503-DDFD-4CC5-9628-0391A05E7212} - C:\DOCUME~1\JLUCIA~1.LAB\LOCALS~1\Temp\ac8zt2\gktxaspm.dll (file missing)
O3 - Toolbar: gktxaspm - {0983040A-984F-4BEF-BEBE-D3D3342D3954} - C:\DOCUME~1\JLUCIA~1.LAB\LOCALS~1\Temp\ac8zt2\gktxaspm.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = labor1.labor.state.vt.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = labor1.labor.state.vt.us
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = labor1.labor.state.vt.us
O21 - SSODL: gnowmebk - {AA38BD74-77DE-43C3-8C66-920B722CE39F} - C:\WINNT\gnowmebk.dll (file missing)
O21 - SSODL: pxgdslro - {37AB7173-F901-4029-ADD5-E5A11DBBF781} - C:\WINNT\pxgdslro.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\system32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

--
End of file - 4519 bytes

-- Files created between 2008-04-27 and 2008-05-27 -----------------------------

2008-05-27 08:10:24 68096 --a------ C:\WINNT\zip.exe
2008-05-27 08:10:24 49152 --a------ C:\WINNT\VFind.exe
2008-05-27 08:10:24 212480 --a------ C:\WINNT\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-27 08:10:24 136704 --a------ C:\WINNT\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-27 08:10:24 161792 --a------ C:\WINNT\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-27 08:10:24 98816 --a------ C:\WINNT\sed.exe
2008-05-27 08:10:24 80412 --a------ C:\WINNT\grep.exe
2008-05-27 08:10:24 89504 --a------ C:\WINNT\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-24 19:13:46 464788 ---h----- C:\WINNT\ShellIconCache
2008-05-24 15:56:59 0 d-------- C:\iSecurity
2008-05-23 18:51:06 94208 --a------ C:\WINNT\epse.exe
2008-05-23 17:31:54 0 d-------- C:\dss
2008-05-23 17:23:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-23 17:23:39 0 d-------- C:\WINNT\system32\Kaspersky Lab
2008-05-23 17:09:12 0 d-------- C:\hjt
2008-05-23 17:05:43 0 d-------- C:\WINNT\system32\566828
2008-05-20 21:35:30 0 d-------- C:\Program Files\Trend Micro
2008-05-19 19:52:08 0 d-------- C:\WINNT\ERUNT
2008-05-19 19:50:28 0 d-------- C:\Documents and Settings\jlucia.LUCIAJLAPT\Application Data\U3
2008-05-19 18:26:12 94208 --a------ C:\WINNT\ednb.exe
2008-05-18 23:42:34 0 d-------- C:\Documents and Settings\jlucia.LUCIAJLAPT\Application Data\TmpRecentIcons
2008-05-18 07:42:57 0 d-------- C:\WINNT\Resources
2008-05-18 03:00:00 0 d-------- C:\Documents and Settings\jlucia.LABOR1\Application Data\TmpRecentIcons
2008-05-18 01:40:19 81920 --a------ C:\WINNT\mdtgkswr.exe
2008-05-18 01:40:18 139264 --a------ C:\WINNT\esta.exe


-- Find3M Report ---------------------------------------------------------------

2008-05-18 09:09:06 0 d--h----- C:\Program Files\Trillian
2008-05-18 07:50:16 0 d-------- C:\Documents and Settings\jlucia.LABOR1\Application Data\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{220A105A-16EE-44C1-A4C8-AD76C709FC1D}]
C:\WINNT\system32\566828\566828.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06-06-14 16:24 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06-08-14 18:46 ]
"AtiPTA"="Atiptaxx.exe" [01-07-05 14:53 C:\WINNT\system32\atiptaxx.exe]
"AS00_Gear511"="C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe" [06-01-20 14:14 ]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [03-05-21 02:21 ]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 C:\WINNT\system32\mobsync.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"gnowmebk"= {AA38BD74-77DE-43C3-8C66-920B722CE39F} - C:\WINNT\gnowmebk.dll [ ]
"pxgdslro"= {37AB7173-F901-4029-ADD5-E5A11DBBF781} - C:\WINNT\pxgdslro.dll [ ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

*Newly Created Service* - IPNAT
*Newly Created Service* - PSEXESVC
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS



-- End of Deckard's System Scanner: finished at 2008-05-27 08:36:36 ------------

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:09:55 AM

Posted 27 May 2008 - 08:00 AM

Hi,

* Open Notepad - don't use any other text editor than Notepad, or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\WINNT\epse.exe
C:\WINNT\ednb.exe
C:\WINNT\esta.exe
C:\WINNT\mdtgkswr.exe
Folder::
C:\WINNT\system32\566828
C:\iSecurity
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{220A105A-16EE-44C1-A4C8-AD76C709FC1D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{C9A66198-D585-4160-A963-A889176926B0}"=-
"{6E90A503-DDFD-4CC5-9628-0391A05E7212}"=-
"{0983040A-984F-4BEF-BEBE-D3D3342D3954}"=-
[-HKEY_CLASSES_ROOT\clsid\{c9a66198-d585-4160-a963-a889176926b0}]
[-HKEY_CLASSES_ROOT\TypeLib\{4FF6AC4F-E0D8-40C3-BAE6-E1C9DEF2C03F}]
[-HKEY_CLASSES_ROOT\clsid\{6e90a503-ddfd-4cc5-9628-0391a05e7212}]
[-HKEY_CLASSES_ROOT\TypeLib\{6E49E3EC-EBA4-4AE4-A895-8939ADD32FA8}]
[-HKEY_CLASSES_ROOT\clsid\{0983040a-984f-4bef-bebe-d3d3342d3954}]
[-HKEY_CLASSES_ROOT\gktxaspm.1]
[-HKEY_CLASSES_ROOT\TypeLib\{3B1BB93D-8DA6-4F13-87D8-2501003E2236}]
[-HKEY_CLASSES_ROOT\gktxaspm]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"gnowmebk"=-
"pxgdslro"=-


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript being dragged onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 elleren

elleren
  • Topic Starter

  • Members
  • 5 posts
  • Gender:Male
  • Location:vermont
  • Local time:04:55 AM

Posted 27 May 2008 - 08:42 AM

I ran the script twice because it threw an error about not being able to import a non-registry file?
Attached are both logs and the new hijackthis log.

ComboFix 08-05-26.2 - jlucia 2008-05-27 9:07:29.2 - NTFSx86 MINIMAL
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.239 [GMT -4:00]
Running from: C:\Documents and Settings\jlucia.LUCIAJLAPT\Desktop\ComboFix.exe
Command switches used :: A:\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINNT\ednb.exe
C:\WINNT\epse.exe
C:\WINNT\esta.exe
C:\WINNT\mdtgkswr.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
ComboFix 08-05-26.2 - jlucia 2008-05-27 9:26:30.3 - NTFSx86
Running from: C:\Documents and Settings\jlucia.LABOR1\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\jlucia.LABOR1\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINNT\ednb.exe
C:\WINNT\epse.exe
C:\WINNT\esta.exe
C:\WINNT\mdtgkswr.exe
.

((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-23 17:33 . 08-05-23 17:33 <DIR> d-------- C:\Deckard
2008-05-23 17:31 . 08-05-23 17:32 <DIR> d-------- C:\dss
2008-05-23 17:23 . 08-05-23 17:23 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2008-05-23 17:23 . 08-05-23 17:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-23 17:09 . 08-05-23 17:09 <DIR> d-------- C:\hjt
2008-05-20 21:35 . 08-05-20 21:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-19 19:52 . 08-05-19 19:52 <DIR> d-------- C:\WINNT\ERUNT
2008-05-19 19:51 . 08-05-27 08:57 <DIR> d-------- C:\SDFix
2008-05-19 19:50 . 08-05-19 19:53 <DIR> d-------- C:\Documents and Settings\jlucia.LUCIAJLAPT\Application Data\U3
2008-05-18 23:42 . 08-05-18 23:42 <DIR> d-------- C:\Documents and Settings\jlucia.LUCIAJLAPT\Application Data\TmpRecentIcons
2008-05-18 07:42 . 08-05-27 08:16 <DIR> d-------- C:\WINNT\Resources
2008-05-18 03:00 . 08-05-24 07:38 <DIR> d-------- C:\Documents and Settings\jlucia.LABOR1\Application Data\TmpRecentIcons

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 21:28 --------- d--h--w C:\Program Files\Spybot - Search & Destroy
2008-05-21 21:28 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-18 13:09 --------- d--h--w C:\Program Files\Trillian
2008-03-27 07:13 151,583 ----a-w C:\WINNT\system32\msjint40.dll
2008-03-27 07:06 355,104 ----a-w C:\WINNT\system32\msxbde40.dll
2008-03-27 07:05 838,432 ----a-w C:\WINNT\system32\mswdat10.dll
2008-03-27 07:05 621,344 ----a-w C:\WINNT\system32\mswstr10.dll
2008-03-27 07:05 264,992 ----a-w C:\WINNT\system32\mstext40.dll
2008-03-27 07:04 559,904 ----a-w C:\WINNT\system32\msrepl40.dll
2008-03-27 07:04 432,928 ----a-w C:\WINNT\system32\msrd2x40.dll
2008-03-27 07:04 322,336 ----a-w C:\WINNT\system32\msrd3x40.dll
2008-03-27 07:03 355,104 ----a-w C:\WINNT\system32\mspbde40.dll
2008-03-27 07:03 248,608 ----a-w C:\WINNT\system32\msjtes40.dll
2008-03-27 07:03 219,936 ----a-w C:\WINNT\system32\msltus40.dll
2008-03-27 07:02 60,192 ----a-w C:\WINNT\system32\msjter40.dll
2008-03-27 07:02 355,112 ----a-w C:\WINNT\system32\msjetoledb40.dll
2008-03-27 07:01 1,516,568 ----a-w C:\WINNT\system32\msjet40.dll
2008-03-27 07:00 518,944 ----a-w C:\WINNT\system32\msexch40.dll
2008-03-27 07:00 326,432 ----a-w C:\WINNT\system32\msexcl40.dll
2008-03-19 09:26 1,644,080 ----a-w C:\WINNT\system32\WIN32K.SYS
2005-10-29 17:29 271 ---h--w C:\Program Files\desktop.ini
2005-10-29 17:29 21,952 ---h--w C:\Program Files\folder.htt
2001-05-08 06:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

------- Sigcheck -------


.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06-06-14 16:24 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06-08-14 18:46 282624]
"AtiPTA"="Atiptaxx.exe" [01-07-05 14:53 217088 C:\WINNT\system32\atiptaxx.exe]
"AS00_Gear511"="C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe" [06-01-20 14:14 1122412]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [03-05-21 02:21 90112]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 C:\WINNT\system32\mobsync.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

R2 cpqdiag;Compaq Diagnostics Driver;C:\WINNT\system32\drivers\cpqdiag.sys [01-06-20 16:04 ]
R2 NMSSvc;Intel® NMS;C:\WINNT\system32\NMSSvc.exe [02-05-13 04:02 ]
R3 ati2mpab;ati2mpab;C:\WINNT\system32\DRIVERS\ati2mpab.sys [01-08-08 16:00 ]
R3 AWINDIS5;AWINDIS5 Protocol Driver;C:\WINNT\system32\AWINDIS5.SYS [02-04-11 17:43 ]
R3 maestro;ESS Maestro2E Audio Driver (WDM);C:\WINNT\system32\drivers\maestro.sys [02-02-07 16:27 ]
R3 NMSCFG;NIC Management Service Configuration Driver;C:\WINNT\system32\drivers\NMSCFG.SYS [02-05-13 04:02 ]
S3 MaestroMPU;ESS Maestro2E MPU401 Driver (WDM);C:\WINNT\system32\drivers\msmpu401.sys [99-09-25 06:35 ]
S3 NETGEAR_WG511_SERVICE;NETGEAR WG511T Wireless Adapter Service;C:\WINNT\system32\DRIVERS\wg511nd5.sys [05-07-25 16:48 ]
S3 XI800;Z-Com Wireless LAN Driver;C:\WINNT\system32\DRIVERS\XI800NDS.sys [02-01-04 22:58 ]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 09:30:21
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\winlogon.exe
-> C:\WINNT\system32\NavLogon.dll
.
Completion time: 2008-05-27 9:33:38
ComboFix-quarantined-files.txt 2008-05-27 13:32:38
ComboFix2.txt 2008-05-27 13:12:37
ComboFix3.txt 2008-05-27 12:32:01

Pre-Run: 7,601,401,856 bytes free
Post-Run: 7,595,163,648 bytes free

98 --- E O F --- 2008-05-16 00:12:25

C:\iSecurity
C:\WINNT\ednb.exe
C:\WINNT\epse.exe
C:\WINNT\esta.exe
C:\WINNT\mdtgkswr.exe
C:\WINNT\system32\566828

.
((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-27 09:07 . 08-05-27 09:07 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_184.dat
2008-05-24 19:13 . 08-05-27 08:57 465,694 ---h----- C:\WINNT\ShellIconCache
2008-05-23 17:33 . 08-05-23 17:33 <DIR> d-------- C:\Deckard
2008-05-23 17:31 . 08-05-23 17:32 <DIR> d-------- C:\dss
2008-05-23 17:23 . 08-05-23 17:23 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2008-05-23 17:23 . 08-05-23 17:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-23 17:09 . 08-05-23 17:09 <DIR> d-------- C:\hjt
2008-05-20 21:35 . 08-05-20 21:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-19 19:52 . 08-05-19 19:52 <DIR> d-------- C:\WINNT\ERUNT
2008-05-19 19:51 . 08-05-27 08:57 <DIR> d-------- C:\SDFix
2008-05-19 19:50 . 08-05-19 19:53 <DIR> d-------- C:\Documents and Settings\jlucia.LUCIAJLAPT\Application Data\U3
2008-05-18 23:42 . 08-05-18 23:42 <DIR> d-------- C:\Documents and Settings\jlucia.LUCIAJLAPT\Application Data\TmpRecentIcons
2008-05-18 07:42 . 08-05-27 08:16 <DIR> d-------- C:\WINNT\Resources
2008-05-18 03:00 . 08-05-24 07:38 <DIR> d-------- C:\Documents and Settings\jlucia.LABOR1\Application Data\TmpRecentIcons

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 21:28 --------- d--h--w C:\Program Files\Spybot - Search & Destroy
2008-05-21 21:28 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-18 13:09 --------- d--h--w C:\Program Files\Trillian
2008-03-27 07:13 151,583 ----a-w C:\WINNT\system32\msjint40.dll
2008-03-27 07:06 355,104 ----a-w C:\WINNT\system32\msxbde40.dll
2008-03-27 07:05 838,432 ----a-w C:\WINNT\system32\mswdat10.dll
2008-03-27 07:05 621,344 ----a-w C:\WINNT\system32\mswstr10.dll
2008-03-27 07:05 264,992 ----a-w C:\WINNT\system32\mstext40.dll
2008-03-27 07:04 559,904 ----a-w C:\WINNT\system32\msrepl40.dll
2008-03-27 07:04 432,928 ----a-w C:\WINNT\system32\msrd2x40.dll
2008-03-27 07:04 322,336 ----a-w C:\WINNT\system32\msrd3x40.dll
2008-03-27 07:03 355,104 ----a-w C:\WINNT\system32\mspbde40.dll
2008-03-27 07:03 248,608 ----a-w C:\WINNT\system32\msjtes40.dll
2008-03-27 07:03 219,936 ----a-w C:\WINNT\system32\msltus40.dll
2008-03-27 07:02 60,192 ----a-w C:\WINNT\system32\msjter40.dll
2008-03-27 07:02 355,112 ----a-w C:\WINNT\system32\msjetoledb40.dll
2008-03-27 07:01 1,516,568 ----a-w C:\WINNT\system32\msjet40.dll
2008-03-27 07:00 518,944 ----a-w C:\WINNT\system32\msexch40.dll
2008-03-27 07:00 326,432 ----a-w C:\WINNT\system32\msexcl40.dll
2008-03-19 09:26 1,644,080 ----a-w C:\WINNT\system32\WIN32K.SYS
2005-10-29 17:29 271 ---h--w C:\Program Files\desktop.ini
2005-10-29 17:29 21,952 ---h--w C:\Program Files\folder.htt
2001-05-08 06:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

------- Sigcheck -------


.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08-01-28 11:43 2097488]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB4592"="command /c del C:\WINNT\system32\cbXRIcCU.dll" [ ]
"SpybotDeletingD9720"="cmd /c del C:\WINNT\system32\cbXRIcCU.dll" [ ]
"SpybotDeletingB6064"="command /c del C:\WINNT\pxgdslro.dll_old" [ ]
"SpybotDeletingD7165"="cmd /c del C:\WINNT\pxgdslro.dll_old" [ ]
"SpybotDeletingB5964"="command /c del C:\WINNT\gktxaspm.dll_old" [ ]
"SpybotDeletingD9846"="cmd /c del C:\WINNT\gktxaspm.dll_old" [ ]
"SpybotDeletingB8418"="command /c del C:\WINNT\system32\cbXRIcCU.dll" [ ]
"SpybotDeletingD4527"="cmd /c del C:\WINNT\system32\cbXRIcCU.dll" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06-06-14 16:24 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06-08-14 18:46 282624]
"AtiPTA"="Atiptaxx.exe" [01-07-05 14:53 217088 C:\WINNT\system32\atiptaxx.exe]
"AS00_Gear511"="C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe" [06-01-20 14:14 1122412]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [03-05-21 02:21 90112]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 C:\WINNT\system32\mobsync.exe]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINNT\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

S2 cpqdiag;Compaq Diagnostics Driver;C:\WINNT\system32\drivers\cpqdiag.sys [01-06-20 16:04 ]
S2 NMSSvc;Intel® NMS;C:\WINNT\system32\NMSSvc.exe [02-05-13 04:02 ]
S3 ati2mpab;ati2mpab;C:\WINNT\system32\DRIVERS\ati2mpab.sys [01-08-08 16:00 ]
S3 AWINDIS5;AWINDIS5 Protocol Driver;C:\WINNT\system32\AWINDIS5.SYS [02-04-11 17:43 ]
S3 maestro;ESS Maestro2E Audio Driver (WDM);C:\WINNT\system32\drivers\maestro.sys [02-02-07 16:27 ]
S3 MaestroMPU;ESS Maestro2E MPU401 Driver (WDM);C:\WINNT\system32\drivers\msmpu401.sys [99-09-25 06:35 ]
S3 NETGEAR_WG511_SERVICE;NETGEAR WG511T Wireless Adapter Service;C:\WINNT\system32\DRIVERS\wg511nd5.sys [05-07-25 16:48 ]
S3 NMSCFG;NIC Management Service Configuration Driver;C:\WINNT\system32\drivers\NMSCFG.SYS [02-05-13 04:02 ]
S3 XI800;Z-Com Wireless LAN Driver;C:\WINNT\system32\DRIVERS\XI800NDS.sys [02-01-04 22:58 ]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 09:10:36
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\winlogon.exe
-> C:\WINNT\system32\NavLogon.dll
.
Completion time: 2008-05-27 9:12:36
ComboFix-quarantined-files.txt 2008-05-27 13:12:31
ComboFix2.txt 2008-05-27 12:32:01

Pre-Run: 7,603,523,584 bytes free
Post-Run: 7,596,871,680 bytes free

123 --- E O F --- 2008-05-16 00:12:25

Deckard's System Scanner v20071014.68
Run by jlucia on 2008-05-27 09:36:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as jlucia.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:36, on 2008-05-27
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\WINNT\system32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
c:\ICA Client\ssonsvr.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\explorer.exe
C:\dss\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\jlucia.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = labor1.labor.state.vt.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = labor1.labor.state.vt.us
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = labor1.labor.state.vt.us
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\system32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

--
End of file - 3771 bytes

-- Files created between 2008-04-27 and 2008-05-27 -----------------------------

2008-05-27 09:25:35 68096 --a------ C:\WINNT\zip.exe
2008-05-27 09:25:35 161792 --a------ C:\WINNT\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-27 09:25:35 98816 --a------ C:\WINNT\sed.exe
2008-05-27 09:25:35 80412 --a------ C:\WINNT\grep.exe
2008-05-27 09:25:35 89504 --a------ C:\WINNT\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-27 09:25:34 49152 --a------ C:\WINNT\VFind.exe
2008-05-27 09:25:34 212480 --a------ C:\WINNT\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-27 09:25:34 136704 --a------ C:\WINNT\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-23 17:31:54 0 d-------- C:\dss
2008-05-23 17:23:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-23 17:23:39 0 d-------- C:\WINNT\system32\Kaspersky Lab
2008-05-23 17:09:12 0 d-------- C:\hjt
2008-05-20 21:35:30 0 d-------- C:\Program Files\Trend Micro
2008-05-19 19:52:08 0 d-------- C:\WINNT\ERUNT
2008-05-19 19:50:28 0 d-------- C:\Documents and Settings\jlucia.LUCIAJLAPT\Application Data\U3
2008-05-18 23:42:34 0 d-------- C:\Documents and Settings\jlucia.LUCIAJLAPT\Application Data\TmpRecentIcons
2008-05-18 07:42:57 0 d-------- C:\WINNT\Resources
2008-05-18 03:00:00 0 d-------- C:\Documents and Settings\jlucia.LABOR1\Application Data\TmpRecentIcons


-- Find3M Report ---------------------------------------------------------------

2008-05-18 09:09:06 0 d--h----- C:\Program Files\Trillian
2008-05-18 07:50:16 0 d-------- C:\Documents and Settings\jlucia.LABOR1\Application Data\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06-06-14 16:24 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06-08-14 18:46 ]
"AtiPTA"="Atiptaxx.exe" [01-07-05 14:53 C:\WINNT\system32\atiptaxx.exe]
"AS00_Gear511"="C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe" [06-01-20 14:14 ]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [03-05-21 02:21 ]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 C:\WINNT\system32\mobsync.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

*Newly Created Service* - PSEXESVC



-- End of Deckard's System Scanner: finished at 2008-05-27 09:36:58 ------------

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:09:55 AM

Posted 27 May 2008 - 08:49 AM

Hi,

Your logs are a bit confusing, because the second one shows malware-related entries in the Registry, but that could be because you enabled TeaTimer in between.

So I'm not sure here if the latest log from Deckard's System Scanner is really the latest log...

Anyway, * Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab
Select "Privacy Protection" and press the delete button on the right.
Hit ok below > apply in previous window.

Then, * Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Then, * Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Post a new HijackThis log in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
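As an added example (it is not code from this thread, from HijackThis or from Deckard's System Scanner), here is a small Python triage script that parses the R0/R1 and O9 item lines of a HijackThis log and flags the two kinds of entry miekiemoes asked to fix above: a Start Page pointing somewhere other than Internet Explorer's default Microsoft hosts, and an extra toolbar button or Tools menu item that loads a local .htm file. The sample log is constructed from lines on this page; the allow-list of default hosts and the .htm rule are this example's own assumptions, and a flagged entry is a prompt to check, not a verdict.

```python
"""Triage the R0/R1 and O9 lines of a HijackThis log.

Added example, not part of HijackThis or the thread. The allow-list of
default start/search-page hosts and the "local .htm target" rule are
assumptions made here for illustration.
"""
import re
from urllib.parse import urlparse

# Constructed sample: the three lines miekiemoes asked to fix, plus benign
# R1/O2 entries of the same shape taken from the later, clean log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
"""

# Hosts that Internet Explorer's own default Start/Search page values point at.
# Assumption of this example: any other host in an R0/R1 line deserves a look.
DEFAULT_HOSTS = {"go.microsoft.com", "www.microsoft.com", "home.microsoft.com"}

# Every HijackThis item line starts with a type code such as R0, O4, O23.
LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")


def parse_line(line: str):
    """Return (kind, body) for a HijackThis item line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    return (m.group("kind"), m.group("body")) if m else None


def triage(log_text: str):
    """Return a list of (kind, reason, line) for entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        kind, body = parsed
        if kind in ("R0", "R1") and " = " in body:
            # R-lines look like "<registry key>,<value name> = <url>".
            _key, url = body.split(" = ", 1)
            host = (urlparse(url.strip()).hostname or "").lower()
            if host and host not in DEFAULT_HOSTS:
                findings.append((kind, f"start/search page set to non-default host {host}", raw.strip()))
        elif kind == "O9":
            # O9 lines end with " - <target>", where target is a file or CLSID path.
            target = body.rsplit(" - ", 1)[-1].strip()
            if target.lower().endswith((".htm", ".html")):
                findings.append((kind, f"extra IE button/menu item loads local HTML file {target}", raw.strip()))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
```

Running it on the sample prints the R0 Start Page entry (host softwarereferral.com) and both O9 related.htm entries, and stays silent on the go.microsoft.com defaults and the Adobe BHO, which matches the three items checked for removal in the post.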

#7 elleren
  • Topic Starter
  • Members
  • 5 posts
  • Gender:Male
  • Location:vermont

Posted 27 May 2008 - 09:00 AM

Deckard's System Scanner v20071014.68
Run by jlucia on 2008-05-27 09:57:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as jlucia.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:57, on 2008-05-27
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\WINNT\system32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
c:\ICA Client\ssonsvr.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\explorer.exe
C:\dss\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\jlucia.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = labor1.labor.state.vt.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = labor1.labor.state.vt.us
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = labor1.labor.state.vt.us
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\system32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

--
End of file - 3425 bytes

-- Files created between 2008-04-27 and 2008-05-27 -----------------------------

2008-05-23 17:31:54 0 d-------- C:\dss
2008-05-23 17:23:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-23 17:23:39 0 d-------- C:\WINNT\system32\Kaspersky Lab
2008-05-23 17:09:12 0 d-------- C:\hjt
2008-05-20 21:35:30 0 d-------- C:\Program Files\Trend Micro
2008-05-19 19:52:08 0 d-------- C:\WINNT\ERUNT
2008-05-19 19:50:28 0 d-------- C:\Documents and Settings\jlucia.LUCIAJLAPT\Application Data\U3
2008-05-18 23:42:34 0 d-------- C:\Documents and Settings\jlucia.LUCIAJLAPT\Application Data\TmpRecentIcons
2008-05-18 07:42:57 0 d-------- C:\WINNT\Resources
2008-05-18 03:00:00 0 d-------- C:\Documents and Settings\jlucia.LABOR1\Application Data\TmpRecentIcons


-- Find3M Report ---------------------------------------------------------------

2008-05-18 09:09:06 0 d--h----- C:\Program Files\Trillian
2008-05-18 07:50:16 0 d-------- C:\Documents and Settings\jlucia.LABOR1\Application Data\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06-06-14 16:24 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06-08-14 18:46 ]
"AtiPTA"="Atiptaxx.exe" [01-07-05 14:53 C:\WINNT\system32\atiptaxx.exe]
"AS00_Gear511"="C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe" [06-01-20 14:14 ]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [03-05-21 02:21 ]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 C:\WINNT\system32\mobsync.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

*Newly Created Service* - PSEXESVC



-- End of Deckard's System Scanner: finished at 2008-05-27 09:57:55 ------------

#8 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 27 May 2008 - 09:15 AM

This looks OK again.

How are things now?

#9 elleren
  • Topic Starter
  • Members
  • 5 posts
  • Gender:Male
  • Location:vermont

Posted 27 May 2008 - 09:49 AM

It appears to be clean now; running Spybot again just for a double-check. Thanks very much for all your help. :thumbsup:
Now I'll upgrade Norton AntiVirus and enable TeaTimer and hopefully not have any more issues.

#10 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 27 May 2008 - 09:59 AM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#11 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 28 May 2008 - 10:51 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
