
A.doginhispen And Netmon.exe Infections


12 replies to this topic

#1 boomstick

boomstick

  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:36 AM

Posted 05 July 2008 - 10:13 AM

I made a huge mistake while browsing a long time ago. I had my browser (IE) locked down in terms of protections, so it was constantly asking me if I wanted to "allow software like ActiveX controls and plug-ins to run". Unfortunately I picked the worst time to get lazy and miss the "no" button while I was somewhere that I really didn't need to be in the first place....and a deluge of stuff started being downloaded onto my machine. I tried to kill the process as fast as I could, but the damage was done.

I have a doginhispen/whataboutadog infection (HJT shows them as being added as trusted zones) and a netmon.exe infection that worries me more. There may well be others too.

Hmmm....I forgot about this HJT entry, clearly rogue...but I don't know if it's part of the same trojan/worm/whatever as netmon.exe or an additional one:
C:\WINDOWS\dGhhZGxvYw\command.exe
You don't have to know too much about HJT logs to know that is not a good process. Also, those two processes (netmon.exe and command.exe) run continuously as system processes and can't be killed (at least not through the task manager.) More details keep coming to me it seems so I'm probably forgetting more, but I'm guessing that you already have a pretty good feel for what's going on on my machine.

I've run Deckard's System Scanner and I'll post the results.

I could find the manual removal instructions for a.doginhispen and possibly as well for netmon.exe, but I don't know what else there may be, and I don't know what automated removal tools there are that might be better choices...so it seemed like a good idea to consult experts on the subject of malware removal.

One more note: netmon I assume is allowing someone else - automated I would assume - access to my machine. I didn't realize this until one day I woke up and found SpyDefender Pro installed on it, and obviously I hadn't done this (or ever even heard of it, but it must be rogue if it's installed in this manner.) Then it dawned on me to check in event viewer and it appeared to show someone or something pretty continuously logging on and off my machine.

Oh, one further note: the bottom of the extra.txt log shows some master browser and IP address issues from a few days ago. This can be ignored I believe as it was the result of a problem with the free high speed access through my apartment complex. They somehow had a situation where (as they described it) someone hooked up a router incorrectly and it was giving out DHCP addresses rather than the server that should have been doing that, and so our access was in and out for a period.

I thank you in advance for your help!


main.txt:

Deckard's System Scanner v20071014.68
Run by thadloc on 2008-07-05 08:33:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-07-05 13:33:43 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as thadloc.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:37:03 AM, on 7/5/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\dGhhZGxvYw\command.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\bak\wltray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\thadloc\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\thadloc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://srqrah.t.rack.cc/hp.php (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\System32\wltray.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups
O4 - HKUS\S-1-5-21-598665437-4088190255-1608279117-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - Startup: Iomega Product Registration.lnk = C:\Program Files\Iomega\Registration\Register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: palstart.exe
O8 - Extra context menu item: + &Mass Downloader: download this file - C:\Program Files\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: + Mass Downloader: download &All files - C:\Program Files\Mass Downloader\Add_All.htm
O8 - Extra context menu item: Download using Download &Express - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra 'Tools' menuitem: &Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes12031.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes12031.dll
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.adultdvdmarketplace.com
O15 - Trusted Zone: http://www.allmovie.com
O15 - Trusted Zone: http://www.allmusic.com
O15 - Trusted Zone: *.allmusic.com
O15 - Trusted Zone: http://www.collegefootballnews.com
O15 - Trusted Zone: http://www.covers.com
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.foxsports.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125297656687
O16 - DPF: {7A7641DA-05B6-11D4-ACD7-0050DAB78810} (DSIDisplay.DisplayDoc) - http://tpd.ci.toledo.oh.us/CABS/DSIDisplay.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...317/mcfscan.cab
O18 - Filter hijack: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\System32\xeymi.dll
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\q068laju1do8.dll (file missing)
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\KUDCZ1.DLL (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dGhhZGxvYw\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Windows Overlay Components - Conexant Systems - (no file)
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 9044 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 iomdisk (Iomega Devices Disk Filter Services) - c:\windows\system32\drivers\iomdisk.sys <Not Verified; Iomega Corporation; Iomega Disk Filter Driver>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
R3 NMSCFG (NIC Management Service Configuration Driver) - c:\windows\system32\drivers\nmscfg.sys <Not Verified; Intel Corporation; Intel® NMSCFG Driver>

S3 bvrp_pci - c:\windows\system32\drivers\bvrp_pci.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 cmdService (Command Service) - c:\windows\dghhzgxvyw\command.exe
R2 Iomega App Services - "c:\progra~1\iomega\system32\appservices.exe" <Not Verified; Iomega Corporation; Iomega App Services>
R2 Network Monitor - c:\program files\network monitor\netmon.exe service
R2 NMSSvc (Intel® NMS) - c:\windows\system32\nmssvc.exe <Not Verified; Intel Corporation; NMS>

S2 Windows Overlay Components -
S4 Iomega Activity Disk2 - ""


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2002-02-12 00:54:33 412 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job


-- Files created between 2008-06-05 and 2008-07-05 -----------------------------

2008-07-04 07:15:50 0 d-------- C:\Program Files\Common Files\Nero
2008-07-04 07:12:59 106496 --a------ C:\WINDOWS\System32\TwnLib20.dll <Not Verified; Pegasus Software; TWNLIB20>
2008-07-04 07:12:55 471040 -----n--- C:\WINDOWS\System32\ImagXRA7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-07-04 07:12:55 262144 -----n--- C:\WINDOWS\System32\ImagXR7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-07-04 07:12:55 1568768 -----n--- C:\WINDOWS\System32\ImagX7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-07-04 07:12:53 155648 --a------ C:\WINDOWS\System32\NeroCheck.exe <Not Verified; Ahead Software Gmbh; Ahead Software Gmbh NeroCheck>
2008-07-04 07:12:48 0 d-------- C:\Program Files\Common Files\Ahead
2008-07-04 07:12:46 0 d-------- C:\Program Files\Ahead


-- Find3M Report ---------------------------------------------------------------

2008-07-04 07:15:50 0 d-------- C:\Program Files\Common Files
2008-06-26 16:57:27 15 --a------ C:\WINDOWS\E58C-4D46-3725-A1AF.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wltray.exe"="C:\WINDOWS\System32\wltray.exe" [10/03/2007 11:13 AM]
"TraySantaCruz"="C:\WINDOWS\SYSTEM32\tbctray.exe" [10/03/2007 11:13 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/03/2007 11:13 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/03/2007 11:13 AM]
"POINTER"="point32.exe" []
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [10/03/2007 11:13 AM]
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [10/03/2007 11:13 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [10/03/2007 11:13 AM]
"DellTouch"="C:\WINDOWS\MMKeybd.exe" [10/03/2007 11:13 AM]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [10/03/2007 11:13 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [10/03/2007 11:13 AM]
"SpyDefender Shield"="C:\Program Files\SpyDefender Pro\SpyDefender.exe" [10/09/2007 03:24 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [11/15/2004 04:18 PM]
"AIM"="C:\Program Files\AIM95\aim.exe" [07/20/2001 06:10 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"MPlayer2_FixUp"=C:\WINDOWS\inf\unregmp2.exe /Fixups

C:\Documents and Settings\thadloc\Start Menu\Programs\Startup\
DESKTOP.INI [9/20/2001 12:17:38 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\StillImage]
C:\WINDOWS\system32\q068laju1do8.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Syncmgr]
C:\WINDOWS\system32\KUDCZ1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

*Newly Created Service* - NMSCFG



-- End of Deckard's System Scanner: finished at 2008-07-05 09:05:25 ------------




extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 1.90GHz
Percentage of Memory in Use: 77%
Physical Memory (total/avail): 255.01 MiB / 57.37 MiB
Pagefile Memory (total/avail): 615.17 MiB / 427.43 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1930.91 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.52 GiB total, 25.97 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - MAXTOR 6L080L4 - 74.55 GiB - 2 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 74.52 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\thadloc\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=GANGSTAPC
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\thadloc
LOGONSERVER=\\GANGSTAPC
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adaptec Shared\System;C:\PROGRA~1\COMMON~1\MGISHA~1\Video;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 1 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0102
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\thadloc\LOCALS~1\Temp
TMP=C:\DOCUME~1\thadloc\LOCALS~1\Temp
USERDOMAIN=GANGSTAPC
USERNAME=thadloc
USERPROFILE=C:\Documents and Settings\thadloc
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
thadloc (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 4.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.dll"
Adobe Download Manager 2.0 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
All Video Joiner 1.5.5 --> "C:\Program Files\All Video Joiner\unins000.exe"
AOL Instant Messenger (SM) --> C:\Program Files\AIM95\uninstll.exe -LOG= C:\Program Files\AIM95\install.log -OEM=
AVS Video Converter 4.3.1.370 --> "C:\Program Files\AVSMedia\VideoConverter4\unins000.exe"
Belkin Wireless Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{80CD64AA-7406-4508-BFDF-2DFE7F1F8EF0}\setup.exe" -l0x9
Click 'N Burn CD & DVD --> "C:\Program Files\Click 'N Burn CD & DVD\unins000.exe"
Command --> wscript "C:\WINDOWS\dGhhZGxvYw\x311t3USsT.vbs"
Conexant HSF V92 56K RTAD Speakerphone PCI Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2016&SUBSYS_021913E0\SETUP.EXE -U -CMODEM -BPCI -IVEN_14F1&DEV_2016&SUBSYS_021913E0
Coupon Printer for Windows --> "C:\Program Files\Coupons\uninstall.exe" "/U:C:\Program Files\Coupons\Uninstall\uninstall.xml"
Dell Picture Studio - Image Expert 2000 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Sierra Imaging\Image Expert 2000\Uninst.isu" -c"C:\Program Files\Sierra Imaging\Image Expert 2000\uninstall.dll
Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
DellTouch --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{706D5382-7381-4680-9DD0-161832578252}\setup.exe"
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
Forethought --> C:\WINDOWS\System32\bez6n4r21.exe -iISTsDgvL
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel® PROSet II --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Intel\PROSet\PROUnins.isu" -c"C:\Program Files\Intel\PROSet\PROInst.DLL"
Internet Optimizer --> "C:\Program Files\Internet Optimizer\optimize.exe" /u
Iomega DVD Wizard --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C53CCE8A-8DEE-4E2C-8A4D-425F0FF70471}\Setup.exe" -l0x9
Iomega HotBurn Pro --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CCB1507A-AAEA-4778-AC4B-DD5EAB1A961E}\Setup.exe" -l0x9 UNINSTALL
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{54C0D94A-F467-4ABC-9D02-6E58748668D4} /l1033
Kaspersky Online Scanner --> C:\WINDOWS\System32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
MetaProducts Download Express --> C:\Program Files\Download Express\dep.exe /UnInstall
MetaProducts Mass Downloader --> C:\Program Files\Mass Downloader\massdown.exe /UnInstall
MGI VideoWave 4 --> MsiExec.exe /I{1CB63C5C-DA69-4793-BD35-43BDE2A86D43}
Microsoft Interactive Training --> C:\Program Files\MSPress\Training\lunins32_s.exe
Microsoft Money 2002 --> MsiExec.exe /I{E7298FD5-1386-11D5-8D6C-0050DAD32D95}
Microsoft Money 2002 System Pack --> MsiExec.exe /I{CF5193F7-6B37-11D5-B7D2-00AA00A204F1}
Microsoft Office Live Meeting --> C:\Program Files\Microsoft Office\Live Meeting\Quicksilver\quicksilver.exe -UALL
Microsoft Office XP Media Content --> MsiExec.exe /I{90300409-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Small Business --> MsiExec.exe /I{91130409-6000-11D3-8CFE-0050048383C9}
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\SETUP.EXE" ControlPanel
MusicMatch Jukebox --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MusicMatch\MusicMatch Jukebox\Uninst.isu" -cC:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.dll
Nero Suite --> C:\Program Files\Common Files\Nero\Uninstall\Setupx.exe /uninstall ExtraUninstallID=""
Network Monitor --> wscript "C:\WINDOWS\uninstall_nmon.vbs"
Norton AntiVirus 2002 --> MsiExec.exe /I{3075C5C3-0807-4924-AF8F-FF27052C12AE}
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvdd.inf
Outlook Express Q837009 --> C:\WINDOWS\oeuninst.exe C:\WINDOWS\INF\Q837009.inf
Paltalk Messenger --> "C:\WINDOWS\Paltalk Messenger\uninstall.exe" "/U:C:\Program Files\Paltalk Messenger\irunin.xml"
PCFriendly --> C:\Program Files\PCFriendly\inuninst.exe
PhoneTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E3436EE2-D5CB-4249-840B-3A0140CC34C1}\setup.exe" ControlPanel
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Quicklinks --> "C:\WINDOWS\System32\iqqr.exe" -gDGy
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} /l1033
RealOne Player --> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
Santa Cruz --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A4D58580-EA01-11D3-9318-008048B86EFE}\setup.exe"
SBC Yahoo! DSL Activation --> C:\PROGRA~1\Yahoo!\common\undsldlk.exe
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Shockwave --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log
SpyDefender Pro --> "C:\Program Files\SpyDefender Pro\unins000.exe"
TSA --> C:\WINDOWS\System32\tsuninst.exe /u
UltimateBet --> C:\PROGRA~1\ULTIMA~1\UNWISE.EXE C:\PROGRA~1\ULTIMA~1\INSTALL.LOG
UltimateBuddy --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C126F988-02D0-11D7-856C-008048B58084}\setup.exe" -l0x9
Windows Overlay Components --> C:\WINDOWS\offun.exe
Windows XP Service Pack 1a --> C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Messenger Explorer Bar --> C:\WINDOWS\System32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\MESSEN~1\YHEXBM~1.DLL


-- Application Event Log -------------------------------------------------------

No Errors/Warnings found.


-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type16498 / Error
Event Submitted/Written: 07/02/2008 00:36:12 AM
Event ID/Source: 7 / Cdrom
Event Description:
The device, \Device\CdRom0, has a bad block.

Event Record #/Type16497 / Error
Event Submitted/Written: 06/30/2008 09:44:14 PM
Event ID/Source: 4321 / NetBT
Event Description:
The name "MSHOME :1d" could not be registered on the Interface with IP address 66.242.44.80.
The machine with the IP address 66.242.44.103 did not allow the name to be claimed by
this machine.

Event Record #/Type16496 / Warning
Event Submitted/Written: 06/30/2008 09:42:22 PM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\AMR on the network \Device\NetBT_Tcpip_{603B959C-E506-49E9-8FE0-005572EA69E3}.
The data is the error code.

Event Record #/Type16495 / Error
Event Submitted/Written: 06/30/2008 09:23:05 PM
Event ID/Source: 8003 / MRxSmb
Event Description:
The master browser has received a server announcement from the computer AMR
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{603B959C-E506-49E9-8FE0.
The master browser is stopping or an election is being forced.

Event Record #/Type16494 / Warning
Event Submitted/Written: 06/27/2008 06:36:15 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.



-- End of Deckard's System Scanner: finished at 2008-07-05 09:05:25 ------------
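The HijackThis entries in the log above are the kind of thing a responder scans by eye: services with no publisher, Winlogon Notify entries pointing at DLLs that are no longer on disk, a text/html filter hijack, an obfuscated home-page override, and sites added to the IE Trusted Zone. The script below is an added example, not part of this thread and not a BleepingComputer or HijackThis tool, that encodes those eyeball checks as a small triage pass in Python. It assumes HJT's " - " separated line format (a simplification) and uses a handful of lines copied from the log above as its sample input. One heuristic is mine and worth explaining: the odd directory C:\WINDOWS\dGhhZGxvYw is the base64 encoding of the account the scan was run under (dGhhZGxvYw== decodes to thadloc), so the script flags service binaries that live in a directory whose name decodes as base64 to printable text. That check and the severity scale are my own choices, not anything HJT reports.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Optional

# Sample HijackThis lines, a constructed subset copied from the log posted in this thread.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://srqrah.t.rack.cc/hp.php (obfuscated)",
    r"O15 - Trusted Zone: *.doginhispen.com",
    r"O15 - Trusted Zone: *.whataboutadog.com",
    r"O18 - Filter hijack: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\System32\xeymi.dll",
    r"O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\q068laju1do8.dll (file missing)",
    r"O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dGhhZGxvYw\command.exe",
    r"O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe",
    r"O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe",
    r"O23 - Service: Windows Overlay Components - Conexant Systems - (no file)",
]


@dataclass
class Finding:
    line: str
    severity: str   # "high", "medium" or "low": my own triage scale, not an HJT concept
    reason: str


def decode_base64_name(name: str) -> Optional[str]:
    """Return the decoded text if `name` is unpadded base64 of printable ASCII, else None.

    Heuristic (my assumption): a directory under C:\\WINDOWS whose name decodes cleanly,
    like dGhhZGxvYw -> thadloc, was generated rather than chosen by a vendor.
    """
    if not re.fullmatch(r"[A-Za-z0-9+/]{8,}", name):
        return None
    padded = name + "=" * (-len(name) % 4)      # restore the padding the name dropped
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def triage_hjt(lines):
    """Apply simple responder heuristics to HijackThis lines and return the flagged ones."""
    findings = []
    for raw_line in lines:
        line = raw_line.strip()
        if not line:
            continue
        parts = line.split(" - ")       # HJT separates the fields of an entry with " - "
        kind = parts[0]
        if kind == "O15":
            findings.append(Finding(line, "medium",
                "site added to the IE Trusted Zone; it runs with relaxed security settings"))
        elif kind == "O18" and "hijack" in line.lower():
            findings.append(Finding(line, "high",
                "MIME filter hijack: a DLL is registered to intercept every text/html response"))
        elif kind == "O20" and line.endswith("(file missing)"):
            findings.append(Finding(line, "medium",
                "Winlogon Notify entry whose DLL is gone; an orphaned loader entry"))
        elif kind == "R1" and line.endswith("(obfuscated)"):
            findings.append(Finding(line, "high", "obfuscated IE home-page override"))
        elif kind == "O23" and len(parts) >= 4:
            owner, path = parts[2], parts[3]
            if path == "(no file)":
                findings.append(Finding(line, "low", "service entry with no binary on disk"))
            elif owner == "Unknown owner":
                # Look at every directory component of the binary's path, not the file name.
                hits = [(d, decode_base64_name(d)) for d in path.split("\\")[:-1]]
                hits = [(d, t) for d, t in hits if t]
                if hits:
                    d, t = hits[0]
                    findings.append(Finding(line, "high",
                        f"service with no publisher runs from base64-named directory {d} (decodes to {t!r})"))
                else:
                    findings.append(Finding(line, "low",
                        "service with no publisher information; verify the binary"))
    return findings


def severity_counts(findings):
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage_hjt(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(severity_counts(results))
```

Run against the sample, the script flags the obfuscated R1 entry, the O18 filter hijack and the cmdService line as high, the two Trusted Zone additions and the orphaned Winlogon Notify entry as medium, and the two publisher-less service entries as low, while leaving the Norton service and the NAV Agent Run key alone. A low finding is a prompt to verify the binary, not a verdict; the Network Monitor service here was eventually confirmed as the infection from other evidence in the thread, not from this heuristic.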


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:02:36 PM

Posted 08 July 2008 - 04:13 AM

Hello, my name is fenzodahl512 and welcome to BC.. Please do the following....


Please go to Start > Control Panel > Add or Remove Programs and remove the following (if present):

Adobe Acrobat 4.0
Coupon Printer for Windows
Forethought
SpyDefender Pro
TSA
UltimateBuddy





NEXT


Please visit below webpage for instructions for downloading and running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. DO NOT select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix (located in C:\combofix.txt) when you've accomplished that, along with a new HijackThis log.



Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 boomstick

boomstick
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:36 AM

Posted 08 July 2008 - 12:11 PM

Hello fenzodahl512! Thank you so much for taking my thread. With no way of knowing how far behind you guys were (and being a bit scared by the "if you have no response in 5 days" thread, though I understand why it's there)...I was researching and considering accepting the risk (starting over with a fresh install of windows) associated with moving forward on my own. I had determined that others with identical infections to mine (netmon.exe and the specific type of command.exe that I had, primarily) had used ComboFix and SDFix to at least be the first steps in cleaning the machine. But I would have had to continue researching every step of the way and I still wouldn't have any of the experience that you guys have to draw on, so this is a far better solution and I am truly grateful to you for providing me that option.

Over the last few days I did some minor stuff in preparation...like updating my Java. I wanted to get rid of the old one in case it was a security risk even with a newer one in place (that was implied in some of the stuff I read though I'm not sure it's accurate), and I thought using the Microsoft uninstaller would have been the better option than following the manual uninstall instructions. That turned out not to be the case as I happened to fit a special case: it appears that running Microsoft's own tool for removing their Java VM will actually break the Sun Java VM's "applet" tag processing under the conditions on my machine....I believe that's what I read. So I had to go and find the solution to that, which fortunately was out there to be found: uninstall the new Sun JRE, delete a registry key so it will be recreated properly on the Sun JRE install, and reinstall it again. That worked.

Not sure why I felt the need to relay that except I suppose to make the point that doing this on your own where you have to figure everything out for yourself is really doing things the hard way (and I join everyone else in discouraging people from trying it.)



Uninstalling Programs

I removed 4 of the 6. Forethought gave the message it gives when it believes it's already been uninstalled: "An error occurred while trying to remove Forethought. It may have already been uninstalled. Would you like to remove Forethought from the Add or remove programs list?" I said "no" at that point out of curiosity as to whether ComboFix would remove it (it did), figuring that saying yes to that would only remove it from the list and not really do anything, if anything was left to be removed. I'm not sure whether it truly was gone before that or not, but I believe I removed it a few months or more back.

The last one of the 6 was UltimateBuddy. This is a companion program to UltimateBet (the site on which I play poker) that is used to locate other players and tell which table they are on. I saw that it is classified as malware on bleepingcomputer. Personally I believe this not to be true; it's been on my machine since 2004 when I installed it and I don't think there's any malware related to it, and it itself clearly is not malware. All that being said, if you are truly insistent that I remove it, I can do so and reinstall it after we're done (as I'll use it again.)


ComboFix

I read the guide and followed it to a "t" as they say....but the one issue I had was with disabling Norton Antivirus. I disabled the auto-protect, and set it to not reset on reboot. So far so good. But my older version of the software had different options than the one in the tutorial, and I should have also disabled the anti-scripting portion, which I did not do. So unfortunately that was attempting to interfere with ComboFix while it was running. My instinct is to run ComboFix again, without the anti-scripting interference, but since I have an advisor now I'll defer to you and let you make the call there. It clearly got rid of the worst of the stuff I had, as netmon.exe and command.exe are gone, and that was all but impossible to do manually as they were set up as system processes that I could not end through task manager and recreated registry entries and such. So it clearly had a huge impact, but I can't tell whether the anti-scripting affected its function or not.


Again, thank you so much for your help in guiding me through this. I'm sure there's more to do and I'll be ready when you are able to get back to me. I see a bunch of junk in the HJT log but again I'll defer as you will spot more than I will.



ComboFix 08-07-05.1 - thadloc 2008-07-08 11:23:12.1 - NTFSx86
Running from: C:\Documents and Settings\thadloc\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\thadloc\Application Data\Sskknwrd.dll
C:\Documents and Settings\thadloc\Local Settings\Temporary Internet Files\Ssk.log
C:\Program Files\internet optimizer
C:\Program Files\internet optimizer\optimize.exe
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1191428470.old
C:\Program Files\WinBudget\bin\crap.1192760607.old
C:\Program Files\WinBudget\bin\crap.1193983130.old
C:\Program Files\WinBudget\bin\crap.1194675240.old
C:\Program Files\WinBudget\bin\crap.1195288450.old
C:\Program Files\WinBudget\bin\crap.1195970199.old
C:\Program Files\WinBudget\bin\crap.1197912238.old
C:\Program Files\WinBudget\bin\crap.1198517488.old
C:\Program Files\WinBudget\bin\crap.1199252983.old
C:\Program Files\WinBudget\bin\crap.1199859858.old
C:\Program Files\WinBudget\bin\crap.1200470180.old
C:\Program Files\WinBudget\bin\crap.1201084603.old
C:\Program Files\WinBudget\bin\crap.1201344709.old
C:\Program Files\WinBudget\bin\matrix.dat
C:\Program Files\WinBudget\bin\matrix.dll
C:\Program Files\WinBudget\bin\matrix.dll.1192760607.old
C:\Program Files\WinBudget\bin\matrix.dll.1193983128.old
C:\Program Files\WinBudget\bin\matrix.dll.1194675239.old
C:\Program Files\WinBudget\bin\matrix.dll.1195288449.old
C:\Program Files\WinBudget\bin\matrix.dll.1195970198.old
C:\Program Files\WinBudget\bin\matrix.dll.1199252982.old
C:\Program Files\WinBudget\bin\matrix.dll.1201344708.old
C:\Program Files\WinBudget\bin\matrix.dll.1202040448.old
C:\Program Files\WinBudget\bin\tempzor
C:\WINDOWS\dGhhZGxvYw\
C:\WINDOWS\dGhhZGxvYw\\asappsrv.dll
C:\WINDOWS\dGhhZGxvYw\\command.exe
C:\WINDOWS\dGhhZGxvYw\\x311t3USsT.vbs
C:\WINDOWS\dGhhZGxvYw\command.exe
C:\WINDOWS\keyboard1.dat
C:\WINDOWS\njpnaibA.exe
C:\WINDOWS\offun.exe
C:\WINDOWS\sysc00.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\teller2.chk
C:\WINDOWS\uni_eh.exe
C:\WINDOWS\unin101.exe
C:\WINDOWS\uninst2.htm
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\unist1.htm

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Legacy_WINDOWS_OVERLAY_COMPONENTS
-------\Service_cmdService
-------\Service_Network Monitor
-------\Service_Windows Overlay Components


((((((((((((((((((((((((( Files Created from 2008-06-08 to 2008-07-08 )))))))))))))))))))))))))))))))
.

2008-07-08 11:28 . 2008-07-08 11:36 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\NetMon
2008-07-07 10:59 . 2008-07-07 10:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-07 10:59 . 2008-07-07 10:59 <DIR> d-------- C:\Documents and Settings\thadloc\Application Data\Malwarebytes
2008-07-07 10:59 . 2008-07-07 10:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-07 10:59 . 2008-06-28 14:16 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-07-07 10:59 . 2008-06-28 14:16 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-07-06 00:12 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-07-06 00:11 . 2008-07-06 00:12 <DIR> d-------- C:\Program Files\Java
2008-07-06 00:11 . 2008-07-06 00:11 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-05 22:32 . 2008-07-05 22:32 <DIR> d-------- C:\WINDOWS\Sun
2008-07-05 20:53 . 2008-07-07 09:49 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-07-05 08:21 . 2008-07-05 08:21 <DIR> d-------- C:\Deckard
2008-07-05 07:59 . 2008-07-08 09:20 4,195,989 --a------ C:\WINDOWS\pfirewall.log.old
2008-07-04 07:15 . 2008-07-04 07:15 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-07-04 07:13 . 2004-03-02 16:37 125,184 --------- C:\WINDOWS\SYSTEM32\DRIVERS\imagesrv.sys
2008-07-04 07:13 . 2004-03-02 16:37 5,504 --------- C:\WINDOWS\SYSTEM32\DRIVERS\imagedrv.sys
2008-07-04 07:12 . 2008-07-04 07:12 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-07-04 07:12 . 2008-07-04 07:13 <DIR> d-------- C:\Program Files\Ahead
2008-07-04 07:12 . 2004-07-26 16:16 1,568,768 --------- C:\WINDOWS\SYSTEM32\ImagX7.dll
2008-07-04 07:12 . 2004-07-26 16:16 476,320 --------- C:\WINDOWS\SYSTEM32\ImagXpr7.dll
2008-07-04 07:12 . 2004-07-26 16:16 471,040 --------- C:\WINDOWS\SYSTEM32\ImagXRA7.dll
2008-07-04 07:12 . 2004-07-26 16:16 262,144 --------- C:\WINDOWS\SYSTEM32\ImagXR7.dll
2008-07-04 07:12 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\SYSTEM32\NeroCheck.exe
2008-07-04 07:12 . 2000-06-26 10:45 106,496 --a------ C:\WINDOWS\SYSTEM32\TwnLib20.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-08 15:49 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-08 15:37 --------- d-----w C:\Program Files\Coupons
2006-06-07 17:55 3,753 ----a-w C:\Program Files\html2.htm
2006-06-07 17:55 3,626 ----a-w C:\Program Files\html1.htm
2002-03-07 04:43 67,552 ----a-w C:\Documents and Settings\thadloc\Application Data\GDIPFONTCACHEV1.DAT
1989-12-12 15:10 666,240 --sh--r C:\WINDOWS\njpnaib.exe
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 655,360 2001-09-04 21:31:50 C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\bak\DirectCD.exe
----a-w 28,176 2007-10-03 16:13:31 C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

----a-w 151,597 2003-10-05 22:16:17 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 28,176 2007-10-03 16:13:31 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

----a-w 278,528 2006-06-14 21:24:14 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 28,176 2007-10-03 16:13:31 C:\Program Files\iTunes\iTunesHelper.exe

----a-w 241,714 2001-07-25 16:00:00 C:\Program Files\Microsoft Money\System\bak\Activation.exe
----a-w 28,176 2007-10-03 16:13:31 C:\Program Files\Microsoft Money\System\Activation.exe

----a-w 74,832 2001-08-16 23:52:42 C:\Program Files\Norton AntiVirus\bak\navapw32.exe
----a-w 28,176 2007-10-03 16:13:31 C:\Program Files\Norton AntiVirus\navapw32.exe

----a-w 77,824 2006-07-23 09:49:42 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 28,176 2007-10-03 16:13:31 C:\Program Files\QuickTime\qttask.exe

----a-w 3,096,576 2005-12-08 18:55:10 C:\Program Files\Yahoo!\Messenger\bak\ypager.exe
----a-w 28,176 2007-10-03 16:13:31 C:\Program Files\Yahoo!\Messenger\ypager.exe

----a-w 163,840 2001-09-05 19:28:40 C:\WINDOWS\bak\MMKeybd.exe
----a-w 28,176 2007-10-03 16:13:31 C:\WINDOWS\MMKeybd.exe

----a-w 145,408 2002-08-29 10:41:26 C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\bak\MSConfig.exe
----a-w 145,408 2002-08-29 10:41:26 C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe

----a-w 13,312 2002-08-29 10:41:22 C:\WINDOWS\SYSTEM32\bak\ctfmon.exe
----a-w 13,312 2002-08-29 10:41:22 C:\WINDOWS\SYSTEM32\ctfmon.exe

----a-w 307,200 2001-08-29 22:17:40 C:\WINDOWS\SYSTEM32\bak\tbctray.exe
----a-w 28,176 2007-10-03 16:13:31 C:\WINDOWS\SYSTEM32\tbctray.exe

----a-w 778,318 2005-06-08 22:32:42 C:\WINDOWS\SYSTEM32\bak\wltray.exe
----a-w 28,176 2007-10-03 16:13:31 C:\WINDOWS\SYSTEM32\wltray.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2007-10-03 11:13 28176]
"SpyDefender Shield"="C:\Program Files\SpyDefender Pro\SpyDefender.exe" [N/A]
"AIM"="C:\Program Files\AIM95\aim.exe" [2001-07-20 06:10 53248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wltray.exe"="C:\WINDOWS\System32\wltray.exe" [2007-10-03 11:13 28176]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-03 11:13 28176]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-03 11:13 28176]
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2007-10-03 11:13 28176]
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [2007-10-03 11:13 28176]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-10-03 11:13 28176]
"DellTouch"="C:\WINDOWS\MMKeybd.exe" [2007-10-03 11:13 28176]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2007-10-03 11:13 28176]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"POINTER"="point32.exe" [N/A]

C:\Documents and Settings\thadloc\Start Menu\Programs\Startup\
Iomega Product Registration.lnk - C:\Program Files\Iomega\Registration\Register.exe [2004-02-12 13:26:03 16175104]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Camio Viewer 2000.lnk - C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe [2001-12-21 20:24:02 49152]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
palstart.exe [2006-05-17 16:51:43 30720]

R0 hpt3xx;hpt3xx;C:\WINDOWS\System32\DRIVERS\hpt3xx.sys [2001-08-17 14:52]
R3 Msikbd2k;DellTouch;C:\WINDOWS\System32\DRIVERS\msikbd2k.sys [2000-10-03 16:18]
R3 tbcspud;Santa Cruz Driver;C:\WINDOWS\System32\drivers\tbcspud.sys [2001-08-29 17:19]
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINDOWS\System32\drivers\tbcwdm.sys [2001-08-29 17:19]

.
Contents of the 'Scheduled Tasks' folder
"2002-02-12 05:54:33 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{4D5C8C2A-D075-11D0-B416-00C04FB90376} - %SystemRoot%\System32\browseui.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-08 11:36:39
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\wltrysvc.exe
C:\WINDOWS\SYSTEM32\bcmwltry.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
C:\WINDOWS\SYSTEM32\NMSSVC.EXE
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
.
**************************************************************************
.
Completion time: 2008-07-08 12:20:24 - machine was rebooted [thadloc]
ComboFix-quarantined-files.txt 2008-07-08 17:20:20

Pre-Run: 27,241,959,424 bytes free
Post-Run: 27,801,157,632 bytes free

199





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:12:42 PM, on 7/8/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://srqrah.t.rack.cc/hp.php (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\System32\wltray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Startup: Iomega Product Registration.lnk = C:\Program Files\Iomega\Registration\Register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: palstart.exe
O8 - Extra context menu item: + &Mass Downloader: download this file - C:\Program Files\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: + Mass Downloader: download &All files - C:\Program Files\Mass Downloader\Add_All.htm
O8 - Extra context menu item: Download using Download &Express - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra 'Tools' menuitem: &Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes12031.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes12031.dll
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.adultdvdmarketplace.com
O15 - Trusted Zone: http://www.allmovie.com
O15 - Trusted Zone: http://www.allmusic.com
O15 - Trusted Zone: *.allmusic.com
O15 - Trusted Zone: http://www.collegefootballnews.com
O15 - Trusted Zone: http://www.covers.com
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.foxsports.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125297656687
O16 - DPF: {7A7641DA-05B6-11D4-ACD7-0050DAB78810} (DSIDisplay.DisplayDoc) - http://tpd.ci.toledo.oh.us/CABS/DSIDisplay.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...317/mcfscan.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 8528 bytes
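One pattern in the ComboFix log above is worth recognising on its own, independent of the tool: in the "Reg Loading Points" section almost every HKLM and HKCU Run entry resolves to a file of exactly 28176 bytes written at 2007-10-03 11:13, even though they belong to unrelated vendors (Yahoo!, Real, QuickTime, Norton, Dell, Adaptec), and the section ComboFix labels AWF lists the displaced originals in a sibling bak\ folder next to each one. The script below is an added example, not ComboFix or HijackThis code and not something posted in this thread: it parses Run-key lines in the ComboFix format, groups them by (timestamp, size), reports any group of three or more unrelated targets as suspicious clones, lists entries whose target could not be resolved ([N/A]), and computes where the displaced original would sit in a bak\ folder so a responder can compare the two files. The sample lines are copied from the log above; the threshold of three and the function names are my choices.

```python
import ntpath
import re
from collections import defaultdict

# Sample lines taken from the "Reg Loading Points" section of the ComboFix
# log above (format: "Name"="path" [YYYY-MM-DD HH:MM size] or [N/A]).
SAMPLE_RUN_ENTRIES = r'''
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2007-10-03 11:13 28176]
"SpyDefender Shield"="C:\Program Files\SpyDefender Pro\SpyDefender.exe" [N/A]
"AIM"="C:\Program Files\AIM95\aim.exe" [2001-07-20 06:10 53248]
"wltray.exe"="C:\WINDOWS\System32\wltray.exe" [2007-10-03 11:13 28176]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-03 11:13 28176]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-03 11:13 28176]
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2007-10-03 11:13 28176]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"POINTER"="point32.exe" [N/A]
'''

# "Name"="path" [meta]  -- meta is either "date time size" or "N/A"
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)" \[(?P<meta>[^\]]*)\]\s*$')


def parse_run_entries(text):
    """Parse ComboFix Run-key lines into dicts; size/stamp are None for [N/A]."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, registry key names
        meta = m.group("meta").split()
        if len(meta) == 3:
            stamp, size = f"{meta[0]} {meta[1]}", int(meta[2])
        else:
            stamp, size = None, None  # target missing or not resolvable
        entries.append({"name": m.group("name"), "path": m.group("path"),
                        "stamp": stamp, "size": size})
    return entries


def find_clone_groups(entries, min_members=3):
    """Group Run targets by (timestamp, size).

    Legitimate autostart binaries from different vendors almost never share
    one exact size and write time; a large group is the hallmark of a loader
    that overwrote every startup executable with the same stub, which is
    what the AWF section of the log above documents.
    """
    groups = defaultdict(list)
    for e in entries:
        if e["size"] is not None:
            groups[(e["stamp"], e["size"])].append(e["path"])
    return {k: v for k, v in groups.items() if len(v) >= min_members}


def missing_targets(entries):
    """Names of Run entries whose target file could not be resolved ([N/A])."""
    return [e["name"] for e in entries if e["size"] is None]


def bak_sibling(path):
    """Path where ComboFix's AWF section shows the displaced original:
    <dir>\bak\<file>. Uses ntpath so it works on any host OS."""
    return ntpath.join(ntpath.dirname(path), "bak", ntpath.basename(path))


def triage_report(text):
    """Human-readable summary; returns the lines instead of printing them."""
    entries = parse_run_entries(text)
    lines = []
    for (stamp, size), paths in find_clone_groups(entries).items():
        lines.append(f"{len(paths)} Run targets share size {size} and time {stamp}:")
        for p in paths:
            lines.append(f"  {p}  (compare with {bak_sibling(p)})")
    for name in missing_targets(entries):
        lines.append(f"unresolved Run entry: {name}")
    return lines


if __name__ == "__main__":
    print("\n".join(triage_report(SAMPLE_RUN_ENTRIES)))
```

On the sample above this reports a single group of five targets with size 28176 and time 2007-10-03 11:13, each paired with its bak\ twin, plus the two unresolved entries (SpyDefender Shield and POINTER). The same grouping works on a live system if you feed it sizes and write times collected from the Run keys directly; what makes it a useful check is the comparison across vendors, not any particular size.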

#4 boomstick

boomstick
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:36 AM

Posted 08 July 2008 - 12:16 PM

Oh yeah...part of the reason that I updated my Java in the first place was so I could run a Kaspersky web scan, which I did. So if that is of any use to you (it's from before you started helping me and before ComboFix was run), it's available, and of course I can run another at any time if you need. Whatever you say, sir (or ma'am).

#5 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:02:36 PM

Posted 08 July 2008 - 02:27 PM

Wow.. Most users just give logs without any comments but you gave everything in detail!.. Thank you so much.. Very much appreciated :thumbsup:


Now let's do the following....



Please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below.

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://srqrah.t.rack.cc/hp.php (obfuscated)
O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
O15 - Trusted Zone: *.allmusic.com
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.foxsports.com
O15 - Trusted Zone: *.whataboutadog.com


Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.




NEXT


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\WINDOWS\njpnaib.exe
C:\Program Files\html2.htm
C:\Program Files\html1.htm
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe

Folder::
C:\Program Files\Coupons
C:\Program Files\SpyDefender Pro

AWF::
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\bak\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
C:\Program Files\iTunes\bak\iTunesHelper.exe
C:\Program Files\Microsoft Money\System\bak\Activation.exe
C:\Program Files\Norton AntiVirus\bak\navapw32.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Yahoo!\Messenger\bak\ypager.exe
C:\WINDOWS\bak\MMKeybd.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\bak\MSConfig.exe
C:\WINDOWS\SYSTEM32\bak\ctfmon.exe
C:\WINDOWS\SYSTEM32\bak\tbctray.exe
C:\WINDOWS\SYSTEM32\bak\wltray.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyDefender Shield"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Posted Image: animation showing CFScript.txt being dragged onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Regards
fenzodahl512



#6 boomstick

boomstick
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:36 AM

Posted 08 July 2008 - 05:14 PM

Ah yes! My machine's getting closer and closer to its old self with each step we take.

I had noticed quite a while ago that there was no Norton Antivirus icon in the system tray. I didn't think I'd disabled that; I didn't even think it was possible to do so...so I assumed that some of the malware on my machine was blocking it. That appears to have been the case because it is back now, as was the Yahoo Messenger icon there as well....but the Yahoo one was only there after the reboot while ComboFix was running - once ComboFix was done and it made the desktop disappear and then come back again, I don't see that one anymore. But I'm not too worried about that at the moment....things are definitely getting closer to right again. By the way, ComboFix ran for quite a while after the reboot - probably 10 minutes after the reboot easily. It ran for longer after the reboot than before it. Obviously it's working during that time, and the stuff that's autostarting while it's trying to work probably slows it down, but I just thought I'd add that bit of info in case it's relevant. Hmmm, the Dell programmable key icon is back in the system tray too - and like the others it's the first time I've seen it in ages. (Btw, if anyone reads this later on, I'm not a total moron...those icons aren't and weren't just off-screen due to the hiding feature (it's turned off) or due to needing to click the arrow to expand the system tray; they just weren't in the tray at all, or at least they were not showing there at all.)



>>Wow.. Most users just give logs without any comments but you gave everything in detail!.. Thank you so much.. Very much appreciated :thumbsup:
You are more than welcome. I actually thought I might be giving too much info and that it might be a pain for you to go through it all (guess I'm used to people having short attention spans all too often.)

Basically I figure if it were me in your shoes, I'd want all the detail that I could get. I don't necessarily know which details might help you, but I figure if I give you a lot of detail then I may give you some that's useful. Plus it's just in my nature....to me, the details are important.



OK...back to executing your plan: everything went smoothly this time. I remembered to go into Norton Antivirus and disable the anti-scripting function before I started ComboFix....so hopefully that helped. (The first time I ran it earlier it was producing popups about blocking scripts from ComboFix - I was going to click enable on the first one but ComboFix actually made the dialog disappear faster than I could get to it. Then after reboot it popped up another window saying it was blocking another script, and I just let that one go since it seemed to kill the first one. This one did hang the ComboFix process (I let it run forever - like 30 minutes - to be sure) until I made that window go away.)

Another thought: for a long time now (I'm using that phrase too much, as it illustrates that I put off going through this process to clean my machine up), there's been a rather disturbing (to me anyway) behavior taking place: every time I reboot the machine, something starts an IE process (iexplore.exe) and seems to try to communicate or transmit data over the web that way. The process only shows in task manager; there is no visible window for it. It lasts for what feels like a good 10 minutes....it's at least a full five minutes and I would bet more than that....and the networking tab seems to show it trying to pass and/or receive data. Well, that part is my interpretation of it and could well be completely wrong (about the passing data), but whatever it's doing it's doing it pretty stealthily and I don't have any rational explanation of it other than malware. That behavior is still there as of now, unfortunately.

And one more bit of info: this one seems to have gotten worse lately and it is doing so currently. Whenever I try to drag something - be it a file across the desktop or a section of text or to resize or move a window, there seems to be something that interrupts that process. It's like something has its hooks so deeply into the operating system that when it constantly interrupts like that it makes the mouse in effect interrupt too. When I held the mouse button down to drag CFScript.txt onto the ComboFix icon, I had to do it like 3 or 4 times because I'd only make it part of the way each time. This behavior seems to come and go....but it's been particularly bad today it seems (and worse lately without question than it was before.) That's another behavior that makes me really nervous....but each scan of ComboFix seems to bring out more normalcy in the machine, so hopefully one of these scans (or another fix of some sort) will take care of that.

Thanks again for your help, fenzodahl512.


ComboFix 08-07-05.1 - thadloc 2008-07-08 16:56:23.2 - NTFSx86
Running from: C:\Documents and Settings\thadloc\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\thadloc\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe
C:\Program Files\html1.htm
C:\Program Files\html2.htm
C:\WINDOWS\njpnaib.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\Coupons
C:\Program Files\Coupons\uninstall.exe
C:\Program Files\html1.htm
C:\Program Files\html2.htm
C:\WINDOWS\njpnaib.exe

.
((((((((((((((((((((((((( Files Created from 2008-06-08 to 2008-07-08 )))))))))))))))))))))))))))))))
.

2008-07-07 10:59 . 2008-07-07 10:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-07 10:59 . 2008-07-07 10:59 <DIR> d-------- C:\Documents and Settings\thadloc\Application Data\Malwarebytes
2008-07-07 10:59 . 2008-07-07 10:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-07 10:59 . 2008-06-28 14:16 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-07-07 10:59 . 2008-06-28 14:16 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-07-06 00:12 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-07-06 00:11 . 2008-07-06 00:12 <DIR> d-------- C:\Program Files\Java
2008-07-06 00:11 . 2008-07-06 00:11 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-05 22:32 . 2008-07-05 22:32 <DIR> d-------- C:\WINDOWS\Sun
2008-07-05 20:53 . 2008-07-08 15:30 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-07-05 08:21 . 2008-07-05 08:21 <DIR> d-------- C:\Deckard
2008-07-05 07:59 . 2008-07-08 09:20 4,195,989 --a------ C:\WINDOWS\pfirewall.log.old
2008-07-04 07:15 . 2008-07-04 07:15 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-07-04 07:13 . 2004-03-02 16:37 125,184 --------- C:\WINDOWS\SYSTEM32\DRIVERS\imagesrv.sys
2008-07-04 07:13 . 2004-03-02 16:37 5,504 --------- C:\WINDOWS\SYSTEM32\DRIVERS\imagedrv.sys
2008-07-04 07:12 . 2008-07-04 07:12 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-07-04 07:12 . 2008-07-04 07:13 <DIR> d-------- C:\Program Files\Ahead
2008-07-04 07:12 . 2004-07-26 16:16 1,568,768 --------- C:\WINDOWS\SYSTEM32\ImagX7.dll
2008-07-04 07:12 . 2004-07-26 16:16 476,320 --------- C:\WINDOWS\SYSTEM32\ImagXpr7.dll
2008-07-04 07:12 . 2004-07-26 16:16 471,040 --------- C:\WINDOWS\SYSTEM32\ImagXRA7.dll
2008-07-04 07:12 . 2004-07-26 16:16 262,144 --------- C:\WINDOWS\SYSTEM32\ImagXR7.dll
2008-07-04 07:12 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\SYSTEM32\NeroCheck.exe
2008-07-04 07:12 . 2000-06-26 10:45 106,496 --a------ C:\WINDOWS\SYSTEM32\TwnLib20.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-08 22:01 --------- d-----w C:\Program Files\QuickTime
2008-07-08 22:01 --------- d-----w C:\Program Files\Norton AntiVirus
2008-07-08 22:01 --------- d-----w C:\Program Files\iTunes
2008-07-08 15:49 --------- d-----w C:\Program Files\Common Files\Adobe
2002-03-07 04:43 67,552 ----a-w C:\Documents and Settings\thadloc\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-07-08_11.44.47.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-08 16:36:18 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-07-08 22:01:22 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
- 2007-10-03 16:13:31 28,176 ----a-w C:\WINDOWS\MMKeybd.exe
+ 2001-09-05 19:28:40 163,840 ----a-w C:\WINDOWS\MMKeybd.exe
- 2007-10-03 16:13:31 28,176 ----a-w C:\WINDOWS\SYSTEM32\tbctray.exe
+ 2001-08-29 22:17:40 307,200 ----a-w C:\WINDOWS\SYSTEM32\tbctray.exe
- 2007-10-03 16:13:31 28,176 ----a-w C:\WINDOWS\SYSTEM32\wltray.exe
+ 2005-06-08 22:32:42 778,318 ----a-w C:\WINDOWS\SYSTEM32\wltray.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-12-08 13:55 3096576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wltray.exe"="C:\WINDOWS\System32\wltray.exe" [2005-06-08 17:32 778318]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-10-05 17:16 151597]
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2001-08-16 18:52 74832]
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [2001-07-25 11:00 241714]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24 278528]
"DellTouch"="C:\WINDOWS\MMKeybd.exe" [2001-09-05 14:28 163840]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-04 16:31 655360]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]

C:\Documents and Settings\thadloc\Start Menu\Programs\Startup\
Iomega Product Registration.lnk - C:\Program Files\Iomega\Registration\Register.exe [2004-02-12 13:26:03 16175104]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Camio Viewer 2000.lnk - C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe [2001-12-21 20:24:02 49152]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

R0 hpt3xx;hpt3xx;C:\WINDOWS\System32\DRIVERS\hpt3xx.sys [2001-08-17 14:52]
R2 Nhksrv;Netropa NHK Server;C:\WINDOWS\Nhksrv.exe [2001-08-06 14:41]
R3 Msikbd2k;DellTouch;C:\WINDOWS\System32\DRIVERS\msikbd2k.sys [2000-10-03 16:18]
R3 tbcspud;Santa Cruz Driver;C:\WINDOWS\System32\drivers\tbcspud.sys [2001-08-29 17:19]
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINDOWS\System32\drivers\tbcwdm.sys [2001-08-29 17:19]

*Newly Created Service* - NMSCFG
.
Contents of the 'Scheduled Tasks' folder
"2002-02-12 05:54:33 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-QuickTime Task - C:\Program Files\QuickTime\bak\qttask.exe
HKLM-Run-POINTER - point32.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-08 17:01:43
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\wltrysvc.exe
C:\WINDOWS\SYSTEM32\bcmwltry.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
C:\WINDOWS\SYSTEM32\NMSSVC.EXE
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-07-08 17:10:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-08 22:10:30
ComboFix2.txt 2008-07-08 17:20:25

Pre-Run: 27,755,716,608 bytes free
Post-Run: 27,744,010,240 bytes free

135



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:18:43 PM, on 7/8/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wltray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\System32\wltray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: Iomega Product Registration.lnk = C:\Program Files\Iomega\Registration\Register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: + &Mass Downloader: download this file - C:\Program Files\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: + Mass Downloader: download &All files - C:\Program Files\Mass Downloader\Add_All.htm
O8 - Extra context menu item: Download using Download &Express - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra 'Tools' menuitem: &Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes12031.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes12031.dll
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125297656687
O16 - DPF: {7A7641DA-05B6-11D4-ACD7-0050DAB78810} (DSIDisplay.DisplayDoc) - http://tpd.ci.toledo.oh.us/CABS/DSIDisplay.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...317/mcfscan.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 7926 bytes

Edit: a couple spelling mistakes and I clipped the end of the text somehow.

Edited by boomstick, 08 July 2008 - 05:24 PM.
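
As an added example (not code from this thread, from BleepingComputer or from HijackThis itself), the Python script below does mechanically what a log helper does by eye on an HJT log like the one above: it parses the O2 (BHO), O4 (Run key) and O23 (service) lines and attaches a reason to the entries worth verifying first: a directory whose name is valid base64 (the `dGhhZGxvYw` folder ComboFix quarantined decodes to the machine's user name), a service with no vendor string ("Unknown owner"), and binaries living in temp/profile locations or directly in the Windows root. The embedded sample log is constructed to resemble this thread's entries, and the "Network Monitor (NetMon)" service line in it is made up for illustration. A reason is a prompt to check the file, not a verdict: the legitimate Netropa and Broadcom services in the log above also carry "Unknown owner".

```python
"""Heuristic triage for HijackThis-style logs (added example, not an HJT tool)."""
import base64
import binascii
import re

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
PATH_RE = re.compile(r'"?([A-Za-z]:\\.+?\.(?:exe|dll|ocx|sys|cpl))', re.IGNORECASE)
B64_TOKEN_RE = re.compile(r"^[A-Za-z0-9+/]{8,}$")

# Constructed sample modelled on the entries in this thread; the NetMon service line is invented.
SAMPLE_LOG = r"""O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKLM\..\Run: [command] C:\WINDOWS\dGhhZGxvYw\command.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Network Monitor (NetMon) - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
"""


def decode_b64_segment(segment):
    """Return the decoded text if `segment` is base64 for short printable ASCII, else None."""
    if not B64_TOKEN_RE.match(segment):
        return None
    padded = segment + "=" * (-len(segment) % 4)  # HJT paths drop the '=' padding
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only accept something a human would have typed (user name, host name, ...).
    if len(text) < 4 or not re.fullmatch(r"[A-Za-z0-9 _.\-]+", text):
        return None
    return text


def path_reasons(path):
    """Reasons to look at a binary path; an empty list means nothing stood out."""
    reasons = []
    for directory in path.split("\\")[1:-1]:  # skip drive letter and file name
        decoded = decode_b64_segment(directory)
        if decoded is not None:
            reasons.append(f"directory {directory!r} is base64 for {decoded!r}")
    low = path.lower()
    if re.search(r"\\(local settings\\temp|windows\\temp|application data)\\", low):
        reasons.append("runs from a temp or profile data directory")
    if re.fullmatch(r"[a-z]:\\windows\\[^\\]+", low):
        reasons.append("binary sits directly in the Windows root")
    return reasons


def parse_entry(line):
    """Parse one O2/O4/O23 line into a dict; other HJT sections return None."""
    m = O4_RE.match(line)
    if m:
        hive, key, name, command = m.groups()
        path = PATH_RE.match(command)
        return {"kind": "O4", "name": name, "hive": hive, "owner": None,
                "path": path.group(1) if path else command}
    m = O23_RE.match(line)
    if m:
        name, owner, path = m.groups()
        return {"kind": "O23", "name": name, "hive": None, "owner": owner, "path": path.strip()}
    m = O2_RE.match(line)
    if m:
        name, clsid, path = m.groups()
        return {"kind": "O2", "name": f"{name} {clsid}", "hive": None, "owner": None, "path": path.strip()}
    return None


def triage(log_text):
    """All parsed entries, each with a 'reasons' list (empty for unremarkable ones)."""
    entries = []
    for line in log_text.splitlines():
        entry = parse_entry(line.strip())
        if entry is None:
            continue
        reasons = path_reasons(entry["path"])
        if entry["owner"] == "Unknown owner":
            reasons.append("service binary has no vendor information")
        entry["reasons"] = reasons
        entries.append(entry)
    return entries


def flagged(log_text):
    """Only the entries that have at least one reason, in log order."""
    return [e for e in triage(log_text) if e["reasons"]]


if __name__ == "__main__":
    for hit in flagged(SAMPLE_LOG):
        print(f"{hit['kind']:<4}{hit['name']}: {hit['path']}")
        for reason in hit["reasons"]:
            print("     -", reason)
```

Run on the sample it reports three entries: the Run key pointing into the base64-named folder (with the decoded user name), and the two "Unknown owner" services, one of which is additionally in the Windows root. Everything else, including the NVIDIA service under System32, passes silently; the point of the decoded-name check is that a random-looking folder that decodes to the logged-on user is a strong sign it was generated on this machine at install time rather than shipped by a vendor.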


#7 fenzodahl512

  • Members
  • 6,738 posts

Posted 08 July 2008 - 10:56 PM

Erm.. Your logs look very good actually.. Nothing seems to be malicious.. Let's do this..


Please download Malwarebytes' Anti-Malware from HERE or HERE

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



Then please include me a fresh Deckard System Scanner log in your next reply..

Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#8 boomstick
  • Topic Starter

  • Members
  • 9 posts

Posted 09 July 2008 - 02:33 PM

I lied. Not intentionally, but in effect at least. I would have sworn that I still saw the background iexplore.exe process on the last reboot after the second ComboFix run, but apparently I was wrong (I was really tired so that might explain it, because I wouldn't normally make a mistake like that.) When I turned the machine on today, I looked for that behavior, and to my surprise, it wasn't there. I rebooted again to verify this and it is indeed gone. It did it every time before, and it's gone now...so props to ComboFix and to your help fenzodahl512.

I thought I'd go ahead with your advice anyway and see if it turned anything up. I did and I'll post the logs of course, but all MBAM really found was 3 registry entries, which I would guess were just leftovers. It had 22 other hits, all files, but they were all either from the system restore point, in quarantine already by ComboFix or the backup of a fix by HijackThis from December. (I've used HJT on my own for some minor, or at least obvious, things in the past.)

Even so, I told MBAM to remove everything and it did so with no problems.

I still have a bit of the mouse problem - less than before (which is kind of interesting), but it still does it....it shows up mostly when I try to drag things and it will just randomly drop them in mid-drag. It used to be so bad at times that it was almost impossible to drag anything (and it would also often take a single click and interpret it as two quick clicks in a row - so you'd close a window or something and it would also take a second click onto whatever was beneath that window.) Now it's much closer to normal - I haven't noticed the single click being processed as a double click (in effect.) And I tested dragging a window around the screen: it still will drop it occasionally (like it's somehow interrupted almost) but it's much better at this point.

It also shows up when I try to select a few words or a few lines of text in order to move them around: I'll be dragging to select the text and it will just randomly stop the current selection and start over from the point where it stopped again (again like it was interrupted part way through the selection process)....if that makes any sense. Like if I were trying to drag upward to select say 25 lines of text it might get interrupted (it seems) and sort of drop the selection box after say 10 lines, and restart it there....so that I end up selecting from that point to the top instead of the whole way as I intended (in that example I'd have the top 15 lines selected instead of the full 25 if I didn't stop and start over.) And this while all the while the mouse button is being held down. It's really annoying.

If the machine is clean now, and I think that's what you're about to tell me....then would you have any ideas on that issue by any chance? If not, no worries....having my machine clean finally (not in how long this took but in how long I unwisely put off doing it) is wonderful, and I can research this one on my own. I've never had to uninstall and reinstall that type of software before if it's even possible (there must be a mouse driver I guess)...maybe that would do it. Maybe some of the malware had its hooks in there somehow...that seems like a bit of a stretch but something was/is causing that behavior.



Malwarebytes' Anti-Malware 1.20
Database version: 934
Windows 5.1.2600 Service Pack 1

12:54:44 PM 7/9/2008
mbam-log-7-9-2008 (12-54-44).txt

Scan type: Full Scan (C:\|)
Objects scanned: 143066
Time elapsed: 59 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 22

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{b0e43034-50f5-1f84-8098-824b44f2dbc3} (Adware.AdMedia) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{00000010-6f7d-442c-93e3-4a4827c2e4c8} (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SWD123 (Rogue.SpyDefender) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Deckard\System Scanner\backup\DOCUME~1\thadloc\LOCALS~1\Temp\GLF6GLF6.EXE (Adware.TargetSaver) -> Quarantined and deleted successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\thadloc\LOCALS~1\Temp\GLF9GLF9.EXE (Adware.TargetSaver) -> Quarantined and deleted successfully.
C:\download\HijackThis 1.97.7\hijackthis\backup-20071215-033418-122.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\Network Monitor\netmon.exe.vir (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\WinBudget\bin\matrix.dll.1194675239.old.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\WinBudget\bin\matrix.dll.1195288449.old.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\WinBudget\bin\matrix.dll.1195970198.old.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\dGhhZGxvYw\asappsrv.dll.vir (AdWare.CommAd) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\dGhhZGxvYw\command.exe.vir (AdWare.CommAd) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tsuninst.exe.vir (Adware.TargetSaver) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP6\A0000369.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP6\A0000370.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP6\A0000371.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP6\A0000372.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP6\A0000373.dll (Adware.TargetServer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP6\A0000381.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP6\A0000398.old (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP6\A0000399.old (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP6\A0000400.old (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP6\A0000404.exe (Adware.TargetSaver) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP6\A0000413.exe (AdWare.CommAd) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP6\A0000414.dll (AdWare.CommAd) -> Quarantined and deleted successfully.




Deckard's System Scanner v20071014.68
Run by thadloc on 2008-07-09 13:01:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as thadloc.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:01:27 PM, on 7/9/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\wltray.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\thadloc\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\thadloc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\System32\wltray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: Iomega Product Registration.lnk = C:\Program Files\Iomega\Registration\Register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: + &Mass Downloader: download this file - C:\Program Files\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: + Mass Downloader: download &All files - C:\Program Files\Mass Downloader\Add_All.htm
O8 - Extra context menu item: Download using Download &Express - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra 'Tools' menuitem: &Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes12031.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes12031.dll
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125297656687
O16 - DPF: {7A7641DA-05B6-11D4-ACD7-0050DAB78810} (DSIDisplay.DisplayDoc) - http://tpd.ci.toledo.oh.us/CABS/DSIDisplay.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...317/mcfscan.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 7751 bytes

-- Files created between 2008-06-09 and 2008-07-09 -----------------------------

2008-07-07 11:10:55 0 d-------- C:\cmdcons
2008-07-07 11:09:09 68096 --a------ C:\WINDOWS\zip.exe
2008-07-07 11:09:09 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-07 11:09:09 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-07 11:09:09 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-07 11:09:09 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-07 11:09:09 98816 --a------ C:\WINDOWS\sed.exe
2008-07-07 11:09:09 80412 --a------ C:\WINDOWS\grep.exe
2008-07-07 11:09:09 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-07 10:59:34 0 d-------- C:\Documents and Settings\thadloc\Application Data\Malwarebytes
2008-07-07 10:59:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-07 10:59:26 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-06 00:11:08 0 d-------- C:\Program Files\Java
2008-07-06 00:11:04 0 d-------- C:\Program Files\Common Files\Java
2008-07-05 22:32:29 0 d-------- C:\WINDOWS\Sun
2008-07-05 12:26:04 0 d-------- C:\Documents and Settings\thadloc\Application Data\Sun
2008-07-04 07:15:50 0 d-------- C:\Program Files\Common Files\Nero
2008-07-04 07:12:59 106496 --a------ C:\WINDOWS\System32\TwnLib20.dll <Not Verified; Pegasus Software; TWNLIB20>
2008-07-04 07:12:55 471040 -----n--- C:\WINDOWS\System32\ImagXRA7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-07-04 07:12:55 262144 -----n--- C:\WINDOWS\System32\ImagXR7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-07-04 07:12:55 1568768 -----n--- C:\WINDOWS\System32\ImagX7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-07-04 07:12:53 155648 --a------ C:\WINDOWS\System32\NeroCheck.exe <Not Verified; Ahead Software Gmbh; Ahead Software Gmbh NeroCheck>
2008-07-04 07:12:48 0 d-------- C:\Program Files\Common Files\Ahead
2008-07-04 07:12:46 0 d-------- C:\Program Files\Ahead


-- Find3M Report ---------------------------------------------------------------

2008-07-08 17:01:38 0 d-------- C:\Program Files\QuickTime
2008-07-08 17:01:38 0 d-------- C:\Program Files\Norton AntiVirus
2008-07-08 17:01:38 0 d-------- C:\Program Files\iTunes
2008-07-08 10:58:44 0 d-------- C:\Program Files\Common Files
2008-07-08 10:49:24 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-07 09:49:07 15 --a------ C:\WINDOWS\E58C-4D46-3725-A1AF.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wltray.exe"="C:\WINDOWS\System32\wltray.exe" [06/08/2005 05:32 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/05/2003 05:16 PM]
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [08/16/2001 06:52 PM]
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [07/25/2001 11:00 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06/14/2006 04:24 PM]
"DellTouch"="C:\WINDOWS\MMKeybd.exe" [09/05/2001 02:28 PM]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [09/04/2001 04:31 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [12/08/2005 01:55 PM]

C:\Documents and Settings\thadloc\Start Menu\Programs\Startup\
DESKTOP.INI [9/20/2001 12:17:38 PM]
Iomega Product Registration.lnk - C:\Program Files\Iomega\Registration\Register.exe [2/12/2004 1:26:03 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
Camio Viewer 2000.lnk - C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe [12/21/2001 8:24:02 PM]
DESKTOP.INI [9/20/2001 12:17:38 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

*Newly Created Service* - NMSCFG



-- End of Deckard's System Scanner: finished at 2008-07-09 13:01:53 ------------

Edited by boomstick, 09 July 2008 - 02:35 PM.


#9 fenzodahl512

  • Members
  • 6,738 posts

Posted 10 July 2008 - 11:42 AM

Your log looks clean to my eyes.. But let's do another scan just to make sure...


Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#10 boomstick

  • Topic Starter
  • Members
  • 9 posts

Posted 12 July 2008 - 05:06 AM

To my untrained eye, it looks like the log contains a lot of hits from items quarantined by various scanners/tools, a number of locked objects, and a few more things that probably need to be removed or cleaned.

A number of the hits are for older backups of Microsoft Outlook .pst files that I'd like to keep. I'm assuming that there must be a way to repair a message within a .pst file without having to completely remove the .pst file altogether. That would be ideal.

Here's the log...


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, July 12, 2008 6:16:43 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/07/2008
Kaspersky Anti-Virus database records: 936980
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 114342
Number of viruses found: 20
Number of infected objects: 87
Number of suspicious objects: 0
Duration of the scan process: 02:19:02

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\20080709130120\backup\DOCUME~1\thadloc\LOCALS~1\Temp\A8D83.tmp/cvn0.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.f skipped
C:\Deckard\System Scanner\20080709130120\backup\DOCUME~1\thadloc\LOCALS~1\Temp\A8D83.tmp/wfxqhv.exe Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped
C:\Deckard\System Scanner\20080709130120\backup\DOCUME~1\thadloc\LOCALS~1\Temp\A8D83.tmp/zqskw.exe Infected: Trojan.Win32.Runner.j skipped
C:\Deckard\System Scanner\20080709130120\backup\DOCUME~1\thadloc\LOCALS~1\Temp\A8D83.tmp CAB: infected - 3 skipped
C:\Deckard\System Scanner\20080709130120\backup\DOCUME~1\thadloc\LOCALS~1\Temp\gndj.dll Infected: Trojan-Clicker.Win32.Small.f skipped
C:\Deckard\System Scanner\20080709130120\backup\DOCUME~1\thadloc\LOCALS~1\Temp\i89.tmp Infected: not-a-virus:AdWare.Win32.SurfSide.j skipped
C:\Deckard\System Scanner\20080709130120\backup\DOCUME~1\thadloc\LOCALS~1\Temp\mslkaj.dll Infected: Trojan-Clicker.Win32.Small.f skipped
C:\Deckard\System Scanner\20080709130120\backup\DOCUME~1\thadloc\LOCALS~1\Temp\r1197926763.exe/data0000/file3 Infected: not-a-virus:FraudTool.Win32.SpyDefenderPro.a skipped
C:\Deckard\System Scanner\20080709130120\backup\DOCUME~1\thadloc\LOCALS~1\Temp\r1197926763.exe/data0000 Infected: not-a-virus:FraudTool.Win32.SpyDefenderPro.a skipped
C:\Deckard\System Scanner\20080709130120\backup\DOCUME~1\thadloc\LOCALS~1\Temp\r1197926763.exe EmbeddedEXE: infected - 2 skipped
C:\Deckard\System Scanner\20080709130120\backup\DOCUME~1\thadloc\LOCALS~1\Temp\r1197926763.exe UPX: infected - 2 skipped
C:\Deckard\System Scanner\20080709130120\backup\DOCUME~1\thadloc\LOCALS~1\Temp\winjlml.dll Infected: Trojan-Clicker.Win32.Small.f skipped
C:\Deckard\System Scanner\20080709130120\backup\DOCUME~1\thadloc\LOCALS~1\Temp\winkigb.dll Infected: Trojan-Clicker.Win32.Small.f skipped
C:\Deckard\System Scanner\20080709130120\backup\DOCUME~1\thadloc\LOCALS~1\Temp\winmgng.dll Infected: Trojan-Clicker.Win32.Small.f skipped
C:\Deckard\System Scanner\20080709130120\backup\WINDOWS\Downloaded Program Files\HDPlugin1015.dll Infected: not-a-virus:AdWare.Win32.Gator.1015 skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\thadloc\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\thadloc\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\thadloc\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\thadloc\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\thadloc\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\thadloc\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\thadloc\ntuser.dat.LOG Object is locked skipped
C:\download\HijackThis 1.97.7\hijackthis\backup-20040126-043935-244.dll Infected: Trojan-Clicker.Win32.Small.f skipped
C:\download\HijackThis 1.97.7\hijackthis\backup-20060729-150215-721.dll Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped
C:\Program Files\Norton AntiVirus\Quarantine\056B1315.tmp Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\056C2ACA.tmp Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\158962E9.tmp Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\26704A30.tmp Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\41816ABE.tmp Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\48196F6A.tmp Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\485A3722.tmp Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\48952AE2.tmp Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\48CD74A4.tmp Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\48FA4072.tmp Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\5996696E.tmp Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\75720962.tmp Infected: Email-Worm.Win32.Klez.h skipped
C:\QooBox\Quarantine\C\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe.vir Infected: Trojan.Win32.Agent.bxj skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Real\Update_OB\realsched.exe.vir Infected: Trojan.Win32.Agent.bxj skipped
C:\QooBox\Quarantine\C\Program Files\html1.htm.vir Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\QooBox\Quarantine\C\Program Files\html2.htm.vir Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\QooBox\Quarantine\C\Program Files\Internet Optimizer\optimize.exe.vir Infected: Trojan-Downloader.Win32.Dyfuca.ei skipped
C:\QooBox\Quarantine\C\Program Files\iTunes\iTunesHelper.exe.vir Infected: Trojan.Win32.Agent.bxj skipped
C:\QooBox\Quarantine\C\Program Files\Microsoft Money\System\Activation.exe.vir Infected: Trojan.Win32.Agent.bxj skipped
C:\QooBox\Quarantine\C\Program Files\Norton AntiVirus\navapw32.exe.vir Infected: Trojan.Win32.Agent.bxj skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask.exe.vir Infected: Trojan.Win32.Agent.bxj skipped
C:\QooBox\Quarantine\C\Program Files\Yahoo!\Messenger\ypager.exe.vir Infected: Trojan.Win32.Agent.bxj skipped
C:\QooBox\Quarantine\C\WINDOWS\MMKeybd.exe.vir Infected: Trojan.Win32.Agent.bxj skipped
C:\QooBox\Quarantine\C\WINDOWS\njpnaib.exe.vir Infected: Trojan-Clicker.Win32.VB.ij skipped
C:\QooBox\Quarantine\C\WINDOWS\njpnaibA.exe.vir Infected: Trojan-Clicker.Win32.VB.ij skipped
C:\QooBox\Quarantine\C\WINDOWS\offun.exe.vir Infected: Trojan-Downloader.Win32.VB.nw skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSC00.exe.vir Infected: Trojan.Win32.VB.tg skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tbctray.exe.vir Infected: Trojan.Win32.Agent.bxj skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\wltray.exe.vir Infected: Trojan.Win32.Agent.bxj skipped
C:\QooBox\Quarantine\C\WINDOWS\unin101.exe.vir Infected: Trojan.Win32.VB.tg skipped
C:\QooBox\Quarantine\C\WINDOWS\uni_eh.exe.vir Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP10\A0001586.exe Infected: not-a-virus:Dialer.Win32.Small.gen skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP10\A0001587.exe Infected: not-a-virus:Dialer.Win32.Small.gen skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP11\change.log Object is locked skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP6\A0000365.exe Infected: not-a-virus:FraudTool.Win32.SpyDefenderPro.a skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP6\A0000380.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP6\A0000405.exe Infected: Trojan-Downloader.Win32.VB.nw skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP6\A0000406.exe Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP6\A0000407.exe Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP6\A0000408.exe Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP6\A0000412.exe Infected: Trojan-Clicker.Win32.VB.ij skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP6\A0000433.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP8\A0001438.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP8\A0001439.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP8\A0001440.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP8\A0001441.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP8\A0001442.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP8\A0001443.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP8\A0001444.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP8\A0001445.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP8\A0001448.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP8\A0001449.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP8\A0001455.exe Infected: Trojan-Clicker.Win32.VB.ij skipped
C:\VSL.dl_ Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SYSTEM32\113553.exe Infected: not-a-virus:Porn-Downloader.Win32.TibSystems skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\DGcodec.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\WINDOWS\SYSTEM32\dn2o01f3e.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\msfind.exe Infected: not-a-virus:PSWTool.Win32.PassView.151 skipped
C:\WINDOWS\SYSTEM32\PPFLBMSG.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\WINDOWS\SYSTEM32\SVNSCFG.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\~Todd\work mail backups\5-12-06\thadloc.pst/Personal Folders/Softball 2002/Softball/18 May 1999 13:07 from Benschoter, Rusty:GAME #1/1999SOFT.XLS Infected: Virus.MSExcel.Compat skipped
C:\~Todd\work mail backups\5-12-06\thadloc.pst MailMSMaill: infected - 1 skipped
C:\~Todd\work mail backups\5-14-07\thadloc.pst/Personal Folders/Softball 2002/Softball/18 May 1999 13:07 from Benschoter, Rusty:GAME #1/1999SOFT.XLS Infected: Virus.MSExcel.Compat skipped
C:\~Todd\work mail backups\5-14-07\thadloc.pst MailMSMaill: infected - 1 skipped
C:\~Todd\work mail backups\backup.pst/old Personal Folders/Inbox/18 May 1999 13:07 from Benschoter, Rusty:GAME #1/1999SOFT.XLS Infected: Virus.MSExcel.Compat skipped
C:\~Todd\work mail backups\backup.pst MailMSMaill: infected - 1 skipped
C:\~Todd\work mail backups\personal folders\personal_folders.zip/thadloc.pst/Personal Folders/Softball/18 May 1999 13:07 from Benschoter, Rusty:GAME #1/1999SOFT.XLS Infected: Virus.MSExcel.Compat skipped
C:\~Todd\work mail backups\personal folders\personal_folders.zip/thadloc.pst Infected: Virus.MSExcel.Compat skipped
C:\~Todd\work mail backups\personal folders\personal_folders.zip ZIP: infected - 2 skipped
C:\~Todd\work mail backups\thadloc.pst/Personal Folders/Softball 2002/Softball/18 May 1999 13:07 from Benschoter, Rusty:GAME #1/1999SOFT.XLS Infected: Virus.MSExcel.Compat skipped
C:\~Todd\work mail backups\thadloc.pst MailMSMaill: infected - 1 skipped

Scan process completed.

#11 fenzodahl512

  • Members
  • 6,738 posts

Posted 12 July 2008 - 09:03 AM

1. Please empty your Norton Quarantine folder.. Please navigate to the C:\Program Files\Norton AntiVirus\Quarantine folder and delete everything inside.. Please do not delete the folder.. Just leave it empty..



NEXT


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\download\HijackThis 1.97.7\hijackthis\backup-20040126-043935-244.dll
C:\download\HijackThis 1.97.7\hijackthis\backup-20060729-150215-721.dll
C:\VSL.dl_
C:\WINDOWS\SYSTEM32\113553.exe
C:\WINDOWS\SYSTEM32\DGcodec.dll
C:\WINDOWS\SYSTEM32\dn2o01f3e.dll
C:\WINDOWS\SYSTEM32\msfind.exe
C:\WINDOWS\SYSTEM32\PPFLBMSG.DLL
C:\WINDOWS\SYSTEM32\SVNSCFG.DLL
C:\~Todd\work mail backups\personal folders\personal_folders.zip

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
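The CFScript above keeps only the hits that are still live on disk: copies under Norton's Quarantine, QooBox, the Deckard backup and System Restore are inert (the Norton folder is cleared by hand in step 1), and "Object is locked" entries are just open system files. As an added example, not a tool from this thread, the Python below applies that same triage to report lines in the Kaspersky Online Scanner format and renders the ComboFix File:: block from the live set; the sample lines are constructed from paths in the report above, the quarantine prefixes are the locations seen in this thread, and the .pst exclusion mirrors the helper's choice to leave the mail backups alone.

```python
"""Triage a Kaspersky Online Scanner report: locked objects and hits inside
quarantine/backup folders are not active infections; only the remaining
"live" on-disk paths belong in a ComboFix CFScript.  Added example for
this thread, not a tool from the thread itself.
"""
import re
from collections import defaultdict

# Folders holding inert copies (already quarantined or archived by a tool).
# These are the locations that appear in this thread's own report.
QUARANTINE_PREFIXES = (
    r"C:\Program Files\Norton AntiVirus\Quarantine",
    r"C:\QooBox\Quarantine",
    r"C:\Deckard\System Scanner",
    r"C:\System Volume Information\_restore",
)

# One report line is "<path> Infected: <name> <action>",
# "<path> <Container>: infected - <n> <action>" or "<path> Object is locked <action>".
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:Infected:\s+(?P<name>\S+)"
    r"|(?P<container>[A-Za-z0-9]+):\s+infected\s+-\s+(?P<count>\d+)"
    r"|(?P<locked>Object is locked))"
    r"\s+(?P<action>\S+)$"
)

# Constructed sample in the scanner's format, using paths from the thread.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\thadloc\NTUSER.DAT Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\056B1315.tmp Infected: Email-Worm.Win32.Klez.h skipped
C:\QooBox\Quarantine\C\WINDOWS\offun.exe.vir Infected: Trojan-Downloader.Win32.VB.nw skipped
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP6\A0000380.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei skipped
C:\download\HijackThis 1.97.7\hijackthis\backup-20040126-043935-244.dll Infected: Trojan-Clicker.Win32.Small.f skipped
C:\VSL.dl_ Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\WINDOWS\SYSTEM32\DGcodec.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\WINDOWS\SYSTEM32\dn2o01f3e.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\~Todd\work mail backups\personal folders\personal_folders.zip/thadloc.pst/Personal Folders/Softball/1999SOFT.XLS Infected: Virus.MSExcel.Compat skipped
C:\~Todd\work mail backups\personal folders\personal_folders.zip ZIP: infected - 2 skipped
C:\~Todd\work mail backups\thadloc.pst MailMSMaill: infected - 1 skipped
Scan process completed.
"""


def parse_line(line):
    """Parse one report line; return a record dict, or None for non-report text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    # Entries nested in archives/mailboxes use "/"; the on-disk file is the
    # part before the first "/" (Windows paths themselves use backslashes).
    outer = path.split("/", 1)[0]
    if m.group("locked"):
        status = "locked"
    elif m.group("container"):
        status = "container"
    else:
        status = "infected"
    return {"path": path, "outer": outer, "status": status,
            "detection": m.group("name"), "action": m.group("action")}


def classify(outer_path):
    """'quarantined' when the file sits in a known inert location, else 'live'."""
    lower = outer_path.lower()
    return "quarantined" if any(lower.startswith(p.lower()) for p in QUARANTINE_PREFIXES) else "live"


def triage(report_text):
    """Return ({'locked': [...], 'quarantined': [...], 'live': [...]} of unique
    on-disk paths, {detection name: count over the live set})."""
    buckets = defaultdict(set)
    live_detections = defaultdict(int)
    for line in report_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == "locked":
            buckets["locked"].add(rec["outer"])
            continue
        cat = classify(rec["outer"])
        buckets[cat].add(rec["outer"])
        if cat == "live" and rec["detection"]:
            live_detections[rec["detection"]] += 1
    return ({k: sorted(buckets[k]) for k in ("locked", "quarantined", "live")},
            dict(live_detections))


def cfscript_file_block(live_paths, keep_suffixes=(".pst",)):
    """Render the File:: section of a ComboFix CFScript from the live hits,
    leaving out mail stores the user wants to keep (as the helper did)."""
    wanted = [p for p in live_paths if not p.lower().endswith(keep_suffixes)]
    return "File::\n" + "\n".join(wanted) + "\n"


if __name__ == "__main__":
    buckets, counts = triage(SAMPLE_REPORT)
    for cat in ("locked", "quarantined", "live"):
        print(f"{cat}: {len(buckets[cat])} object(s)")
    print(cfscript_file_block(buckets["live"]), end="")
```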



#12 boomstick

  • Topic Starter
  • Members
  • 9 posts

Posted 13 July 2008 - 01:57 PM

I doubt this is really even worth mentioning, but in the quarantine folder, I deleted everything except two folders called "Incoming" and "Portal". They were both empty and I thought maybe they were supposed to be there. All files in the quarantine folder are now gone.

When I ran ComboFix this time, it did not do a reboot as it has the other times (due, I would assume, to making less serious changes that didn't need to be continued after a boot)....but when it finished, it took absolutely forever and then finally popped up the log in Notepad...only that was all it popped up. It didn't put the desktop back up (including the clock or the taskbar or anything), just the Notepad window. There's a happy ending though: it let me pull up a Task Manager window through CTRL-ALT-DELETE and from there I rebooted...and the desktop was back to normal as soon as I did that. So all is fine I think, but I thought I'd mention it just in case someone else you work with has that problem in the future.

And by the way....thanks for all your help, fenzodahl512.



ComboFix 08-07-05.1 - thadloc 2008-07-13 9:18:07.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.84 [GMT -5:00]
Running from: C:\Documents and Settings\thadloc\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\thadloc\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\~Todd\work mail backups\personal folders\personal_folders.zip
C:\download\HijackThis 1.97.7\hijackthis\backup-20040126-043935-244.dll
C:\download\HijackThis 1.97.7\hijackthis\backup-20060729-150215-721.dll
C:\VSL.dl_
C:\WINDOWS\SYSTEM32\113553.exe
C:\WINDOWS\SYSTEM32\DGcodec.dll
C:\WINDOWS\SYSTEM32\dn2o01f3e.dll
C:\WINDOWS\SYSTEM32\msfind.exe
C:\WINDOWS\SYSTEM32\PPFLBMSG.DLL
C:\WINDOWS\SYSTEM32\SVNSCFG.DLL
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\~Todd\work mail backups\personal folders\personal_folders.zip
C:\download\HijackThis 1.97.7\hijackthis\backup-20040126-043935-244.dll
C:\download\HijackThis 1.97.7\hijackthis\backup-20060729-150215-721.dll
C:\VSL.dl_
C:\WINDOWS\SYSTEM32\113553.exe
C:\WINDOWS\SYSTEM32\DGcodec.dll
C:\WINDOWS\SYSTEM32\dn2o01f3e.dll
C:\WINDOWS\SYSTEM32\msfind.exe
C:\WINDOWS\SYSTEM32\PPFLBMSG.DLL
C:\WINDOWS\SYSTEM32\SVNSCFG.DLL

.
((((((((((((((((((((((((( Files Created from 2008-06-13 to 2008-07-13 )))))))))))))))))))))))))))))))
.

2008-07-07 10:59 . 2008-07-09 11:32 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-07 10:59 . 2008-07-07 10:59 <DIR> d-------- C:\Documents and Settings\thadloc\Application Data\Malwarebytes
2008-07-07 10:59 . 2008-07-07 10:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-07 10:59 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-07-07 10:59 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-07-06 00:12 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-07-06 00:11 . 2008-07-06 00:12 <DIR> d-------- C:\Program Files\Java
2008-07-06 00:11 . 2008-07-06 00:11 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-05 22:32 . 2008-07-05 22:32 <DIR> d-------- C:\WINDOWS\Sun
2008-07-05 20:53 . 2008-07-08 15:30 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-07-05 08:21 . 2008-07-05 08:21 <DIR> d-------- C:\Deckard
2008-07-05 07:59 . 2008-07-13 00:09 4,194,388 --a------ C:\WINDOWS\pfirewall.log.old
2008-07-04 07:15 . 2008-07-04 07:15 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-07-04 07:13 . 2004-03-02 16:37 125,184 --------- C:\WINDOWS\SYSTEM32\DRIVERS\imagesrv.sys
2008-07-04 07:13 . 2004-03-02 16:37 5,504 --------- C:\WINDOWS\SYSTEM32\DRIVERS\imagedrv.sys
2008-07-04 07:12 . 2008-07-04 07:12 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-07-04 07:12 . 2008-07-04 07:13 <DIR> d-------- C:\Program Files\Ahead
2008-07-04 07:12 . 2004-07-26 16:16 1,568,768 --------- C:\WINDOWS\SYSTEM32\ImagX7.dll
2008-07-04 07:12 . 2004-07-26 16:16 476,320 --------- C:\WINDOWS\SYSTEM32\ImagXpr7.dll
2008-07-04 07:12 . 2004-07-26 16:16 471,040 --------- C:\WINDOWS\SYSTEM32\ImagXRA7.dll
2008-07-04 07:12 . 2004-07-26 16:16 262,144 --------- C:\WINDOWS\SYSTEM32\ImagXR7.dll
2008-07-04 07:12 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\SYSTEM32\NeroCheck.exe
2008-07-04 07:12 . 2000-06-26 10:45 106,496 --a------ C:\WINDOWS\SYSTEM32\TwnLib20.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-11 07:13 --------- d-----w C:\Program Files\UltimateBet
2008-07-08 22:01 --------- d-----w C:\Program Files\QuickTime
2008-07-08 22:01 --------- d-----w C:\Program Files\Norton AntiVirus
2008-07-08 22:01 --------- d-----w C:\Program Files\iTunes
2008-07-08 15:49 --------- d-----w C:\Program Files\Common Files\Adobe
2002-03-07 04:43 67,552 ----a-w C:\Documents and Settings\thadloc\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-07-08_11.44.47.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-08 16:36:18 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-07-09 15:47:29 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
- 2007-10-03 16:13:31 28,176 ----a-w C:\WINDOWS\MMKeybd.exe
+ 2001-09-05 19:28:40 163,840 ----a-w C:\WINDOWS\MMKeybd.exe
- 2007-10-03 16:13:31 28,176 ----a-w C:\WINDOWS\SYSTEM32\tbctray.exe
+ 2001-08-29 22:17:40 307,200 ----a-w C:\WINDOWS\SYSTEM32\tbctray.exe
- 2007-10-03 16:13:31 28,176 ----a-w C:\WINDOWS\SYSTEM32\wltray.exe
+ 2005-06-08 22:32:42 778,318 ----a-w C:\WINDOWS\SYSTEM32\wltray.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-12-08 13:55 3096576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wltray.exe"="C:\WINDOWS\System32\wltray.exe" [2005-06-08 17:32 778318]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-10-05 17:16 151597]
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2001-08-16 18:52 74832]
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [2001-07-25 11:00 241714]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24 278528]
"DellTouch"="C:\WINDOWS\MMKeybd.exe" [2001-09-05 14:28 163840]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-04 16:31 655360]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]

C:\Documents and Settings\thadloc\Start Menu\Programs\Startup\
Iomega Product Registration.lnk - C:\Program Files\Iomega\Registration\Register.exe [2004-02-12 13:26:03 16175104]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Camio Viewer 2000.lnk - C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe [2001-12-21 20:24:02 49152]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

R0 hpt3xx;hpt3xx;C:\WINDOWS\System32\DRIVERS\hpt3xx.sys [2001-08-17 14:52]
R2 Nhksrv;Netropa NHK Server;C:\WINDOWS\Nhksrv.exe [2001-08-06 14:41]
R3 Msikbd2k;DellTouch;C:\WINDOWS\System32\DRIVERS\msikbd2k.sys [2000-10-03 16:18]
R3 tbcspud;Santa Cruz Driver;C:\WINDOWS\System32\drivers\tbcspud.sys [2001-08-29 17:19]
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINDOWS\System32\drivers\tbcwdm.sys [2001-08-29 17:19]

*Newly Created Service* - CATCHME
*Newly Created Service* - NMSCFG
.
Contents of the 'Scheduled Tasks' folder
"2002-02-12 05:54:33 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-13 09:24:20
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
Completion time: 2008-07-13 9:32:21
ComboFix-quarantined-files.txt 2008-07-13 14:32:17
ComboFix2.txt 2008-07-08 22:10:37
ComboFix3.txt 2008-07-08 17:20:25

Pre-Run: 27,367,161,856 bytes free
Post-Run: 27,447,922,688 bytes free

128



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:52:25 PM, on 7/13/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\wltray.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\System32\wltray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: Iomega Product Registration.lnk = C:\Program Files\Iomega\Registration\Register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: + &Mass Downloader: download this file - C:\Program Files\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: + Mass Downloader: download &All files - C:\Program Files\Mass Downloader\Add_All.htm
O8 - Extra context menu item: Download using Download &Express - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra 'Tools' menuitem: &Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes12031.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes12031.dll
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125297656687
O16 - DPF: {7A7641DA-05B6-11D4-ACD7-0050DAB78810} (DSIDisplay.DisplayDoc) - http://tpd.ci.toledo.oh.us/CABS/DSIDisplay.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...317/mcfscan.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 7763 bytes

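The HijackThis log above is read by eye, section by section (R0/R1 browser pages, O4 autoruns, O16 ActiveX downloads, O23 services). As an added example, not code from this thread or from HijackThis, the script below does that first pass offline for a HijackThis 2.x log. Everything in it is an assumption for the demo: the sample lines are constructed (the clean ones imitate entries in the log above, the flagged paths, folder names, service and domain names are made up and are not indicators from this thread), the domain allowlist is a stand-in for whatever you trust, and the heuristics are triage hints that tell you which file to hash and submit to a scanner, not a verdict.

```python
"""Offline triage of a HijackThis 2.x log (added example, not HijackThis code)."""
import base64
import binascii
import re
from pathlib import PureWindowsPath
from urllib.parse import urlparse

# Assumption: a short allowlist of hosts whose ActiveX cabs / search URLs are benign.
TRUSTED_SUFFIXES = ("microsoft.com", "adobe.com", "kaspersky.com", "mcafee.com")
# Standard %WINDIR% subfolders that legitimately hold executables.
KNOWN_WINDOWS_DIRS = {"system32", "system", "syswow64", "installer", "temp", "web", "help"}

# Constructed sample log. Flagged entries use made-up names/domains (.test TLD).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example-hijack.test/?q=
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [updater] C:\WINDOWS\aGVsbG8\svc.exe
O15 - Trusted Zone: *.example-adware.test
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/constructed/wuweb_site.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Some Object) - http://cdn.example-adware.test/installer.cab
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Helper Service (hlpsvc) - Unknown owner - C:\WINDOWS\System32\hlpsvc.exe
"""

LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
O4_PATH_RE = re.compile(r'\]\s+"?([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)


def host_trusted(url):
    """True if the URL's host is an allowlisted domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def looks_base64_text(name):
    """True if a folder name base64-decodes to >= 4 printable ASCII bytes.
    'Random' folder names that are really base64 text are a common malware habit."""
    if not re.fullmatch(r"[A-Za-z0-9+/]{6,}", name):
        return False
    try:
        raw = base64.b64decode(name + "=" * (-len(name) % 4), validate=True)
    except binascii.Error:
        return False
    return len(raw) >= 4 and all(32 <= b < 127 for b in raw)


def triage(log_text):
    """Return a list of (severity, section, reason, line) findings."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, rest = m.groups()
        if section in ("R0", "R1"):
            value = rest.split(" = ", 1)[-1]
            if value.lower().startswith("http") and not host_trusted(value):
                findings.append(("medium", section, "start/search page points to untrusted host", line))
        elif section == "O4":
            pm = O4_PATH_RE.search(rest)
            if pm:
                parts = PureWindowsPath(pm.group(1)).parent.parts
                # Executable in a non-standard folder directly under C:\WINDOWS.
                # OEM tools sitting in C:\WINDOWS itself (two path parts) are
                # common, as the log above shows, so they are not flagged here.
                if (len(parts) == 3 and parts[1].lower() == "windows"
                        and parts[2].lower() not in KNOWN_WINDOWS_DIRS):
                    why = "autorun from non-standard %WINDIR% subfolder"
                    if looks_base64_text(parts[2]):
                        why += " (folder name is base64-encoded text)"
                    findings.append(("high", section, why, line))
        elif section == "O15":
            # Users rarely add Trusted Zone entries by hand; adware does.
            findings.append(("high", section, "Trusted Zone addition", line))
        elif section == "O16":
            url = rest.rsplit(" - ", 1)[-1]
            if not host_trusted(url):
                findings.append(("high", section, "ActiveX (DPF) download from untrusted host", line))
        elif section == "O23":
            pieces = rest.split(" - ")
            # Weak signal: the log above has legitimate Netropa and Broadcom
            # services listed as 'Unknown owner', so this is review-only.
            if len(pieces) >= 3 and pieces[1].strip().lower() == "unknown owner":
                findings.append(("low", section, "service binary has no publisher (review only)", line))
    return findings


if __name__ == "__main__":
    for sev, sec, why, line in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {sec}: {why}\n         {line}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. The allowlist and the folder heuristic are deliberately narrow; a clean run says nothing about a file that lives in a normal place under a normal name, which is why the next step after triage is always to hash the flagged binaries and check them, not to delete on the strength of a pattern match.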
#13 fenzodahl512 (Members, 6,738 posts)

Posted 14 July 2008 - 11:17 AM

Good news. Your log looks clean to my eyes.


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
    Please note that the space between x and / is needed



NEXT


Please Install/Update Sun Java

Updating Java:
  • Go to Start --> Control Panel --> Add or Remove Programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
  • It should have the following icon next to it: [image]
  • Select it and click Remove. This will uninstall the previous (outdated) version of Java.
  • Then Download and install the newest version from here: Java Runtime Environment (JRE) 6 Update 7



NEXT


I noticed you already have..

1. Norton Antivirus as your antivirus
2. Malwarebytes' Anti-Malware as your antispyware..



However, I haven't seen any third-party firewall in your logs. Do you have any? If you don't, please install ONLY ONE of these free and excellent firewalls below:
  • Comodo Firewall Pro
  • PC Tools Firewall Plus
    After you install the third party firewall, please disable your Windows firewall. Please go to My Computer >> Control Panel >> Windows Firewall and choose Off (not recommended) option. Then please click Apply and Ok.





Lastly, to keep your operating system up to date please visit the link below monthly
  • Microsoft Windows Update
To learn more about how to protect yourself while on the internet read this excellent article by Grinler: How did I get infected?, With steps so it does not happen again!

Please also read an excellent article by miekiemoes :Help! My computer is slow!

And another excellent article by CastleCops Malware Prevention: Prevent Re-infection

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread.



Have a safe and happy computing day!


Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive




