Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Internet Problems


  • This topic is locked This topic is locked
12 replies to this topic

#1 Stephen H

Stephen H

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:10:43 PM

Posted 13 July 2008 - 11:47 AM

Hello, and thanks in advance for helping me out.

My problems are internet related. Here are the following things that are going on:

1) Cannot update programs like Avast or AVG.

2) Cannot visit certain websites dealing with spyware problems. I am typing this on a different computer. When I try to go to bleepingcomputer.com on my infested one, all I get is a google search page with several results. I had to download the new version of hijack this on another computer and then transfer it over because my computer wouldn't open the link.

3) When using a search engine, I cannot click on a link without being redirected. Before the new pages comes up, I see a temp url. They all seem to start with http://asiuoqgusdbaksd.com/go.php? I can copy/paste the link and be ok most times.

4) Wikipedia is off limits to me. I get redirected to wistascanner page.

5) Notepad has quit. Data execution prevention shuts it down when I try to open a file. I can still open those type of files with wordpad. Notepad does work in safe mode though.

That's all I can think of right now. It's downright frustrating. Below is my hijackthis log.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:53 AM, on 7/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Downloaded Programs\logmein\x86\RaMaint.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SpyCatcher\Protector.exe
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\Downloaded Programs\itunes\iTunes.exe
C:\Downloaded Programs\Trillian\Trillian\trillian.exe
C:\Program Files\Microsoft Hardware\Keyboard\Type32.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Stephen\Desktop\Spyware stuff\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SpyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe reminder
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: secuload.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Downloaded Programs\logmein\x86\RaMaint.exe

--
End of file - 3933 bytes

BC AdBot (Login to Remove)

 


m

#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:43 PM

Posted 13 July 2008 - 07:19 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:


Try this to see if it restores your ability to visit this site.

Click Start > Run and type these commands hitting enter after each one:

sc stop clbdriver

sc delete clbdriver



Then locate and delete this files, if found:

C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\drivers\clbdriver.sys




Let me know if that restores your connectivity.
Otherwise you will need to download the tools we need from another computer and transfer them over.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Stephen H

Stephen H
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:10:43 PM

Posted 14 July 2008 - 07:08 AM

Sam,

Thanks for taking on my case.

I ran the two commands. I did not find any trace of those 3 files.

I still cannot connect to this website. IE is still telling it can't display the page.

Sincerely,

Stephen

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:43 PM

Posted 14 July 2008 - 10:17 AM

Ok, you will need to download this file and transfer it over to the infected computer.
If it won't run for you, rename combofix.exe to cf.exe and run it.

Please download ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 Stephen H

Stephen H
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:10:43 PM

Posted 14 July 2008 - 11:10 AM

We're back in business!! I'm posting this from my own computer, and I could open the .txt file with notepad. So far everything seems good. Here is the combofix log



ComboFix 08-07-13.12 - Stephen 2008-07-14 10:53:22.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1486 [GMT -5:00]
Running from: C:\Documents and Settings\Stephen\Desktop\cf.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\accesss.exe
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\avpcc.dll
C:\WINDOWS\clrssn.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\cpan.dll
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\default.htm
C:\WINDOWS\directx32.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\editpad.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\funny.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\iedll.exe
C:\WINDOWS\inetinf.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\loader.exe
C:\WINDOWS\msconfd.dll
C:\WINDOWS\msspi.dll
C:\WINDOWS\mssys.exe
C:\WINDOWS\msupdate.exe
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\notepad32.exe
C:\WINDOWS\olehelp.exe
C:\WINDOWS\qttasks.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\searchword.dll
C:\WINDOWS\sistem.exe
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\svchost32.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbdll.old
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\dayrdoic.ini
C:\WINDOWS\system32\dnnxuvyj.ini
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\fwghxpob.ini
C:\WINDOWS\system32\hkykuwky.ini
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\mssirmvo.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\soobmoyf.ini
C:\WINDOWS\system32\wcdfenpu.ini
C:\WINDOWS\system32\ykyuavjg.ini
C:\WINDOWS\system32\ylqmbjkf.ini
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\time.exe
C:\WINDOWS\users32.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\win64.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\window.exe
C:\WINDOWS\winhelp.ini
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\xplugin.dll
C:\WINDOWS\xxxvideo.hta

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER


((((((((((((((((((((((((( Files Created from 2008-06-14 to 2008-07-14 )))))))))))))))))))))))))))))))
.

2008-07-12 21:55 . 2008-07-12 21:56 4,566 --a------ C:\WINDOWS\imsins.BAK
2008-07-12 16:06 . 2008-07-12 16:06 <DIR> d-------- C:\Program Files\Alwil Software
2008-07-12 15:41 . 2008-07-12 15:41 <DIR> d-------- C:\Program Files\CCleaner
2008-07-10 08:04 . 2008-07-12 15:36 <DIR> d-------- C:\Program Files\Mult Choice
2008-07-09 12:47 . 2008-07-12 21:14 <DIR> d-------- C:\fixwareout
2008-07-04 17:55 . 2008-07-11 22:53 754 --a------ C:\WINDOWS\WORDPAD.INI
2008-06-26 16:35 . 2008-06-26 16:35 <DIR> d-------- C:\Program Files\Black Isle
2008-06-22 15:44 . 2008-06-22 15:44 <DIR> d-------- C:\Program Files\SpyCatcher
2008-06-22 15:44 . 2007-05-07 11:39 1,103,944 --a-s---- C:\WINDOWS\system32\Protector.dll
2008-06-22 15:44 . 2007-05-07 11:39 169,544 --a-s---- C:\WINDOWS\system32\SecuLoad.dll
2008-06-22 15:44 . 2007-05-07 11:42 40,960 --a-s---- C:\WINDOWS\system32\ProcessKiller.dll
2008-06-20 12:41 . 2008-06-20 12:41 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 05:44 . 2008-06-20 05:44 138,368 -----c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-17 08:11 . 2008-06-18 19:16 <DIR> d-------- C:\Program Files\SpyZooka
2008-06-17 08:10 . 2008-06-17 08:10 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-16 07:53 . 2008-06-16 07:54 <DIR> d-------- C:\Documents and Settings\Stephen2
2008-06-14 21:16 . 2008-06-14 21:16 <DIR> d-------- C:\WINDOWS\system32\netrax06
2008-06-14 21:16 . 2008-06-16 09:34 <DIR> d-------- C:\Temp
2008-06-14 21:16 . 2003-03-31 07:00 4,224 --a------ C:\WINDOWS\system32\beep.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-14 08:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-07-13 17:52 --------- d-----w C:\Documents and Settings\Stephen\Application Data\AVG7
2008-07-13 16:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-13 16:03 --------- d-----w C:\Documents and Settings\Stephen\Application Data\My Games
2008-07-09 16:43 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-17 14:07 --------- d-----w C:\Program Files\The Weather Channel FW
2008-06-16 16:06 --------- d-----w C:\Program Files\Java
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2007-09-22 04:07 19,384 -c--a-w C:\Documents and Settings\Stephen\Application Data\GDIPFONTCACHEV1.DAT
2006-03-22 04:47 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyCatcher Reminder"="C:\Program Files\SpyCatcher\SpyCatcher.exe" [2007-10-16 12:05 103864]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 18:19 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-23 06:21 219136]

C:\Documents and Settings\Stephen\Start Menu\Programs\Startup\
Scheduler.lnk - C:\Program Files\SpyCatcher\Scheduler daemon.exe [2008-06-22 15:44:34 86133]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
SpyCatcher Protector.lnk - C:\Program Files\SpyCatcher\Protector.exe [2008-06-22 15:44:34 91576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=secuload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Stephen\\Desktop\\magic\\Magic\\Manalink.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\games\\bg2\\BGMain.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Downloaded Programs\\itunes\\iTunes.exe"=
"C:\\Downloaded Programs\\Filezilla\\FileZilla.exe"=
"C:\\games\\Magic\\Magic\\Manalink.exe"=
"C:\\Downloaded Programs\\Trillian\\Trillian\\trillian.exe"=

R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Downloaded Programs\logmein\x86\RaInfo.sys [2007-04-17 14:00]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-04-05 11:55]
R3 ip100xp;IC Plus IP100 10/100 Fast Ethernet Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\ipfnd51.sys [2005-02-02 03:33]
S3 CrystalCpuInfo;CrystalCpuInfo;C:\Program Files\OCCT\CpuInfo.sys []
S3 gAGP440p;gAGP440p;C:\DOCUME~1\Stephen\LOCALS~1\Temp\gAGP440p.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8106a23-be5d-11dc-a0ec-00508d7f88cb}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-14 11:00:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\Downloaded Programs\logmein\x86\ramaint.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-07-14 11:05:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-14 16:05:08

Pre-Run: 89,411,833,856 bytes free
Post-Run: 89,556,566,016 bytes free

185 --- E O F --- 2008-07-13 16:26:39

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:43 PM

Posted 14 July 2008 - 02:27 PM

Good first step, but we have a little more to do still.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new DSS log

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 Stephen H

Stephen H
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:10:43 PM

Posted 15 July 2008 - 07:41 AM

Here is the next step


SDFix: Version 1.205
Run by Stephen on Tue 07/15/2008 at 07:23 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found




Folder C:\WINDOWS\system32\netrax06 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-15 07:31:48
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwQueryDirectoryFile

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Documents and Settings\\Stephen\\Desktop\\magic\\Magic\\Manalink.exe"="C:\\Documents and Settings\\Stephen\\Desktop\\magic\\Magic\\Manalink.exe:*:Disabled:manalink"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\games\\bg2\\BGMain.exe"="C:\\games\\bg2\\BGMain.exe:*:Disabled:Baldur's Gate II - Shadows of Amn"
"C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Disabled:Microsoft DirectPlay Helper"
"C:\\Downloaded Programs\\itunes\\iTunes.exe"="C:\\Downloaded Programs\\itunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Downloaded Programs\\Filezilla\\FileZilla.exe"="C:\\Downloaded Programs\\Filezilla\\FileZilla.exe:*:Enabled:FileZilla"
"C:\\games\\Magic\\Magic\\Manalink.exe"="C:\\games\\Magic\\Magic\\Manalink.exe:*:Disabled:manalink"
"C:\\Downloaded Programs\\Trillian\\Trillian\\trillian.exe"="C:\\Downloaded Programs\\Trillian\\Trillian\\trillian.exe:*:Enabled:Trillian"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files :



Files with Hidden Attributes :


Finished!

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:43 PM

Posted 15 July 2008 - 11:00 AM

Please post a new DSS log.
How is your computer behaving now?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 Stephen H

Stephen H
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:10:43 PM

Posted 15 July 2008 - 07:17 PM

Sam,

What is a DSS log? I tried looking in the glossary but to no avail. The computer still runs well. The problems I posted about all seem to be gone. The changes came after I ran combofix. I have no noticed no changes (good or bad) since running SDfix.

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:43 PM

Posted 16 July 2008 - 07:58 AM

Oops, my bad.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not
    malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet especially if your asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 Stephen H

Stephen H
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:10:43 PM

Posted 17 July 2008 - 10:07 AM

Deckard's System Scanner v20071014.68
Run by Stephen on 2008-07-17 10:05:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
5: 2008-07-17 15:05:09 UTC - RP5 - Deckard's System Scanner Restore Point
4: 2008-07-16 17:31:46 UTC - RP4 - System Checkpoint
3: 2008-07-15 16:44:44 UTC - RP3 - System Checkpoint
2: 2008-07-14 15:52:46 UTC - RP2 - ComboFix created restore point
1: 2008-07-14 15:52:04 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Stephen.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:53 AM, on 7/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Downloaded Programs\logmein\x86\RaMaint.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SpyCatcher\Protector.exe
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\Downloaded Programs\itunes\iTunes.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Downloaded Programs\Trillian\Trillian\trillian.exe
C:\Downloaded Programs\adobe\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Stephen\Desktop\dss.exe
C:\DOCUME~1\Stephen\Desktop\SPYWAR~1\Stephen.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SpyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe reminder
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\downloaded programs\quicktime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: secuload.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Downloaded Programs\logmein\x86\RaMaint.exe

--
End of file - 4045 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 giveio - c:\windows\system32\giveio.sys
R0 speedfan - c:\windows\system32\speedfan.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.9) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>
R3 catchme - c:\docume~1\stephen\locals~1\temp\catchme.sys (file missing)

S3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - c:\windows\system32\drivers\nsdriver.sys (file missing)
S3 CrystalCpuInfo - c:\program files\occt\cpuinfo.sys (file missing)
S3 gAGP440p - c:\docume~1\stephen\locals~1\temp\gagp440p.sys (file missing)
S3 MREMPR5 (MREMPR5 NDIS Protocol Driver) - c:\program files\common files\motive\mrempr5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
S3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\program files\common files\motive\mrendis5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S4 iPodService - c:\program files\ipod\bin\ipodservice.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-06-17 and 2008-07-17 -----------------------------

2008-07-15 07:21:28 0 d-------- C:\WINDOWS\ERUNT
2008-07-14 10:51:49 68096 --a------ C:\WINDOWS\zip.exe
2008-07-14 10:51:49 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-14 10:51:49 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-14 10:51:49 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-14 10:51:49 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-14 10:51:49 98816 --a------ C:\WINDOWS\sed.exe
2008-07-14 10:51:49 80412 --a------ C:\WINDOWS\grep.exe
2008-07-14 10:51:49 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-12 21:07:01 0 dr-h----- C:\Documents and Settings\Stephen\Recent
2008-07-12 16:06:21 0 d-------- C:\Program Files\Alwil Software
2008-07-12 15:41:28 0 d-------- C:\Program Files\CCleaner
2008-07-10 08:04:15 0 d-------- C:\Program Files\Mult Choice
2008-06-26 16:35:20 0 d-------- C:\Program Files\Black Isle
2008-06-22 15:44:33 40960 --a-s---- C:\WINDOWS\system32\ProcessKiller.dll
2008-06-22 15:44:32 0 d-------- C:\Program Files\SpyCatcher
2008-06-17 08:11:00 0 d-------- C:\Program Files\SpyZooka
2008-06-17 08:10:23 0 d-------- C:\Program Files\Common Files\Download Manager


-- Find3M Report ---------------------------------------------------------------

2008-07-17 09:16:15 0 d-------- C:\Documents and Settings\Stephen\Application Data\AVG7
2008-07-13 11:13:09 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-13 11:03:58 0 d-------- C:\Documents and Settings\Stephen\Application Data\My Games
2008-07-12 18:46:52 0 d-------- C:\Program Files\Common Files
2008-07-09 11:44:44 0 d-------- C:\Documents and Settings\Stephen\Application Data\Macromedia
2008-07-09 11:43:49 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-05 20:59:01 445 --a------ C:\WINDOWS\EntPack.dat
2008-06-17 09:07:12 0 d-------- C:\Program Files\The Weather Channel FW
2008-06-16 11:06:30 0 d-------- C:\Program Files\Java
2008-06-13 19:34:14 0 d-------- C:\Documents and Settings\Stephen\Application Data\WinRAR


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyCatcher Reminder"="C:\Program Files\SpyCatcher\SpyCatcher.exe" [10/16/2007 12:05 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/15/2008 06:19 PM]
"QuickTime Task"="C:\downloaded programs\quicktime\qttask.exe" [03/16/2006 05:00 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 05:43 PM]

C:\Documents and Settings\Stephen\Start Menu\Programs\Startup\
Scheduler.lnk - C:\Program Files\SpyCatcher\Scheduler daemon.exe [6/22/2008 3:44:34 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
SpyCatcher Protector.lnk - C:\Program Files\SpyCatcher\Protector.exe [6/22/2008 3:44:34 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=secuload.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8106a23-be5d-11dc-a0ec-00508d7f88cb}]
AutoRun\command- F:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-07-17 10:06:45 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3200+
Percentage of Memory in Use: 31%
Physical Memory (total/avail): 2047.48 MiB / 1401.59 MiB
Pagefile Memory (total/avail): 3430.42 MiB / 2963 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1925.16 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 127.99 GiB total, 83.08 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
G: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST3160021A - 149.05 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 127.99 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: AVG 7.5.524 v7.5.524 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Stephen\\Desktop\\magic\\Magic\\Manalink.exe"="C:\\Documents and Settings\\Stephen\\Desktop\\magic\\Magic\\Manalink.exe:*:Disabled:manalink"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\games\\bg2\\BGMain.exe"="C:\\games\\bg2\\BGMain.exe:*:Disabled:Baldur's Gate II - Shadows of Amn"
"C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Disabled:Microsoft DirectPlay Helper"
"C:\\Downloaded Programs\\itunes\\iTunes.exe"="C:\\Downloaded Programs\\itunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Downloaded Programs\\Filezilla\\FileZilla.exe"="C:\\Downloaded Programs\\Filezilla\\FileZilla.exe:*:Enabled:FileZilla"
"C:\\games\\Magic\\Magic\\Manalink.exe"="C:\\games\\Magic\\Magic\\Manalink.exe:*:Disabled:manalink"
"C:\\Downloaded Programs\\Trillian\\Trillian\\trillian.exe"="C:\\Downloaded Programs\\Trillian\\Trillian\\trillian.exe:*:Enabled:Trillian"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Stephen\Application Data
CLASSPATH=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PCBARANDGRILL
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Stephen
LOGONSERVER=\\PCBARANDGRILL
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI.ACE;C:\downloaded programs\quicktime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 47 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2f02
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Stephen\LOCALS~1\Temp
TMP=C:\DOCUME~1\Stephen\LOCALS~1\Temp
USERDOMAIN=PCBARANDGRILL
USERNAME=Stephen
USERPROFILE=C:\Documents and Settings\Stephen
windir=C:\WINDOWS
__COMPAT_LAYER=DisableNXShowUI


-- User Profiles ---------------------------------------------------------------

Stephen (admin)
LogMeInRemoteUser (admin)
Stephen2 (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\SBC LightSpeed Self Support Tool\CustomUninstall.exe SBC
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2Wire Wireless Client --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A3BC5D37-30F9-4CF7-BD5C-0DFF063E4B6D}\Setup.exe" -l0x9 -L0x9
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.7 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70700000002}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> MsiExec.exe /I{CB2D95C7-189C-4596-B071-CE99C309573D}
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATT-AACE --> C:\PROGRA~1\ATT\UNWISE.EXE C:\PROGRA~1\ATT\INSTALL.LOG
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
AVG Free Edition --> C:\Program Files\Grisoft\AVG Free\setup.exe /UNINSTALL
Baldur's Gate™ II - Throne of Bhaal ™ --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B8C3B479-1716-11D5-968A-0050BA84F5F7}\Setup.exe"
Battlezone --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Activision\Battlezone\Uninst.isu"
BioWare Premium Module: Neverwinter Nights™ Kingmaker --> C:\games\nwn\premium\uninst Neverwinter Nights™ Kingmaker.exe
BOINC --> MsiExec.exe /I{ADF69C76-13FF-49F0-A078-922725A8B1B6}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
DAEMON Tools --> MsiExec.exe /I{3DED3A72-61A8-4B87-98A5-EF0BC8038AA0}
Delta Force --> C:\WINDOWS\IsUninst.exe -fc:\games\delta\Uninst.isu
Demon Stone --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B8620F4-F388-4522-ADAD-9888C1E3D76C}\SETUP.EXE" -l0x9
DivX --> C:\Downloaded Programs\Divx\DivXCodecUninstall.exe /CODEC
DivX Player --> C:\Downloaded Programs\Divx\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Downloaded Programs\Divx\DivXWebPlayerUninstall.exe /PLUGIN
Doom 3 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{EEFB15EB-FE8B-47DF-A496-1C4D1420294A}
FileZilla (remove only) --> "C:\Downloaded Programs\Filezilla\uninstall.exe"
General 4.5e --> C:\games\General\UNWISE.EXE C:\games\General\INSTALL.LOG
GTAIII --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{92B94569-6683-4617-8C54-EB27A1B51B30}\Setup.exe" -l0x9
HijackThis 2.0.2 --> "C:\Documents and Settings\Stephen\Desktop\Spyware stuff\HijackThis.exe" /uninstall
InfraRecorder --> C:\Downloaded Programs\Iso burner\InfraRecorder\uninstall.exe
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{59C4F14F-7590-45FC-BE9F-A67AB3590709} /l1033
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
LJ Comment Stats Wizard 1.7 --> "C:\Downloaded Programs\LJ Comment Stats Wizard\unins000.exe"
LogMeIn --> MsiExec.exe /I{FCD06104-04F6-45AA-886B-0FB75C7EED3D}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Neverwinter Nights --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C1583439-B034-4881-819C-D52A0587662B}\setup.exe" -l0x9
OpD2d --> C:\WINDOWS\unvise32.exe c:\downloaded programs\sound recorder\uninstal.log
Puzzle Pirates --> C:\Program Files\Three Rings Design\Puzzle Pirates\Uninstall-yohoho.exe
QuarterMaster --> MsiExec.exe /I{D4685ED2-93BE-45C6-AD27-0AA11ED84795}
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{929408E6-D265-4174-805F-81D1D914E2A4} /l1033
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
SBC Self Support Tool --> C:\WINDOWS\Motive\SBC\MCCUninst.exe
SimCity 3000 --> C:\WINDOWS\IsUninst.exe -fc:\games\simcity\Uninst.isu
SpeedFan (remove only) --> "C:\Program Files\SpeedFan\uninstall.exe"
SpyCatcher Express 2007 --> "C:\Program Files\SpyCatcher\unins000.exe"
Temple of Elemental Evil --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AD80F06B-0F21-4EEE-934D-BEF0D21E6383}\SETUP.EXE" -l0x9
TES Construction Set --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\Bethesda Softworks\Morrowind\CSUninstall\Setup.exe" -l0x9
Tetris Arena 1.0 --> "C:\games\Tetris Arena\unins000.exe"
Trillian --> C:\Downloaded Programs\Trillian\Trillian\trillian.exe /uninstall
Visual Basic 5.0 Enterprise Edition --> C:\downloaded programs\vb5\Setup\setup.exe /z vb5_bb.dll /m
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
WinRAR archiver --> C:\Downloaded Programs\WinRar\uninstall.exe
XML Paper Specification Shared Components Pack 1.0 -->
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
YOU DON'T KNOW JACK Volume 2 --> C:\games\jack\UNWISE.EXE /A C:\games\jack\INSTALL.LOG
Zork Grand Inquisitor --> C:\WINDOWS\IsUninst.exe -fc:\games\zork\Uninst.isu


-- Application Event Log -------------------------------------------------------

Event Record #/Type1852 / Error
Event Submitted/Written: 07/15/2008 11:05:27 AM
Event ID/Source: 2001 / Microsoft Office 10
Event Description:
Rejected Safe Mode action : Microsoft Word.

Event Record #/Type1848 / Error
Event Submitted/Written: 07/14/2008 02:02:11 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application WINWORD.EXE, version 10.0.6843.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1839 / Error
Event Submitted/Written: 07/14/2008 08:25:34 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16674, faulting module urlmon.dll, version 7.0.6000.16674, fault address 0x00020b5a.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type1838 / Error
Event Submitted/Written: 07/13/2008 05:44:09 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16674, faulting module urlmon.dll, version 7.0.6000.16674, fault address 0x00020b5a.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type1837 / Error
Event Submitted/Written: 07/13/2008 03:56:12 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16674, faulting module urlmon.dll, version 7.0.6000.16674, fault address 0x00020b57.
Processing media-specific event for [iexplore.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type13527 / Warning
Event Submitted/Written: 07/17/2008 07:52:12 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type13526 / Warning
Event Submitted/Written: 07/16/2008 01:44:13 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type13406 / Error
Event Submitted/Written: 07/15/2008 07:27:04 AM
Event ID/Source: 15 / Cdrom
Event Description:
The device, \Device\CdRom2, is not ready for access yet.

Event Record #/Type13405 / Error
Event Submitted/Written: 07/15/2008 07:21:15 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
Avg7Core
Avg7RsW
Avg7RsXP
Fips
IPSec
MRxSmb
NetBIOS
NetBT
Processor
RasAcd
Rdbss
Tcpip
WS2IFSL

Event Record #/Type13404 / Error
Event Submitted/Written: 07/15/2008 07:21:15 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31



-- End of Deckard's System Scanner: finished at 2008-07-17 10:06:45 ------------

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:43 PM

Posted 17 July 2008 - 10:14 AM

You are running an older version of Java. This can be a security risk so let's get you the latest version.
Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

Aside from that, your log looks good to me! :)


Just a few last things and you should be good to go! :)


First, your log shows that you don't have the recovery console installed.
Check this link for more info on the recovery console and how to get it installed.

How to install and use the Windows XP Recovery Console



===================



Next, let's remove Combofix now that we're done with it and clean up a few other things.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

    • Posted Image
  • When shown the disclaimer, Select "2"



==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbsup: :)
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:43 PM

Posted 27 July 2008 - 07:32 AM

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users