Stubborn Infection With Antivirus Xp 2008


117 replies to this topic

#1 hopeIcan


Posted 08 August 2008 - 03:28 PM

We have been infected by the Antivirus XP 2008 trojan. I'm not sure how long we'd been infected when my wife told me about it. I ran a full scan with Symantec Antivirus and then looked up the issue on the Symantec site, after which I followed the removal instructions. This mostly consisted of deleting infecting registration keys. Actions and observations since then:

(1) Installed and ran the Malwarebytes Anti-Malware utility. Numerous infections identified and successfully removed.

(2) Repeat scans with the Malwarebytes utility result in the following message, no matter how many times I run it and restart:

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

(3) I cannot run Task Manager anymore.

(4) REGEDIT won't run, and I get a brief flash message that it has been prevented (or disabled) by the Administrator.

(5) I have uninstalled an old version of SpyBot and then downloaded and reinstalled the newest version. When I try to run it, I get a brief hourglass symbol and then nothing.

(6) On every startup, I get an error message that Windows can't find c:\windows\system32\wpx120.cpx, which may be a file the infecting startup program is trying to find (and which I must have deleted somewhere along the line).

Here is the Deckard's System Scanner log, followed by the HijackThis log:

Deckard's System Scanner v20071014.68
Run by Christy on 2008-08-08 15:52:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-08 15:53:30
Platform: Windows XP Service Pack 3 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Digital Media Reader\shwiconEM.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\soundman.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\epson\Creativity Suite\Event Manager\EEventManager.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\mrtmngr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\Christy\Desktop\Deckard's System Scanner\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R3 - URLSearchHook: (no name) - {06663B56-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
F0 - system.ini: Shell=Explorer.exe "C:\WINDOWS\system32\wpx120.cpx"
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\system32\wpx120.cpx"
O2 - BHO: Pando Search Assistant BHO - {06663B51-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Pando Toolbar BHO - {E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Pando Toolbar - {E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdydb.exe] C:\WINDOWS\system32\kdydb.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QBCD Autorun] F:\autorun.exe restart QB_SEQUENCE first
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = ?
O4 - Global Startup: QuickBooks Delivery Agent.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - CmdMapping - (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://download.microsoft.com/download/e/7.../OGAControl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/9/b...heckControl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/flash...ent/swflash.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.2.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: AtiExtEvent - C:\WINDOWS\system32\Ati2evxx.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS


--
End of file - 10877 bytes

-- Files created between 2008-07-08 and 2008-08-08 -----------------------------

2008-08-08 14:24:25 0 d-------- C:\AutoRuns
2008-08-08 10:44:35 0 d-------- C:\HijackThis
2008-08-06 23:08:31 0 d-------- C:\Documents and Settings\Christy\Application Data\Malwarebytes
2008-08-06 23:08:28 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-06 23:08:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-06 22:20:38 0 d-------- C:\Documents and Settings\Christy\Application Data\Google
2008-08-06 22:20:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-08-06 22:18:54 0 d-------- C:\Documents and Settings\Christy\Application Data\Macromedia
2008-08-06 22:17:58 0 d-------- C:\Documents and Settings\Christy\Application Data\Adobe
2008-08-06 22:17:17 0 d-------- C:\Documents and Settings\Christy\Application Data\HotSync
2008-08-06 22:17:00 0 d-------- C:\Documents and Settings\Christy\Application Data\EPSON
2008-08-06 22:16:31 0 d-------- C:\Documents and Settings\Christy\Application Data\McAfee
2008-08-06 22:16:31 0 d-------- C:\Documents and Settings\Christy\Application Data\Identities
2008-08-06 22:16:30 0 d-------- C:\Documents and Settings\Christy\WINDOWS
2008-08-06 22:16:30 0 d--h----- C:\Documents and Settings\Christy\Templates
2008-08-06 22:16:30 0 dr------- C:\Documents and Settings\Christy\Start Menu
2008-08-06 22:16:30 0 dr-h----- C:\Documents and Settings\Christy\SendTo
2008-08-06 22:16:30 0 dr-h----- C:\Documents and Settings\Christy\Recent
2008-08-06 22:16:30 0 d--h----- C:\Documents and Settings\Christy\PrintHood
2008-08-06 22:16:30 1572864 --ah----- C:\Documents and Settings\Christy\NTUSER.DAT
2008-08-06 22:16:30 0 d--h----- C:\Documents and Settings\Christy\NetHood
2008-08-06 22:16:30 0 dr------- C:\Documents and Settings\Christy\My Documents
2008-08-06 22:16:30 0 d--h----- C:\Documents and Settings\Christy\Local Settings
2008-08-06 22:16:30 0 dr------- C:\Documents and Settings\Christy\Favorites
2008-08-06 22:16:30 0 d-------- C:\Documents and Settings\Christy\Desktop
2008-08-06 22:16:30 0 d--hs---- C:\Documents and Settings\Christy\Cookies
2008-08-06 22:16:30 0 dr-h----- C:\Documents and Settings\Christy\Application Data
2008-08-06 22:16:30 0 d-------- C:\Documents and Settings\Christy\Application Data\Sun
2008-08-06 22:16:30 0 d-------- C:\Documents and Settings\Christy\Application Data\SampleView
2008-08-06 15:58:52 181 --a------ C:\WINDOWS\Sysvxd.exe
2008-08-05 21:03:20 0 dr------- C:\Documents and Settings\LocalService\My Documents
2008-08-05 21:03:17 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-08-05 20:48:39 12 --a------ C:\WINDOWS\system32\shell31.dll


-- Find3M Report ---------------------------------------------------------------

2008-08-07 00:30:33 28672 -----n--- C:\WINDOWS\system32\verclsid.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-08-07 00:18:26 0 d-------- C:\Program Files\Google
2008-08-06 20:39:37 700416 --a------ C:\StubInstaller.exe <Not Verified; LimeWire; LimeWire swarmed installer>
2008-08-06 14:25:11 5068800 --a------ C:\WINDOWS\system32\davinci.scr <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-08-06 14:22:05 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe <Not Verified; Ahead Software Gmbh; Ahead Software Gmbh NeroCheck>
2008-08-06 14:21:57 36864 --a------ C:\WINDOWS\ShowWnd.exe
2008-08-06 14:18:20 0 d-------- C:\Program Files\Symantec AntiVirus
2008-07-25 16:58:22 0 d-------- C:\Program Files\Java
2008-07-01 08:51:53 0 d-------- C:\Program Files\Palm
2008-06-18 22:40:23 0 d-------- C:\Program Files\HOJY TECH
2008-06-18 22:40:22 0 d--h----- C:\Program Files\InstallShield Installation Information


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{E3EA4FD9-CADE-4AE5-84F7-086EEE888BE4}"= C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL [06/30/2007 08:07 AM 266240]

[-HKEY_CLASSES_ROOT\CLSID\{E3EA4FD9-CADE-4AE5-84F7-086EEE888BE4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\WINDOWS\system32\kdydb.exe"="C:\WINDOWS\system32\kdydb.exe" []
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [08/06/2008 02:36 PM]
"TotalRecorderScheduler"="C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe" [12/05/2006 09:49 PM]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" []
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [11/15/2004 06:04 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"SoundMan"="SOUNDMAN.EXE" [12/01/2004 04:54 PM C:\WINDOWS\soundman.exe]
"ShowWnd"="ShowWnd.exe" [08/06/2008 02:21 PM C:\WINDOWS\ShowWnd.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [11/02/2004 11:24 PM]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08/06/2008 02:23 PM]
"QBCD Autorun"="F:\autorun.exe" []
"PinnacleDriverCheck"="C:\WINDOWS\system32\\PSDrvCheck.exe" [03/11/2004 01:26 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [08/06/2008 02:22 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 01:56 PM]
"EEventManager"="C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [04/08/2005 02:09 PM]
"CHotkey"="zHotkey.exe" [05/17/2004 09:30 PM C:\WINDOWS\zHotkey.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [08/06/2008 02:27 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [03/18/2005 12:05 AM]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" []
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [08/06/2008 07:18 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 08:12 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 11:05:26 PM]
Dataviz Messenger.lnk - C:\WINDOWS\DvzCommon\DvzMsgr.exe [7/1/2003 10:16:46 PM]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [6/9/2004 2:27:34 PM]
QuickBooks Delivery Agent.lnk - C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe [9/12/2005 9:34:54 PM]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [7/29/2003 9:49:48 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"EnableLUA"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe \"C:\WINDOWS\system32\wpx120.cpx\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS\system32]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS\system32\kdydb.exe]
C:\WINDOWS\system32\kdydb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus G]
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e32a73c2-687a-11dc-92da-0013d32f8c24}]
AutoPlaY\coMmanD- K:\vavah.pif
AutoRun\command- K:\vavah.pif
exPLOre\CommanD- K:\vavah.pif
oPEn\comManD- K:\vavah.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef8f92af-1d82-11da-911d-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480




-- End of Deckard's System Scanner: finished at 2008-08-08 15:53:44 ------------



---------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:45:37 AM, on 8/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {06663B56-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\system32\wpx120.cpx"
O2 - BHO: Pando Search Assistant BHO - {06663B51-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Pando Toolbar BHO - {E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Pando Toolbar - {E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdydb.exe] C:\WINDOWS\system32\kdydb.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QBCD Autorun] F:\autorun.exe restart QB_SEQUENCE first
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.2.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 8988 bytes



Thanks for any help with this.


#2 hopeIcan

hopeIcan
  • Topic Starter

  • Members
  • 70 posts
  • OFFLINE
  • Location:Newark NY
  • Local time:04:34 PM

Posted 09 August 2008 - 07:46 AM

I forgot two pieces of information that may make a difference. Both are things I saw or did a day or two before my original post.

(1) In my wife's Windows login account, the desktop background is completely blue, and there are no longer Desktop or Screen Saver tabs in the Display Properties window.

(2) I followed instructions from one of the first posts I found about the AntivirusXP 2008 trojan in BleepingComputer.com, which said to use OTMoveIt2 to move some files and keys. I realize now that this was probably a bonehead thing to do, because that instruction was relevant to some other guy's problem, but in my panic, that's what I did. Sorry about that. Here are the files that got moved:

File/Folder C:\WINDOWS\system32\lphc3osj0et9e.exe not found.
File/Folder C:\Program Files\rhc7osj0et9e not found.
File/Folder C:\WINDOWS\system32\qjspidwx.exe not found.
File/Folder C:\WINDOWS\system32\xgngtkhi.exe not found.
File/Folder C:\WINDOWS\system32\cjedudmd.exe not found.
File/Folder C:\Documents and Settings\All Users\Application Data\ivkfodmp not found.
File/Folder C:\Program Files\qmhuwbg not found.
File/Folder C:\WINDOWS\system32\pphc3osj0et9e.exe not found.
File/Folder C:\Documents and Settings\the old doctor\Application Data\rhc7osj0et9e not found.
File/Folder C:\WINDOWS\system32\blphc3osj0et9e.scr not found.
File/Folder C:\Program Files\temp995.bat not found.
File/Folder C:\WINDOWS\system32\apsrarqt.exe not found.
File/Folder C:\WINDOWS\system32\rcpaxwnu.exe not found.
File/Folder C:\WINDOWS\system32\cjedudmd.exe not found.
File/Folder C:\WINDOWS\system32\pehuzovw.exe not found.
File/Folder C:\WINDOWS\system32\hohszong.exe not found.
File/Folder C:\WINDOWS\system32\ryrolatk.exe not found.
File/Folder C:\WINDOWS\system32\rcdmlexs.exe not found.
File/Folder C:\WINDOWS\system32\slubsxsh.exe not found.
File/Folder C:\WINDOWS\system32\nolatcxm.exe not found.
File/Folder C:\WINDOWS\system32\rehynkzo.exe not found.
File/Folder C:\WINDOWS\system32\zalkpilw.exe not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\lphc3osj0et9e >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\lphc3osj0et9e not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SMrhc7osj0et9e >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SMrhc7osj0et9e not found.
< HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\setdb >
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\setdb not found.
< HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\uiadm >
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\uiadm not found.
< HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\apimsgapp >
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\apimsgapp not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\NoDispBackgroundPage >
Registry value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\NoDispBackgroundPage not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\NoDispScrSavPage >
Registry value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\NoDispScrSavPage not found.
< HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run\\GaVceWvq5q >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\UiShEn >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\UiShEn not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08062008_223953

#3 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:34 PM

Posted 17 August 2008 - 07:12 PM

Hello, hopeIcan.
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the Posted Image button in the lower left hand corner of your screen.
We need to run ComboFix. In your next reply, please include the following:
  • ComboFix.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#4 hopeIcan

hopeIcan
  • Topic Starter

  • Members
  • 70 posts
  • OFFLINE
  • Location:Newark NY
  • Local time:04:34 PM

Posted 17 August 2008 - 10:34 PM

Hi, Billy. Thanks for jumping in on this. Already, something's unclear to me.

My eMachine was not shipped with Windows XP CDs. I'm running Windows XP Media Center Edition SP3, so I don't know whether to download the setup disk file for XP Home Edition or XP Professional. Microsoft doesn't show an option for Media Center, but in their FAQs they explain that it was created for home use and does not include features built into Professional edition. Shall I assume that the Home edition is what to use?

#5 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:34 PM

Posted 17 August 2008 - 10:43 PM

Nope. I'm sorry. Media Center Edition uses the Professional Disks, even though it is a Home based OS (Don't ask me why).

Use the Professional SP2 option :thumbsup:

Billy3

#6 hopeIcan

hopeIcan
  • Topic Starter

  • Members
  • 70 posts
  • OFFLINE
  • Location:Newark NY
  • Local time:04:34 PM

Posted 17 August 2008 - 10:54 PM

I'm reconsidering. In a discussion on the Microsoft site, someone who seems to know says that Windows XP Media Center is just Windows XP Professional with some features removed. The same message says, though, that using the download for either Home or Pro, for the purpose of the Recovery Console, may work out fine, depending on what the user needs it for. He does not go on to explain what those uses might be. I'll download the setup disk version for Pro and wait for your instruction as to whether or not to use it.

#7 hopeIcan

hopeIcan
  • Topic Starter

  • Members
  • 70 posts
  • OFFLINE
  • Location:Newark NY
  • Local time:04:34 PM

Posted 17 August 2008 - 11:21 PM

Attached File  ComboFix_080818.txt   13.8KB   36 downloads
Here's the ComboFix log (both pasted and attached -- I couldn't tell which you preferred).

NOTE: Toward the end of the process I got a series of error messages, all of which said that the registry editor is disabled by administrator. I've been puzzling about this for days (looking in Group Policies - gpedit.msc - etc.) and haven't resolved it. If ComboFix was trying to delete or modify some registry keys, it probably couldn't.


ComboFix 08-08-17.03 - Christy 2008-08-18 0:04:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.434 [GMT -4:00]
Running from: C:\Documents and Settings\Christy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Christy\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Christy\Application Data\macromedia\Flash Player\#SharedObjects\2B2MWUXP\interclick.com
C:\Documents and Settings\Christy\Application Data\macromedia\Flash Player\#SharedObjects\2B2MWUXP\interclick.com\ud.sol
C:\Documents and Settings\Christy\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Christy\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Christy\Cookies\christy@ads.pointroll[1].txt
C:\Documents and Settings\Christy\Cookies\christy@ads.revsci[1].txt
C:\Documents and Settings\Christy\Cookies\christy@advertising[1].txt
C:\Documents and Settings\Christy\Cookies\christy@insightexpressai[1].txt
C:\Documents and Settings\Christy\Cookies\christy@microsoft[2].txt
C:\Documents and Settings\Christy\Cookies\christy@nytimes[2].txt
C:\Documents and Settings\Christy\Cookies\christy@revsci[2].txt
C:\Documents and Settings\Christy\Cookies\christy@usatoday[2].txt
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\539GXZBG\interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\539GXZBG\interclick.com\ud.sol
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Owner\Cookies\owner@citi.bridgetrack[1].txt
C:\Documents and Settings\Owner\Cookies\owner@edge.ru4[1].txt
C:\Documents and Settings\Owner\Cookies\owner@nytimes[1].txt
C:\Documents and Settings\Owner\Cookies\owner@revsci[2].txt
C:\Documents and Settings\Owner\Cookies\owner@vendorweb.citibank[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www2.1fbusa[2].txt
C:\Documents and Settings\Owner\UserData
C:\Documents and Settings\Owner\UserData\index.dat
C:\Documents and Settings\Owner\UserData\XH7WNWP2\IsOnIE6tbPromo[1].xml
C:\WINDOWS\system32\actskn43.ocx
C:\WINDOWS\system32\shell31.dll
C:\WINDOWS\Sysvxd.exe
C:\WINDOWS\wiaservb.log
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))
.

2008-08-14 00:21 . 2008-08-14 00:21 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-08-14 00:03 . 2008-05-01 10:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-14 00:02 . 2008-04-11 15:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-12 09:54 . 2008-08-12 09:54 <DIR> d-------- C:\Documents and Settings\Christy\Application Data\AdobeUM
2008-08-11 21:34 . 2008-08-11 21:35 <DIR> d-------- C:\Documents and Settings\Marcia\Motherscoop
2008-08-09 08:47 . 2008-08-09 08:47 <DIR> d-------- C:\Documents and Settings\Christy\Application Data\Viewpoint
2008-08-08 15:48 . 2008-08-08 15:48 <DIR> d-------- C:\Deckard
2008-08-08 14:24 . 2008-08-08 14:26 <DIR> d-------- C:\AutoRuns
2008-08-08 11:46 . 2008-08-08 11:46 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-08 10:44 . 2008-08-08 16:36 <DIR> d-------- C:\HijackThis
2008-08-06 23:08 . 2008-08-06 23:08 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-06 23:08 . 2008-08-06 23:08 <DIR> d-------- C:\Documents and Settings\Christy\Application Data\Malwarebytes
2008-08-06 23:08 . 2008-08-06 23:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-06 23:08 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-06 23:08 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-06 22:39 . 2008-08-08 11:07 <DIR> d-------- C:\_OTMoveIt
2008-08-06 22:17 . 2008-08-06 22:17 <DIR> d-------- C:\Documents and Settings\Christy\Application Data\HotSync
2008-08-06 22:17 . 2008-08-06 22:17 <DIR> d-------- C:\Documents and Settings\Christy\Application Data\EPSON
2008-08-06 22:16 . 2005-04-13 14:17 <DIR> d-------- C:\Documents and Settings\Christy\WINDOWS
2008-08-06 22:16 . 2005-08-05 23:10 <DIR> d-------- C:\Documents and Settings\Christy\Application Data\SampleView
2008-08-06 22:16 . 2005-08-05 23:11 <DIR> d-------- C:\Documents and Settings\Christy\Application Data\McAfee
2008-08-06 22:16 . 2008-08-14 20:18 <DIR> d-------- C:\Documents and Settings\Christy
2008-08-05 20:48 . 2008-08-05 20:48 49,664 --a------ C:\WINDOWS\system32\wpx109.cpx
2008-07-31 21:09 . 2008-07-31 21:10 <DIR> d-------- C:\Documents and Settings\Marcia\Med Fund 2008

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-08 15:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-07 04:30 28,672 ------w C:\WINDOWS\system32\verclsid.exe
2008-08-07 04:27 90,112 ----a-w C:\WINDOWS\DUMP99de.tmp
2008-08-07 04:18 --------- d-----w C:\Program Files\Google
2008-08-06 18:25 5,068,800 ----a-w C:\WINDOWS\system32\davinci.scr
2008-08-06 18:22 155,648 ----a-w C:\WINDOWS\system32\NeroCheck.exe
2008-08-06 18:21 36,864 ----a-w C:\WINDOWS\ShowWnd.exe
2008-08-06 18:18 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-07-25 20:58 --------- d-----w C:\Program Files\Java
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-01 12:51 --------- d-----w C:\Program Files\Palm
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 02:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-19 02:40 --------- d-----w C:\Program Files\HOJY TECH
2005-10-03 02:24 66 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2005-09-04 22:12 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{06663B56-0D73-4f9f-BCC5-4AA941470AFD}"= "C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL" [2007-06-30 08:07 61440]

[HKEY_CLASSES_ROOT\clsid\{06663b56-0d73-4f9f-bcc5-4aa941470afd}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4}"= "C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL" [2007-06-30 08:07 266240]

[HKEY_CLASSES_ROOT\clsid\{e3ea4fd9-cade-4ae5-84f7-086eee888be4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E3EA4FD9-CADE-4AE5-84F7-086EEE888BE4}"= "C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL" [2007-06-30 08:07 266240]

[HKEY_CLASSES_ROOT\clsid\{e3ea4fd9-cade-4ae5-84f7-086eee888be4}]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Dataviz Messenger.lnk - C:\WINDOWS\DvzCommon\DvzMsgr.exe [2003-07-01 22:16:46 24576]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:27:34 471040]
QuickBooks Delivery Agent.lnk - C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe [2005-09-12 21:34:54 118784]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-29 21:49:48 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll
"mixer"= DrvTrNTm.dll
"wave"= DrvTrNTm.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS\system32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus G]
--a------ 2008-08-06 14:29 1228800 C:\Program Files\D-Link\AirPlus G\AirGCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Palm\\HOTSYNC.EXE"= C:\\Program Files\\Palm\\Hotsync.exe
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\ehome\\ehtray.exe"=
"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"=
"C:\\Program Files\\iTunes\\iTunesHelper.exe"=
"C:\\Program Files\\EPSON\\Creativity Suite\\Event Manager\\EEventManager.exe"=
"C:\\WINDOWS\\Creator\\Remind_XP.exe"=
"C:\\WINDOWS\\SMINST\\RECGUARD.EXE"=
"C:\\WINDOWS\\system32\\netsh.exe"=
"C:\\WINDOWS\\system32\\Ati2evxx.exe"=
"C:\\Program Files\\Digital Media Reader\\shwiconem.exe"=
"C:\\WINDOWS\\system32\\WgaTray.exe"=
"C:\\Program Files\\Quicken\\bagent.exe"=
"C:\\Program Files\\HighCriteria\\TotalRecorder\\TotRecSched.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe"=
"C:\\Program Files\\Intuit\\QuickBooks Pro\\Components\\QBAgent\\QBDAgent.exe"=
"C:\\WINDOWS\\system32\\ctfmon.exe"=

R3 dac970nt;dac970nt;C:\WINDOWS\system32\drivers\nesmen.sys []
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2004-07-28 19:02]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e32a73c2-687a-11dc-92da-0013d32f8c24}]
\sHell\AutoPlaY\coMmanD - K:\vavah.pif
\sHell\AutoRun\command - K:\vavah.pif
\sHell\exPLOre\CommanD - K:\vavah.pif
\sHell\oPEn\comManD - K:\vavah.pif

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-07-31 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-08-06 14:28]

2008-08-18 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2008-08-07 06:18]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-kdydb - C:\WINDOWS\system32\kdydb.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 00:08:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\\WINDOWS\\system32\\kdydb.exe"="C:\\WINDOWS\\system32\\kdydb.exe"
.
Completion time: 2008-08-18 0:11:32
ComboFix-quarantined-files.txt 2008-08-18 04:11:29

Pre-Run: 106,091,319,296 bytes free
Post-Run: 106,543,161,344 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

222 --- E O F --- 2008-08-14 04:12:17

#8 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:34 PM

Posted 18 August 2008 - 06:33 AM

Hello, hopeIcan.
We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    http://www.bleepingcomputer.com/forums/index.php?showtopic=162203&view=findpost&p=915417
    
    suspect::[54]
    C:\WINDOWS\system32\davinci.scr
    C:\WINDOWS\ShowWnd.exe
    
    folder::
    C:\Program Files\PandoBar
    
    registry::
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    
    [-HKEY_CLASSES_ROOT\clsid\{06663b56-0d73-4f9f-bcc5-4aa941470afd}]
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    
    [-HKEY_CLASSES_ROOT\clsid\{e3ea4fd9-cade-4ae5-84f7-086eee888be4}]
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    
    [-HKEY_CLASSES_ROOT\clsid\{e3ea4fd9-cade-4ae5-84f7-086eee888be4}]
    
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"=-
    "DisableRegistryTools"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer"=-
    "wave"=-
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "C:\\WINDOWS\\system32\\kdydb.exe"=-
    
    file::
    C:\WINDOWS\DUMP99de.tmp
    
    rootkit::
    C:\WINDOWS\system32\drivers\nesmen.sys
    C:\\WINDOWS\\system32\\kdydb.exe
    
    driver::
    dac970nt
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

Billy3

#9 hopeIcan

hopeIcan
  • Topic Starter

  • Members
  • 70 posts
  • OFFLINE
  • Location:Newark NY
  • Local time:04:34 PM

Posted 18 August 2008 - 07:18 AM

Hi, Billy. You're at it early.

When I drag the CFScript over the ComboFix icon, the ComboFix progress bar appears and then sits there blank. The program seems to be hanging up.

Sorry.

Christy

#10 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:34 PM

Posted 18 August 2008 - 08:13 AM

Just want to make sure; please attach the cfscript.txt file to a reply :thumbsup:

Billy3

#11 hopeIcan

hopeIcan
  • Topic Starter

  • Members
  • 70 posts
  • OFFLINE
  • Location:Newark NY
  • Local time:04:34 PM

Posted 18 August 2008 - 08:24 AM

Here you go...
Attached File  CFScript.txt   1.09KB   36 downloads

#12 hopeIcan

hopeIcan
  • Topic Starter

  • Members
  • 70 posts
  • OFFLINE
  • Location:Newark NY
  • Local time:04:34 PM

Posted 18 August 2008 - 08:54 AM

It may help for me to explain some glitchy things that are happening since running ComboFix last night.
  • When I start up, the Start window opens by itself.
  • I tried to start Symantec Antivirus to be sure that all the auto-protect settings were still turned off, and the program tried to install itself. I assume this means that ComboFix deleted some components that Symantec needed to run, and it was trying to install itself again. The install failed, and I never could open it to see what the settings were. Since it didn't seem to be running, I assumed that it was okay to run ComboFix. That may have been a bad assumption.
  • When ComboFix had hung up, I restarted the computer. (I couldn't use Task Manager to stop it, since TM has been disabled by the trojan.) I started to think of anything I might have done wrong, and I thought I might have dragged the wrong ComboFix text file over the program icon, because the log file I sent you last night is right next to the one that you had me create this morning. If that could have created this hangup, it's possible that my fear is correct. In any event, after I restarted and made absolutely sure I dragged the right file over the icon, the program hung.
Not sure if that helps, but, you know, full disclosure. (I'm making myself feel like I'm talking to my attorney!)

Christy

#13 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:34 PM

Posted 18 August 2008 - 08:58 AM

Hello, hopeIcan.

Sorry about that, I made a mistake. Try this one instead.

We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    http://www.bleepingcomputer.com/forums/index.php?showtopic=162203&view=findpost&p=915417
    
    suspect::[54]
    C:\WINDOWS\system32\davinci.scr
    C:\WINDOWS\ShowWnd.exe
    
    folder::
    C:\Program Files\PandoBar
    
    registry::
    [-HKEY_CLASSES_ROOT\clsid\{06663b56-0d73-4f9f-bcc5-4aa941470afd}]
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4}"=-
    
    [-HKEY_CLASSES_ROOT\clsid\{e3ea4fd9-cade-4ae5-84f7-086eee888be4}]
    
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"=-
    "DisableRegistryTools"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer"=-
    "wave"=-
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "C:\\WINDOWS\\system32\\kdydb.exe"=-
    
    file::
    C:\WINDOWS\DUMP99de.tmp
    
    rootkit::
    C:\WINDOWS\system32\drivers\nesmen.sys
    C:\WINDOWS\system32\kdydb.exe
    
    driver::
    dac970nt
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

Billy3
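
The ComboFix log in post #7 and the CFScript in posts #8 and #13 show the two halves of this cleanup: a REGEDIT4-style dump of the loading points (policies\system lockdown values, Security Center overrides, the disabled firewall, the kdydb.exe Run entry) and a "registry::" section that removes values with the `"name"=-` syntax. The script below, an added example that is not ComboFix's, OTMoveIt2's or any poster's code, parses a dump in that format, flags the indicators quoted in this thread and renders the matching deletion directives. SAMPLE_LOG is a constructed excerpt built from values quoted above; the rule that flags a Run value whose name is itself a file path is a heuristic assumed here, not a ComboFix rule.

```python
"""Flag the lockdown indicators quoted in this thread in a ComboFix-style
'Reg Loading Points' dump and render matching CFScript 'registry::' deletions.
Added example, not ComboFix's or the poster's code; SAMPLE_LOG is constructed
from values quoted above."""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\\WINDOWS\\system32\\kdydb.exe"="C:\\WINDOWS\\system32\\kdydb.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(.+?)"\s*=\s*(.*)$')
# Policies that lock the user out of Task Manager, regedit and Display tabs.
LOCKDOWN_POLICIES = {"DisableTaskMgr", "DisableRegistryTools",
                     "NoDispBackgroundPage", "NoDispScrSavPage"}


@dataclass
class Finding:
    key: str
    name: str
    data: object
    reason: str
    remove: bool  # True -> emit a '"name"=-' deletion directive


def _normalise(data):
    """'1 (0x1)' and 'dword:00000001' become int; quoted strings lose quotes."""
    data = data.strip()
    if data.startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$", data)
    if m:
        return int(m.group(1))
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return data[1:-1]
    return data


def parse_reg_points(text):
    """Return {key: {value_name: data}} from REGEDIT4-style log lines."""
    points, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
            points.setdefault(key, {})
        elif (m := VALUE_RE.match(line)) and key is not None:
            points[key][m.group(1)] = _normalise(m.group(2))
    return points


def flag_lockdown(points):
    """Apply the indicator rules seen in this thread; return Finding objects."""
    out = []
    for key, values in points.items():
        k = key.lower()
        for name, data in values.items():
            if k.endswith(r"\policies\system") and name in LOCKDOWN_POLICIES and data == 1:
                out.append(Finding(key, name, data, "user lockdown policy set", True))
            elif r"\security center" in k and data == 1 and name.endswith(("DisableNotify", "Override")):
                out.append(Finding(key, name, data, "Security Center warning suppressed", True))
            elif k.endswith(r"firewallpolicy\standardprofile") and name == "EnableFirewall" and data == 0:
                # Report only: the fix is to re-enable the firewall, not delete the value.
                out.append(Finding(key, name, data, "Windows Firewall turned off", False))
            elif k.endswith(r"\currentversion\run") and re.match(r"^[a-z]:\\", name, re.I):
                # Heuristic (assumed here): a Run value whose *name* is a full path,
                # like kdydb.exe in the log above. Verify the file before acting.
                out.append(Finding(key, name, data, "Run entry named after its own path", True))
    return out


def deletion_script(findings):
    """Render a CFScript 'registry::' body in REGEDIT4 deletion syntax:
    [key] followed by "name"=- for each value to remove."""
    by_key = {}
    for f in findings:
        if f.remove:
            by_key.setdefault(f.key, []).append(f.name)
    lines = ["registry::"]
    for key, names in by_key.items():
        lines += [f"[{key}]", *(f'"{n}"=-' for n in names), ""]
    return "\n".join(lines).rstrip("\n")


if __name__ == "__main__":
    print(deletion_script(flag_lockdown(parse_reg_points(SAMPLE_LOG))))
```

On the constructed sample this reports six findings and emits deletions for five of them; the disabled firewall is reported but left out of the script, since the right fix there is re-enabling rather than deleting the value. Keys that ComboFix prints in its abbreviated `HKLM\~\...` form would need expanding to full paths before they could be used in a .reg file or CFScript.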

#14 hopeIcan

hopeIcan
  • Topic Starter

  • Members
  • 70 posts
  • OFFLINE
  • Location:Newark NY
  • Local time:04:34 PM

Posted 18 August 2008 - 09:46 AM

ComboFix still hangs when I drag the text file over it. I'll be away from that computer for several hours but will check in again as soon as I get home.

Thanks, Billy, for all the time you're taking with this.

Christy

#15 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:34 PM

Posted 18 August 2008 - 10:11 AM

Hello, hopeIcan.
Alright... we'll do this another way :thumbsup:

We need to upload a file for further inspection
  • Please go to this page.
  • Where it asks for the "Link to where the file was requested" copy and paste in
    http://www.bleepingcomputer.com/forums/index.php?showtopic=162203&view=findpost&p=915748
  • Where it says "Browse to the file you want to submit", copy and paste in
    C:\WINDOWS\system32\davinci.scr
  • Press the Posted Image button.
We need to upload a file for further inspection
  • Please go to this page.
  • Where it asks for the "Link to where the file was requested" copy and paste in
    http://www.bleepingcomputer.com/forums/index.php?showtopic=162203&view=findpost&p=915748
  • Where it says "Browse to the file you want to submit", copy and paste in
    C:\WINDOWS\ShowWnd.exe
  • Press the Posted Image button.
We need to move some files
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    HKEY_CLASSES_ROOT\clsid\{06663b56-0d73-4f9f-bcc5-4aa941470afd}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
    HKEY_CLASSES_ROOT\clsid\{e3ea4fd9-cade-4ae5-84f7-086eee888be4}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\DisableTaskMgr
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\DisableRegistryTools
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\\mixer
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\\wave
    C:\WINDOWS\DUMP99de.tmp
    C:\WINDOWS\system32\drivers\nesmen.sys
    C:\WINDOWS\system32\kdydb.exe
    dac970nt <delete service>
    C:\Program Files\PandoBar\
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

In your next reply, please include the following:
  • OTMoveIt2's Log
  • A new Hijack This log

Billy3

Edited by Billy O'Neal, 18 August 2008 - 10:12 AM.
Removed blank line in otmiscript

