No idea where to start, computer's completely infested.


This topic is locked. 18 replies to this topic.

#1 monkpart9

monkpart9

  • Members
  • 256 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:07:37 PM

Posted 18 January 2009 - 10:31 PM

Ok, so my buddy recently got his old computer up and running again, but the thing is it's completely spyware/malware/adware ridden.

I swear this has to be the worst machine I've ever seen.

Below I've included the HijackThis log that I managed to get.

If anyone could be of assistance, that would just be great.

Thanks in advance!

---------------------------------
HijackThis log
----------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:37:17 AM, on 1/2/2002
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
C:\Program Files\WhenUSearch\Search.exe
C:\Program Files\WhenUSearch\whse.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\ClockSync\Sync.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C3E7107984ED38741BB42EB9E396267C99E5DA795C744E20 - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\program files\zango\zangohook.dll (file missing)
O2 - BHO: WhenUSearch Helper - {BA2325ED-F9EB-4830-8FCE-0BC35B16969B} - C:\Program Files\WhenUSearch\search.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\Program Files\YourSiteBar\ysb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe"
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
O4 - HKLM\..\Run: [WhenUSearch] "C:\Program Files\WhenUSearch\Search.exe"
O4 - HKLM\..\Run: [WhenUSearchWHSE] "C:\Program Files\WhenUSearch\whse.exe"
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [g8m0hv9s] C:\WINNT\system32\g8m0hv9s.exe
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [WeatherCast] C:\PROGRA~1\WEATHE~1\Weather.exe /q
O4 - HKCU\..\Run: [ClockSync] "C:\Program Files\ClockSync\Sync.exe" /q
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\GetFlash.exe
O4 - HKLM\..\Policies\Explorer\Run: [wininet.dll] regperf.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://installdollars.com/files/small/small32.exe
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://ak.imgfarm.com/images/nocache/funwe...tup1.0.0.15.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://xaonon.dyndns.org/logos/lotr/sauron.png
O24 - Desktop Component 1: (no name) - http://images-eu.amazon.com/images/P/B0000...02.LZZZZZZZ.jpg
O24 - Desktop Component 2: (no name) - http://www.khomenko.net/homepage/images/dt.gif
O24 - Desktop Component 3: (no name) - http://www.khomenko.net/homepage/images/tull.gif
O24 - Desktop Component 4: (no name) - http://www.khomenko.net/homepage/images/rush.gif
O24 - Desktop Component 5: (no name) - http://www.khomenko.net/homepage/images/yes.gif
O24 - Desktop Component 6: (no name) - http://zeblackeyed.free.fr/bush4.jpg
O24 - Desktop Component 7: (no name) - http://zeblackeyed.free.fr/bush1.jpg
O24 - Desktop Component 8: (no name) - http://zeblackeyed.free.fr/bush2.jpg
O24 - Desktop Component 9: (no name) - http://zeblackeyed.free.fr/bushcinq.jpg

--
End of file - 7864 bytes
If you do things right, then people won't know if you've done anything at all.
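The log above is the kind of thing a helper reads by eye: which O4 autostarts look like malware, which O16 ActiveX downloads come from somewhere other than the OEM, which entries are already dead. The Python below is an added example for this thread; it is not code from BleepingComputer, from the poster, or from Trend Micro's HijackThis. It parses the O4 (autostart), O16 (ActiveX download) and O23 (service) lines of such a log and applies the same first-pass heuristics: an autostart under `Policies\Explorer\Run` (the `[wininet.dll] regperf.exe` line), a random-looking name such as `g8m0hv9s`, a bare file name with no path, an ActiveX download from an unknown host (installdollars.com), entries marked `(file missing)`, and services without a vendor string. The `TRUSTED_DPF_HOSTS` allowlist, the severity labels and the randomness test are this example's own assumptions, not a signature database; the sample input is a handful of lines copied from the log in post #1.

```python
"""First-pass triage of a HijackThis log.

Added example for this thread, not code from BleepingComputer or from Trend
Micro's HijackThis.  The allowlist, severities and randomness test are this
example's own assumptions, not a signature database.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: lines copied verbatim from the first log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C3E7107984ED38741BB42EB9E396267C99E5DA795C744E20 - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\program files\zango\zangohook.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [g8m0hv9s] C:\WINNT\system32\g8m0hv9s.exe
O4 - HKLM\..\Policies\Explorer\Run: [wininet.dll] regperf.exe
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://installdollars.com/files/small/small32.exe
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
"""

# Assumption for this example: hosts an OEM Gateway box is expected to pull
# ActiveX controls from.  Anything else is worth a look.
TRUSTED_DPF_HOSTS = {"support.gateway.com"}

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{[^}]+\}(?: \([^)]*\))? - (?P<src>\S+)$")
# Name - Company - Path; the company may be empty ("(SLService) - - C:\...").
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.*?) ?- (?P<path>[A-Za-z]:\\.+)$")
# Letters and digits interleaved, no vowels: "g8m0hv9s" yes; "00PCTFW" and "igfxtray" no.
RANDOM_RE = re.compile(r"^(?=.*[a-z]\d)(?=.*\d[a-z])[a-z0-9]{6,12}$")


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    reason: str
    line: str


def looks_random(name: str) -> bool:
    n = name.lower()
    return bool(RANDOM_RE.match(n)) and not (set(n) & set("aeiou"))


def first_executable(cmd: str) -> str:
    """Program part of a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd.split()[0] if cmd else "")


def basename_noext(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].rsplit(".", 1)[0]


def triage_line(line: str) -> List[Finding]:
    line = line.strip()
    out: List[Finding] = []
    if not line:
        return out
    if line.endswith("(file missing)"):
        # Registry still points at a file that is gone: a leftover, safe to fix.
        out.append(Finding("info", "orphaned entry, referenced file no longer exists", line))
        return out
    m = O4_RE.match(line)
    if m:
        key, name, cmd = m.group("key", "name", "cmd")
        exe = first_executable(cmd)
        if "Policies\\Explorer\\Run" in key:
            out.append(Finding("high", "autostart under Policies\\Explorer\\Run, a key legitimate installers rarely use", line))
        if looks_random(name) or looks_random(basename_noext(exe)):
            out.append(Finding("high", f"random-looking autostart name '{name}'", line))
        if not re.match(r"^[A-Za-z]:\\|^%|^\\\\", exe):
            out.append(Finding("medium", f"bare file name '{exe}', resolved through the search path at logon", line))
        return out
    m = O16_RE.match(line)
    if m and m.group("src").lower().startswith("http"):
        src = m.group("src")
        host = src.split("/")[2].lower()
        if host not in TRUSTED_DPF_HOSTS:
            sev = "high" if src.lower().endswith(".exe") else "medium"
            out.append(Finding(sev, f"ActiveX download from untrusted host {host}", line))
        return out
    m = O23_RE.match(line)
    if m and not m.group("company").strip():
        out.append(Finding("info", "service with no vendor string, check where the binary came from", line))
    return out


def triage(log_text: str) -> List[Finding]:
    return [f for line in log_text.splitlines() for f in triage_line(line)]


def summarize(findings: List[Finding]) -> dict:
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "info": 2}
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order[f.severity]):
        print(f"[{f.severity:>6}] {f.reason}\n         {f.line}")
```

Run as a script it prints the findings sorted by severity; on the sample it flags the `g8m0hv9s` autostart, the `Policies\Explorer\Run` entry (twice: policy key and bare `regperf.exe`), the installdollars.com `.exe` download, and notes the orphaned Zango BHO and the vendor-less SLService. The heuristics are deliberately crude: they shortlist lines for a human, they do not replace one.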

#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:01:37 AM

Posted 19 January 2009 - 03:19 AM

Hi,

Have you ever scanned with an antispyware scanner? Also, is your antivirus up to date? Because there's actually malware present and running here from more than 4 years ago.

What I suggest here is, please uninstall eTrust EZ Armor, because I'm sure this one is way outdated.

Also, I see you have 2 firewalls installed: ZoneAlarm and PC Tools Firewall. You can't have more than 1 firewall installed, so one of them should be uninstalled.
The PC Tools firewall is not free, so I'm wondering if this one was purchased anyway. If not, then I suggest you uninstall it.
The ZoneAlarm firewall present there is way outdated, so I suggest you uninstall that one anyway. You can reinstall another firewall again, but I suggest you do this once we're done here and not before. This is because, while you're infected, I want to avoid you creating rules in your firewall that allow the malware.

Reboot afterwards.

After reboot, install AVG 8:
http://free.avg.com/

Perform a full scan with it and let it delete everything it is finding.

Then reboot.

After reboot, install Spybot S&D:
http://www.safer-networking.org/en/spybotsd/index.html

Also perform a full scan with it and let it remove everything it is finding.
Then reboot once again.

After reboot, rescan with HijackThis and post a log in your next reply. Then we'll start from there.

Edited by miekiemoes, 19 January 2009 - 03:23 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 monkpart9
  • Topic Starter

Posted 19 January 2009 - 10:48 AM

I haven't tried any anti-malware programs previous to posting this log.

Uhm, really the reason why everything is so vastly outdated is that this computer had been stored away for so long.

I've scanned with AVG and Spybot, and rebooted after each scan.

Thanks in advance.

Below I've included the HijackThis log:
----------------------
HijackThis log
----------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:45:20 AM, on 1/19/2002
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [ClockSync] "C:\Program Files\ClockSync\Sync.exe" /q
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - Unknown owner - C:\Program Files\PC Tools Firewall Plus\FWService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://xaonon.dyndns.org/logos/lotr/sauron.png
O24 - Desktop Component 1: (no name) - http://images-eu.amazon.com/images/P/B0000...02.LZZZZZZZ.jpg
O24 - Desktop Component 2: (no name) - http://www.khomenko.net/homepage/images/dt.gif
O24 - Desktop Component 3: (no name) - http://www.khomenko.net/homepage/images/tull.gif
O24 - Desktop Component 4: (no name) - http://www.khomenko.net/homepage/images/rush.gif
O24 - Desktop Component 5: (no name) - http://www.khomenko.net/homepage/images/yes.gif
O24 - Desktop Component 6: (no name) - http://zeblackeyed.free.fr/bush4.jpg
O24 - Desktop Component 7: (no name) - http://zeblackeyed.free.fr/bush1.jpg
O24 - Desktop Component 8: (no name) - http://zeblackeyed.free.fr/bush2.jpg
O24 - Desktop Component 9: (no name) - http://zeblackeyed.free.fr/bushcinq.jpg

--
End of file - 7678 bytes

#4 miekiemoes

Posted 19 January 2009 - 11:03 AM

Hi,

The scanners did a good job already. I'm sure you already notice a difference.

Let's deal with the leftovers now. But before we do...
I see you are running TeaTimer.
I suggest you disable it, because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer <== click me for instructions.
After you have disabled TeaTimer, download ResetTeaTimer.bat to your desktop. (In case you use Firefox, right-click the link and choose "Save as".)
Double-click ResetTeaTimer.bat and let it run.
This will only take a few seconds.

Then,

Uninstall Web Offers via Add & Remove Programs.
If it's not present, look whether it's present as eZula and uninstall that.
Reboot afterwards.
If neither is present, skip this step and proceed with the next one.

I also notice there are a lot of Active Desktop items set while the URLs are already missing, so I suggest you remove them all.
To do this, go to Start > Control Panel > Display Properties > Desktop > Customize Desktop... > Web tab.
Select everything you find in there (except for "My current home page") and press the Delete button on the right.
Hit OK below, then Apply in the previous window.

Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

#5 monkpart9
  • Topic Starter

Posted 20 January 2009 - 04:52 PM

Hey, I know this may come as a strange request, but is there any chance that we might be able to continue this perhaps Saturday?

You see, I won't actually have access to my friend's computer to fix it, and instead of letting you think that I forgot about this topic by not responding to it till then, I just figured maybe we could put this thing on hold for a bit.

And, if you're not able to help me out later in the week like I previously suggested, then I appreciate all the help you've given me thus far, and thank you.

#6 miekiemoes

Posted 20 January 2009 - 06:04 PM

That's OK, as long as your friend doesn't use the computer in the meantime.
But... wouldn't it be better if your friend performed the instructions instead? They aren't that hard to follow though...

#7 monkpart9
  • Topic Starter

Posted 21 January 2009 - 06:05 PM

Aha, yes, I understand what you're saying; that would make the most sense, it would seem. Although my friend isn't very computer literate. He wouldn't even know what "HijackThis" is or even how to use it.

O.o

#8 miekiemoes

Posted 21 January 2009 - 06:14 PM

Don't worry, the instructions are foolproof, so I'm sure your friend will be able to follow them without any problems.
And it's always a good learning experience.

#9 monkpart9
  • Topic Starter

Posted 23 January 2009 - 04:25 PM

Well, my buddy just recently dropped off his computer at my house. I suppose next time it gets trashed I'll just forward him the instructions so he can do this on his own, aha.

So what I did was I tried running ComboFix but instead got the following attached error message.

I don't know what could possibly be making it do this; maybe you do.

Also, sorry about the delay.


#10 miekiemoes

Posted 24 January 2009 - 02:36 AM

Hi,

I didn't notice that before in your log, but the date is indeed wrong.
So right-click the time in the taskbar, select modify date/time, and in there modify the date and set it to 2009 (instead of 2002).
Click Apply and OK.

#11 monkpart9
  • Topic Starter

Posted 24 January 2009 - 12:35 PM

Alright, after making that change I've managed to run ComboFix, and the log is displayed below:
-------------
ComboFix Log:
------------
12:36 PM 1/24/2009
ComboFix 09-01-21.04 - Owner 2009-01-24 12:14:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.247.113 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\FunWebProducts
c:\program files\SideFind
c:\program files\WhenUSearch
c:\program files\WhenUSearch\Content\categories.html
c:\program files\WhenUSearch\Content\categories_loading.html
c:\program files\WhenUSearch\Content\foo.html
c:\program files\WhenUSearch\Content\index.htm
c:\program files\WhenUSearch\Content\instructions.html
c:\program files\WhenUSearch\Content\loading.html
c:\program files\WhenUSearch\Content\menu_main.html
c:\program files\WhenUSearch\Content\menu_pbandit.html
c:\program files\WhenUSearch\Content\min.html
c:\program files\WhenUSearch\Content\more.html
c:\program files\WhenUSearch\Content\newresults.html
c:\program files\WhenUSearch\Content\notyet.html
c:\program files\WhenUSearch\Content\open_browser.html
c:\program files\WhenUSearch\Content\open_shopping.html
c:\program files\WhenUSearch\Content\personals.html
c:\program files\WhenUSearch\Content\quick_coupon.html
c:\program files\WhenUSearch\Content\quick_instructions.html
c:\program files\WhenUSearch\Content\quick_search.html
c:\program files\WhenUSearch\Content\quick_tutorial.html
c:\program files\WhenUSearch\Content\right.html
c:\program files\WhenUSearch\Content\stores.html
c:\program files\WhenUSearch\Content\stores_loading.html
c:\program files\WhenUSearch\Content\ui.cfg
c:\program files\WhenUSearch\Content\uninst.ico
c:\winnt\IE4 Error Log.txt

.
((((((((((((((((((((((((( Files Created from 2008-12-24 to 2009-01-24 )))))))))))))))))))))))))))))))
.

2009-01-24 12:18 . 2009-01-24 12:24 54,156 --ah----- c:\winnt\QTFont.qfn
2009-01-24 12:18 . 2009-01-24 12:18 1,409 --a------ c:\winnt\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-24 17:04 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-11 22:01 95,640 ----a-w c:\winnt\system32\drivers\pctplfw.sys
2008-12-11 17:32 73,840 ----a-w c:\winnt\system32\drivers\PCTAppEvent.sys
2008-12-11 17:32 132,976 ----a-w c:\winnt\system32\drivers\PCTCore.sys
2008-12-11 13:38 159,600 ----a-w c:\winnt\system32\drivers\pctgntdi.sys
2008-02-02 10:07 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-02-02 10:07 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-02-02 10:07 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-02-02 10:07 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-02-02 10:07 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2005-11-11 08:18 475 --sh--w c:\winnt\system32\fpp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2005-04-27 6856704]
"AIM"="c:\progra~1\AIM\aim.exe" [2003-08-01 61440]
"eZWO"="c:\progra~1\Web Offer\wo.exe" [2005-03-25 139264]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\winnt\System32\igfxtray.exe" [2003-11-18 155648]
"HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [2003-11-18 118784]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-03-26 684032]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-15 77824]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2002-01-02 136600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2002-01-19 1261336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 28672]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 757760]
Kodak software updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 16423]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [2002-01-19 97928]
R1 pctgntdi;pctgntdi;c:\winnt\system32\drivers\pctgntdi.sys [2002-01-02 159600]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\winnt\system32\drivers\avgtdix.sys [2002-01-19 76040]
R4 PCTAppEvent;PCTAppEvent Driver;c:\winnt\system32\drivers\PCTAppEvent.sys [2002-01-02 73840]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]
S3 pctplfw;pctplfw;c:\winnt\system32\drivers\pctplfw.sys [2002-01-02 95640]
S3 PRISM_USB;IEEE 802.11 Wireless USB Driver;c:\winnt\system32\drivers\EXPSUSB.sys [2005-03-05 626688]

--- Other Services/Drivers In Memory ---

*Deregistered* - 6to4
*Deregistered* - aawservice
*Deregistered* - AudioSrv
*Deregistered* - Browser
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - ImapiService
*Deregistered* - JavaQuickStarterService
*Deregistered* - KodakCCS
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - MSIServer
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - SLService
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - UMWdf
*Deregistered* - W32Time
*Deregistered* - WANMiniportService
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2007-06-25 c:\winnt\Tasks\FRU Task #Hewlett-Packard#hp psc 1100 series#1072553455.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]

2003-12-18 c:\winnt\Tasks\ISP signup reminder 1.job
- c:\winnt\System32\OOBE\oobebaln.exe [2004-08-04 02:56]

2003-12-29 c:\winnt\Tasks\ISP signup reminder 2.job
- c:\winnt\System32\OOBE\oobebaln.exe [2004-08-04 02:56]

2004-01-02 c:\winnt\Tasks\ISP signup reminder 3.job
- c:\winnt\System32\OOBE\oobebaln.exe [2004-08-04 02:56]

2009-01-24 c:\winnt\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 09:04]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ClockSync - c:\program files\ClockSync\Sync.exe
HKCU-Run-WhenUSave - c:\program files\Save\Save.exe
HKLM-Run-00PCTFW - c:\program files\PC Tools Firewall Plus\FirewallGUI.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.rr.com/flash/index.cfm
mStart Page = hxxp://www.gateway.net
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;127.0.0.1
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {0F04992B-E661-4DB9-B223-903AB628225D} - file://c:\program files\Gateway\Do More\DoMoreRunExe.CAB
DPF: {511073AD-BE56-4D43-AE68-93390514385E} - file://c:\program files\gateway\helpspot\TechTools.CAB
FF - ProfilePath -
.
.
------- File Associations -------
.
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-24 12:24:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\winnt\system32\drivers\KodakCCS.exe
c:\winnt\system32\wdfmgr.exe
c:\winnt\wanmpsvc.exe
c:\winnt\system32\wscntfy.exe
c:\winnt\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2009-01-24 12:32:39 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2009-01-24 17:32:31

Pre-Run: 33,024,745,472 bytes free
Post-Run: 33,340,780,544 bytes free

203 --- E O F --- 2002-01-02 09:35:55
If you do things right, then people won't know if you've done anything at all.

#12 miekiemoes (Malware Response Team, Belgium)

Posted 24 January 2009 - 04:06 PM

Hi,

I see you are running Teatimer.
I suggest you disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer <== click me for instructions.
After you disabled Teatimer, download ResetTeaTimer.bat to your desktop. (In case you use Firefox, rightclick the link and choose "save as").
Doubleclick ResetTeaTimer.bat and let it run.
This will only take a few seconds.

Then,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

Filelook::
c:\winnt\system32\fpp.dll
Folder::
c:\program files\Web Offer
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eZWO"=-


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
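The Filelook:: directive in the script above makes ComboFix report whether c:\winnt\system32\fpp.dll is a PE image and print its MD5. The following script is an added example, not ComboFix's or VirusTotal's code: it does the same triage locally on any file, validating the MZ/PE signature, computing the MD5/SHA1/SHA256 digests VirusTotal lists and, on Windows, reading the hidden/system attribute bits that ComboFix shows as 'h' and 's' in its attribute column. The sample bytes are constructed here; build_minimal_pe() yields a signature-only blob, not a loadable image.

```python
"""Local triage of a suspect file, mirroring ComboFix's Filelook:: output
(PE check + MD5) and the digests VirusTotal prints.
Added example, not ComboFix or VirusTotal code; sample bytes are constructed."""
import hashlib
import os
import struct
from dataclasses import dataclass

# Windows file-attribute bits as reported in os.stat().st_file_attributes
# (Windows only; the attribute is absent on other platforms).
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04


@dataclass
class FileReport:
    name: str
    size: int
    is_pe: bool
    pe_detail: str
    md5: str
    sha1: str
    sha256: str
    hidden: bool = False
    system: bool = False


def pe_check(data: bytes) -> tuple[bool, str]:
    """A real DLL/EXE starts with an MZ DOS header whose e_lfanew field
    (offset 0x3C) points at the 'PE\\0\\0' signature. Anything else is
    'Not a PE file' in ComboFix's words, whatever the extension claims."""
    if len(data) < 0x40:
        return False, "shorter than a DOS header (64 bytes)"
    if data[:2] != b"MZ":
        return False, "no MZ signature"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False, "e_lfanew points outside the file"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, "MZ header without PE signature"
    return True, "PE image"


def digests(data: bytes) -> tuple[str, str, str]:
    """MD5, SHA1, SHA256 hex digests, the three hashes VirusTotal shows."""
    return (hashlib.md5(data).hexdigest(),
            hashlib.sha1(data).hexdigest(),
            hashlib.sha256(data).hexdigest())


def triage_bytes(name: str, data: bytes) -> FileReport:
    is_pe, detail = pe_check(data)
    md5, sha1, sha256 = digests(data)
    return FileReport(name, len(data), is_pe, detail, md5, sha1, sha256)


def triage_file(path: str) -> FileReport:
    """Same report for a file on disk, plus the hidden/system bits that
    ComboFix renders as 'h' and 's'."""
    with open(path, "rb") as fh:
        report = triage_bytes(os.path.basename(path), fh.read())
    attrs = getattr(os.stat(path), "st_file_attributes", 0)  # 0 off Windows
    report.hidden = bool(attrs & FILE_ATTRIBUTE_HIDDEN)
    report.system = bool(attrs & FILE_ATTRIBUTE_SYSTEM)
    return report


def build_minimal_pe() -> bytes:
    """Constructed 68-byte blob: MZ header, e_lfanew = 0x40, then 'PE\\0\\0'.
    Enough to pass the signature check; not a loadable image."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\0\0"


# Constructed stand-in for a small text file that merely carries a .dll name.
SAMPLE_NON_PE = b"[settings]\r\nhost=example.invalid\r\n" * 13

if __name__ == "__main__":
    for rep in (triage_bytes("fake.dll", SAMPLE_NON_PE),
                triage_bytes("tiny.exe", build_minimal_pe())):
        print(f"{rep.name}: {rep.size} bytes, {rep.pe_detail}, MD5 {rep.md5}")
```

Run triage_file() against the path ComboFix named before uploading anything: if pe_check() already says the bytes are not an image, a 0/N VirusTotal result tells you nothing about whether the file is harmless, only that no engine has a signature for a short non-executable blob.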

#13 monkpart9 (Topic Starter, New York)

Posted 24 January 2009 - 05:30 PM

Alrighty, I've included the new ComboFix log below

Thanks again!
-----------
ComboFix log
----------
ComboFix 09-01-21.04 - Owner 2009-01-24 17:15:13.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.247.102 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Web Offer
c:\program files\Web Offer\wo.exe

.
((((((((((((((((((((((((( Files Created from 2008-12-24 to 2009-01-24 )))))))))))))))))))))))))))))))
.

2009-01-24 12:18 . 2009-01-24 16:35 54,156 --ah----- c:\winnt\QTFont.qfn
2009-01-24 12:18 . 2009-01-24 12:33 1,409 --a------ c:\winnt\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-24 17:04 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-11 22:01 95,640 ----a-w c:\winnt\system32\drivers\pctplfw.sys
2008-12-11 17:32 73,840 ----a-w c:\winnt\system32\drivers\PCTAppEvent.sys
2008-12-11 17:32 132,976 ----a-w c:\winnt\system32\drivers\PCTCore.sys
2008-12-11 13:38 159,600 ----a-w c:\winnt\system32\drivers\pctgntdi.sys
2008-02-02 10:07 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-02-02 10:07 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-02-02 10:07 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-02-02 10:07 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-02-02 10:07 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2005-11-11 08:18 475 --sh--w c:\winnt\system32\fpp.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\fpp.dll -- Not a PE file.
MD5: e59210657bfd212f48c5b329dd8e3149


((((((((((((((((((((((((((((( snapshot@2009-01-24_12.30.50.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-24 21:34:38 16,384 ----atw c:\winnt\temp\Perflib_Perfdata_110.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2005-04-27 6856704]
"AIM"="c:\progra~1\AIM\aim.exe" [2003-08-01 61440]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\winnt\System32\igfxtray.exe" [2003-11-18 155648]
"HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [2003-11-18 118784]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-03-26 684032]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-15 77824]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2002-01-02 136600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2002-01-19 1261336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 28672]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 757760]
Kodak software updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 16423]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [2002-01-19 97928]
R1 pctgntdi;pctgntdi;c:\winnt\system32\drivers\pctgntdi.sys [2002-01-02 159600]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\winnt\system32\drivers\avgtdix.sys [2002-01-19 76040]
R4 PCTAppEvent;PCTAppEvent Driver;c:\winnt\system32\drivers\PCTAppEvent.sys [2002-01-02 73840]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]
S3 pctplfw;pctplfw;c:\winnt\system32\drivers\pctplfw.sys [2002-01-02 95640]
S3 PRISM_USB;IEEE 802.11 Wireless USB Driver;c:\winnt\system32\drivers\EXPSUSB.sys [2005-03-05 626688]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2002-01-19 875288]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2002-01-19 231704]

--- Other Services/Drivers In Memory ---

*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - UMWdf
*Deregistered* - W32Time
*Deregistered* - WANMiniportService
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2007-06-25 c:\winnt\Tasks\FRU Task #Hewlett-Packard#hp psc 1100 series#1072553455.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]

2003-12-18 c:\winnt\Tasks\ISP signup reminder 1.job
- c:\winnt\System32\OOBE\oobebaln.exe [2004-08-04 02:56]

2003-12-29 c:\winnt\Tasks\ISP signup reminder 2.job
- c:\winnt\System32\OOBE\oobebaln.exe [2004-08-04 02:56]

2004-01-02 c:\winnt\Tasks\ISP signup reminder 3.job
- c:\winnt\System32\OOBE\oobebaln.exe [2004-08-04 02:56]

2009-01-24 c:\winnt\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 09:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.rr.com/flash/index.cfm
mStart Page = hxxp://www.gateway.net
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;127.0.0.1
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {0F04992B-E661-4DB9-B223-903AB628225D} - file://c:\program files\Gateway\Do More\DoMoreRunExe.CAB
DPF: {511073AD-BE56-4D43-AE68-93390514385E} - file://c:\program files\gateway\helpspot\TechTools.CAB
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-24 17:18:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-24 17:20:58
ComboFix-quarantined-files.txt 2009-01-24 22:20:39
ComboFix2.txt 2009-01-24 17:32:42

Pre-Run: 33,330,814,976 bytes free
Post-Run: 33,313,222,656 bytes free

135 --- E O F --- 2002-01-02 09:35:55
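A log this long is easier to review mechanically. The script below is an added example, not part of ComboFix or of any reply in this thread: it parses the file listings, Run keys and mountpoints2 AutoRun handlers out of a ComboFix log and flags what a helper looks at first, namely hidden+system files inside the Windows tree, executable-extension files too small to be a normal DLL, and AutoRun commands registered for a drive. The 1 KB size threshold and the reading of the attribute letters are my heuristics, and SAMPLE_LOG is an excerpt constructed from lines quoted in the log above.

```python
"""Triage of a ComboFix log: pull file listings, Run keys and mountpoints2
AutoRun handlers out of the text and flag what a reviewer checks first.
Added example, not ComboFix code; SAMPLE_LOG is constructed from lines
quoted in this thread."""
import re
from dataclasses import dataclass, field

EXEC_EXT = (".dll", ".exe", ".sys", ".ocx", ".scr", ".cpl")
WINDOWS_DIRS = ("\\winnt\\", "\\windows\\")
SMALL_EXE_BYTES = 1024  # heuristic: a real DLL is rarely smaller

# Matches '2005-11-11 08:18 475 --sh--w c:\winnt\system32\fpp.dll' and the
# other shapes ComboFix uses ('<date> . <date> <size> <attr> <path>',
# '+ <date> <size> <attr> <path>').
ENTRY_RE = re.compile(
    r"^[+-]?\s*(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}).*?\s"
    r"(?P<size>[\d,]+|-{6,})\s+(?P<attr>[-a-z]{6,9})\s+(?P<path>[a-z]:\\.+)$",
    re.I,
)
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+|HKLM\\[^\]]+)\]$", re.I)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<stamp>[^\]]*)\]$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$", re.I)


@dataclass
class Finding:
    path: str
    reason: str


@dataclass
class Triage:
    run_entries: list = field(default_factory=list)  # (key, name, path)
    findings: list = field(default_factory=list)


def parse_size(token: str):
    """'95,640' -> 95640; a run of dashes (directory) -> None."""
    return None if token.startswith("-") else int(token.replace(",", ""))


def check_file(path: str, size, attr: str) -> list:
    """attr is ComboFix's attribute column; letters d/r/s/h/a/w, '-' unset."""
    letters = set(attr.replace("-", ""))
    low = path.lower()
    out = []
    if "d" not in letters and {"h", "s"} <= letters and any(d in low for d in WINDOWS_DIRS):
        out.append("hidden+system file inside a Windows directory")
    if size is not None and size < SMALL_EXE_BYTES and low.endswith(EXEC_EXT):
        out.append(f"{size}-byte file with an executable extension; verify it is a PE image")
    return out


def triage_log(text: str) -> Triage:
    result = Triage()
    key = ""  # registry key most recently opened with [ ... ]
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = ENTRY_RE.match(line)
        if m:
            size = parse_size(m.group("size"))
            for reason in check_file(m.group("path"), size, m.group("attr")):
                result.findings.append(Finding(m.group("path"), reason))
            continue
        m = RUN_RE.match(line)
        if m and key.lower().endswith("\\run"):
            result.run_entries.append((key, m.group("name"), m.group("path")))
            continue
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in key.lower():
            drive = key.rsplit("\\", 1)[-1]
            result.findings.append(Finding(
                m.group("cmd"),
                f"AutoRun handler registered for drive {drive}:; Explorer runs it when the drive is opened"))
    return result


# Constructed excerpt built from lines of the ComboFix log in this thread.
SAMPLE_LOG = r"""
2009-01-24 12:18 . 2009-01-24 16:35 54,156 --ah----- c:\winnt\QTFont.qfn
2009-01-24 17:04 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-11 22:01 95,640 ----a-w c:\winnt\system32\drivers\pctplfw.sys
2005-11-11 08:18 475 --sh--w c:\winnt\system32\fpp.dll
+ 2009-01-24 21:34:38 16,384 ----atw c:\winnt\temp\Perflib_Perfdata_110.dat
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2005-04-27 6856704]
"AIM"="c:\progra~1\AIM\aim.exe" [2003-08-01 61440]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\winnt\System32\igfxtray.exe" [2003-11-18 155648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2002-01-19 1261336]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
"""

if __name__ == "__main__":
    t = triage_log(SAMPLE_LOG)
    for _key, name, path in t.run_entries:
        print(f"RUN  {name}: {path}")
    for f in t.findings:
        print(f"FLAG {f.path}: {f.reason}")
```

Run it on a saved ComboFix.txt with triage_log(open(path).read()). On the excerpt it flags fpp.dll twice (hidden+system, and 475 bytes for a .dll) and the E:\LaunchU3.exe AutoRun handler, and leaves QTFont.qfn (hidden but not system) and the PC Tools driver alone; the Run entries come back as a list for manual review rather than being judged.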

#14 miekiemoes (Malware Response Team, Belgium)

Posted 25 January 2009 - 04:53 AM

Hi,

Go to the next site:
http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to the next file:

c:\winnt\system32\fpp.dll

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply.

#15 monkpart9 (Topic Starter, New York)

Posted 25 January 2009 - 11:06 AM

Alright, here's the log from the scan.

-----------
Scan log
-----------
File fpp.dll received on 01.25.2009 17:00:18 (CET)

Result: 0/39 (0%)
Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.25 -
AhnLab-V3 5.0.0.2 2009.01.25 -
AntiVir 7.9.0.60 2009.01.24 -
Authentium 5.1.0.4 2009.01.24 -
Avast 4.8.1281.0 2009.01.25 -
AVG 8.0.0.229 2009.01.24 -
BitDefender 7.2 2009.01.25 -
CAT-QuickHeal 10.00 2009.01.24 -
ClamAV 0.94.1 2009.01.25 -
Comodo 946 2009.01.25 -
DrWeb 4.44.0.09170 2009.01.25 -
eSafe 7.0.17.0 2009.01.25 -
eTrust-Vet 31.6.6325 2009.01.24 -
F-Prot 4.4.4.56 2009.01.24 -
F-Secure 8.0.14470.0 2009.01.25 -
Fortinet 3.117.0.0 2009.01.25 -
GData 19 2009.01.25 -
Ikarus T3.1.1.45.0 2009.01.25 -
K7AntiVirus 7.10.604 2009.01.24 -
Kaspersky 7.0.0.125 2009.01.25 -
McAfee 5505 2009.01.24 -
McAfee+Artemis 5505 2009.01.24 -
Microsoft 1.4205 2009.01.25 -
NOD32 3798 2009.01.25 -
Norman 5.93.01 2009.01.23 -
nProtect 2009.1.8.0 2009.01.23 -
Panda 9.5.1.2 2009.01.25 -
PCTools 4.4.2.0 2009.01.25 -
Prevx1 V2 2009.01.25 -
Rising 21.13.42.00 2009.01.23 -
SecureWeb-Gateway 6.7.6 2009.01.25 -
Sophos 4.37.0 2009.01.25 -
Sunbelt 3.2.1835.2 2009.01.16 -
Symantec 10 2009.01.25 -
TheHacker 6.3.1.5.229 2009.01.25 -
TrendMicro 8.700.0.1004 2009.01.24 -
VBA32 3.12.8.11 2009.01.24 -
ViRobot 2009.1.23.1576 2009.01.23 -
VirusBuster 4.5.11.0 2009.01.24 -
Additional information
File size: 475 bytes
MD5...: e59210657bfd212f48c5b329dd8e3149
SHA1..: 3850977a6ef9c9e4c41356e722fd5d1132e45212
SHA256: 47b65cfa06e19efce0be74285e22ef878a809ff27481cfa051ec3eb04f4e5f40
SHA512: 06ba660a81a06e4391851217a5b812579978290c7f4b88994d8ff3230de7d44630735f7800622cde3bda02f870c0abaa1e09e7fe59f4cb7c0d67581a5cf87fe0

ssdeep: 12:Ij84iWLbb0B0ctsK26lG70dhoITGIVejSuOVCCErlRq:Ij84jbb0BltC6o70RTaDOo/Dq

PEiD..: -
TrID..: File type identification
Unknown!
PEInfo: -



