'Little help here


18 replies to this topic

#1 diespy

Posted 10 August 2005 - 02:46 PM

Ok, so I have been dealing with huge frustration and am about to hire someone to come "fix" my computer. I run Windows XP, home edition .. at one point had tried to download SP2 but am really not sure if it worked or not. I was having a problem with downloading anything, but that seems to have been fixed now and everything runs just peachy when I use a newly downloaded Firefox browser. Problem is that several of my applications require IE as the browser (my new ISP to use their e-mail, Microsoft Money, etc).

In IE it will not let me load secure websites (so no e-mail access, etc) and I continuously get errors that my "current security settings do not allow activeX controls" so will not display websites properly. When I try to fix my security settings they never save ... and even right after I fix them this happens. I assume this is a virus or malware.

This morning, I have run AVG (no viruses), ad-aware (4 tracking cookies deleted), followed by Spybot (nothing new). CW shredder reports no evidence of CWS virus.

So I then ran HJT and do not really feel savvy enough to interpret the results (afraid I will delete something important).

Any takers for some help??

The log:
Logfile of HijackThis v1.99.1
Scan saved at 7:45:44 AM, on 8/10/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\msrouter.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\gah95on6.exe
C:\WINNT\System32\rpctpub.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [USB Updatess] msrouter.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [gah95on6] C:\WINNT\System32\gah95on6.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\RunServices: [USB Updatess] msrouter.exe
O4 - HKLM\..\RunServices: [Camra Updates] serviceswu.exe
O4 - HKCU\..\Run: [USB Updatess] msrouter.exe
O4 - HKCU\..\Run: [USB Updates] msfirewalls.exe
O4 - HKCU\..\Run: [MB52Rke4P] rpctpub.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc.../bridge-c32.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112157601597
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF2D339B-581B-40F3-84C5-A510DA9600D8}: NameServer = 192.168.0.1
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINNT\System32\libsysmgr.exe (file missing)
O23 - Service: ProcessEnumerator32 (pe32) - Unknown owner - C:\WINNT\fi49.exe (file missing)
O23 - Service: PictureTaker - LANovation - c:\fixit\pt\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: sdktemp - Unknown owner - C:\WINNT\sdktemp.exe (file missing)
O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINNT\taskbarmngr.exe (file missing)



Thanks to any and all in advance for help. Will try to log in later to look for some help.
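The HijackThis log format above, and the items a log reviewer checks first in it (path-less O4 entries, RunServices entries, O6 restrictions, O16 download hosts, O23 services with missing binaries), as an added triage example that is not code from the thread or from HijackThis; the sample lines are copied from the first log, and the allowlists are assumptions made for the example.

```python
"""Triage helper for HijackThis v1.99 log lines (added example; not code from
the thread or from HijackThis).  It parses the O4 / O6 / O16 / O23 line
formats shown in the logs above and flags the patterns a log reviewer checks
first.  The allowlists below are constructed assumptions for this example."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line within the log text
    kind: str      # short category tag
    detail: str    # human-readable explanation


# Assumptions: bare names the helper in the thread checked and cleared, and
# hosts that legitimately served ActiveX (DPF) packages in these logs.
KNOWN_GOOD_BARE_NAMES = {"sk9910dm.exe", "gwmdmmsg.exe"}
TRUSTED_DPF_HOSTS = {"v5.windowsupdate.microsoft.com", "zone.msn.com",
                     "www.pandasoftware.com"}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunServices|RunOnce): "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (?P<url>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.*?) - (?P<owner>.*?) - "
                    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
# Cuts an unquoted command line at the program's extension, so unquoted
# paths containing spaces are not truncated at the first space.
EXT_RE = re.compile(r"^(.*?\.(?:exe|com|scr|dll|bat))(?:\s|$)", re.IGNORECASE)


def executable_of(cmd: str) -> str:
    """Return the program part of an O4 command line, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXT_RE.match(cmd)
    return m.group(1) if m else (cmd.split()[0] if cmd else "")


def triage(log_text: str) -> list[Finding]:
    """Scan HJT log text and return the suspicious items, in log order."""
    findings: list[Finding] = []
    autostarts: dict[str, list[int]] = {}   # executable -> lines it autostarts from
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        line = line.rstrip()
        if m := O4_RE.match(line):
            exe = executable_of(m["cmd"])
            if m["key"] == "RunServices":
                findings.append(Finding(line_no, "O4-runservices",
                    f"[{m['name']}] {exe}: RunServices is a legacy Win9x key; "
                    "normal XP software does not register there"))
            if "\\" not in exe and exe.lower() not in KNOWN_GOOD_BARE_NAMES:
                findings.append(Finding(line_no, "O4-bare-name",
                    f"[{m['name']}] {exe}: no path given, so the file lives in "
                    "System32 or on PATH; verify it before trusting it"))
            autostarts.setdefault(exe.lower(), []).append(line_no)
        elif line.startswith("O6 - ") and line.endswith("Restrictions present"):
            findings.append(Finding(line_no, "O6-ie-restrictions",
                "IE policy restrictions are set; can explain Internet Options "
                "changes that will not stick"))
        elif m := O16_RE.match(line):
            host = urlsplit(m["url"]).hostname or ""
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(Finding(line_no, "O16-untrusted-host",
                    f"ActiveX package downloaded from {host}; not a known update host"))
        elif m := O23_RE.match(line):
            if m["missing"] or m["owner"] == "Unknown owner":
                findings.append(Finding(line_no, "O23-suspicious",
                    f"service {m['desc']} by {m['owner']} at {m['path']}"
                    + (" (binary missing)" if m["missing"] else "")))
    # The same program registered under several autostart keys is the
    # persistence pattern seen in this thread (msrouter.exe under three keys).
    for exe, lines in autostarts.items():
        if len(lines) > 1:
            findings.append(Finding(lines[0], "O4-duplicate",
                f"{exe} autostarts from {len(lines)} keys (lines {lines})"))
    return sorted(findings, key=lambda f: f.line_no)


# Constructed sample: lines copied from the thread's first HJT log.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [USB Updatess] msrouter.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\RunServices: [USB Updatess] msrouter.exe
O4 - HKCU\..\Run: [USB Updatess] msrouter.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc.../bridge-c32.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112157601597
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINNT\System32\libsysmgr.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>2} {f.kind:<20} {f.detail}")
```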

#2 diespy


Posted 13 August 2005 - 04:55 PM

Replying to own thread here ... I realized I was running an old version of Ad-Aware, downloaded latest version and definitions, and re-ran this along with AVG and spybot. New version of Ad-Aware came up with tons of problems which I fixed. Spybot remains unable to remove a couple of "Wild Tangent" problems as it says they are in use by another program. Alas, the problems with IE (unable to access secure sites, unable to change activeX controls to allow use and make it stick) still persist after all of this.

New HJT log after doing the above ... any thoughts?

Logfile of HijackThis v1.99.1
Scan saved at 2:44:04 PM, on 8/13/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\msrouter.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_DPPE03.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10MT2.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10RN2.EXE
C:\WINNT\explorer.exe
C:\Program Files\Grisoft\AVG Free\avgwb.dat
C:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [USB Updatess] msrouter.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\RunServices: [USB Updatess] msrouter.exe
O4 - HKLM\..\RunServices: [Camra Updates] serviceswu.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [USB Updatess] msrouter.exe
O4 - HKCU\..\Run: [USB Updates] msfirewalls.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc.../bridge-c32.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112157601597
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF2D339B-581B-40F3-84C5-A510DA9600D8}: NameServer = 192.168.0.1
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINNT\System32\libsysmgr.exe (file missing)
O23 - Service: ProcessEnumerator32 (pe32) - Unknown owner - C:\WINNT\fi49.exe (file missing)
O23 - Service: PictureTaker - LANovation - c:\fixit\pt\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: sdktemp - Unknown owner - C:\WINNT\sdktemp.exe (file missing)
O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINNT\taskbarmngr.exe (file missing)

Thank you!

#3 Papakid

Malware Response Team

Posted 14 August 2005 - 01:08 PM

Hi diespy,

Welcome to BC and sorry for the delay.

You've got a pretty nasty infection and may have been root kitted. I'm going to have to research this a little more but in the meantime here's what you can do to help yourself and to help me help you.

Update and run a full system scan with AVG in Safe Mode. Do the same for Ad-Aware--update it and run it in safe mode. If you are still running Spybot version 1.3, uninstall it, download and install version 1.4. Run it in safe mode also.

Spybot download

Also make sure the programs are configured according to the following tutorials:

Ad-Aware Tutorial
Spybot - S&D Tutorial


Then please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the following files and click Submit (if they are still there and you can see them). You will only be able to have one file scanned at a time. Please post back the results of the scan in your next post.

C:\WINNT\System32\msrouter.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\System32\serviceswu.exe
C:\WINNT\System32\msfirewalls.exe

Also scan again with HijackThis and post another log.

The thing about people

is they change

when they walk away.--Mipso


#4 diespy


Posted 15 August 2005 - 03:11 AM

Help arrives! Thanks.

So, I have updated spybot, ran all three programs as you instructed. Found a couple of new things, but same problems persist.

Of the files you listed, I could only find C:\WINNT\System32\SK9910DM.EXE which was OK.

The other three ...
C:\WINNT\System32\msrouter.exe
C:\WINNT\System32\serviceswu.exe
C:\WINNT\System32\msfirewalls.exe

were not visible in the window, nor could I find them doing a search of hidden files and folders and system files (scanned c drive). There was a msfirewalls picked up within one of the registry backups for spybot, and a file named MSROUTER.EXE_0B119732.pf within the file c:\WINNT\prefetch (which I scanned on jotti, nothing there either). No reference to serviceswu anywhere on the computer (yet picks up all 3 on HJT again).

... not sure if any of that helps you or not, clearly I am lost.

Latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:35:43 AM, on 8/15/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\msrouter.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [USB Updatess] msrouter.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\RunServices: [USB Updatess] msrouter.exe
O4 - HKLM\..\RunServices: [Camra Updates] serviceswu.exe
O4 - HKCU\..\Run: [USB Updatess] msrouter.exe
O4 - HKCU\..\Run: [USB Updates] msfirewalls.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc.../bridge-c32.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112157601597
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF2D339B-581B-40F3-84C5-A510DA9600D8}: NameServer = 192.168.0.1
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINNT\System32\libsysmgr.exe (file missing)
O23 - Service: ProcessEnumerator32 (pe32) - Unknown owner - C:\WINNT\fi49.exe (file missing)
O23 - Service: PictureTaker - LANovation - c:\fixit\pt\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: sdktemp - Unknown owner - C:\WINNT\sdktemp.exe (file missing)
O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINNT\taskbarmngr.exe (file missing)

#5 Papakid

Malware Response Team

Posted 15 August 2005 - 02:36 PM

OK, that's a little better but you still have a ways to go.

Let's try this:

1. First I would like to get a first hand look at some of those files.

Download this program:

submit files packer

Highlight the files listed below in bold and right-click and select copy. Include the ones you can "see" in Safe Mode, skip the rest.

C:\WINNT\fi49.exe
C:\WINNT\System32\msrouter.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\System32\serviceswu.exe
C:\WINNT\System32\msfirewalls.exe

Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

It will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to diespy.cab.

Then go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browse to diespy.cab on your desktop. Click on the Send File button.

Also send me a copy attached to an email at papakid at myway.com.

2. Using Firefox, go to the following page to start the process of downloading the Malicious Software Removal Tool:
http://www.microsoft.com/security/malwareremove/default.mspx

*Down a bit on the right, click Download the Tool.
*Click the Download button and save the file to your Desktop. The name of the file should be something like Windows-KB890830-V1.7-ENU.exe.

3. Download and install the trial version of Ewido Security Suite.
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
- Launch Ewido by double-clicking the desktop icon.
- You will get a message that the database could not be found. This is normal-- click the OK button.
- The program will now go to the main screen.
- On the left hand side of the main screen click update.
- Click on Start update.
- The update will start and a progress bar will show the updates being installed.
Once the updates are installed close Ewido.

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

4. Now download WinPFind.zip and unzip the contents to the C:\ folder.

5. Boot into Safe Mode.

6. Run the Malicious Software Removal Tool by double clicking the file you saved to your desktop.

7. When that's done, reboot back into safe mode, scan again with HijackThis and save the log to post later.

8. Open ewido and Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

9. This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1:Delete Temp Files
To clean out your temp files, click on Start and then run, and type %temp% and press the ok button.

This should open up the temp directory that your machine uses. Please delete all files that are found there.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Step 3: Delete Prefetch:
Navigate to the C:\WINDOWS\Prefetch folder and delete all its contents.

10. Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here.

11. Reboot back into normal mode.

12. If you can access the page and download the ActiveX Control, scan with Panda Active Scan and save the log.
http://www.pandasoftware.com/products/acti...n_principal.htm

13. Try this online scan under Firefox:
Trend Micro Housecall - http://uk.trendmicro-europe.com/enterprise...call_launch.php

14. Scan again with HijackThis and post the log.

So what I will need to see from you when you post back is--

1. A HJT log from safe mode after running the removal tool.
2. Ewido log
3. WinPfind log
4. Log from online scanner, if possible
5. Final HJT log.

If you have any problems with any of these steps, skip it and go on to the next one or post back here if you get stuck.



#6 diespy


Posted 16 August 2005 - 03:53 AM

So, this kept me busy for most of the day. I was able to do most of it, but a few problems came up. First some observations.

Sent you the submit files packer results both to BC and your e-mail. But not sure I did it right (as I explained in both). Let me know if I screwed it up.

The microsoft malware program did not find anything, but did point out that I was NOT using service pack 2 (thus answering my question at the beginning of this entire thread). I am not sure where to go next with this. I spent an appreciable amount of time trying to download SP2 today but no luck. I feel like I am stuck in an endless loop scenario. To download SP2 I need to use IE (tried with firefox, my new favorite program ... sad but true, but to no avail). I cannot get IE to work properly. I have been successful in getting it to allow me to change security settings (it now prompts to allow activeX controls) but every time after I say yes, I get the error message "Your current security settings prohibit running ActiveX controls on this page. As a result the page may not display properly." Because of this the Microsoft site will not allow me to download SP2. Maybe I am just totally missing something obvious?? It looks like IE should have an "information bar" (which I have never ever seen on IE on this computer). When I look on the microsoft site it says I need to download SP2 for IE updates in order to have the information bar in order to download activeX controls ... so I go round and round). I am running IE 6.0, but when I was trying to download one I.E. update (from microsoft) it tells me I need IE 5.0 or greater to download (last I checked 6.0>5.0). I am honestly wondering if there is simply something corrupted in my IE program and if maybe uninstalling it and starting over with my program disks (I think it was IE5 initially) to see if that will allow me to do anything (what do you think?? Good idea? bad idea?)

All of my IE issues aside (and as you see above, I am starting to doubt it is malware related) I have continued to find large numbers of problems, so no doubt malware is all over my system.

What is the file c:\winnt\prefetch for? I deleted it as you instructed, but just curious what it is?

The only 2 things I was unable to do in your instructions were to run Panda ActiveScan (see the ActiveX issues above), and when I run WinPFind I get a "file not found" error though it does open up the program. If I click start scan anyway, I get an error "Access violation at address 044C3IF in module 'WinPFind.exe' read of address 00000004". I tried it several times. At one point rather than saving then unzipping I just unzipped outside of safe mode and the program started running but suddenly all of my virtual memory was used up and the system came to a screeching halt. Bottom line, I couldn't get WinPFind to work.

So, I am not sure if any of the above description is in any way helpful, but without further yammering, here are the logs you asked for.

HJT log after running MS removal tool:
Logfile of HijackThis v1.99.1
Scan saved at 5:18:34 PM, on 8/15/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [USB Updatess] msrouter.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\RunServices: [USB Updatess] msrouter.exe
O4 - HKLM\..\RunServices: [Camra Updates] serviceswu.exe
O4 - HKCU\..\Run: [USB Updatess] msrouter.exe
O4 - HKCU\..\Run: [USB Updates] msfirewalls.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc.../bridge-c32.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112157601597
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF2D339B-581B-40F3-84C5-A510DA9600D8}: NameServer = 192.168.0.1
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINNT\System32\libsysmgr.exe (file missing)
O23 - Service: ProcessEnumerator32 (pe32) - Unknown owner - C:\WINNT\fi49.exe (file missing)
O23 - Service: PictureTaker - LANovation - c:\fixit\pt\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: sdktemp - Unknown owner - C:\WINNT\sdktemp.exe (file missing)
O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINNT\taskbarmngr.exe (file missing)

Ewido.log:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:36:36 PM, 8/15/2005
+ Report-Checksum: 2ED850EF

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Trafic : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
C:\Documents and Settings\Heather\Cookies\heather@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\kansup.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\kddsfj.exe/re11.REG -> Trojan.LowZones.a : Error during cleaning
C:\msfirefix.exe -> Trojan.LowZones.d : Cleaned with backup
C:\ns2.exe/re11.REG -> Trojan.LowZones.a : Error during cleaning
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP57\A0008105.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP57\A0008108.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP57\A0008109.dll -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP57\A0008110.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP57\A0008169.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP57\A0008178.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP57\A0008187.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP57\A0008193.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP57\A0008205.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP57\A0008216.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP57\A0008219.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP59\A0008358.dll -> Spyware.UCmore : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP59\A0008387.dll -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP59\A0008388.exe -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP60\A0008398.dll -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP60\A0008399.dll -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP60\A0008400.dll -> Trojan.Pakes : Cleaned with backup
C:\up\re11.REG -> Trojan.LowZones.a : Cleaned with backup
C:\upd.exe/re11.REG -> Trojan.LowZones.a : Error during cleaning
C:\updates.exe -> Trojan.LowZones.d : Cleaned with backup
C:\updatesp.exe -> Trojan.LowZones.as : Cleaned with backup
C:\WINDOWS\re11.REG -> Trojan.LowZones.a : Cleaned with backup
C:\WINNT\system32\msrouter.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
C:\WINNT\system32\TFTP2716 -> Backdoor.Rbot : Cleaned with backup
C:\WINNT\system32\TFTP2876 -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
C:\WINNT\system32\TFTP3172 -> Backdoor.Rbot : Cleaned with backup
C:\WINNT\system32\TFTP3920 -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup


::Report End

WinPFind log ... as I said, could not do.

Trend Micro HouseCall log: found 6 problems (does not make a log). Wondering if these are all actually backups created by Ewido however. All of these files were in C:\System Volume Information\_restore{193A1C-0A70-478B-8107-B531B8E70CAB}\RP62\ then each had a unique file. This included 5 LowZones registries and trojans and one WORM_RBOT.GEN. In any case, I cleaned them, but it was unable to delete 2 files, both = TROJ_LOWZONES.DI ... path as above, final file extension was A0008513.exe


And final HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:44:35 AM, on 8/16/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\RunServices: [Camra Updates] serviceswu.exe
O4 - HKCU\..\Run: [USB Updates] msfirewalls.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc.../bridge-c32.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112157601597
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF2D339B-581B-40F3-84C5-A510DA9600D8}: NameServer = 192.168.0.1
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ProcessEnumerator32 (pe32) - Unknown owner - C:\WINNT\fi49.exe (file missing)
O23 - Service: PictureTaker - LANovation - c:\fixit\pt\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: sdktemp - Unknown owner - C:\WINNT\sdktemp.exe (file missing)
O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINNT\taskbarmngr.exe (file missing)



Wow, it's late (again). Next move?

#7 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,628 posts
  • Gender:Male

Posted 16 August 2005 - 02:15 PM

Post withdrawn. Give me a few minutes for some corrections. :thumbsup:

Edited by Papakid, 16 August 2005 - 02:28 PM.

The thing about people

is they change

when they walk away.--Mipso


#8 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,628 posts
  • Gender:Male

Posted 16 August 2005 - 02:50 PM

Hi diespy,

My apologies for not letting you know that you should hold off on updating to SP2 and that you have a severely compromised system. The malware you have is preventing you from updating and interfering with IE and tools like PFind we are trying to run.

What you should be considering at this time is backing up your important data and reformatting and reinstalling Windows. I'm going to consult with my colleagues to see if we are at that point yet. We may be able to get you running normally again, but if I were you I would begin making backups to your data right now and put in an order for the SP2 CD so you can have it on hand if you do need to reformat.
http://www.microsoft.com/windowsxp/downloa...us/default.mspx

We're going to give a shot at getting you cleaned up, but even if we're successful you should still consider a reformat. I'm pretty sure you are suffering from a root kit and they are extremely difficult to find and remove and to be sure they are completely gone.

Here are some of the infections or variants thereof you still have running:
http://www.sophos.com/virusinfo/analyses/w32tilebota.html
http://www.sophos.com/virusinfo/analyses/w32sdbotxb.html

Info on root kits:
http://en.wikipedia.org/wiki/Root_kit
http://www.sysinternals.com/utilities/rootkitrevealer.html

Actually we've made some progress. You seem to have gotten rid of some other malware with each session. So let's try this.

1. Download the fix.reg file attached below and save it to your desktop.

2. Please download and install the program Registry Lite from here:

http://www.resplendence.com/reglite

3. Boot into safe mode.

4. Double click fix.reg and allow it to merge with your registry.

5. Please double click on the RegLite icon that should now be on your desktop. If an icon is not there, then check under programs portion of the Start Menu.

Once it is opened, copy and paste the entire following bold text into the address field of Registrar Lite and click Go.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\

You will be taken right to that key in the left pane, values in the right.

In the right pane, right click the following and then choose delete.

ProcessEnumerator32 (pe32)
sdktemp

Exit RegLite.

6. Scan again with HijackThis 1.99.1. Put a checkmark by the following entries, double-checking to be sure that only these entries are checked:

O4 - HKLM\..\RunServices: [Camra Updates] serviceswu.exe
O4 - HKCU\..\Run: [USB Updates] msfirewalls.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc.../bridge-c32.cab
O23 - Service: ProcessEnumerator32 (pe32) - Unknown owner - C:\WINNT\fi49.exe (file missing)
O23 - Service: sdktemp - Unknown owner - C:\WINNT\sdktemp.exe (file missing)
O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINNT\taskbarmngr.exe (file missing)

Close all other windows--you should only see HijackThis on your Desktop--and then click the "Fix checked" button.

7. Delete these files if found. If you have a problem deleting them, reboot back into safe mode and try again. Make a note of which ones you can't find at all.

C:\WINNT\System32\msrouter.exe
C:\WINNT\System32\serviceswu.exe
C:\WINNT\System32\msfirewalls.exe
C:\WINNT\fi49.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\sdktemp.exe
C:\WINNT\taskbarmngr.exe

8. Reboot back into safe mode.

9. Run ewido again and save the log.

10. See if you can run PFind now. Be sure that WinPFind.exe has been unzipped and is located in the root directory of C. To get to the root directory of C click My Computer, right click the hard drive icon and click Explore.

11. Reboot back into normal mode.

12. Scan again with HijackThis and post a new log.

13. Download rootkitrevealer: http://www.sysinternals.com/utilities/rootkitrevealer.html
Unzip it and click the scan button.
When the scan is done, click File > save on top of the menu.
Save the log and post it in your next reply.

Post the logs and let's see how we are doing. Check to see if Internet Explorer is behaving any better and just if there is any improvement generally. Again post back if you get hung up on any step.

Attached Files

  • Attached File: fix.reg (165 bytes)

The thing about people

is they change

when they walk away.--Mipso
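The entries Papakid picks out above are not random: each belongs to a pattern that stands out in a HijackThis log (an autostart that names a bare executable with no path, anything under the old RunServices key, an O23 service with no publisher or no file on disk, IE policy restrictions, and a downloaded-program entry from a look-alike host such as windupdates.com next to the real windowsupdate.com). The following is an added example, not HijackThis code and not part of this thread, that turns those patterns into a repeatable check. The sample lines are copied from the thread's own final HJT log; the list of known-good hosts is an assumption for illustration. Note that the bare-name heuristic also trips on legitimate OEM entries (GWMDMMSG.exe in this thread's log is one), so a hit means "look it up", not "delete".

```python
"""Triage a HijackThis 1.99.1 log for the entry patterns acted on above.

Added example for this thread: this is not HijackThis code and not part of
Papakid's post. It reads HijackThis log text and flags the categories the
helper singled out, so a reader can see why those particular entries stood
out among dozens of legitimate ones.
"""
import re
from urllib.parse import urlparse

# Assumed list of hosts whose O15 (trusted zone) and O16 (downloaded ActiveX,
# "DPF") entries are expected on an XP box of that era. Anything else is
# reported for review.
KNOWN_GOOD_HOSTS = ("microsoft.com", "windowsupdate.com", "msn.com", "pandasoftware.com")

_ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# "HKLM\..\Run: [Name] command /args"  ->  location, name, command
_O4_RE = re.compile(r"^(.*?): \[(.*?)\] (.*)$")
_URL_RE = re.compile(r"(https?://\S+)")


def _host_is_known(host):
    host = (host or "").lower()
    return any(host == h or host.endswith("." + h) for h in KNOWN_GOOD_HOSTS)


def _executable_of(command):
    """First token of an O4 command, honouring a quoted path."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    parts = command.split()
    return parts[0] if parts else ""


def triage_line(line):
    """Return (reason, line) for a suspicious HijackThis entry, else None."""
    line = line.strip()
    m = _ENTRY_RE.match(line)
    if not m:
        return None
    kind, rest = m.groups()

    if kind == "O4":
        m4 = _O4_RE.match(rest)
        if not m4:  # Global Startup .lnk entries and the like are not checked here
            return None
        location, _name, command = m4.groups()
        if "RunServices" in location:
            # Win9x-era autostart key; XP software almost never registers here.
            return ("O4 RunServices autostart", line)
        if "\\" not in _executable_of(command):
            # Bare file name: resolved through the search path, so a copy in
            # System32 runs without the log ever showing where it lives.
            return ("O4 autostart with no path", line)
        return None

    if kind == "O6" and "Restrictions present" in rest:
        # Policy restrictions on IE are what keep security settings from sticking.
        return ("O6 IE policy restrictions", line)

    if kind in ("O15", "O16"):
        mu = _URL_RE.search(rest)
        host = urlparse(mu.group(1)).hostname if mu else None
        if not _host_is_known(host):
            return (f"{kind} from unrecognised host {host}", line)
        return None

    if kind == "O23" and ("Unknown owner" in rest or "(file missing)" in rest):
        # A service with no publisher or no binary on disk is a leftover or a hider.
        return ("O23 service with unknown owner or missing file", line)

    return None


def triage_log(text):
    """Run triage_line over every line of a log; returns a list of findings."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


# Constructed sample: a handful of lines copied from the thread's final HJT log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\RunServices: [Camra Updates] serviceswu.exe
O4 - HKCU\..\Run: [USB Updates] msfirewalls.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc.../bridge-c32.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112157601597
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ProcessEnumerator32 (pe32) - Unknown owner - C:\WINNT\fi49.exe (file missing)
O23 - Service: sdktemp - Unknown owner - C:\WINNT\sdktemp.exe (file missing)
"""

if __name__ == "__main__":
    for reason, entry in triage_log(SAMPLE_LOG):
        print(f"[{reason}] {entry}")
```

On the sample it reports seven entries, the same seven kinds of line the fix list above targets, and leaves the Works, Adaptec, MSN Messenger, AVG, Trusted Zone and genuine windowsupdate.microsoft.com entries alone. Run it on a full log and treat the output as a review list rather than a delete list.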


#9 diespy

diespy
  • Topic Starter

  • Members
  • 9 posts

Posted 17 August 2005 - 03:28 PM

Hi papakid,

I have been too pressed for time to get all of this done, but getting there ... hope you don't lose interest. Am down to the last step and will run that tonight and post again. I was able to get WinPFind to work this time (progress) and the system as a whole seems to be working a bit faster (again, some progress).

Will post the logs later and try out IE again.

Thanks! :thumbsup:

#10 diespy

diespy
  • Topic Starter

  • Members
  • 9 posts

Posted 18 August 2005 - 12:57 AM

So still same 2 problems with IE, now asking if OK to load activeX controls (per my security settings) then tells me that my security settings do not allow them. Still can't connect to secure sites.

The lists from prior post --

All deleted:

O4 - HKLM\..\RunServices: [Camra Updates] serviceswu.exe
O4 - HKCU\..\Run: [USB Updates] msfirewalls.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc.../bridge-c32.cab
O23 - Service: ProcessEnumerator32 (pe32) - Unknown owner - C:\WINNT\fi49.exe (file missing)
O23 - Service: sdktemp - Unknown owner - C:\WINNT\sdktemp.exe (file missing)
O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINNT\taskbarmngr.exe (file missing)

-----
C:\WINNT\System32\msrouter.exe = could not find
C:\WINNT\System32\serviceswu.exe = could not find
C:\WINNT\System32\msfirewalls.exe = could not find
C:\WINNT\fi49.exe = deleted (file actually called fi49.exe-up ... hope that was OK)
C:\WINNT\System32\SK9910DM.EXE = deleted
C:\WINNT\sdktemp.exe = could not find
C:\WINNT\taskbarmngr.exe = could not find

and the logs:

ewido:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:43:47 PM, 8/16/2005
+ Report-Checksum: 783134C9

+ Scan result:

:mozilla.18:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\d2gp3dar.default\cookies.txt -> Spyware.Cookie.Xxxtoolbar : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP62\A0008510.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP62\A0008511.exe -> Trojan.LowZones.d : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP62\A0008512.REG -> Trojan.LowZones.a : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP62\A0008513.exe -> Trojan.LowZones.d : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP62\A0008514.exe -> Trojan.LowZones.as : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP62\A0008515.REG -> Trojan.LowZones.a : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP62\A0008516.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP62\A0008532.exe/re11.REG -> Trojan.LowZones.a : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP62\A0008533.exe/re11.REG -> Trojan.LowZones.a : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP62\A0008534.exe/re11.REG -> Trojan.LowZones.a : Cleaned with backup


::Report End
--------------------
WinPFind log (holy cow this is a long one):
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Current Build Number: 2600
Internet Explorer Version: 6.0.2600.0000

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 5/22/2005 8:22:18 PM 132505600 C:\WINNT\MEMORY.DMP

Checking %System% folder...
SAHAgent 7/26/2005 1:56:18 PM 35 C:\WINNT\SYSTEM32\70tovmto.ini
SAHAgent 7/26/2005 1:56:18 PM 35 C:\WINNT\SYSTEM32\bln02nqv.ini
PEC2 8/23/2001 5:00:00 AM 41397 C:\WINNT\SYSTEM32\dfrg.msc
SAHAgent 8/12/2005 9:41:04 PM 3274 C:\WINNT\SYSTEM32\gah95on6.ini
PECompact2 8/4/2005 10:01:54 AM 1449304 C:\WINNT\SYSTEM32\MRT.exe
aspack 8/4/2005 10:01:54 AM 1449304 C:\WINNT\SYSTEM32\MRT.exe
qoologic 11/22/2004 5:43:48 PM 7296845 C:\WINNT\SYSTEM32\pav.sig
aspack 11/22/2004 5:43:48 PM 7296845 C:\WINNT\SYSTEM32\pav.sig
SAHAgent 11/22/2004 5:43:48 PM 7296845 C:\WINNT\SYSTEM32\pav.sig
winsync 11/22/2004 5:43:48 PM 7296845 C:\WINNT\SYSTEM32\pav.sig
Umonitor 8/23/2001 5:00:00 AM 630784 C:\WINNT\SYSTEM32\rasdlg.dll
winsync 8/23/2001 5:00:00 AM 1309184 C:\WINNT\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 7/23/2005 9:19:46 AM 668704 C:\WINNT\SYSTEM32\drivers\avg7core.sys
FSG! 7/23/2005 9:19:46 AM 668704 C:\WINNT\SYSTEM32\drivers\avg7core.sys
aspack 7/23/2005 9:19:46 AM 668704 C:\WINNT\SYSTEM32\drivers\avg7core.sys

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
S 8/17/2005 12:12:02 AM 2048 C:\WINNT\bootstat.dat
H 8/1/2005 10:21:10 PM 54156 C:\WINNT\QTFont.qfn
H 7/20/2005 9:51:18 PM 0 C:\WINNT\LastGood\INF\oem29.inf
H 7/20/2005 9:51:18 PM 0 C:\WINNT\LastGood\INF\oem29.PNF
H 8/7/2005 12:01:00 PM 0 C:\WINNT\LastGood\INF\oem30.inf
H 8/7/2005 12:01:00 PM 0 C:\WINNT\LastGood\INF\oem30.PNF
H 8/15/2005 12:11:40 PM 0 C:\WINNT\LastGood\INF\q831167.inf
H 8/15/2005 12:11:40 PM 0 C:\WINNT\LastGood\INF\q831167.PNF
H 8/17/2005 12:11:52 AM 8192 C:\WINNT\system32\config\default.LOG
H 8/17/2005 12:12:18 AM 1024 C:\WINNT\system32\config\SAM.LOG
H 8/17/2005 12:12:04 AM 16384 C:\WINNT\system32\config\SECURITY.LOG
H 8/17/2005 12:13:14 AM 86016 C:\WINNT\system32\config\software.LOG
H 8/17/2005 12:12:02 AM 905216 C:\WINNT\system32\config\system.LOG
H 8/15/2005 5:17:08 PM 1024 C:\WINNT\system32\config\systemprofile\NTUSER.DAT.LOG
SH 8/10/2005 7:42:50 AM 67 C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0LGY8I6Y\desktop.ini
SH 8/10/2005 7:42:50 AM 67 C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CR4FIN0B\desktop.ini
SH 8/10/2005 7:42:50 AM 67 C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\G5QRGD2B\desktop.ini
SH 8/10/2005 7:42:50 AM 67 C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OX2VK9YN\desktop.ini
SH 8/7/2005 2:33:28 PM 388 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\69e2bc03-6014-4985-8dca-0ca092eb95f3
SH 8/7/2005 2:33:28 PM 24 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\Preferred
SH 7/20/2005 10:10:02 PM 388 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\1929283d-df87-4fa5-974b-d7fcf4595940
SH 7/20/2005 10:10:02 PM 24 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\Preferred
H 8/17/2005 12:11:00 AM 6 C:\WINNT\Tasks\SA.DAT
SH 7/24/2005 10:11:42 PM 67 C:\WINNT\Temp\Temporary Internet Files\Content.IE5\0D23SH6J\desktop.ini
SH 7/24/2005 10:11:42 PM 67 C:\WINNT\Temp\Temporary Internet Files\Content.IE5\EOY560FD\desktop.ini
SH 7/24/2005 10:11:42 PM 67 C:\WINNT\Temp\Temporary Internet Files\Content.IE5\PHRSB3VW\desktop.ini
SH 7/24/2005 10:11:42 PM 67 C:\WINNT\Temp\Temporary Internet Files\Content.IE5\VY9STNMA\desktop.ini

Checking for CPL files...
Microsoft Corporation 8/18/2001 11:00:00 AM 66048 C:\WINNT\SYSTEM32\access.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 558592 C:\WINNT\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 130048 C:\WINNT\SYSTEM32\desk.cpl
8/14/1997 1:00:00 AM 22528 C:\WINNT\SYSTEM32\FINDFAST.CPL
Microsoft Corporation 8/23/2001 5:00:00 AM 150016 C:\WINNT\SYSTEM32\hdwwiz.cpl
Intel Corporation 11/7/2001 9:11:24 AM 94208 C:\WINNT\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/29/2002 7:14:40 AM 292352 C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 119808 C:\WINNT\SYSTEM32\intl.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 65536 C:\WINNT\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 6/3/2005 3:52:54 AM 49265 C:\WINNT\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 187904 C:\WINNT\SYSTEM32\main.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 559616 C:\WINNT\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 35840 C:\WINNT\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 256000 C:\WINNT\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 36864 C:\WINNT\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 109056 C:\WINNT\SYSTEM32\powercfg.cpl
RealNetworks, Inc. 12/10/2001 5:07:40 PM 24576 C:\WINNT\SYSTEM32\prefscpl.cpl
Apple Computer, Inc. 3/30/2000 7:00:32 PM 250880 C:\WINNT\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 270848 C:\WINNT\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 28160 C:\WINNT\SYSTEM32\telephon.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 90112 C:\WINNT\SYSTEM32\timedate.cpl
Microsoft Corporation 8/18/2001 11:00:00 AM 66048 C:\WINNT\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 558592 C:\WINNT\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 130048 C:\WINNT\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 150016 C:\WINNT\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/29/2002 7:14:40 AM 292352 C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 119808 C:\WINNT\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 65536 C:\WINNT\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 187904 C:\WINNT\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 559616 C:\WINNT\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 35840 C:\WINNT\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 256000 C:\WINNT\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 36864 C:\WINNT\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 109056 C:\WINNT\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/18/2001 11:00:00 AM 147456 C:\WINNT\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 270848 C:\WINNT\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 28160 C:\WINNT\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 90112 C:\WINNT\SYSTEM32\dllcache\timedate.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
2/9/2002 10:07:36 PM 881 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check 2.lnk
2/11/2002 9:44:52 PM 1721 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
8/9/2005 11:47:00 PM 1518 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/17/2005 12:05:36 AM 7 C:\Documents and Settings\All Users\Application Data\DirectCDUserName.txt
7/21/2004 3:58:34 PM 184 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINNT\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINNT\System32\msdxm.ocx
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
WorksFUD C:\Program Files\Microsoft Works\wkfud.exe
Microsoft Works Update Detection C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
Microsoft Works Portfolio C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
Keyboard Preload Check C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
Ink Monitor C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
IgfxTray C:\WINNT\System32\igfxtray.exe
HPDJ Taskbar Utility C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
HotKeysCmds C:\WINNT\System32\hkcmd.exe
Hot Key Kbd 9910 Daemon SK9910DM.EXE
GWMDMpi C:\WINNT\GWMDMpi.exe
GWMDMMSG GWMDMMSG.exe
D-Link AirPlus G C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
AVG7_EMC C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
ANIWZCS2Service C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
AdaptecDirectCD "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
RegistryMechanic
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
msnmsgr "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
CDRAutoRun 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINNT\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.3.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/17/2005 4:20:02 AM


----------------------

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:11:26 PM, on 8/17/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112157601597
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF2D339B-581B-40F3-84C5-A510DA9600D8}: NameServer = 192.168.0.1
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: PictureTaker - LANovation - c:\fixit\pt\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe

----------------

And finally the RootkitRevealer log, which I ran twice in a row (because I misplaced the first saved file; interesting to me that the results are so different, maybe not to you?). Question: do I need to run this in all of the XP user accounts, or as Administrator in Safe Mode? I ask because, as you can see, much of what it finds is located in Documents and Settings\Heather and there is nothing in other user accounts. I ran it while logged in as Heather:

first run:
C:\Documents and Settings\Heather\Local Settings\Temp\AAX8.tmp 8/17/2005 9:23 PM 27.85 KB Hidden from Windows API.
C:\Documents and Settings\Heather\Local Settings\Temp\AAX9.tmp 8/17/2005 9:23 PM 32.79 KB Hidden from Windows API.
C:\Documents and Settings\Heather\Local Settings\Temp\TempFolder.aaa 8/17/2005 9:22 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Heather\Local Settings\Temp\TempFolder.aaa\dirapi.dll 8/17/2005 9:22 PM 1.05 MB Hidden from Windows API.
C:\Documents and Settings\Heather\Local Settings\Temp\TempFolder.aaa\iml32.dll 8/17/2005 9:22 PM 548.00 KB Hidden from Windows API.
C:\Documents and Settings\Heather\Local Settings\Temp\TempFolder.aaa\Macromedia.lok 8/17/2005 9:22 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Heather\Local Settings\Temp\TempFolder.aaa\msvcrt.dll 8/17/2005 9:22 PM 260.05 KB Hidden from Windows API.
C:\Documents and Settings\Heather\Local Settings\Temp\TempFolder.aaa\proj.dll 8/17/2005 9:22 PM 156.00 KB Hidden from Windows API.
C:\WINNT\Prefetch\MKSAP.EXE-160677BE.pf 8/17/2005 9:22 PM 4.11 KB Hidden from Windows API.
C:\WINNT\system32\tmp995FC.FOT 8/17/2005 9:23 PM 1.38 KB Hidden from Windows API.
C:\WINNT\system32\tmpED10D.FOT 8/17/2005 9:23 PM 1.38 KB Hidden from Windows API.
C:\WINNT\Temp\ppbAB.tmp 5/5/2005 8:21 PM 172.00 KB Hidden from Windows API.

Second run:
C:\Documents and Settings\Heather\Local Settings\Temp\AAX10.tmp 8/17/2005 10:31 PM 27.85 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Heather\Local Settings\Temp\AAX11.tmp 8/17/2005 10:31 PM 32.79 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Heather\Local Settings\Temp\AAX8.tmp 8/17/2005 9:23 PM 27.85 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Heather\Local Settings\Temp\AAX9.tmp 8/17/2005 9:23 PM 32.79 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Heather\Local Settings\Temp\AAXE.tmp 8/17/2005 10:19 PM 27.85 KB Hidden from Windows API.
C:\Documents and Settings\Heather\Local Settings\Temp\AAXF.tmp 8/17/2005 10:19 PM 32.79 KB Hidden from Windows API.
C:\Documents and Settings\Heather\Local Settings\Temp\valB.tmp 8/17/2005 10:13 PM 65.00 KB Hidden from Windows API.
C:\WINNT\system32\tmp27BB0.FOT 8/17/2005 10:19 PM 1.38 KB Visible in Windows API, MFT, but not in directory index.
C:\WINNT\system32\tmp65B7B.FOT 8/17/2005 10:31 PM 1.38 KB Visible in directory index, but not Windows API or MFT.
C:\WINNT\system32\tmp7D2B0.FOT 8/17/2005 10:19 PM 1.38 KB Visible in Windows API, MFT, but not in directory index.
C:\WINNT\system32\tmp995FC.FOT 8/17/2005 9:23 PM 1.38 KB Visible in Windows API, but not in MFT or directory index.
C:\WINNT\system32\tmpD26BB.FOT 8/17/2005 10:31 PM 1.38 KB Visible in directory index, but not Windows API or MFT.
C:\WINNT\system32\tmpED10D.FOT 8/17/2005 9:23 PM 1.38 KB Visible in Windows API, but not in MFT or directory index.
C:\WINNT\Temp\ppbAB.tmp 5/5/2005 8:21 PM 172.00 KB Hidden from Windows API.



[Long exhale .... ]
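Why the two RootkitRevealer runs above look so different: the tool lists each directory twice, once through the Windows API and once by reading the raw NTFS volume, and those two listings are not taken at the same instant, so temp files being written or deleted while it runs (the 9:22 to 10:31 PM entries here) show up as discrepancies even though nothing is hiding them. The script below is an added example, not something either participant posted: it parses the output format shown above, classifies each discrepancy, and keeps only paths reported hidden in every run whose last-write time predates the scan, since those are the only ones scan-time churn cannot explain. The sample lines are a constructed subset of the two runs posted; the scan start time is an assumption. A path that survives this filter is a candidate for a manual look, not evidence of a rootkit.

```python
"""Separate scan-time churn from persistent RootkitRevealer discrepancies.
Added example for this thread; not code posted by either participant."""
import re
from datetime import datetime

# One RootkitRevealer result line:
#   <path> <M/D/YYYY> <H:MM AM|PM> <size> <unit> <discrepancy text>.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M) "
    r"(?P<size>[\d.]+) (?P<unit>bytes|KB|MB|GB) (?P<desc>.+?)\.?$"
)

# Only the first text is the pattern a file-hiding rootkit produces; the other
# three arise when a file is created or deleted between the API listing and the
# raw-volume listing.  A file created between the two passes also lands in the
# "hidden" bucket, which is why persistent_hidden() checks the timestamp too.
KINDS = {
    "Hidden from Windows API": "hidden",
    "Visible in directory index, but not Windows API or MFT": "changed-during-scan",
    "Visible in Windows API, but not in MFT or directory index": "changed-during-scan",
    "Visible in Windows API, MFT, but not in directory index": "changed-during-scan",
}

# Constructed sample: a subset of the two runs posted in the thread.
RUN1 = r"""
C:\Documents and Settings\Heather\Local Settings\Temp\AAX8.tmp 8/17/2005 9:23 PM 27.85 KB Hidden from Windows API.
C:\Documents and Settings\Heather\Local Settings\Temp\AAX9.tmp 8/17/2005 9:23 PM 32.79 KB Hidden from Windows API.
C:\Documents and Settings\Heather\Local Settings\Temp\TempFolder.aaa\dirapi.dll 8/17/2005 9:22 PM 1.05 MB Hidden from Windows API.
C:\WINNT\system32\tmp995FC.FOT 8/17/2005 9:23 PM 1.38 KB Hidden from Windows API.
C:\WINNT\Temp\ppbAB.tmp 5/5/2005 8:21 PM 172.00 KB Hidden from Windows API.
"""
RUN2 = r"""
C:\Documents and Settings\Heather\Local Settings\Temp\AAX8.tmp 8/17/2005 9:23 PM 27.85 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Heather\Local Settings\Temp\AAXE.tmp 8/17/2005 10:19 PM 27.85 KB Hidden from Windows API.
C:\WINNT\system32\tmp27BB0.FOT 8/17/2005 10:19 PM 1.38 KB Visible in Windows API, MFT, but not in directory index.
C:\WINNT\system32\tmp65B7B.FOT 8/17/2005 10:31 PM 1.38 KB Visible in directory index, but not Windows API or MFT.
C:\WINNT\Temp\ppbAB.tmp 5/5/2005 8:21 PM 172.00 KB Hidden from Windows API.
"""

# Assumption: the first run started shortly before its earliest 9:22 PM entry.
SCAN_START = datetime(2005, 8, 17, 21, 20)


def parse_run(text):
    """Parse one run into dicts with path, last-write time and discrepancy kind."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised RootkitRevealer line: " + line)
        entries.append({
            "path": m.group("path"),
            "mtime": datetime.strptime(m.group("stamp"), "%m/%d/%Y %I:%M %p"),
            "kind": KINDS.get(m.group("desc"), "unknown"),
        })
    return entries


def summarize(run):
    """Count of entries per discrepancy kind for one run."""
    counts = {}
    for e in run:
        counts[e["kind"]] = counts.get(e["kind"], 0) + 1
    return counts


def persistent_hidden(runs, scan_start):
    """Paths reported hidden in every run and last written before the scan began.
    Churn cannot explain these, so they are the ones worth examining by hand."""
    hidden = [
        {e["path"] for e in run if e["kind"] == "hidden" and e["mtime"] < scan_start}
        for run in runs
    ]
    return sorted(set.intersection(*hidden)) if hidden else []


if __name__ == "__main__":
    runs = [parse_run(RUN1), parse_run(RUN2)]
    for i, run in enumerate(runs, 1):
        print("run", i, summarize(run))
    print("persistent:", persistent_hidden(runs, SCAN_START))
```

On the posted data the filter leaves a single path, the 172 KB C:\WINNT\Temp\ppbAB.tmp dated 5/5/2005, because it is the only entry that was reported hidden both times and already existed before the scans; everything else is dated inside the scan window.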

#11 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,628 posts
  • Gender:Male

Posted 18 August 2005 - 02:06 PM

OK, diespy, you can inhale now. :thumbsup:

Looks like you lucked out on the rootkit. And your HijackThis log is clean. PFind found some more bad files that we will deal with in a bit, but no more bad reg entries that I can see which is good.

What you need to do ASAP is to install a firewall. Else you're going to continue to get hacked. And we're going to see if we can get you updated to SP1a so you aren't so vulnerable to reinfection.

Some good free firewalls to choose from are these:

Sygate Personal Firewall
Kerio Personal Firewall
ZoneAlarm

Understanding and Using Firewalls

I'll have some questions and want to look into some other stuff at the end of this post, but for now do this:

1. Download killbox from here:

KillBox

Unzip the folder to your desktop.


*Start Killbox.exe
*Select the Delete on reboot option.
*Copy the complete text in bold below to the clipboard by highlighting them and pressing Control-C:

C:\WINNT\System32\70TOVMTO.INI
C:\WINNT\System32\BLN02NQV.INI
C:\WINNT\System32\GAH95ON6.INI


*Go to the File menu of Killbox, and choose "Paste from Clipboard".
*Click the "Delete File" button that is a red-and-white X. When asked if you want to delete these files say Yes. When asked if you want to reboot now, say No.
*Exit Killbox.

2. Download System Security Suite here:
System Security Suite Download.

Unzip it to your desktop and install the program.

A. Open System Security Suite (3S).
B. In the Items to Clear tab make sure the following are checked:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program.

3. Scan again with HijackThis and check the following entry--it's not a baddie but is useless and the trusted zone can backfire on you:

O15 - Trusted Zone: http://*.windowsupdate.com

With all other windows closed, click Fix Checked then close HijackThis.

4. Reboot.

5. Log into each user account you have set up and run 3S in the same way by navigating to the following file:
C:\Program Files\System Security Suite 1.04\sss.exe

Double Click to run it and you can allow it to reboot your system when it's done.

6. Log back into the Heather account. Open HijackThis.

If you still have the New Users Quickstart screen enabled, click Open Misc Tools Section.
If you just have the regular opening screen, click the Config... button then the Misc Tools button.

Now click the Open Uninstall Manager button, then the Save List button. Save the list somewhere convenient like My Documents and then the list will open in Notepad. Copy and Paste that list into your next reply to this post. On second thought hold off on installing a firewall and any more updates. There may be something in this log that will help solve your IE problems.

Then do a normal scan and make a log to post.

7. Do a search for Wininet and post back the list of files on your system and their location. This file may be damaged or the wrong version and could be causing the problem with not being able to access secure sites.

8. Finally, I made a mistake by having you delete the SK9910DM.EXE file. My apologies for that. I've zipped it up and attached it below. Extract it into the System32 folder and you should be good to go, but you can test by rebooting and see if you can change any custom mouse settings.

9. Post the logs and info I've asked for.

And to answer one of your questions, every user account could have a different HijackThis log and infection. There are many settings unique to each log on, but we've dealt with most of the stuff that is common to the machine as a whole. However there could be another avenue of reinfection on the other accounts. So let me know how many other accounts you have on your machine, if they are all admin rights accounts or not and we'll deal with them too as soon as we get to that point. Also, do you have the same problems with accessing secure sites and ActiveX Downloads when logged into the other accounts? Try running Panda Active Scan again and let me know if you are successful on any of the accounts.

The thing about people

is they change

when they walk away.--Mipso


#12 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,628 posts
  • Gender:Male

Posted 18 August 2005 - 05:08 PM

Here's the attachment:





#13 diespy

diespy
  • Topic Starter

  • Members
  • 9 posts

Posted 20 August 2005 - 01:28 AM

So did I misname the topic or what? Not much that is little about this!

Still could not run panda active scan because it will not allow it without being able to utilize activeX. Still cannot access secure websites. Tried on all 4 user accounts (three are real people, all three administrators, the fourth is a guest account) with the exact same results except that the guest account does not pop up the activeX error, but still hangs up there as though that is the problem ... guest account exactly the same with secure sites.

I also didn't see your "on second thought" about not putting on an additional firewall until I had already done that. So sygate is now running.

HJT uninstall log:
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Reader 6.0.1
AirPlus G
ANIO Service
ANIWZCS2 Service
Arthur's Reading Race
AVG Free Edition
Boggle
CallWave Internet Answering Machine (remove only)
Citrix ICA Web Client
CleanUp!
Disney's Lilo & Stitch Pinball
Do More
Easy CD Creator 5 Basic
EDGAR Ease
EPSON Printer Software
ewido security suite
FRED
Gateway Internet Links
Google Toolbar for Internet Explorer
GTW V.92 Modem
HelpSpot
HijackThis 1.99.1
IndyCar Series Cover Disk Demo
Ink Monitor
J2SE Runtime Environment 5.0 Update 4
JumpStart Advanced Kindergarten
JumpStart Animal Field Trip
JumpStart Arts and Crafts
JumpStart Parent Resource Center v1.0
JumpStart Preschool v2.0
JumpStart Toddlers 2000
LBT Preschool Adventure
MGI PhotoSuite
Microsoft Encarta Encyclopedia Standard 2002
Microsoft Excel 97
Microsoft Money 2005
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Professional
Microsoft Picture It! Photo 2002
Microsoft Streets and Trips 2002
Microsoft Word 2002
Microsoft Works 2002 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
Mozilla Firefox (1.0.6)
MSN
MSN Messenger 6.0
MUSICMATCH Jukebox
NDTV Video (remove only)
OLYMPUS CAMEDIA Master 2.5
PC-Doctor for Windows
Photo Drop
Photosmart 140,240,7200,7600,7700,7900 Series
PS/2 Millennium Keyboard
QuickTime
RealPlayer Basic
Registrar Lite 2.00
Registry Mechanic 5.0
Rescue Heroes Hurricane Havoc
Rugrats™ All Growed Up
Scrabble
Sesame Street Toddler
Shockwave
Spybot - Search & Destroy 1.4
Sygate Personal Firewall
System Security Suite 1.04
TaxCut 2002
TaxCut 2003
TaxCut 2004
Thomas & Friends - Railway Adventures
Toy Story 2 Activity Center
Tweakui Powertoy for Windows XP
Wheel of Fortune Deluxe (remove only)
WinZip

HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 6:28:18 PM, on 8/19/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\System32\notepad.exe
C:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112157601597
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF2D339B-581B-40F3-84C5-A510DA9600D8}: NameServer = 192.168.0.1
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: PictureTaker - LANovation - c:\fixit\pt\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

I also ran HJT on the other user accounts (have been doing ALL of the previous work either in safe mode as administrator or in Heather's account either safe or not). HJT shows in ALL three other accounts the following additional entries, but otherwise shows the entries exactly as noted above:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [USB Updatess] msrouter.exe
O4 - HKCU\..\Run: [USB Updates] msfirewalls.exe
O4 - HKCU\..\Run: [MB52Rke4P] rpctpub.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone

I thought I had deleted msrouter and msfirewalls, but apparently only did so in the Heather account (presuming I should go obliterate them in the others too?)

Finally, once upon a time, I knew just enough DOS that I could have done a search to paste here for wininet, but don't use it and lose it. So, since I cannot remember how to search without windows and can't paste pictures here, perhaps you want to refresh my memory on the DOS way to do this so I am not trying to type out 12 paths and file names?

Have a good weekend!

#14 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,628 posts
  • Gender:Male

Posted 20 August 2005 - 02:43 AM

Well, I hope you have a good weekend too. :thumbsup: I have to work while the sun is shining.:flowers:

So before I hit the sack, just do this for me. Make sure you still have files and folders unhidden and look in your System32 folder for Wininet.dll--right click, choose properties and tell me the date for when it was modified. Then go to Jotti and have it scanned.

You shouldn't have to use DOS to search for files. Just go to Start>Search>All files and folders. Click the arrow by More Advanced Options and make sure there are checks by Search System Folders, Search Hidden Files and Folders, and Search Subfolders. This may not be necessary but I want to make sure you have a copy of wininet.dll in your dllcache folder.

You can fix those bad lines in the other accounts with HijackThis. They should just be reg entries unique to each logon but I believe the actual files are already gone. Log off then back on to each account after fixing with HijackThis and run again to see if they go away and let me know.

I'll have more for you tomorrow. :trumpet:
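The check Papakid asks for above (find every copy of wininet.dll, note its modification date, and confirm a backup exists in dllcache) can be done in one read-only script. This is an added example for readers of the thread, not code from the thread or from any tool mentioned in it. It assumes a modern PowerShell (4 or later, for Get-FileHash and the -File switch); on Windows XP the file is catalog-signed rather than Authenticode-signed, so the Signature column may read NotSigned there even for a good copy, and on Vista and later the dllcache folder has been replaced by WinSxS, so the missing-backup warning is expected on those systems.

```powershell
# Added example (not from the thread): inventory every copy of wininet.dll under the
# Windows directory, the way the "search system folders, hidden files, subfolders"
# instruction does, and show what a responder compares: modification time, file
# version, publisher, signature status and SHA-256 hash. Read-only.
$name = 'wininet.dll'
$root = $env:SystemRoot          # C:\WINNT on the machine in the thread, C:\Windows elsewhere

$copies = Get-ChildItem -Path $root -Filter $name -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Catalog-signed system files on old Windows can report NotSigned here (assumption noted above).
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path         = $_.FullName
            LastModified = $_.LastWriteTime
            Version      = $_.VersionInfo.FileVersion
            Company      = $_.VersionInfo.CompanyName
            Signature    = $sig.Status
            SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

$copies | Format-Table -AutoSize

# The copy IE loads lives in System32; the one in dllcache is Windows File Protection's
# backup (the "make sure you have a copy in your dllcache folder" point in the thread).
$live   = $copies | Where-Object { $_.Path -ieq (Join-Path $root 'System32\wininet.dll') }
$backup = $copies | Where-Object { $_.Path -ieq (Join-Path $root 'System32\dllcache\wininet.dll') }

if (-not $live)   { Write-Warning 'No wininet.dll in System32; Internet Explorer cannot work without it.' }
if (-not $backup) { Write-Warning 'No dllcache backup found; sfc /scannow can restore the file from the install media.' }
if ($live -and $backup -and $live.SHA256 -ne $backup.SHA256) {
    Write-Warning 'System32 and dllcache copies differ; compare their versions and dates before trusting either.'
}

# A copy that does not come from Microsoft, or whose signature does not verify, is the one
# to submit to a multi-engine scanner, as the thread suggests.
$copies | Where-Object { $_.Company -notlike '*Microsoft*' -or $_.Signature -ne 'Valid' } |
    ForEach-Object { Write-Warning "Needs a second look: $($_.Path)" }
```

For the command-prompt route diespy asked about in the previous post, `dir /s /a /b %SystemRoot%\wininet.dll` lists the same paths without the extra columns; the hash is what makes the comparison between the System32 and dllcache copies meaningful.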



#15 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,628 posts
  • Gender:Male

Posted 20 August 2005 - 01:04 PM

If jotti says your wininet.dll is infected, post back with the information I asked for in the last post.

If not infected, download WinsockXPFix and run it.
http://www.geekstogo.com/modules.php?modid...n=download&id=7

If still having the same problems after running it try this:

For ActiveX downloads, check settings in Internet Options.

Under the Security tab, click the Internet icon and then the Custom Level button.

Set Download signed ActiveX controls to prompt.
Set Run ActiveX controls and plug-ins to enable.
Set Script ActiveX controls marked safe for scripting to enable.

OK out of Internet Options, close Internet Explorer, reboot, then test.

If still can't access secure web sites, refer to this article and follow the steps to troubleshoot the issue. Let me know how that goes.
http://www.jsifaq.com/subM/tip6300/rh6349.htm

Stop at this point and let me know where we stand.
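The three Internet-zone settings listed above, and the "http protocol is in My Computer Zone" line HijackThis flagged in the other accounts, are all stored under the current user's Internet Settings registry key, so they can be audited without clicking through Internet Options. The script below is an added example, not code from the thread or from HijackThis. The key paths, the URL-action value names (1001, 1200, 1405) and the action codes (0 enable, 1 prompt, 3 disable) are the documented Internet Explorer ones; the script only reads, and any write-back is left to the reader.

```powershell
# Added example (not from the thread): read-only audit of the Internet Explorer settings
# the thread asks the user to set by hand, plus the ProtocolDefaults entry behind the
# HijackThis "'http' protocol is in My Computer Zone" line. Zone 3 is the Internet zone.
$zones            = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$protocolDefaults = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults'

# URL-action DWORD values: 0 = Enable, 1 = Prompt, 3 = Disable.
$actionName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# What the thread recommends for the Internet zone (value name, label, expected action).
$expected = @(
    @{ Id = '1001'; Label = 'Download signed ActiveX controls';                  Want = 1 },
    @{ Id = '1200'; Label = 'Run ActiveX controls and plug-ins';                 Want = 0 },
    @{ Id = '1405'; Label = 'Script ActiveX controls marked safe for scripting'; Want = 0 }
)

function Test-InternetZoneSettings {
    $internet = Get-ItemProperty -Path (Join-Path $zones '3') -ErrorAction Stop
    foreach ($e in $expected) {
        $actual = $internet.($e.Id)
        if ($null -eq $actual) { $actualLabel = 'not set (inherits template)' }
        else                   { $actualLabel = $actionName[[int]$actual] }
        [pscustomobject]@{
            Setting  = $e.Label
            Actual   = $actualLabel
            Expected = $actionName[$e.Want]
            OK       = ($actual -eq $e.Want)
        }
    }
}

function Test-ProtocolDefaults {
    # Each protocol maps to a zone number: 0 = My Computer, 1 = Local intranet,
    # 2 = Trusted sites, 3 = Internet, 4 = Restricted sites. http and https belong in 3;
    # a web protocol mapped to zone 0 runs content with My Computer's permissive rules.
    $zoneName = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
    $pd = Get-ItemProperty -Path $protocolDefaults -ErrorAction Stop
    foreach ($proto in 'http', 'https') {
        $zone = $pd.$proto
        if ($null -eq $zone) { $zoneLabel = 'not set' } else { $zoneLabel = $zoneName[[int]$zone] }
        [pscustomobject]@{
            Protocol = $proto
            Zone     = $zoneLabel
            OK       = ($zone -eq 3)
        }
    }
}

Test-InternetZoneSettings | Format-Table -AutoSize
Test-ProtocolDefaults     | Format-Table -AutoSize
```

Run it once per user account, since everything here lives under HKCU, which is why the HijackThis results differed between the Heather account and the other three. If a value comes back wrong, correct it in Internet Options or with Set-ItemProperty, reboot and run the audit again: a value that reverts on its own is the symptom diespy described at the start of the thread and points to whatever is rewriting it, not to the setting itself.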


