My Hijackthis And Combofix Logs

38 replies to this topic

#1 crazyme

  • Members
  • 23 posts

Posted 05 August 2006 - 08:37 PM

Hi, this past Monday I had some major spyware/adware/viruses and whatnot, basically everything out there. I have been working on trying to get my computer in order. I am going to post my ComboFix and HijackThis logs so I can get further help in getting my computer cleaner. Also, whenever I reboot my PC, there is this update.exe file that always loads up on start; it was never there before this infection happened. When I end the process, it doesn't come back at all. When I run ZoneAlarm for virus/spyware scans, should I delete the quarantined items? There are a lot of items in there under spyware that it says I should delete which it couldn't delete. So by deleting them from quarantine it will delete them from my PC too? I have also recently run Stinger. Thanks, and sorry for this long post of logs.

Here is my ComboFix log:

Start Time= Sat 08/05/2006 16:24:38.89
Running from: E:\Documents and Settings\Dil\Desktop\Downloads

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


E:\Documents and Settings\Dil\Local Settings\Temp\drsmartload180a.exe
E:\Documents and Settings\Dil\Local Settings\Temporary Internet Files\Content.IE5\PHRSB3MW\drsmartload849a[1].exe
E:\WINDOWS\uninstall_nmon.vbs
E:\WINDOWS\system32\atmtd.dll
E:\WINDOWS\system32\atmtd.dll._


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-03 23:01:32 ( .D... ) "E:\Program Files\SpywareBlaster"
2006-07-31 19:38:32 ( .D... ) "E:\Program Files\Zone Labs"
2006-07-31 06:11:16 ( .D... ) "E:\Documents and Settings\Dil\Application Data\SystemDoctor 2006 Free"
2006-07-31 05:58:52 69632 ( A.... ) "E:\WINDOWS\system32\eopilpgn.dll"
2006-07-31 05:58:28 2 ( A.... ) "E:\WINDOWS\system32\wnstssv.exe"
2006-07-31 05:57:44 ( .D... ) "E:\Program Files\Batty"
2006-07-31 05:57:40 69632 ( A.... ) "E:\WINDOWS\system32\ahgcfian.dll"
2006-07-31 05:54:40 48167 ( A.... ) "E:\WINDOWS\system32\VSL05.exe"
2006-07-31 05:54:38 61440 ( A.... ) "E:\WINDOWS\system32\iko59bc2.dll"
2006-07-31 05:54:38 1064 ( A.... ) "E:\WINDOWS\system32\iko59bc2.sys"
2006-07-31 05:54:38 1064 ( A.... ) "E:\WINDOWS\system32\iko59bc2.sys"
2006-07-31 05:54:32 235134 ( A.... ) "E:\WINDOWS\srvhwpnzru.exe"
2006-07-31 05:54:30 159744 ( A.... ) "E:\WINDOWS\system32\redist.dll"
2006-07-31 05:54:22 ( .D... ) "E:\Program Files\System Icons"
2006-07-31 05:54:22 ( .D... ) "E:\Program Files\System Files"
2006-07-31 05:53:56 ( .D... ) "E:\Program Files\Common Files\zouu"
2006-07-31 05:53:42 232749 ( A.... ) "E:\WINDOWS\pf78.exe"
2006-07-31 05:53:24 ( AD... ) "E:\Program Files\webHancer"
2006-07-31 05:53:12 45056 ( A.... ) "E:\WINDOWS\system32ghynf.exe"
2006-07-31 05:53:12 36864 ( A.... ) "E:\WINDOWS\system32n9nyb.exe"
2006-07-31 05:53:12 28672 ( A.... ) "E:\WINDOWS\system32bez6n4r21.exe"
2006-07-31 05:53:12 28672 ( A.... ) "E:\WINDOWS\system32\iqqr.exe"
2006-07-31 05:53:10 36864 ( A.... ) "E:\WINDOWS\system32\n9nyb.exe"
2006-07-31 05:53:10 28672 ( A.... ) "E:\WINDOWS\system32\bez6n4r21.exe"
2006-07-31 05:53:02 ( .D... ) "E:\Program Files\Common Files\{F8DB672E-07D9-1033-1004-040408020001}"
2006-07-30 13:19:10 ( .D... ) "E:\Program Files\QuickPar"
2006-07-21 18:55:38 127578 ( A.... ) "E:\WINDOWS\system32\tsuninst.exe"
2006-07-01 00:43:26 ( .D... ) "E:\Program Files\Sports Mogul"
2006-06-29 10:07:36 61440 ( A.... ) "E:\WINDOWS\system32\BattyRun.dll"
2006-06-25 08:57:46 ( .D... ) "E:\Program Files\Common Files\Adobe"
2006-06-12 20:02:08 ( .D... ) "E:\Documents and Settings\Dil\Application Data\Talkback"
2006-06-12 20:00:06 ( .D... ) "E:\Documents and Settings\Dil\Application Data\Thunderbird"
2006-06-12 19:59:40 ( .D... ) "E:\Program Files\Mozilla Thunderbird"
2006-06-09 06:18:56 49152 ( A.... ) "E:\WINDOWS\system32\pmnnn.exe"
2006-06-08 22:26:10 13837 ( A.SH. ) "E:\WINDOWS\system32\ssqrsqr.dll"
2006-06-07 13:55:52 3753 ( A.... ) "E:\Program Files\html2.htm"
2006-06-07 13:55:52 3626 ( A.... ) "E:\Program Files\html1.htm"
2006-05-31 17:52:58 395032 ( A.... ) "E:\WINDOWS\system32\vsdatant.sys"
2006-05-31 17:52:44 75776 ( A.... ) "E:\WINDOWS\zllsputility.exe"
2006-05-31 17:51:58 71672 ( A.... ) "E:\WINDOWS\system32\zlcommdb.dll"
2006-05-31 17:51:56 83960 ( A.... ) "E:\WINDOWS\system32\zlcomm.dll"
2006-05-31 17:51:54 100344 ( A.... ) "E:\WINDOWS\system32\vsxml.dll"
2006-05-31 17:51:54 59384 ( A.... ) "E:\WINDOWS\system32\vswmi.dll"
2006-05-31 17:51:52 440312 ( A.... ) "E:\WINDOWS\system32\vsutil.dll"
2006-05-31 17:51:46 268280 ( A.... ) "E:\WINDOWS\system32\vspubapi.dll"
2006-05-31 17:51:46 71672 ( A.... ) "E:\WINDOWS\system32\vsregexp.dll"
2006-05-31 17:51:44 104440 ( A.... ) "E:\WINDOWS\system32\vsmonapi.dll"
2006-05-31 17:51:42 157688 ( A.... ) "E:\WINDOWS\system32\vsinit.dll"
2006-05-31 17:51:38 83960 ( A.... ) "E:\WINDOWS\system32\vsdata.dll"
2006-05-31 17:51:20 796584 ( A.... ) "E:\WINDOWS\system32\libeay32_0.9.6l.dll"
2005-05-30 16:05:08 6030 ( A.... ) "E:\Program Files\DeIsL1.isu"
2004-05-12 19:56:02 54784 ( A.... ) "E:\Program Files\Asmi8705.dll"
2004-05-10 11:15:32 58880 ( A.... ) "E:\Program Files\Asmi697h.dll"
2004-04-15 17:31:58 84992 ( A.... ) "E:\Program Files\coDmi.dll"
2004-04-15 16:58:56 57344 ( A.... ) "E:\Program Files\AsmiEHFA.dll"
2004-04-08 14:02:46 58880 ( A.... ) "E:\Program Files\AsmiTHFA.dll"
2004-04-02 15:34:04 37888 ( A.... ) "E:\Program Files\AsmiEnum.dll"
2004-03-16 16:17:42 28160 ( A.... ) "E:\Program Files\AsmiSpch.dll"
2003-12-09 18:25:02 35328 ( A.... ) "E:\Program Files\AsGetDmi.dll"
2003-12-01 16:23:38 54784 ( A.... ) "E:\Program Files\Asmi8712.dll"
2003-11-28 11:53:48 59392 ( A.... ) "E:\Program Files\Asmi627h.dll"
2003-11-11 17:48:48 683 ( A.... ) "E:\Program Files\AsusPb.ini"
2003-09-23 11:44:32 535040 ( A.... ) "E:\Program Files\COLM7578.DLL"
2003-07-16 19:28:16 62976 ( A.... ) "E:\Program Files\AsmiAsus.dll"
2003-07-15 10:42:44 56832 ( A.... ) "E:\Program Files\Asmi366.dll"
2003-05-28 22:06:06 59904 ( A.... ) "E:\Program Files\AsmiM192.dll"
2003-05-28 20:25:04 31232 ( A.... ) "E:\Program Files\AsmiIntl.dll"
2003-05-13 15:40:10 31232 ( A.... ) "E:\Program Files\AsmiHwIo.dll"
2003-04-17 20:36:00 29184 ( A.... ) "E:\Program Files\AsmiNvi2.dll"
2003-03-25 13:45:00 37888 ( A.... ) "E:\Program Files\ASMIDMI.DLL"
2002-12-06 16:07:48 617984 ( A.... ) "E:\Program Files\AsusProb.exe"
2002-11-27 20:52:54 29696 ( A.... ) "E:\Program Files\AsmiVia.dll"
2002-09-11 16:38:24 52224 ( A.... ) "E:\Program Files\ASUS.DLL"
2002-07-22 20:57:24 53760 ( A.... ) "E:\Program Files\AsmiAspm.dll"
2001-11-19 15:55:04 31232 ( A.... ) "E:\Program Files\ASMISIS.DLL"
2001-11-14 11:28:28 29184 ( A.... ) "E:\Program Files\AsmiIntO.dll"
2001-10-12 15:35:22 29184 ( A.... ) "E:\Program Files\AsmiAmd.dll"
2001-09-26 11:26:56 29184 ( A.... ) "E:\Program Files\AsmiNvid.dll"
2001-09-10 11:28:26 90624 ( A.... ) "E:\Program Files\CODISK.DLL"
2001-08-30 15:19:40 54272 ( A.... ) "E:\Program Files\Asmi630E.dll"
2001-08-16 15:30:10 31232 ( A.... ) "E:\Program Files\ASMIALI.DLL"
2001-07-26 16:58:46 47 ( A.... ) "E:\Program Files\ACMonitor_X73.ini"
2001-07-05 12:46:44 8116 ( A.... ) "E:\Program Files\OSLO3071b2.USB"
2001-05-11 11:39:16 53248 ( A.... ) "E:\Program Files\ACMonitor_X73.exe"
2001-05-08 16:36:42 114688 ( A.... ) "E:\Program Files\lxarscan.dll"
2001-04-23 14:22:14 1437 ( A.... ) "E:\Program Files\gtx73.ini"
2001-02-22 09:54:36 768 ( A.... ) "E:\Program Files\x73_lut.dat"
2001-01-04 14:56:16 55296 ( A.... ) "E:\Program Files\Asmi686A.dll"
2000-10-03 14:20:14 27648 ( A.... ) "E:\Program Files\ASMICTRL.DLL"
2000-09-07 21:17:18 54784 ( A.... ) "E:\Program Files\Asmi5953.dll"
2000-06-14 18:28:46 31232 ( A.... ) "E:\Program Files\ASMIAHD.DLL"
2000-05-18 21:02:26 55808 ( A.... ) "E:\Program Files\ASMILM78.DLL"
1999-11-22 18:24:10 15872 ( A.... ) "E:\Program Files\RECHI.DLL"
1999-11-22 18:23:58 18944 ( A.... ) "E:\Program Files\REENG.DLL"
1999-08-21 11:29:46 118784 ( A.... ) "E:\Program Files\Cooling.exe"
1999-08-21 11:21:00 7869 ( A.... ) "E:\Program Files\IDLEHLT.VXD"
1999-05-12 11:56:28 55808 ( A.... ) "E:\Program Files\ASMI5952.DLL"
1999-04-27 20:15:44 16896 ( A.... ) "E:\Program Files\COLMICO.DLL"
1999-03-05 09:53:02 57344 ( A.... ) "E:\Program Files\ASMI5951.DLL"
1999-03-05 09:49:06 57344 ( A.... ) "E:\Program Files\ASMI782D.DLL"
1999-03-05 09:48:00 55808 ( A.... ) "E:\Program Files\ASMI781D.DLL"
1999-01-14 10:47:32 33280 ( A.... ) "E:\Program Files\ASUSAHD.DLL"
1998-11-20 02:57:24 18944 ( A.... ) "E:\Program Files\DISKICO.DLL"
1998-10-27 17:06:36 28160 ( A.... ) "E:\Program Files\ICON.DLL"
1998-10-20 04:18:24 21504 ( A.... ) "E:\Program Files\PROBUNIS.DLL"
1998-10-12 13:08:56 1394 ( A.... ) "E:\Program Files\ASUS.AHD"
1998-09-22 10:00:16 18944 ( A.... ) "E:\Program Files\RESOURCE.DLL"
1998-09-19 06:46:20 16896 ( A.... ) "E:\Program Files\MAINICON.DLL"
1998-08-20 02:42:38 9216 ( A.... ) "E:\Program Files\STRENG.DLL"
1998-08-20 02:42:08 99840 ( A.... ) "E:\Program Files\STRTC.DLL"
1998-08-18 08:17:40 29696 ( A.... ) "E:\Program Files\GETDMI.DLL"

Rootkit driver pe386 is present. A rootkit scan is required

Rootkit driver msguard is present. A rootkit scan is required


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-31 23:25 1,610,612,736 E:\pagefile.sys
2006-07-31 19:38 83,960 E:\WINDOWS\system32\zlcomm.dll
2006-07-31 19:38 796,584 E:\WINDOWS\system32\libeay32_0.9.6l.dll
2006-07-31 19:38 77,824 E:\WINDOWS\system32\driverif.dll
2006-07-31 19:38 75,776 E:\WINDOWS\zllsputility.exe
2006-07-31 19:38 733,236 E:\WINDOWS\system32\vete.dll
2006-07-31 19:38 71,672 E:\WINDOWS\system32\zlcommdb.dll
2006-07-31 19:38 71,672 E:\WINDOWS\system32\vsregexp.dll
2006-07-31 19:38 59,384 E:\WINDOWS\system32\vswmi.dll
2006-07-31 19:38 395,032 E:\WINDOWS\system32\vsdatant.sys
2006-07-31 19:38 268,280 E:\WINDOWS\system32\vspubapi.dll
2006-07-31 19:38 12,288 E:\WINDOWS\system32\vetntmsg.dll
2006-07-31 19:38 11,264 E:\WINDOWS\system32\SpOrder.dll
2006-07-31 19:38 104,440 E:\WINDOWS\system32\vsmonapi.dll
2006-07-31 19:38 100,344 E:\WINDOWS\system32\vsxml.dll
2006-07-31 19:37 83,960 E:\WINDOWS\system32\vsdata.dll
2006-07-31 19:37 440,312 E:\WINDOWS\system32\vsutil.dll
2006-07-31 19:37 157,688 E:\WINDOWS\system32\vsinit.dll
2006-07-31 18:07 1,073,074,176 E:\hiberfil.sys
2006-07-31 05:58 69,632 E:\WINDOWS\system32\eopilpgn.dll
2006-07-31 05:58 2 E:\WINDOWS\system32\wnstssv.exe
2006-07-31 05:57 69,632 E:\WINDOWS\system32\ahgcfian.dll
2006-07-31 05:54 61,440 E:\WINDOWS\system32\iko59bc2.dll
2006-07-31 05:54 48,167 E:\WINDOWS\system32\VSL05.exe
2006-07-31 05:54 235,134 E:\WINDOWS\srvhwpnzru.exe
2006-07-31 05:54 159,744 E:\WINDOWS\system32\redist.dll
2006-07-31 05:54 1,064 E:\WINDOWS\system32\iko59bc2.sys
2006-07-31 05:53 45,056 E:\WINDOWS\system32ghynf.exe
2006-07-31 05:53 36,864 E:\WINDOWS\system32n9nyb.exe
2006-07-31 05:53 36,864 E:\WINDOWS\system32\n9nyb.exe
2006-07-31 05:53 28,672 E:\WINDOWS\system32bez6n4r21.exe
2006-07-31 05:53 28,672 E:\WINDOWS\system32\iqqr.exe
2006-07-31 05:53 28,672 E:\WINDOWS\system32\bez6n4r21.exe
2006-07-31 05:53 232,749 E:\WINDOWS\pf78.exe
2006-07-31 05:53 21,504 E:\WINDOWS\offun.exe
2006-07-31 05:53 127,578 E:\WINDOWS\system32\tsuninst.exe
2006-07-31 05:53 1,064,304 E:\WINDOWS\nmawqiaA.exe
2006-06-29 10:07 61,440 E:\WINDOWS\system32\BattyRun.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SmcService"="E:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"DeadAIM"="rundll32.exe \"E:\\PROGRA~1\\AIM\\\\DeadAIM.ocm\",ExportedCheckODLs"
"NeroFilterCheck"="E:\\WINDOWS\\system32\\NeroCheck.exe"
"SoundMan"="SOUNDMAN.EXE"
"SunJavaUpdateSched"="E:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
"Symantec NetDriver Monitor"="E:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"PrinTray"="E:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe"
"ASUS Probe"="e:\\program files\\AsusProb.exe"
"Lexmark X73 Button Monitor"="E:\\PROGRA~1\\LEXMAR~1\\ACMonitor_X73.exe"
"Lexmark X73 Button Manager"="E:\\PROGRA~1\\LEXMAR~1\\AcBtnMgr_X73.exe"
"QuickTime Task"="\"E:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
@=""
"URLLSTCK.exe"="E:\\Program Files\\Norton Internet Security Professional\\UrlLstCk.exe"
"Zone Labs Client"="\"E:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AIM"="E:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"ctfmon.exe"="E:\\WINDOWS\\system32\\ctfmon.exe"
"msnmsgr"="\"E:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Yahoo! Pager"="E:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"E06AXLRD_-1331953546"="\"E:\\Program Files\\Microsoft Encarta\\Encarta Premium DVD 2006\\EDICT.EXE\" -m"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{F8DB672E-07D9-1033-1004-040408020001}"="\"E:\\Program Files\\Common Files\\{F8DB672E-07D9-1033-1004-040408020001}\\Update.exe\" mc-110-12-0000103"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,02,00,00,00,00,00,00,00,02,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="E:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="E:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="E:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
"path"="E:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office OneNote 2003 Quick Launch.lnk"
"backup"="E:\\WINDOWS\\pss\\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="E:\\PROGRA~1\\MICROS~2\\OFFICE11\\ONENOTEM.EXE /tsr"
"item"="Microsoft Office OneNote 2003 Quick Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it® Software Notes Lite.lnk]
"path"="E:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Post-it® Software Notes Lite.lnk"
"backup"="E:\\WINDOWS\\pss\\Post-it® Software Notes Lite.lnkCommon Startup"
"location"="Common Startup"
"command"="E:\\PROGRA~1\\3M\\PSNLite\\PsnLite.exe -RegRun"
"item"="Post-it® Software Notes Lite"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Dil^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
"path"="E:\\Documents and Settings\\Dil\\Start Menu\\Programs\\Startup\\Microsoft Office OneNote 2003 Quick Launch.lnk"
"backup"="E:\\WINDOWS\\pss\\Microsoft Office OneNote 2003 Quick Launch.lnkStartup"
"location"="Startup"
"command"="E:\\PROGRA~1\\MICROS~2\\OFFICE11\\ONENOTEM.EXE /tsr"
"item"="Microsoft Office OneNote 2003 Quick Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ad8rIU3s]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cvn0"
"hkey"="HKLM"
"command"="E:\\WINDOWS\\system32\\cvn0.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ares"
"hkey"="HKCU"
"command"="\"E:\\Program Files\\Ares Lite Edition\\Ares.exe\" -h"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"="\"E:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E06AXLRD_-1331953546]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="EDICT"
"hkey"="HKCU"
"command"="\"E:\\Program Files\\Microsoft Encarta\\Encarta Premium DVD 2006\\EDICT.EXE\" -m"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"E:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Xbznv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="r?ndll32"
"hkey"="HKCU"
"command"="E:\\WINDOWS\\s?mbols\\r?ndll32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="E:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"inimapping"="0"




Contents of the 'Scheduled Tasks' folder
E:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
E:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job
E:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Sat 08/05/2006 16:25:53.57
ComboFix ver 06.07.15/28 - This logfile is located at E:\ComboFix.txt

ComboFix.2006-08-05.162438.txt

http://www.sarc.com/avcenter/venc/data/w97m.exedrop.html

Logfile of HijackThis v1.99.1
Scan saved at 4:49:54 PM, on 8/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\LEXBCES.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\Program Files\Common Files\Symantec Shared\ccProxy.exe
E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\WINDOWS\system32\ZoneLabs\isafe.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
E:\program files\AsusProb.exe
E:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
E:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\AIM\aim.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Program Files\Symantec\LiveUpdate\AUpdate.exe
E:\Documents and Settings\D\Desktop\Downloads\hijackthis\HijackThis.exe
E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - E:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "E:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PrinTray] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [ASUS Probe] e:\program files\AsusProb.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] E:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] E:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [URLLSTCK.exe] E:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Zone Labs Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] E:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [E06AXLRD_-1331953546] "E:\Program Files\Microsoft Encarta\Encarta Premium DVD 2006\EDICT.EXE" -m
O4 - HKCU\..\Run: [Xbznv] E:\WINDOWS\s?mbols\r?ndll32.exe
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://e:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - E:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - E:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - E:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe


#2 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 06 August 2006 - 06:56 AM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A printout of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

You have been infected with the pe386 and msguard rootkits. :thumbsup:
The pe386 rootkit is capable of hiding from all known rootkit scanners, so we have to unload the driver first.

Due to the status of some of the files you have on your computer, I strongly recommend that you do the following immediately. Disconnect the infected computer from the internet until the computer can be cleaned. From a clean computer, change all your online passwords-- for email, for banks, eBay, forums etc.... Do not change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to unload:
pe386
msguard


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

6. Download GMER from Here
Right Click the Zip and Select "Extract All"
Double Click gmer.exe to launch the program.
Click on the Rootkit Tab and then click Scan.
It takes a while to run, once complete, copy the results to notepad and save them somewhere safe.
Post those results in the next reply.

Post back with-
1) The avenger.txt file
2) The GMER log
3) A new Hijackthis log
4) A new Combofix log.

David

#3 crazyme

Posted 06 August 2006 - 07:58 AM

Hey David, thanks for your help. I did as you asked. I ran Avenger, but it didn't save a txt file. It also rebooted twice. After the second time it had booted up, ZoneAlarm said something about vwvogrkg trying to access regedit, so I said deny. Was that process supposed to be related to Avenger? Also, after doing all this cleaning will I be able to log into websites and such? Because I have refrained from going to any personal websites that contain my personal information. I will post my other log files soon. Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 9:05:46 AM, on 8/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\LEXBCES.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\Program Files\Common Files\Symantec Shared\ccProxy.exe
E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\WINDOWS\system32\ZoneLabs\isafe.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
E:\program files\AsusProb.exe
E:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
E:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\Common Files\{F8DB672E-07D9-1033-1004-040408020001}\Update.exe
E:\Program Files\AIM\aim.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Documents and Settings\Dil\Desktop\Downloads\gmer\gmer.exe
E:\Documents and Settings\Dilraj\Desktop\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - E:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "E:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PrinTray] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [ASUS Probe] e:\program files\AsusProb.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] E:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] E:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [URLLSTCK.exe] E:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Zone Labs Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [vwvogrkg] E:\gvchgehc.bat
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] E:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [E06AXLRD_-1331953546] "E:\Program Files\Microsoft Encarta\Encarta Premium DVD 2006\EDICT.EXE" -m
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://e:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - E:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - E:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - E:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by crazyme, 06 August 2006 - 08:07 AM.
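The HijackThis log above is read by eye in this thread; as an added illustration (this code is not from the thread, from BleepingComputer, or from the HijackThis project), here is a small triage script that parses the O4 (Run key) and O23 (service) line formats and flags the patterns a helper looks for first: an autostart executable sitting directly in the drive root, a script (.bat/.vbs) as an autostart, random-looking names, "?" or non-ASCII characters in a path (lookalike file names, as in the ComboFix startupreg\Xbznv entry later in the thread), services with "Unknown owner" or "(file missing)". The sample lines are copied from the log in this thread, except the r?ndll32 O4 line, which is constructed from that ComboFix entry. The heuristics and their thresholds are my own assumptions, meant for prioritising review, not for deciding what is malware.

```python
import re
from typing import Dict, List

# Constructed sample input: HijackThis 1.99.1 lines taken from the log posted in this
# thread, plus one O4 line built from the ComboFix "startupreg\Xbznv" entry (constructed).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "E:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [vwvogrkg] E:\gvchgehc.bat
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [r?ndll32] E:\WINDOWS\s?mbols\r?ndll32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
"""

# "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# "O23 - Service: display (short) - owner - path [(file missing)]"
O23_RE = re.compile(r'^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - '
                    r'(?P<path>.+?)(?P<missing> \(file missing\))?$')
# First executable-looking token of a command line (optionally quoted, may contain spaces).
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|bat|cmd|com|scr|pif|vbs)(?![A-Za-z0-9]))',
                    re.IGNORECASE)
SCRIPT_EXTS = ('.bat', '.cmd', '.vbs', '.pif', '.scr')
VOWELS = set('aeiou')


def looks_random(token: str) -> bool:
    """Heuristic (assumption): a long, all-lowercase, letters-only token with a run of
    four or more consonants or very few vowels. Thresholds chosen so that ordinary
    names such as 'jusched' or 'ctfmon' are not flagged."""
    if len(token) < 7 or not token.isalpha() or not token.islower():
        return False
    run = best = 0
    for ch in token:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    vowel_ratio = sum(ch in VOWELS for ch in token) / len(token)
    return best >= 4 or vowel_ratio < 0.2


def analyze_o4(name: str, cmd: str) -> List[str]:
    """Return the list of triage flags for one O4 autostart entry."""
    m = EXE_RE.match(cmd)
    path = m.group('path') if m else cmd
    base = path.rsplit('\\', 1)[-1]
    stem, _, ext = base.rpartition('.')
    flags = []
    if re.fullmatch(r'[A-Za-z]:\\[^\\]+', path):
        flags.append('executable-in-drive-root')
    if ('.' + ext.lower()) in SCRIPT_EXTS:
        flags.append('script-autostart')
    if looks_random(name) or looks_random(stem):
        flags.append('random-looking-name')
    if '?' in path or any(ord(c) > 127 for c in path):
        flags.append('lookalike-or-nonprintable-chars')
    return flags


def analyze_o23(owner: str, missing: bool) -> List[str]:
    """Return the list of triage flags for one O23 service entry."""
    flags = []
    if owner == 'Unknown owner':
        flags.append('unknown-owner')
    if missing:
        flags.append('file-missing')
    return flags


def triage(log: str) -> Dict[str, List[str]]:
    """Map entry name -> flags for every O4/O23 line that raised at least one flag."""
    findings: Dict[str, List[str]] = {}
    for line in log.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            flags = analyze_o4(m.group('name'), m.group('cmd'))
            key = m.group('name')
        elif m := O23_RE.match(line):
            flags = analyze_o23(m.group('owner'), m.group('missing') is not None)
            key = m.group('display')
        else:
            continue
        if flags:
            findings[key] = flags
    return findings


if __name__ == '__main__':
    for entry, flags in triage(SAMPLE_LOG).items():
        print(f'{entry}: {", ".join(flags)}')
```

Run on the sample, the script singles out the [vwvogrkg] E:\gvchgehc.bat entry (drive root, script, random name), the constructed r?ndll32 line, and the SymWSC service, while the Java updater, DeadAIM, ctfmon and the Symantec service lines pass silently. A flag is a reason to look closer, not a verdict; the helper in this thread still had to confirm each item against known-good software.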


#4 -David-

Posted 06 August 2006 - 08:06 AM

When the Avenger needs to unload a driver it reboots twice, so this is normal.
I'm not sure about the message Zonealarm gave you, but you do have a huge amount of malware on your system which we will be clearing later.
Once we have successfully cleaned up this computer you should be able to log back into personal websites.
For the avenger log you may have to run it manually:

Click on start then click on run and type:
c:\avenger.txt

Let me know what happens,
David

#5 crazyme

Posted 06 August 2006 - 08:10 AM

I did that and it opens up a blank avenger.txt file; nothing was saved into it. Earlier I posted my HJT log and now I have the GMER log. I see new things in my HJT log too :thumbsup: Another thing: when combofix.exe was running, ZoneAlarm wanted access to nircmd and swreg.exe; I hit deny on both.

Start Time= Sat 08/05/2006 16:24:38.89
Running from: E:\Documents and Settings\Dil\Desktop\Downloads

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


E:\Documents and Settings\Dil\Local Settings\Temp\drsmartload180a.exe
E:\Documents and Settings\Dil\Local Settings\Temporary Internet Files\Content.IE5\PHRSB3MW\drsmartload849a[1].exe
E:\WINDOWS\uninstall_nmon.vbs
E:\WINDOWS\system32\atmtd.dll
E:\WINDOWS\system32\atmtd.dll._


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-03 23:01:32 ( .D... ) "E:\Program Files\SpywareBlaster"
2006-07-31 19:38:32 ( .D... ) "E:\Program Files\Zone Labs"
2006-07-31 06:11:16 ( .D... ) "E:\Documents and Settings\Dil\Application Data\SystemDoctor 2006 Free"
2006-07-31 05:58:52 69632 ( A.... ) "E:\WINDOWS\system32\eopilpgn.dll"
2006-07-31 05:58:28 2 ( A.... ) "E:\WINDOWS\system32\wnstssv.exe"
2006-07-31 05:57:44 ( .D... ) "E:\Program Files\Batty"
2006-07-31 05:57:40 69632 ( A.... ) "E:\WINDOWS\system32\ahgcfian.dll"
2006-07-31 05:54:40 48167 ( A.... ) "E:\WINDOWS\system32\VSL05.exe"
2006-07-31 05:54:38 61440 ( A.... ) "E:\WINDOWS\system32\iko59bc2.dll"
2006-07-31 05:54:38 1064 ( A.... ) "E:\WINDOWS\system32\iko59bc2.sys"
2006-07-31 05:54:38 1064 ( A.... ) "E:\WINDOWS\system32\iko59bc2.sys"
2006-07-31 05:54:32 235134 ( A.... ) "E:\WINDOWS\srvhwpnzru.exe"
2006-07-31 05:54:30 159744 ( A.... ) "E:\WINDOWS\system32\redist.dll"
2006-07-31 05:54:22 ( .D... ) "E:\Program Files\System Icons"
2006-07-31 05:54:22 ( .D... ) "E:\Program Files\System Files"
2006-07-31 05:53:56 ( .D... ) "E:\Program Files\Common Files\zouu"
2006-07-31 05:53:42 232749 ( A.... ) "E:\WINDOWS\pf78.exe"
2006-07-31 05:53:24 ( AD... ) "E:\Program Files\webHancer"
2006-07-31 05:53:12 45056 ( A.... ) "E:\WINDOWS\system32ghynf.exe"
2006-07-31 05:53:12 36864 ( A.... ) "E:\WINDOWS\system32n9nyb.exe"
2006-07-31 05:53:12 28672 ( A.... ) "E:\WINDOWS\system32bez6n4r21.exe"
2006-07-31 05:53:12 28672 ( A.... ) "E:\WINDOWS\system32\iqqr.exe"
2006-07-31 05:53:10 36864 ( A.... ) "E:\WINDOWS\system32\n9nyb.exe"
2006-07-31 05:53:10 28672 ( A.... ) "E:\WINDOWS\system32\bez6n4r21.exe"
2006-07-31 05:53:02 ( .D... ) "E:\Program Files\Common Files\{F8DB672E-07D9-1033-1004-040408020001}"
2006-07-30 13:19:10 ( .D... ) "E:\Program Files\QuickPar"
2006-07-21 18:55:38 127578 ( A.... ) "E:\WINDOWS\system32\tsuninst.exe"
2006-07-01 00:43:26 ( .D... ) "E:\Program Files\Sports Mogul"
2006-06-29 10:07:36 61440 ( A.... ) "E:\WINDOWS\system32\BattyRun.dll"
2006-06-25 08:57:46 ( .D... ) "E:\Program Files\Common Files\Adobe"
2006-06-12 20:02:08 ( .D... ) "E:\Documents and Settings\Dil\Application Data\Talkback"
2006-06-12 20:00:06 ( .D... ) "E:\Documents and Settings\Dil\Application Data\Thunderbird"
2006-06-12 19:59:40 ( .D... ) "E:\Program Files\Mozilla Thunderbird"
2006-06-09 06:18:56 49152 ( A.... ) "E:\WINDOWS\system32\pmnnn.exe"
2006-06-08 22:26:10 13837 ( A.SH. ) "E:\WINDOWS\system32\ssqrsqr.dll"
2006-06-07 13:55:52 3753 ( A.... ) "E:\Program Files\html2.htm"
2006-06-07 13:55:52 3626 ( A.... ) "E:\Program Files\html1.htm"
2006-05-31 17:52:58 395032 ( A.... ) "E:\WINDOWS\system32\vsdatant.sys"
2006-05-31 17:52:44 75776 ( A.... ) "E:\WINDOWS\zllsputility.exe"
2006-05-31 17:51:58 71672 ( A.... ) "E:\WINDOWS\system32\zlcommdb.dll"
2006-05-31 17:51:56 83960 ( A.... ) "E:\WINDOWS\system32\zlcomm.dll"
2006-05-31 17:51:54 100344 ( A.... ) "E:\WINDOWS\system32\vsxml.dll"
2006-05-31 17:51:54 59384 ( A.... ) "E:\WINDOWS\system32\vswmi.dll"
2006-05-31 17:51:52 440312 ( A.... ) "E:\WINDOWS\system32\vsutil.dll"
2006-05-31 17:51:46 268280 ( A.... ) "E:\WINDOWS\system32\vspubapi.dll"
2006-05-31 17:51:46 71672 ( A.... ) "E:\WINDOWS\system32\vsregexp.dll"
2006-05-31 17:51:44 104440 ( A.... ) "E:\WINDOWS\system32\vsmonapi.dll"
2006-05-31 17:51:42 157688 ( A.... ) "E:\WINDOWS\system32\vsinit.dll"
2006-05-31 17:51:38 83960 ( A.... ) "E:\WINDOWS\system32\vsdata.dll"
2006-05-31 17:51:20 796584 ( A.... ) "E:\WINDOWS\system32\libeay32_0.9.6l.dll"
2005-05-30 16:05:08 6030 ( A.... ) "E:\Program Files\DeIsL1.isu"
2004-05-12 19:56:02 54784 ( A.... ) "E:\Program Files\Asmi8705.dll"
2004-05-10 11:15:32 58880 ( A.... ) "E:\Program Files\Asmi697h.dll"
2004-04-15 17:31:58 84992 ( A.... ) "E:\Program Files\coDmi.dll"
2004-04-15 16:58:56 57344 ( A.... ) "E:\Program Files\AsmiEHFA.dll"
2004-04-08 14:02:46 58880 ( A.... ) "E:\Program Files\AsmiTHFA.dll"
2004-04-02 15:34:04 37888 ( A.... ) "E:\Program Files\AsmiEnum.dll"
2004-03-16 16:17:42 28160 ( A.... ) "E:\Program Files\AsmiSpch.dll"
2003-12-09 18:25:02 35328 ( A.... ) "E:\Program Files\AsGetDmi.dll"
2003-12-01 16:23:38 54784 ( A.... ) "E:\Program Files\Asmi8712.dll"
2003-11-28 11:53:48 59392 ( A.... ) "E:\Program Files\Asmi627h.dll"
2003-11-11 17:48:48 683 ( A.... ) "E:\Program Files\AsusPb.ini"
2003-09-23 11:44:32 535040 ( A.... ) "E:\Program Files\COLM7578.DLL"
2003-07-16 19:28:16 62976 ( A.... ) "E:\Program Files\AsmiAsus.dll"
2003-07-15 10:42:44 56832 ( A.... ) "E:\Program Files\Asmi366.dll"
2003-05-28 22:06:06 59904 ( A.... ) "E:\Program Files\AsmiM192.dll"
2003-05-28 20:25:04 31232 ( A.... ) "E:\Program Files\AsmiIntl.dll"
2003-05-13 15:40:10 31232 ( A.... ) "E:\Program Files\AsmiHwIo.dll"
2003-04-17 20:36:00 29184 ( A.... ) "E:\Program Files\AsmiNvi2.dll"
2003-03-25 13:45:00 37888 ( A.... ) "E:\Program Files\ASMIDMI.DLL"
2002-12-06 16:07:48 617984 ( A.... ) "E:\Program Files\AsusProb.exe"
2002-11-27 20:52:54 29696 ( A.... ) "E:\Program Files\AsmiVia.dll"
2002-09-11 16:38:24 52224 ( A.... ) "E:\Program Files\ASUS.DLL"
2002-07-22 20:57:24 53760 ( A.... ) "E:\Program Files\AsmiAspm.dll"
2001-11-19 15:55:04 31232 ( A.... ) "E:\Program Files\ASMISIS.DLL"
2001-11-14 11:28:28 29184 ( A.... ) "E:\Program Files\AsmiIntO.dll"
2001-10-12 15:35:22 29184 ( A.... ) "E:\Program Files\AsmiAmd.dll"
2001-09-26 11:26:56 29184 ( A.... ) "E:\Program Files\AsmiNvid.dll"
2001-09-10 11:28:26 90624 ( A.... ) "E:\Program Files\CODISK.DLL"
2001-08-30 15:19:40 54272 ( A.... ) "E:\Program Files\Asmi630E.dll"
2001-08-16 15:30:10 31232 ( A.... ) "E:\Program Files\ASMIALI.DLL"
2001-07-26 16:58:46 47 ( A.... ) "E:\Program Files\ACMonitor_X73.ini"
2001-07-05 12:46:44 8116 ( A.... ) "E:\Program Files\OSLO3071b2.USB"
2001-05-11 11:39:16 53248 ( A.... ) "E:\Program Files\ACMonitor_X73.exe"
2001-05-08 16:36:42 114688 ( A.... ) "E:\Program Files\lxarscan.dll"
2001-04-23 14:22:14 1437 ( A.... ) "E:\Program Files\gtx73.ini"
2001-02-22 09:54:36 768 ( A.... ) "E:\Program Files\x73_lut.dat"
2001-01-04 14:56:16 55296 ( A.... ) "E:\Program Files\Asmi686A.dll"
2000-10-03 14:20:14 27648 ( A.... ) "E:\Program Files\ASMICTRL.DLL"
2000-09-07 21:17:18 54784 ( A.... ) "E:\Program Files\Asmi5953.dll"
2000-06-14 18:28:46 31232 ( A.... ) "E:\Program Files\ASMIAHD.DLL"
2000-05-18 21:02:26 55808 ( A.... ) "E:\Program Files\ASMILM78.DLL"
1999-11-22 18:24:10 15872 ( A.... ) "E:\Program Files\RECHI.DLL"
1999-11-22 18:23:58 18944 ( A.... ) "E:\Program Files\REENG.DLL"
1999-08-21 11:29:46 118784 ( A.... ) "E:\Program Files\Cooling.exe"
1999-08-21 11:21:00 7869 ( A.... ) "E:\Program Files\IDLEHLT.VXD"
1999-05-12 11:56:28 55808 ( A.... ) "E:\Program Files\ASMI5952.DLL"
1999-04-27 20:15:44 16896 ( A.... ) "E:\Program Files\COLMICO.DLL"
1999-03-05 09:53:02 57344 ( A.... ) "E:\Program Files\ASMI5951.DLL"
1999-03-05 09:49:06 57344 ( A.... ) "E:\Program Files\ASMI782D.DLL"
1999-03-05 09:48:00 55808 ( A.... ) "E:\Program Files\ASMI781D.DLL"
1999-01-14 10:47:32 33280 ( A.... ) "E:\Program Files\ASUSAHD.DLL"
1998-11-20 02:57:24 18944 ( A.... ) "E:\Program Files\DISKICO.DLL"
1998-10-27 17:06:36 28160 ( A.... ) "E:\Program Files\ICON.DLL"
1998-10-20 04:18:24 21504 ( A.... ) "E:\Program Files\PROBUNIS.DLL"
1998-10-12 13:08:56 1394 ( A.... ) "E:\Program Files\ASUS.AHD"
1998-09-22 10:00:16 18944 ( A.... ) "E:\Program Files\RESOURCE.DLL"
1998-09-19 06:46:20 16896 ( A.... ) "E:\Program Files\MAINICON.DLL"
1998-08-20 02:42:38 9216 ( A.... ) "E:\Program Files\STRENG.DLL"
1998-08-20 02:42:08 99840 ( A.... ) "E:\Program Files\STRTC.DLL"
1998-08-18 08:17:40 29696 ( A.... ) "E:\Program Files\GETDMI.DLL"

Rootkit driver pe386 is present. A rootkit scan is required

Rootkit driver msguard is present. A rootkit scan is required


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-31 23:25 1,610,612,736 E:\pagefile.sys
2006-07-31 19:38 83,960 E:\WINDOWS\system32\zlcomm.dll
2006-07-31 19:38 796,584 E:\WINDOWS\system32\libeay32_0.9.6l.dll
2006-07-31 19:38 77,824 E:\WINDOWS\system32\driverif.dll
2006-07-31 19:38 75,776 E:\WINDOWS\zllsputility.exe
2006-07-31 19:38 733,236 E:\WINDOWS\system32\vete.dll
2006-07-31 19:38 71,672 E:\WINDOWS\system32\zlcommdb.dll
2006-07-31 19:38 71,672 E:\WINDOWS\system32\vsregexp.dll
2006-07-31 19:38 59,384 E:\WINDOWS\system32\vswmi.dll
2006-07-31 19:38 395,032 E:\WINDOWS\system32\vsdatant.sys
2006-07-31 19:38 268,280 E:\WINDOWS\system32\vspubapi.dll
2006-07-31 19:38 12,288 E:\WINDOWS\system32\vetntmsg.dll
2006-07-31 19:38 11,264 E:\WINDOWS\system32\SpOrder.dll
2006-07-31 19:38 104,440 E:\WINDOWS\system32\vsmonapi.dll
2006-07-31 19:38 100,344 E:\WINDOWS\system32\vsxml.dll
2006-07-31 19:37 83,960 E:\WINDOWS\system32\vsdata.dll
2006-07-31 19:37 440,312 E:\WINDOWS\system32\vsutil.dll
2006-07-31 19:37 157,688 E:\WINDOWS\system32\vsinit.dll
2006-07-31 18:07 1,073,074,176 E:\hiberfil.sys
2006-07-31 05:58 69,632 E:\WINDOWS\system32\eopilpgn.dll
2006-07-31 05:58 2 E:\WINDOWS\system32\wnstssv.exe
2006-07-31 05:57 69,632 E:\WINDOWS\system32\ahgcfian.dll
2006-07-31 05:54 61,440 E:\WINDOWS\system32\iko59bc2.dll
2006-07-31 05:54 48,167 E:\WINDOWS\system32\VSL05.exe
2006-07-31 05:54 235,134 E:\WINDOWS\srvhwpnzru.exe
2006-07-31 05:54 159,744 E:\WINDOWS\system32\redist.dll
2006-07-31 05:54 1,064 E:\WINDOWS\system32\iko59bc2.sys
2006-07-31 05:53 45,056 E:\WINDOWS\system32ghynf.exe
2006-07-31 05:53 36,864 E:\WINDOWS\system32n9nyb.exe
2006-07-31 05:53 36,864 E:\WINDOWS\system32\n9nyb.exe
2006-07-31 05:53 28,672 E:\WINDOWS\system32bez6n4r21.exe
2006-07-31 05:53 28,672 E:\WINDOWS\system32\iqqr.exe
2006-07-31 05:53 28,672 E:\WINDOWS\system32\bez6n4r21.exe
2006-07-31 05:53 232,749 E:\WINDOWS\pf78.exe
2006-07-31 05:53 21,504 E:\WINDOWS\offun.exe
2006-07-31 05:53 127,578 E:\WINDOWS\system32\tsuninst.exe
2006-07-31 05:53 1,064,304 E:\WINDOWS\nmawqiaA.exe
2006-06-29 10:07 61,440 E:\WINDOWS\system32\BattyRun.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SmcService"="E:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"DeadAIM"="rundll32.exe \"E:\\PROGRA~1\\AIM\\\\DeadAIM.ocm\",ExportedCheckODLs"
"NeroFilterCheck"="E:\\WINDOWS\\system32\\NeroCheck.exe"
"SoundMan"="SOUNDMAN.EXE"
"SunJavaUpdateSched"="E:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
"Symantec NetDriver Monitor"="E:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"PrinTray"="E:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe"
"ASUS Probe"="e:\\program files\\AsusProb.exe"
"Lexmark X73 Button Monitor"="E:\\PROGRA~1\\LEXMAR~1\\ACMonitor_X73.exe"
"Lexmark X73 Button Manager"="E:\\PROGRA~1\\LEXMAR~1\\AcBtnMgr_X73.exe"
"QuickTime Task"="\"E:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
@=""
"URLLSTCK.exe"="E:\\Program Files\\Norton Internet Security Professional\\UrlLstCk.exe"
"Zone Labs Client"="\"E:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AIM"="E:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"ctfmon.exe"="E:\\WINDOWS\\system32\\ctfmon.exe"
"msnmsgr"="\"E:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Yahoo! Pager"="E:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"E06AXLRD_-1331953546"="\"E:\\Program Files\\Microsoft Encarta\\Encarta Premium DVD 2006\\EDICT.EXE\" -m"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{F8DB672E-07D9-1033-1004-040408020001}"="\"E:\\Program Files\\Common Files\\{F8DB672E-07D9-1033-1004-040408020001}\\Update.exe\" mc-110-12-0000103"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,02,00,00,00,00,00,00,00,02,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="E:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="E:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="E:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
"path"="E:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office OneNote 2003 Quick Launch.lnk"
"backup"="E:\\WINDOWS\\pss\\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="E:\\PROGRA~1\\MICROS~2\\OFFICE11\\ONENOTEM.EXE /tsr"
"item"="Microsoft Office OneNote 2003 Quick Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it® Software Notes Lite.lnk]
"path"="E:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Post-it® Software Notes Lite.lnk"
"backup"="E:\\WINDOWS\\pss\\Post-it® Software Notes Lite.lnkCommon Startup"
"location"="Common Startup"
"command"="E:\\PROGRA~1\\3M\\PSNLite\\PsnLite.exe -RegRun"
"item"="Post-it® Software Notes Lite"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Dil^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
"path"="E:\\Documents and Settings\\Dil\\Start Menu\\Programs\\Startup\\Microsoft Office OneNote 2003 Quick Launch.lnk"
"backup"="E:\\WINDOWS\\pss\\Microsoft Office OneNote 2003 Quick Launch.lnkStartup"
"location"="Startup"
"command"="E:\\PROGRA~1\\MICROS~2\\OFFICE11\\ONENOTEM.EXE /tsr"
"item"="Microsoft Office OneNote 2003 Quick Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ad8rIU3s]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cvn0"
"hkey"="HKLM"
"command"="E:\\WINDOWS\\system32\\cvn0.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ares"
"hkey"="HKCU"
"command"="\"E:\\Program Files\\Ares Lite Edition\\Ares.exe\" -h"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"="\"E:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E06AXLRD_-1331953546]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="EDICT"
"hkey"="HKCU"
"command"="\"E:\\Program Files\\Microsoft Encarta\\Encarta Premium DVD 2006\\EDICT.EXE\" -m"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"E:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Xbznv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="r?ndll32"
"hkey"="HKCU"
"command"="E:\\WINDOWS\\s?mbols\\r?ndll32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="E:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"inimapping"="0"




Contents of the 'Scheduled Tasks' folder
E:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
E:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job
E:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Sat 08/05/2006 16:25:53.57
ComboFix ver 06.07.15/28 - This logfile is located at E:\ComboFix.txt

ComboFix.2006-08-05.162438.txt


GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-06 09:08:15
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.10 ----

SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwConnectPort
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwCreateFile
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwCreateKey
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwCreatePort
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwCreateProcess
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwCreateProcessEx
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwCreateSection
SSDT \??\E:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwCreateThread
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwCreateWaitablePort
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwDeleteFile
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwDeleteKey
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwDeleteValueKey
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwDuplicateObject
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwLoadKey
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwMapViewOfSection
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwOpenFile
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwOpenProcess
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwOpenThread
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwReplaceKey
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwRestoreKey
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwSecureConnectPort
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwSetInformationFile
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwSetSystemInformation
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwSetValueKey
SSDT \??\E:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwShutdownSystem
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwTerminateProcess

---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [EE2D4B10] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [EE2D4B10] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [EE2D4B10] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [EE2D4B10] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [EE2D4B10] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [EE2D4B10] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [EE2D4B10] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [EE2D4B10] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [EE2D4B10] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [EE2D4B10] vsdatant.sys
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 86ADB9B8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_NAMED_PIPE 86ADB9B8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 86ADB9B8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 86ADB9B8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 86ADB9B8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_INFORMATION 86ADB9B8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_INFORMATION 86ADB9B8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_EA 86ADB9B8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_EA 86ADB9B8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 86ADB9B8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_VOLUME_INFORMATION 86ADB9B8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_VOLUME_INFORMATION 86ADB9B8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DIRECTORY_CONTROL 86ADB9B8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FILE_SYSTEM_CONTROL 86ADB9B8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 86ADB9B8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 86ADB9B8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 86ADB9B8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_LOCK_CONTROL 86ADB9B8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLEANUP 86ADB9B8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_MAILSLOT 86ADB9B8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_SECURITY 86ADB9B8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_SECURITY 86ADB9B8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 86ADB9B8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 86ADB9B8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CHANGE 86ADB9B8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_QUOTA 86ADB9B8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_QUOTA 86ADB9B8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 86ADB9B8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP_POWER 86ADB9B8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 86ADB9B8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_NAMED_PIPE 86ADB9B8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 86ADB9B8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 86ADB9B8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 86ADB9B8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_INFORMATION 86ADB9B8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_INFORMATION 86ADB9B8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_EA 86ADB9B8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_EA 86ADB9B8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 86ADB9B8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_VOLUME_INFORMATION 86ADB9B8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_VOLUME_INFORMATION 86ADB9B8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DIRECTORY_CONTROL 86ADB9B8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FILE_SYSTEM_CONTROL 86ADB9B8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 86ADB9B8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 86ADB9B8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 86ADB9B8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_LOCK_CONTROL 86ADB9B8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLEANUP 86ADB9B8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_MAILSLOT 86ADB9B8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_SECURITY 86ADB9B8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_SECURITY 86ADB9B8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 86ADB9B8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 86ADB9B8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CHANGE 86ADB9B8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_QUOTA 86ADB9B8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_QUOTA 86ADB9B8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 86ADB9B8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP_POWER 86ADB9B8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_CREATE 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_CREATE_NAMED_PIPE 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_CLOSE 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_READ 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_WRITE 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_QUERY_INFORMATION 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_SET_INFORMATION 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_QUERY_EA 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_SET_EA 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_FLUSH_BUFFERS 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_QUERY_VOLUME_INFORMATION 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_SET_VOLUME_INFORMATION 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_DIRECTORY_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_FILE_SYSTEM_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_DEVICE_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_INTERNAL_DEVICE_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_SHUTDOWN 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_LOCK_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_CLEANUP 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_CREATE_MAILSLOT 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_QUERY_SECURITY 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_SET_SECURITY 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_POWER 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_SYSTEM_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_DEVICE_CHANGE 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_QUERY_QUOTA 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_SET_QUOTA 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_PNP 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_PNP_POWER 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_NAMED_PIPE 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLOSE 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_READ 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_WRITE 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_INFORMATION 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_INFORMATION 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_EA 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_EA 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FLUSH_BUFFERS 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_VOLUME_INFORMATION 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_VOLUME_INFORMATION 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DIRECTORY_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FILE_SYSTEM_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SHUTDOWN 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_LOCK_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLEANUP 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_MAILSLOT 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_SECURITY 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_SECURITY 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_POWER 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SYSTEM_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CHANGE 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_QUOTA 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_QUOTA 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_PNP 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_PNP_POWER 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CREATE 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CREATE_NAMED_PIPE 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CLOSE 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_READ 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_WRITE 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_INFORMATION 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_INFORMATION 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_EA 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_EA 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_FLUSH_BUFFERS 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_VOLUME_INFORMATION 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_VOLUME_INFORMATION 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DIRECTORY_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_FILE_SYSTEM_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DEVICE_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_INTERNAL_DEVICE_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SHUTDOWN 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_LOCK_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CLEANUP 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CREATE_MAILSLOT 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_SECURITY 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_SECURITY 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_POWER 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SYSTEM_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DEVICE_CHANGE 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_QUOTA 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_QUOTA 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_PNP 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_PNP_POWER 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_NAMED_PIPE 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLOSE 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_READ 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_WRITE 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_INFORMATION 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_INFORMATION 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_EA 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_EA 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FLUSH_BUFFERS 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_VOLUME_INFORMATION 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_VOLUME_INFORMATION 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DIRECTORY_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FILE_SYSTEM_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SHUTDOWN 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_LOCK_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLEANUP 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_MAILSLOT 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_SECURITY 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_SECURITY 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_POWER 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SYSTEM_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CHANGE 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_QUOTA 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_QUOTA 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_PNP 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_PNP_POWER 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_CREATE 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_CREATE_NAMED_PIPE 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_CLOSE 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_READ 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_WRITE 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_QUERY_INFORMATION 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_SET_INFORMATION 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_QUERY_EA 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_SET_EA 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_FLUSH_BUFFERS 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_QUERY_VOLUME_INFORMATION 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_SET_VOLUME_INFORMATION 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_DIRECTORY_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_FILE_SYSTEM_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_DEVICE_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_INTERNAL_DEVICE_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_SHUTDOWN 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_LOCK_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_CLEANUP 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_CREATE_MAILSLOT 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_QUERY_SECURITY 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_SET_SECURITY 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_POWER 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_SYSTEM_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_DEVICE_CHANGE 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_QUERY_QUOTA 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_SET_QUOTA 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_PNP 86BFF4F0
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_PNP_POWER 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CREATE 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CREATE_NAMED_PIPE 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CLOSE 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_READ 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_WRITE 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_INFORMATION 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_INFORMATION 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_EA 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_EA 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_FLUSH_BUFFERS 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_VOLUME_INFORMATION 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_VOLUME_INFORMATION 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_DIRECTORY_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_FILE_SYSTEM_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_DEVICE_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_INTERNAL_DEVICE_CONTROL 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SHUTDOWN 86BFF4F0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_LOCK_CON

Edited by crazyme, 06 August 2006 - 08:14 AM.
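A way to make a GMER hook listing like the one above quicker to review, as an added example (not part of this thread and not GMER's own code): it parses the SSDT and device-dispatch lines, groups the hooked services by the driver that hooks them, and flags any hooking driver that is not on an allow-list. The allow-list is an assumption for this particular machine (vsdatant.sys is ZoneAlarm's TrueVector driver, wpsdrvnt.sys is Sygate's), and the EXAMPLE_unknown.sys line in the sample is a constructed name so the check has something to report.

```python
import re
from collections import defaultdict

# Constructed sample in GMER's two line formats. The fourth SSDT line uses a
# made-up driver name so the allow-list check below has something to flag.
SAMPLE_GMER = r"""
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwCreateProcess
SSDT \??\E:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwCreateThread
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwTerminateProcess
SSDT \??\E:\WINDOWS\system32\drivers\EXAMPLE_unknown.sys ZwEnumerateKey
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [EE2D4B10] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [EE2D4B10] vsdatant.sys
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 86ADB9B8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 86ADB9B8
"""

# Assumed allow-list for this machine: the kernel drivers of the two host
# firewalls it runs (ZoneAlarm's TrueVector and Sygate). Not a GMER feature.
KNOWN_HIPS_DRIVERS = {"vsdatant.sys", "wpsdrvnt.sys"}

# "SSDT <image path> <Zw service>"
SSDT_RE = re.compile(r"^SSDT\s+(?P<image>\S+)\s+(?P<service>Zw\w+)$")
# "Device <driver object> <device object> <IRP major> [<addr>] <image>"  or
# "Device <driver object> <device object> <IRP major> <addr>"
DEVICE_RE = re.compile(
    r"^Device\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<irp>IRP_MJ_\w+)\s+"
    r"(?:\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<image>\S+)|(?P<bare>[0-9A-Fa-f]+))$"
)


def basename(path):
    """Return the image file name from a kernel object path."""
    return path.rsplit("\\", 1)[-1]


def parse_gmer(text):
    """Split a GMER report into SSDT hook records and device-dispatch records."""
    ssdt, devices = [], []
    for line in text.splitlines():
        line = line.strip()
        m = SSDT_RE.match(line)
        if m:
            ssdt.append((basename(m.group("image")), m.group("service")))
            continue
        m = DEVICE_RE.match(line)
        if m:
            devices.append({
                "driver": m.group("driver"),
                "device": m.group("device"),
                "irp": m.group("irp"),
                "addr": (m.group("addr") or m.group("bare")).upper(),
                "image": m.group("image"),  # None when GMER printed no image name
            })
    return {"ssdt": ssdt, "devices": devices}


def ssdt_by_driver(ssdt):
    """Group hooked system services by the driver that hooks them."""
    grouped = defaultdict(list)
    for image, service in ssdt:
        grouped[image].append(service)
    return {image: sorted(services) for image, services in grouped.items()}


def unexpected_hooks(ssdt, allowed):
    """SSDT hooks placed by any driver that is not on the reviewer's allow-list."""
    allowed = {name.lower() for name in allowed}
    return [(image, service) for image, service in ssdt if image.lower() not in allowed]


def device_summary(devices):
    """Map (driver object, device object) to the set of dispatch addresses seen."""
    summary = defaultdict(set)
    for rec in devices:
        summary[(rec["driver"], rec["device"])].add(rec["addr"])
    return dict(summary)


if __name__ == "__main__":
    report = parse_gmer(SAMPLE_GMER)
    for image, services in ssdt_by_driver(report["ssdt"]).items():
        print(f"{image}: {len(services)} SSDT hook(s): {', '.join(services)}")
    for image, service in unexpected_hooks(report["ssdt"], KNOWN_HIPS_DRIVERS):
        print(f"REVIEW: {service} is hooked by non-allow-listed driver {image}")
    for (driver, device), addrs in device_summary(report["devices"]).items():
        print(f"{driver} {device}: dispatch at {', '.join(sorted(addrs))}")
```

Hooks from both host firewalls are expected on this machine; what the script separates out is any driver hooking the same services that the reviewer cannot account for, which is the part of a GMER listing worth reading line by line.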


#6 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 06 August 2006 - 08:15 AM

Ok, please post a New combofix log also.
David

#7 crazyme

crazyme
  • Topic Starter

  • Members
  • 23 posts

Posted 06 August 2006 - 08:26 AM

It's posted with the other log; I edited it and just posted it along with the GMER log. Thanks.

**
I just checked my Windows Update; it seems that my computer never updated automatically and never got patched since Aug 15th 2005. I did a manual update; it just downloaded the updates and after that nothing else happened. I have manually installed 41 updates. I just thought I would add this information in trying to get my computer back in order. Thanks!

Edited by crazyme, 06 August 2006 - 01:28 PM.


#8 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 06 August 2006 - 01:30 PM

I'm just going over your log at the moment.
David

#9 crazyme

crazyme
  • Topic Starter

  • Members
  • 23 posts

Posted 06 August 2006 - 02:06 PM

My computer seems to have gotten slower after the Windows updates. Either that or I'm hallucinating :thumbsup: Here is the updated HJT log file with my computer updated. I didn't know if you needed to see one with Windows updates or not. Also, I don't remember if I mentioned this or not, but in msconfig I disabled r?dll.exe from running since I knew it was bad. I'm assuming that, in order for it to get attended to correctly, I should enable the process on startup and allow my spyware/AV to detect it and delete it that way? Thanks for all the help.


Logfile of HijackThis v1.99.1
Scan saved at 3:03:17 PM, on 8/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\LEXBCES.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\Program Files\Common Files\Symantec Shared\ccProxy.exe
E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\WINDOWS\system32\ZoneLabs\isafe.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
E:\program files\AsusProb.exe
E:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
E:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\WINDOWS\system32\ctfmon.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Program Files\AIM\aim.exe
E:\Program Files\Symantec\LiveUpdate\AUpdate.exe
E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
E:\Documents and Settings\Dil\Desktop\Downloads\hijackthis\HijackThis.exe
E:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
E:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
E:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
E:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
E:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
E:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
E:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - E:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "E:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PrinTray] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [ASUS Probe] e:\program files\AsusProb.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] E:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] E:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [URLLSTCK.exe] E:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Zone Labs Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [vwvogrkg] E:\gvchgehc.bat
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] E:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [E06AXLRD_-1331953546] "E:\Program Files\Microsoft Encarta\Encarta Premium DVD 2006\EDICT.EXE" -m
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://e:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - E:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1154886465015
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - E:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - E:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by crazyme, 06 August 2006 - 02:10 PM.
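As an added example (not from this thread, and not part of HijackThis), a small triage script for the O4, O20 and O23 lines of a log like the one above. The sample lines are copied from the log in this thread; the heuristics (launchers in a drive root or temp directory, script files in Run keys, msconfig running with /auto, services whose binary is missing, Winlogon Notify DLLs) are this example's own assumptions, so a hit means "look at this first", not a verdict.

```python
import re

# Sample HijackThis lines copied from the log posted in this thread. The
# triage heuristics below are this example's own, not HijackThis's.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [vwvogrkg] E:\gvchgehc.bat
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# The short service name in parentheses is optional in HijackThis output.
O23_RE = re.compile(
    r"^O23 - Service: (?P<desc>.+?)(?: \((?P<name>[^)]+)\))? - (?P<owner>.*?) - (?P<path>.*)$"
)
EXT_RE = re.compile(r"\.(exe|bat|cmd|vbs|pif|scr|com|dll)\b", re.IGNORECASE)
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".pif", ".scr")


def extract_path(cmd):
    """Pull the launched file out of a Run value, whether quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXT_RE.search(cmd)  # unquoted paths may contain spaces, so stop at the extension
    return cmd[:m.end()] if m else cmd.split(" ")[0]


def run_entry_reasons(path, cmd):
    """Heuristic reasons an O4 entry deserves a closer look (assumptions, see lead-in)."""
    reasons = []
    lower = path.lower()
    if re.fullmatch(r"[a-z]:\\[^\\]+", lower):
        reasons.append("launched from a drive root")
    if "\\temp\\" in lower:
        reasons.append("launched from a temp directory")
    if lower.endswith(SCRIPT_EXTS):
        reasons.append("script or non-.exe launcher in a Run key")
    if lower.endswith("msconfig.exe") and "/auto" in cmd.lower():
        reasons.append("selective startup in effect; items disabled in msconfig are not listed")
    return reasons


def triage_hjt(text):
    """Return the entries a helper should look at first, each with its reasons."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            path = extract_path(m.group("cmd"))
            reasons = run_entry_reasons(path, m.group("cmd"))
            if reasons:
                findings.append({"kind": "O4", "name": m.group("name"),
                                 "path": path, "reasons": reasons})
            continue
        m = O20_RE.match(line)
        if m:
            # Winlogon Notify DLLs are loaded into winlogon.exe; always verify them.
            findings.append({"kind": "O20", "name": m.group("name"), "path": m.group("path"),
                             "reasons": ["DLL loaded by winlogon; verify publisher and file"]})
            continue
        m = O23_RE.match(line)
        if m:
            reasons = []
            if "(file missing)" in m.group("path"):
                reasons.append("service binary missing on disk")
            if m.group("owner") == "Unknown owner":
                reasons.append("no publisher recorded for the service")
            if reasons:
                findings.append({"kind": "O23", "name": m.group("name") or m.group("desc"),
                                 "path": m.group("path"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"{f['kind']} [{f['name']}] {f['path']}")
        for reason in f["reasons"]:
            print(f"    - {reason}")
```

The msconfig finding matters for exactly the situation described in the post above: once an item is disabled in msconfig it no longer appears under O4, so a clean-looking Run section does not by itself mean the startup entry is gone.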


#10 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 06 August 2006 - 02:30 PM

I've been thinking about why the Avenger didn't work, and have corresponded with an expert.
We think it could be one of two things.

1) Firstly, your firewalls: Zone Alarm + Sygate.
Either might be interfering with the fix and stopping the Avenger from working.
The fact you have two firewalls running together isn't really a good idea, even though I have been told that ZA and Sygate can run seamlessly together. My recommendation would be to get rid of one of them. Bear in mind that Sygate is no longer updating; this will not be a problem unless a vulnerability arises. ZA is less powerful but is still a very good option. Of course I am not forcing you, but I would recommend you remove one of them. If you remove Sygate then temporarily I want you to disable your Zone Alarm firewall and its activity. So,
Go to the Program tab, then click "Main".
Press the first "Custom" button from the top.
Uncheck "Enable OS Firewall".
Click OK.
- As soon as we get the script to work we can enable it.

If you removed ZA you can disable the Sygate one temporarily by right-clicking on the system tray icon and exiting the firewall.

You know that you can remove the firewalls through add/remove in the control panel.

2) You didn't extract the avenger executable from the zip folder.
This is the main reason why the program doesn't create the text file's contents - if it isn't unzipped.
Here is a handy tool on how to unzip a file:
http://consumer.installshield.com/kb.asp?id=Q108326

So download avenger.zip from here:
http://swandog46.geekstogo.com/avenger.zip
Save the zip and unzip the .exe to your desktop.
_________________________________________

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to unload:
pe386
msguard


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply. Also post a new Combofix log.

David

Edited by D-Trojanator, 06 August 2006 - 02:31 PM.


#11 crazyme

crazyme
  • Topic Starter

  • Members
  • 23 posts

Posted 06 August 2006 - 03:25 PM

Alright, I shut down Sygate this time when I ran Avenger; it seemed to work better. Before I post the logs I just wanted to mention that when I was running ComboFix, ZoneAlarm was saying that swreg.exe was trying to install PE386 and MSGUARD; both times I hit deny. swreg was also trying to launch E:\WINDOWS\regedit.exe and I hit deny; when I did, a prompt came up saying I had no privileges to access regedit and blah blah blah. But I checked and my regedit works when I go to Run and type in regedit. Here are all of my logs: Avenger, Combo and Hijack. I think that is the latest ComboFix log; there were four txt files of those and this one seems to make sense with the time and what not. Sorry, I forgot to mention that I had the r?ndll.exe process from running on startup and so it won't show up in the HijackThis log. It is, however, in the previous HJT log, I believe, in which I had it enabled and had HijackThis run a check. Thanks again!

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\raoggcnr

*******************

Script file located at: \??\E:\WINDOWS\system32\dnygkngy.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at E:\Avenger

*******************

Beginning to process script file:



Registry key \Registry\Machine\System\CurrentControlSet\Services\pe386 not found!
Unload of driver pe386 failed!

Could not process line:
pe386
Status: 0xc0000034



Registry key \Registry\Machine\System\CurrentControlSet\Services\msguard not found!
Unload of driver msguard failed!

Could not process line:
msguard
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 4:16:35 PM, on 8/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\LEXBCES.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\Program Files\Common Files\Symantec Shared\ccProxy.exe
E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
E:\WINDOWS\Explorer.EXE
E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\WINDOWS\system32\ZoneLabs\isafe.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
E:\program files\AsusProb.exe
E:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
E:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\Common Files\{F8DB672E-07D9-1033-1004-040408020001}\Update.exe
E:\WINDOWS\system32\ctfmon.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Documents and Settings\Dil\Desktop\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - E:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "E:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PrinTray] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [ASUS Probe] e:\program files\AsusProb.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] E:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] E:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [URLLSTCK.exe] E:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Zone Labs Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [vwvogrkg] E:\gvchgehc.bat
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] E:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [E06AXLRD_-1331953546] "E:\Program Files\Microsoft Encarta\Encarta Premium DVD 2006\EDICT.EXE" -m
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://e:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - E:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1154886465015
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - E:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - E:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe

Start Time= Sun 08/06/2006 16:13:11.04
Running from: E:\Documents and Settings\Dil\Desktop\Downloads

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


E:\Documents and Settings\Dil\Local Settings\Temp\drsmartload180a.exe
E:\Documents and Settings\Dil\Local Settings\Temporary Internet Files\Content.IE5\PHRSB3MW\drsmartload849a[1].exe
E:\WINDOWS\uninstall_nmon.vbs
E:\WINDOWS\system32\atmtd.dll
E:\WINDOWS\system32\atmtd.dll._


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-06 09:11:22 683 ( A.... ) "E:\Combo.bat"
2006-08-06 08:56:12 528446 ( A.... ) "E:\WINDOWS\gmer.dll"
2006-08-06 08:44:16 72 ( A.... ) "E:\Program Files\becvapgc.txt"
2006-08-03 23:01:32 ( .D... ) "E:\Program Files\SpywareBlaster"
2006-07-31 19:38:32 ( .D... ) "E:\Program Files\Zone Labs"
2006-07-31 06:11:16 ( .D... ) "E:\Documents and Settings\Dil\Application Data\SystemDoctor 2006 Free"
2006-07-31 05:58:28 2 ( A.... ) "E:\WINDOWS\system32\wnstssv.exe"
2006-07-31 05:54:38 61440 ( A.... ) "E:\WINDOWS\system32\iko59bc2.dll"
2006-07-31 05:54:38 1064 ( A.... ) "E:\WINDOWS\system32\iko59bc2.sys"
2006-07-31 05:54:38 1064 ( A.... ) "E:\WINDOWS\system32\iko59bc2.sys"
2006-07-31 05:54:32 235134 ( A.... ) "E:\WINDOWS\srvhwpnzru.exe"
2006-07-31 05:54:22 ( .D... ) "E:\Program Files\System Icons"
2006-07-31 05:54:22 ( .D... ) "E:\Program Files\System Files"
2006-07-31 05:53:56 ( .D... ) "E:\Program Files\Common Files\zouu"
2006-07-31 05:53:42 232749 ( A.... ) "E:\WINDOWS\pf78.exe"
2006-07-31 05:53:24 ( AD... ) "E:\Program Files\webHancer"
2006-07-31 05:53:12 45056 ( A.... ) "E:\WINDOWS\system32ghynf.exe"
2006-07-31 05:53:12 36864 ( A.... ) "E:\WINDOWS\system32n9nyb.exe"
2006-07-31 05:53:12 28672 ( A.... ) "E:\WINDOWS\system32bez6n4r21.exe"
2006-07-31 05:53:12 28672 ( A.... ) "E:\WINDOWS\system32\iqqr.exe"
2006-07-31 05:53:10 36864 ( A.... ) "E:\WINDOWS\system32\n9nyb.exe"
2006-07-31 05:53:10 28672 ( A.... ) "E:\WINDOWS\system32\bez6n4r21.exe"
2006-07-31 05:53:02 ( .D... ) "E:\Program Files\Common Files\{F8DB672E-07D9-1033-1004-040408020001}"
2006-07-30 13:19:10 ( .D... ) "E:\Program Files\QuickPar"
2006-07-21 18:55:38 127578 ( A.... ) "E:\WINDOWS\system32\tsuninst.exe"
2006-07-01 00:43:26 ( .D... ) "E:\Program Files\Sports Mogul"
2006-06-25 08:57:46 ( .D... ) "E:\Program Files\Common Files\Adobe"
2006-06-19 16:20:42 702768 ( ..... ) "E:\WINDOWS\system32\WgaLogon.dll"
2006-06-12 20:02:08 ( .D... ) "E:\Documents and Settings\Dil\Application Data\Talkback"
2006-06-12 20:00:06 ( .D... ) "E:\Documents and Settings\Dil\Application Data\Thunderbird"
2006-06-12 19:59:40 ( .D... ) "E:\Program Files\Mozilla Thunderbird"
2006-06-09 06:18:56 49152 ( A.... ) "E:\WINDOWS\system32\pmnnn.exe"
2006-06-08 22:26:10 13837 ( A.SH. ) "E:\WINDOWS\system32\ssqrsqr.dll"
2006-06-07 13:55:52 3753 ( A.... ) "E:\Program Files\html2.htm"
2006-06-07 13:55:52 3626 ( A.... ) "E:\Program Files\html1.htm"
2006-06-06 20:49:18 745531 ( A.... ) "E:\WINDOWS\gmer.exe"
2006-05-31 17:52:58 395032 ( A.... ) "E:\WINDOWS\system32\vsdatant.sys"
2006-05-31 17:52:44 75776 ( A.... ) "E:\WINDOWS\zllsputility.exe"
2006-05-31 17:51:58 71672 ( A.... ) "E:\WINDOWS\system32\zlcommdb.dll"
2006-05-31 17:51:56 83960 ( A.... ) "E:\WINDOWS\system32\zlcomm.dll"
2006-05-31 17:51:54 100344 ( A.... ) "E:\WINDOWS\system32\vsxml.dll"
2006-05-31 17:51:54 59384 ( A.... ) "E:\WINDOWS\system32\vswmi.dll"
2006-05-31 17:51:52 440312 ( A.... ) "E:\WINDOWS\system32\vsutil.dll"
2006-05-31 17:51:46 268280 ( A.... ) "E:\WINDOWS\system32\vspubapi.dll"
2006-05-31 17:51:46 71672 ( A.... ) "E:\WINDOWS\system32\vsregexp.dll"
2006-05-31 17:51:44 104440 ( A.... ) "E:\WINDOWS\system32\vsmonapi.dll"
2006-05-31 17:51:42 157688 ( A.... ) "E:\WINDOWS\system32\vsinit.dll"
2006-05-31 17:51:38 83960 ( A.... ) "E:\WINDOWS\system32\vsdata.dll"
2006-05-31 17:51:20 796584 ( A.... ) "E:\WINDOWS\system32\libeay32_0.9.6l.dll"
2006-05-19 08:59:42 148480 ( A.... ) "E:\WINDOWS\system32\dnsapi.dll"
2006-05-19 08:59:42 111616 ( A.... ) "E:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 08:59:42 94720 ( A.... ) "E:\WINDOWS\system32\iphlpapi.dll"
2005-05-30 16:05:08 6030 ( A.... ) "E:\Program Files\DeIsL1.isu"
2004-05-12 19:56:02 54784 ( A.... ) "E:\Program Files\Asmi8705.dll"
2004-05-10 11:15:32 58880 ( A.... ) "E:\Program Files\Asmi697h.dll"
2004-04-15 17:31:58 84992 ( A.... ) "E:\Program Files\coDmi.dll"
2004-04-15 16:58:56 57344 ( A.... ) "E:\Program Files\AsmiEHFA.dll"
2004-04-08 14:02:46 58880 ( A.... ) "E:\Program Files\AsmiTHFA.dll"
2004-04-02 15:34:04 37888 ( A.... ) "E:\Program Files\AsmiEnum.dll"
2004-03-16 16:17:42 28160 ( A.... ) "E:\Program Files\AsmiSpch.dll"
2003-12-09 18:25:02 35328 ( A.... ) "E:\Program Files\AsGetDmi.dll"
2003-12-01 16:23:38 54784 ( A.... ) "E:\Program Files\Asmi8712.dll"
2003-11-28 11:53:48 59392 ( A.... ) "E:\Program Files\Asmi627h.dll"
2003-11-11 17:48:48 683 ( A.... ) "E:\Program Files\AsusPb.ini"
2003-09-23 11:44:32 535040 ( A.... ) "E:\Program Files\COLM7578.DLL"
2003-07-16 19:28:16 62976 ( A.... ) "E:\Program Files\AsmiAsus.dll"
2003-07-15 10:42:44 56832 ( A.... ) "E:\Program Files\Asmi366.dll"
2003-05-28 22:06:06 59904 ( A.... ) "E:\Program Files\AsmiM192.dll"
2003-05-28 20:25:04 31232 ( A.... ) "E:\Program Files\AsmiIntl.dll"
2003-05-13 15:40:10 31232 ( A.... ) "E:\Program Files\AsmiHwIo.dll"
2003-04-17 20:36:00 29184 ( A.... ) "E:\Program Files\AsmiNvi2.dll"
2003-03-25 13:45:00 37888 ( A.... ) "E:\Program Files\ASMIDMI.DLL"
2002-12-06 16:07:48 617984 ( A.... ) "E:\Program Files\AsusProb.exe"
2002-11-27 20:52:54 29696 ( A.... ) "E:\Program Files\AsmiVia.dll"
2002-09-11 16:38:24 52224 ( A.... ) "E:\Program Files\ASUS.DLL"
2002-07-22 20:57:24 53760 ( A.... ) "E:\Program Files\AsmiAspm.dll"
2001-11-19 15:55:04 31232 ( A.... ) "E:\Program Files\ASMISIS.DLL"
2001-11-14 11:28:28 29184 ( A.... ) "E:\Program Files\AsmiIntO.dll"
2001-10-12 15:35:22 29184 ( A.... ) "E:\Program Files\AsmiAmd.dll"
2001-09-26 11:26:56 29184 ( A.... ) "E:\Program Files\AsmiNvid.dll"
2001-09-10 11:28:26 90624 ( A.... ) "E:\Program Files\CODISK.DLL"
2001-08-30 15:19:40 54272 ( A.... ) "E:\Program Files\Asmi630E.dll"
2001-08-16 15:30:10 31232 ( A.... ) "E:\Program Files\ASMIALI.DLL"
2001-07-26 16:58:46 47 ( A.... ) "E:\Program Files\ACMonitor_X73.ini"
2001-07-05 12:46:44 8116 ( A.... ) "E:\Program Files\OSLO3071b2.USB"
2001-05-11 11:39:16 53248 ( A.... ) "E:\Program Files\ACMonitor_X73.exe"
2001-05-08 16:36:42 114688 ( A.... ) "E:\Program Files\lxarscan.dll"
2001-04-23 14:22:14 1437 ( A.... ) "E:\Program Files\gtx73.ini"
2001-02-22 09:54:36 768 ( A.... ) "E:\Program Files\x73_lut.dat"
2001-01-04 14:56:16 55296 ( A.... ) "E:\Program Files\Asmi686A.dll"
2000-10-03 14:20:14 27648 ( A.... ) "E:\Program Files\ASMICTRL.DLL"
2000-09-07 21:17:18 54784 ( A.... ) "E:\Program Files\Asmi5953.dll"
2000-06-14 18:28:46 31232 ( A.... ) "E:\Program Files\ASMIAHD.DLL"
2000-05-18 21:02:26 55808 ( A.... ) "E:\Program Files\ASMILM78.DLL"
1999-11-22 18:24:10 15872 ( A.... ) "E:\Program Files\RECHI.DLL"
1999-11-22 18:23:58 18944 ( A.... ) "E:\Program Files\REENG.DLL"
1999-08-21 11:29:46 118784 ( A.... ) "E:\Program Files\Cooling.exe"
1999-08-21 11:21:00 7869 ( A.... ) "E:\Program Files\IDLEHLT.VXD"
1999-05-12 11:56:28 55808 ( A.... ) "E:\Program Files\ASMI5952.DLL"
1999-04-27 20:15:44 16896 ( A.... ) "E:\Program Files\COLMICO.DLL"
1999-03-05 09:53:02 57344 ( A.... ) "E:\Program Files\ASMI5951.DLL"
1999-03-05 09:49:06 57344 ( A.... ) "E:\Program Files\ASMI782D.DLL"
1999-03-05 09:48:00 55808 ( A.... ) "E:\Program Files\ASMI781D.DLL"
1999-01-14 10:47:32 33280 ( A.... ) "E:\Program Files\ASUSAHD.DLL"
1998-11-20 02:57:24 18944 ( A.... ) "E:\Program Files\DISKICO.DLL"
1998-10-27 17:06:36 28160 ( A.... ) "E:\Program Files\ICON.DLL"
1998-10-20 04:18:24 21504 ( A.... ) "E:\Program Files\PROBUNIS.DLL"
1998-10-12 13:08:56 1394 ( A.... ) "E:\Program Files\ASUS.AHD"
1998-09-22 10:00:16 18944 ( A.... ) "E:\Program Files\RESOURCE.DLL"
1998-09-19 06:46:20 16896 ( A.... ) "E:\Program Files\MAINICON.DLL"
1998-08-20 02:42:38 9216 ( A.... ) "E:\Program Files\STRENG.DLL"
1998-08-20 02:42:08 99840 ( A.... ) "E:\Program Files\STRTC.DLL"
1998-08-18 08:17:40 29696 ( A.... ) "E:\Program Files\GETDMI.DLL"

Rootkit driver pe386 is present. A rootkit scan is required

Rootkit driver msguard is present. A rootkit scan is required


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))




(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SmcService"="E:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"DeadAIM"="rundll32.exe \"E:\\PROGRA~1\\AIM\\\\DeadAIM.ocm\",ExportedCheckODLs"
"NeroFilterCheck"="E:\\WINDOWS\\system32\\NeroCheck.exe"
"SoundMan"="SOUNDMAN.EXE"
"SunJavaUpdateSched"="E:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
"Symantec NetDriver Monitor"="E:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"PrinTray"="E:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe"
"ASUS Probe"="e:\\program files\\AsusProb.exe"
"Lexmark X73 Button Monitor"="E:\\PROGRA~1\\LEXMAR~1\\ACMonitor_X73.exe"
"Lexmark X73 Button Manager"="E:\\PROGRA~1\\LEXMAR~1\\AcBtnMgr_X73.exe"
"QuickTime Task"="\"E:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
@=""
"URLLSTCK.exe"="E:\\Program Files\\Norton Internet Security Professional\\UrlLstCk.exe"
"Zone Labs Client"="\"E:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"MSConfig"="E:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
"vwvogrkg"="E:\\gvchgehc.bat"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AIM"="E:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"ctfmon.exe"="E:\\WINDOWS\\system32\\ctfmon.exe"
"msnmsgr"="\"E:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Yahoo! Pager"="E:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"E06AXLRD_-1331953546"="\"E:\\Program Files\\Microsoft Encarta\\Encarta Premium DVD 2006\\EDICT.EXE\" -m"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{F8DB672E-07D9-1033-1004-040408020001}"="\"E:\\Program Files\\Common Files\\{F8DB672E-07D9-1033-1004-040408020001}\\Update.exe\" mc-110-12-0000103"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="E:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="E:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="E:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
"path"="E:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office OneNote 2003 Quick Launch.lnk"
"backup"="E:\\WINDOWS\\pss\\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="E:\\PROGRA~1\\MICROS~2\\OFFICE11\\ONENOTEM.EXE /tsr"
"item"="Microsoft Office OneNote 2003 Quick Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it® Software Notes Lite.lnk]
"path"="E:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Post-it® Software Notes Lite.lnk"
"backup"="E:\\WINDOWS\\pss\\Post-it® Software Notes Lite.lnkCommon Startup"
"location"="Common Startup"
"command"="E:\\PROGRA~1\\3M\\PSNLite\\PsnLite.exe -RegRun"
"item"="Post-it® Software Notes Lite"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Dil^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
"path"="E:\\Documents and Settings\\Dil\\Start Menu\\Programs\\Startup\\Microsoft Office OneNote 2003 Quick Launch.lnk"
"backup"="E:\\WINDOWS\\pss\\Microsoft Office OneNote 2003 Quick Launch.lnkStartup"
"location"="Startup"
"command"="E:\\PROGRA~1\\MICROS~2\\OFFICE11\\ONENOTEM.EXE /tsr"
"item"="Microsoft Office OneNote 2003 Quick Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ad8rIU3s]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cvn0"
"hkey"="HKLM"
"command"="E:\\WINDOWS\\system32\\cvn0.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ares"
"hkey"="HKCU"
"command"="\"E:\\Program Files\\Ares Lite Edition\\Ares.exe\" -h"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"="\"E:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E06AXLRD_-1331953546]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="EDICT"
"hkey"="HKCU"
"command"="\"E:\\Program Files\\Microsoft Encarta\\Encarta Premium DVD 2006\\EDICT.EXE\" -m"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"E:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Xbznv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="r?ndll32"
"hkey"="HKCU"
"command"="E:\\WINDOWS\\s?mbols\\r?ndll32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="E:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"inimapping"="0"




Contents of the 'Scheduled Tasks' folder
E:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
E:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job
E:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Sun 08/06/2006 16:15:09.25
ComboFix ver 06.07.15/28 - This logfile is located at E:\ComboFix.txt

ComboFix.2006-08-05.162438.txt
ComboFix.2006-08-06.091007.txt
ComboFix.2006-08-06.161310.txt

Edited by crazyme, 06 August 2006 - 03:31 PM.
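
A small triage helper for the O4 (Run key) lines in a HijackThis log, added here as an example and not part of this thread or of HijackThis itself. The sample lines are copied from the log above; the r?ndll32 and Temp-folder entries are constructed in O4 form from the msconfig startupreg and "Other Deletions" sections so that every check is exercised.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Constructed sample: O4 lines from the HijackThis log in this thread, plus two
# entries rewritten into O4 form from the startupreg and "Other Deletions" sections.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "E:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vwvogrkg] E:\gvchgehc.bat
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [r?ndll32] E:\WINDOWS\s?mbols\r?ndll32.exe
O4 - HKCU\..\Run: [drsmartload] E:\Documents and Settings\Dil\Local Settings\Temp\drsmartload180a.exe
""".strip().splitlines()

# "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)
# First executable-looking token of the command, quoted or not.
EXE_RE = re.compile(
    r'^"?(?P<path>[^"]+?\.(?:exe|bat|cmd|com|scr|pif|vbs|js|dll|ocm))(?:"|\s|$)',
    re.IGNORECASE,
)
SCRIPT_EXT = {".bat", ".cmd", ".vbs", ".js"}
TEMP_MARKERS = ("\\local settings\\temp\\", "\\temporary internet files\\")


def looks_random(token: str) -> bool:
    """Heuristic for machine-generated names such as 'vwvogrkg' or 'gvchgehc':
    all lowercase letters, at least 8 long, fewer than one vowel in five."""
    if not (token.isalpha() and token.islower() and len(token) >= 8):
        return False
    return sum(c in "aeiou" for c in token) / len(token) < 0.2


def triage_o4(line: str) -> Optional[Dict[str, object]]:
    """Parse one O4 line; return its fields plus review flags, or None if not O4."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    name, cmd = m["name"], m["cmd"]
    flags: List[str] = []
    if looks_random(name):
        flags.append("random-name")
    em = EXE_RE.match(cmd)
    text = em["path"] if em else None
    if text is not None:
        path = PureWindowsPath(text)
        if "?" in text:
            # HijackThis prints '?' for characters it cannot render; genuine
            # system binaries have no such characters in their path.
            flags.append("unrenderable-chars")
        if path.suffix.lower() in SCRIPT_EXT:
            flags.append("script-autorun")
        if path.drive and len(path.parts) == 2:
            flags.append("drive-root")          # e.g. E:\gvchgehc.bat
        if any(marker in text.lower() for marker in TEMP_MARKERS):
            flags.append("temp-dir")
        if looks_random(path.stem):
            flags.append("random-filename")
    return {"hive": m["hive"], "name": name, "path": text, "flags": flags}


def review(lines: List[str]) -> Dict[str, List[str]]:
    """Map each O4 entry name to its flags (empty list = nothing suspicious)."""
    out: Dict[str, List[str]] = {}
    for line in lines:
        r = triage_o4(line)
        if r is not None:
            out[r["name"]] = r["flags"]
    return out


if __name__ == "__main__":
    for name, flags in review(SAMPLE_O4_LINES).items():
        print(f"{name:15} {', '.join(flags) or 'ok'}")
```

The flags are prompts for a human reviewer, not verdicts: a bare `rundll32.exe` or `SOUNDMAN.EXE` entry resolves through PATH and is deliberately left unflagged.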


#12 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:10:38 PM

Posted 06 August 2006 - 04:56 PM

Hey there,

I think that the problem here is Zone Alarm.

Let me try and explain. Combofix runs and searches a certain part of the registry, for example. Zone Alarm blocks access to certain keys, so they act like a rootkit, and therefore Combofix flags them as a rootkit. I think that may be part of the problem and it is possible that the rootkits are not actually present. The Avenger said it was not able to unload the rootkits as it couldn't find them - I think that Zone Alarm is stopping the program working, and you should be allowing changes to be made instead of denying them.

How Combofix detects whether the rootkits are present is by creating a dummy pe386 and msguard rootkit; then a process is able to decide whether the rootkit is present or not. Zone Alarm is denying these dummies being created, so it has no choice but to assume the rootkit is present.
However, I think it isn't.

You can go ahead and delete the Avenger now as it's no longer needed.
You can re-enable the firewalls you disabled earlier.
Let's go ahead and start afresh - New Hijackthis log, and new Combofix, we can work from there.

David

Edited by D-Trojanator, 06 August 2006 - 04:57 PM.
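
The reasoning in the post above, written out as a cross-check a helper can run over the two logs: a ComboFix "Rootkit driver X is present" line whose service key The Avenger then reports as not found is unconfirmed rather than proven. This is an added example, not part of the thread or of either tool; it relies only on the exact "not found!" wording visible in the Avenger log above and assumes nothing about Avenger's success messages.

```python
import re
from typing import Dict

# Constructed excerpts, copied from the ComboFix and Avenger logs in this thread.
COMBOFIX_LOG = """
Rootkit driver pe386 is present. A rootkit scan is required

Rootkit driver msguard is present. A rootkit scan is required
"""

AVENGER_LOG = r"""
Registry key \Registry\Machine\System\CurrentControlSet\Services\pe386 not found!
Unload of driver pe386 failed!

Could not process line:
pe386
Status: 0xc0000034

Registry key \Registry\Machine\System\CurrentControlSet\Services\msguard not found!
Unload of driver msguard failed!
"""

# 0xC0000034 is the NTSTATUS code STATUS_OBJECT_NAME_NOT_FOUND, which is
# consistent with the "not found!" lines: the service key did not exist
# when The Avenger looked for it.
COMBOFIX_FLAG_RE = re.compile(r"^Rootkit driver (\S+) is present", re.MULTILINE)
AVENGER_MISSING_RE = re.compile(
    r"^Registry key \\Registry\\Machine\\System\\CurrentControlSet\\Services\\(\S+) not found!",
    re.MULTILINE,
)


def reconcile(combofix_log: str, avenger_log: str) -> Dict[str, str]:
    """For each driver ComboFix flagged, say whether The Avenger's result
    leaves the flag unconfirmed (key absent) or still requires a rootkit scan."""
    flagged = COMBOFIX_FLAG_RE.findall(combofix_log)
    missing = set(AVENGER_MISSING_RE.findall(avenger_log))
    verdict: Dict[str, str] = {}
    for driver in flagged:
        if driver in missing:
            # Flagged by ComboFix, but no service key existed for Avenger to unload:
            # consistent with the flag being a side effect of blocked access.
            verdict[driver] = "unconfirmed"
        else:
            verdict[driver] = "scan-required"
    return verdict


if __name__ == "__main__":
    for driver, state in reconcile(COMBOFIX_LOG, AVENGER_LOG).items():
        print(f"{driver}: {state}")
```

"unconfirmed" is not "clean": it only means the two tools disagree, which is exactly the case for re-running both with the firewall out of the way, as the post suggests.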


#13 crazyme

crazyme
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:05:38 PM

Posted 06 August 2006 - 05:06 PM

i am assuming you wanted me to turn off zonealarm and run hjt and combofix; i did just that and here are the logs. also, after combofix was done with its scan, was i supposed to let it run disk cleanup on all my hard drives? thanks

Start Time= Sun 08/06/2006 18:08:10.46
Running from: E:\Documents and Settings\Dil\Desktop\Downloads

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


E:\Documents and Settings\Dil\Local Settings\Temp\drsmartload180a.exe
E:\Documents and Settings\Dil\Local Settings\Temporary Internet Files\Content.IE5\PHRSB3MW\drsmartload849a[1].exe
E:\WINDOWS\uninstall_nmon.vbs
E:\WINDOWS\system32\atmtd.dll
E:\WINDOWS\system32\atmtd.dll._


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-06 16:15:40 683 ( A.... ) "E:\Combo.bat"
2006-08-06 08:56:12 528446 ( A.... ) "E:\WINDOWS\gmer.dll"
2006-08-06 08:44:16 72 ( A.... ) "E:\Program Files\becvapgc.txt"
2006-08-03 23:01:32 ( .D... ) "E:\Program Files\SpywareBlaster"
2006-07-31 19:38:32 ( .D... ) "E:\Program Files\Zone Labs"
2006-07-31 06:11:16 ( .D... ) "E:\Documents and Settings\Dil\Application Data\SystemDoctor 2006 Free"
2006-07-31 05:58:28 2 ( A.... ) "E:\WINDOWS\system32\wnstssv.exe"
2006-07-31 05:54:38 61440 ( A.... ) "E:\WINDOWS\system32\iko59bc2.dll"
2006-07-31 05:54:38 1064 ( A.... ) "E:\WINDOWS\system32\iko59bc2.sys"
2006-07-31 05:54:38 1064 ( A.... ) "E:\WINDOWS\system32\iko59bc2.sys"
2006-07-31 05:54:32 235134 ( A.... ) "E:\WINDOWS\srvhwpnzru.exe"
2006-07-31 05:54:22 ( .D... ) "E:\Program Files\System Icons"
2006-07-31 05:54:22 ( .D... ) "E:\Program Files\System Files"
2006-07-31 05:53:56 ( .D... ) "E:\Program Files\Common Files\zouu"
2006-07-31 05:53:42 232749 ( A.... ) "E:\WINDOWS\pf78.exe"
2006-07-31 05:53:24 ( AD... ) "E:\Program Files\webHancer"
2006-07-31 05:53:12 45056 ( A.... ) "E:\WINDOWS\system32ghynf.exe"
2006-07-31 05:53:12 36864 ( A.... ) "E:\WINDOWS\system32n9nyb.exe"
2006-07-31 05:53:12 28672 ( A.... ) "E:\WINDOWS\system32bez6n4r21.exe"
2006-07-31 05:53:12 28672 ( A.... ) "E:\WINDOWS\system32\iqqr.exe"
2006-07-31 05:53:10 36864 ( A.... ) "E:\WINDOWS\system32\n9nyb.exe"
2006-07-31 05:53:10 28672 ( A.... ) "E:\WINDOWS\system32\bez6n4r21.exe"
2006-07-31 05:53:02 ( .D... ) "E:\Program Files\Common Files\{F8DB672E-07D9-1033-1004-040408020001}"
2006-07-30 13:19:10 ( .D... ) "E:\Program Files\QuickPar"
2006-07-21 18:55:38 127578 ( A.... ) "E:\WINDOWS\system32\tsuninst.exe"
2006-07-01 00:43:26 ( .D... ) "E:\Program Files\Sports Mogul"
2006-06-25 08:57:46 ( .D... ) "E:\Program Files\Common Files\Adobe"
2006-06-19 16:20:42 702768 ( ..... ) "E:\WINDOWS\system32\WgaLogon.dll"
2006-06-12 20:02:08 ( .D... ) "E:\Documents and Settings\Dil\Application Data\Talkback"
2006-06-12 20:00:06 ( .D... ) "E:\Documents and Settings\Dil\Application Data\Thunderbird"
2006-06-12 19:59:40 ( .D... ) "E:\Program Files\Mozilla Thunderbird"
2006-06-09 06:18:56 49152 ( A.... ) "E:\WINDOWS\system32\pmnnn.exe"
2006-06-08 22:26:10 13837 ( A.SH. ) "E:\WINDOWS\system32\ssqrsqr.dll"
2006-06-07 13:55:52 3753 ( A.... ) "E:\Program Files\html2.htm"
2006-06-07 13:55:52 3626 ( A.... ) "E:\Program Files\html1.htm"
2006-06-06 20:49:18 745531 ( A.... ) "E:\WINDOWS\gmer.exe"
2006-05-31 17:52:58 395032 ( A.... ) "E:\WINDOWS\system32\vsdatant.sys"
2006-05-31 17:52:44 75776 ( A.... ) "E:\WINDOWS\zllsputility.exe"
2006-05-31 17:51:58 71672 ( A.... ) "E:\WINDOWS\system32\zlcommdb.dll"
2006-05-31 17:51:56 83960 ( A.... ) "E:\WINDOWS\system32\zlcomm.dll"
2006-05-31 17:51:54 100344 ( A.... ) "E:\WINDOWS\system32\vsxml.dll"
2006-05-31 17:51:54 59384 ( A.... ) "E:\WINDOWS\system32\vswmi.dll"
2006-05-31 17:51:52 440312 ( A.... ) "E:\WINDOWS\system32\vsutil.dll"
2006-05-31 17:51:46 268280 ( A.... ) "E:\WINDOWS\system32\vspubapi.dll"
2006-05-31 17:51:46 71672 ( A.... ) "E:\WINDOWS\system32\vsregexp.dll"
2006-05-31 17:51:44 104440 ( A.... ) "E:\WINDOWS\system32\vsmonapi.dll"
2006-05-31 17:51:42 157688 ( A.... ) "E:\WINDOWS\system32\vsinit.dll"
2006-05-31 17:51:38 83960 ( A.... ) "E:\WINDOWS\system32\vsdata.dll"
2006-05-31 17:51:20 796584 ( A.... ) "E:\WINDOWS\system32\libeay32_0.9.6l.dll"
2006-05-19 08:59:42 148480 ( A.... ) "E:\WINDOWS\system32\dnsapi.dll"
2006-05-19 08:59:42 111616 ( A.... ) "E:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 08:59:42 94720 ( A.... ) "E:\WINDOWS\system32\iphlpapi.dll"
2005-05-30 16:05:08 6030 ( A.... ) "E:\Program Files\DeIsL1.isu"
2004-05-12 19:56:02 54784 ( A.... ) "E:\Program Files\Asmi8705.dll"
2004-05-10 11:15:32 58880 ( A.... ) "E:\Program Files\Asmi697h.dll"
2004-04-15 17:31:58 84992 ( A.... ) "E:\Program Files\coDmi.dll"
2004-04-15 16:58:56 57344 ( A.... ) "E:\Program Files\AsmiEHFA.dll"
2004-04-08 14:02:46 58880 ( A.... ) "E:\Program Files\AsmiTHFA.dll"
2004-04-02 15:34:04 37888 ( A.... ) "E:\Program Files\AsmiEnum.dll"
2004-03-16 16:17:42 28160 ( A.... ) "E:\Program Files\AsmiSpch.dll"
2003-12-09 18:25:02 35328 ( A.... ) "E:\Program Files\AsGetDmi.dll"
2003-12-01 16:23:38 54784 ( A.... ) "E:\Program Files\Asmi8712.dll"
2003-11-28 11:53:48 59392 ( A.... ) "E:\Program Files\Asmi627h.dll"
2003-11-11 17:48:48 683 ( A.... ) "E:\Program Files\AsusPb.ini"
2003-09-23 11:44:32 535040 ( A.... ) "E:\Program Files\COLM7578.DLL"
2003-07-16 19:28:16 62976 ( A.... ) "E:\Program Files\AsmiAsus.dll"
2003-07-15 10:42:44 56832 ( A.... ) "E:\Program Files\Asmi366.dll"
2003-05-28 22:06:06 59904 ( A.... ) "E:\Program Files\AsmiM192.dll"
2003-05-28 20:25:04 31232 ( A.... ) "E:\Program Files\AsmiIntl.dll"
2003-05-13 15:40:10 31232 ( A.... ) "E:\Program Files\AsmiHwIo.dll"
2003-04-17 20:36:00 29184 ( A.... ) "E:\Program Files\AsmiNvi2.dll"
2003-03-25 13:45:00 37888 ( A.... ) "E:\Program Files\ASMIDMI.DLL"
2002-12-06 16:07:48 617984 ( A.... ) "E:\Program Files\AsusProb.exe"
2002-11-27 20:52:54 29696 ( A.... ) "E:\Program Files\AsmiVia.dll"
2002-09-11 16:38:24 52224 ( A.... ) "E:\Program Files\ASUS.DLL"
2002-07-22 20:57:24 53760 ( A.... ) "E:\Program Files\AsmiAspm.dll"
2001-11-19 15:55:04 31232 ( A.... ) "E:\Program Files\ASMISIS.DLL"
2001-11-14 11:28:28 29184 ( A.... ) "E:\Program Files\AsmiIntO.dll"
2001-10-12 15:35:22 29184 ( A.... ) "E:\Program Files\AsmiAmd.dll"
2001-09-26 11:26:56 29184 ( A.... ) "E:\Program Files\AsmiNvid.dll"
2001-09-10 11:28:26 90624 ( A.... ) "E:\Program Files\CODISK.DLL"
2001-08-30 15:19:40 54272 ( A.... ) "E:\Program Files\Asmi630E.dll"
2001-08-16 15:30:10 31232 ( A.... ) "E:\Program Files\ASMIALI.DLL"
2001-07-26 16:58:46 47 ( A.... ) "E:\Program Files\ACMonitor_X73.ini"
2001-07-05 12:46:44 8116 ( A.... ) "E:\Program Files\OSLO3071b2.USB"
2001-05-11 11:39:16 53248 ( A.... ) "E:\Program Files\ACMonitor_X73.exe"
2001-05-08 16:36:42 114688 ( A.... ) "E:\Program Files\lxarscan.dll"
2001-04-23 14:22:14 1437 ( A.... ) "E:\Program Files\gtx73.ini"
2001-02-22 09:54:36 768 ( A.... ) "E:\Program Files\x73_lut.dat"
2001-01-04 14:56:16 55296 ( A.... ) "E:\Program Files\Asmi686A.dll"
2000-10-03 14:20:14 27648 ( A.... ) "E:\Program Files\ASMICTRL.DLL"
2000-09-07 21:17:18 54784 ( A.... ) "E:\Program Files\Asmi5953.dll"
2000-06-14 18:28:46 31232 ( A.... ) "E:\Program Files\ASMIAHD.DLL"
2000-05-18 21:02:26 55808 ( A.... ) "E:\Program Files\ASMILM78.DLL"
1999-11-22 18:24:10 15872 ( A.... ) "E:\Program Files\RECHI.DLL"
1999-11-22 18:23:58 18944 ( A.... ) "E:\Program Files\REENG.DLL"
1999-08-21 11:29:46 118784 ( A.... ) "E:\Program Files\Cooling.exe"
1999-08-21 11:21:00 7869 ( A.... ) "E:\Program Files\IDLEHLT.VXD"
1999-05-12 11:56:28 55808 ( A.... ) "E:\Program Files\ASMI5952.DLL"
1999-04-27 20:15:44 16896 ( A.... ) "E:\Program Files\COLMICO.DLL"
1999-03-05 09:53:02 57344 ( A.... ) "E:\Program Files\ASMI5951.DLL"
1999-03-05 09:49:06 57344 ( A.... ) "E:\Program Files\ASMI782D.DLL"
1999-03-05 09:48:00 55808 ( A.... ) "E:\Program Files\ASMI781D.DLL"
1999-01-14 10:47:32 33280 ( A.... ) "E:\Program Files\ASUSAHD.DLL"
1998-11-20 02:57:24 18944 ( A.... ) "E:\Program Files\DISKICO.DLL"
1998-10-27 17:06:36 28160 ( A.... ) "E:\Program Files\ICON.DLL"
1998-10-20 04:18:24 21504 ( A.... ) "E:\Program Files\PROBUNIS.DLL"
1998-10-12 13:08:56 1394 ( A.... ) "E:\Program Files\ASUS.AHD"
1998-09-22 10:00:16 18944 ( A.... ) "E:\Program Files\RESOURCE.DLL"
1998-09-19 06:46:20 16896 ( A.... ) "E:\Program Files\MAINICON.DLL"
1998-08-20 02:42:38 9216 ( A.... ) "E:\Program Files\STRENG.DLL"
1998-08-20 02:42:08 99840 ( A.... ) "E:\Program Files\STRTC.DLL"
1998-08-18 08:17:40 29696 ( A.... ) "E:\Program Files\GETDMI.DLL"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-06 09:11 683 E:\Combo.bat
2006-08-06 08:56 745,531 E:\WINDOWS\gmer.exe
2006-08-06 08:56 528,446 E:\WINDOWS\gmer.dll
2006-07-31 19:38 83,960 E:\WINDOWS\system32\zlcomm.dll
2006-07-31 19:38 796,584 E:\WINDOWS\system32\libeay32_0.9.6l.dll
2006-07-31 19:38 77,824 E:\WINDOWS\system32\driverif.dll
2006-07-31 19:38 75,776 E:\WINDOWS\zllsputility.exe
2006-07-31 19:38 733,236 E:\WINDOWS\system32\vete.dll
2006-07-31 19:38 71,672 E:\WINDOWS\system32\zlcommdb.dll
2006-07-31 19:38 71,672 E:\WINDOWS\system32\vsregexp.dll
2006-07-31 19:38 59,384 E:\WINDOWS\system32\vswmi.dll
2006-07-31 19:38 395,032 E:\WINDOWS\system32\vsdatant.sys
2006-07-31 19:38 268,280 E:\WINDOWS\system32\vspubapi.dll
2006-07-31 19:38 12,288 E:\WINDOWS\system32\vetntmsg.dll
2006-07-31 19:38 11,264 E:\WINDOWS\system32\SpOrder.dll
2006-07-31 19:38 104,440 E:\WINDOWS\system32\vsmonapi.dll
2006-07-31 19:38 100,344 E:\WINDOWS\system32\vsxml.dll
2006-07-31 19:37 83,960 E:\WINDOWS\system32\vsdata.dll
2006-07-31 19:37 440,312 E:\WINDOWS\system32\vsutil.dll
2006-07-31 19:37 157,688 E:\WINDOWS\system32\vsinit.dll
2006-07-31 18:07 1,073,074,176 E:\hiberfil.sys
2006-07-31 05:58 2 E:\WINDOWS\system32\wnstssv.exe
2006-07-31 05:54 61,440 E:\WINDOWS\system32\iko59bc2.dll
2006-07-31 05:54 235,134 E:\WINDOWS\srvhwpnzru.exe
2006-07-31 05:54 1,064 E:\WINDOWS\system32\iko59bc2.sys
2006-07-31 05:53 45,056 E:\WINDOWS\system32ghynf.exe
2006-07-31 05:53 36,864 E:\WINDOWS\system32n9nyb.exe
2006-07-31 05:53 36,864 E:\WINDOWS\system32\n9nyb.exe
2006-07-31 05:53 28,672 E:\WINDOWS\system32bez6n4r21.exe
2006-07-31 05:53 28,672 E:\WINDOWS\system32\iqqr.exe
2006-07-31 05:53 28,672 E:\WINDOWS\system32\bez6n4r21.exe
2006-07-31 05:53 232,749 E:\WINDOWS\pf78.exe
2006-07-31 05:53 21,504 E:\WINDOWS\offun.exe
2006-07-31 05:53 127,578 E:\WINDOWS\system32\tsuninst.exe
2006-07-31 05:53 1,064,304 E:\WINDOWS\nmawqiaA.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SmcService"="E:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"DeadAIM"="rundll32.exe \"E:\\PROGRA~1\\AIM\\\\DeadAIM.ocm\",ExportedCheckODLs"
"NeroFilterCheck"="E:\\WINDOWS\\system32\\NeroCheck.exe"
"SoundMan"="SOUNDMAN.EXE"
"SunJavaUpdateSched"="E:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
"Symantec NetDriver Monitor"="E:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"PrinTray"="E:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe"
"ASUS Probe"="e:\\program files\\AsusProb.exe"
"Lexmark X73 Button Monitor"="E:\\PROGRA~1\\LEXMAR~1\\ACMonitor_X73.exe"
"Lexmark X73 Button Manager"="E:\\PROGRA~1\\LEXMAR~1\\AcBtnMgr_X73.exe"
"QuickTime Task"="\"E:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
@=""
"URLLSTCK.exe"="E:\\Program Files\\Norton Internet Security Professional\\UrlLstCk.exe"
"Zone Labs Client"="\"E:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"MSConfig"="E:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
"vwvogrkg"="E:\\gvchgehc.bat"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AIM"="E:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"ctfmon.exe"="E:\\WINDOWS\\system32\\ctfmon.exe"
"msnmsgr"="\"E:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Yahoo! Pager"="E:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"E06AXLRD_-1331953546"="\"E:\\Program Files\\Microsoft Encarta\\Encarta Premium DVD 2006\\EDICT.EXE\" -m"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{F8DB672E-07D9-1033-1004-040408020001}"="\"E:\\Program Files\\Common Files\\{F8DB672E-07D9-1033-1004-040408020001}\\Update.exe\" mc-110-12-0000103"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="E:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="E:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="E:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
"path"="E:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office OneNote 2003 Quick Launch.lnk"
"backup"="E:\\WINDOWS\\pss\\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="E:\\PROGRA~1\\MICROS~2\\OFFICE11\\ONENOTEM.EXE /tsr"
"item"="Microsoft Office OneNote 2003 Quick Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it® Software Notes Lite.lnk]
"path"="E:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Post-it® Software Notes Lite.lnk"
"backup"="E:\\WINDOWS\\pss\\Post-it® Software Notes Lite.lnkCommon Startup"
"location"="Common Startup"
"command"="E:\\PROGRA~1\\3M\\PSNLite\\PsnLite.exe -RegRun"
"item"="Post-it® Software Notes Lite"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Dil^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
"path"="E:\\Documents and Settings\\Dil\\Start Menu\\Programs\\Startup\\Microsoft Office OneNote 2003 Quick Launch.lnk"
"backup"="E:\\WINDOWS\\pss\\Microsoft Office OneNote 2003 Quick Launch.lnkStartup"
"location"="Startup"
"command"="E:\\PROGRA~1\\MICROS~2\\OFFICE11\\ONENOTEM.EXE /tsr"
"item"="Microsoft Office OneNote 2003 Quick Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ad8rIU3s]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cvn0"
"hkey"="HKLM"
"command"="E:\\WINDOWS\\system32\\cvn0.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ares"
"hkey"="HKCU"
"command"="\"E:\\Program Files\\Ares Lite Edition\\Ares.exe\" -h"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"="\"E:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E06AXLRD_-1331953546]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="EDICT"
"hkey"="HKCU"
"command"="\"E:\\Program Files\\Microsoft Encarta\\Encarta Premium DVD 2006\\EDICT.EXE\" -m"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"E:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Xbznv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="r?ndll32"
"hkey"="HKCU"
"command"="E:\\WINDOWS\\s?mbols\\r?ndll32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="E:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"inimapping"="0"




Contents of the 'Scheduled Tasks' folder
E:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
E:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job
E:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Sun 08/06/2006 18:08:29.00
ComboFix ver 06.07.15/28 - This logfile is located at E:\ComboFix.txt

ComboFix.2006-08-05.162438.txt
ComboFix.2006-08-06.091007.txt
ComboFix.2006-08-06.161310.txt
ComboFix.2006-08-06.180810.txt

Logfile of HijackThis v1.99.1
Scan saved at 6:09:25 PM, on 8/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\LEXBCES.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\Program Files\Common Files\Symantec Shared\ccProxy.exe
E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
E:\WINDOWS\Explorer.EXE
E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
E:\program files\AsusProb.exe
E:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
E:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Sygate\SPF\smc.exe
E:\Program Files\AIM\aim.exe
E:\Program Files\Windows Media Player\wmplayer.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\cscript.exe
E:\WINDOWS\system32\cmd.exe
E:\Documents and Settings\Dil\Desktop\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - E:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "E:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PrinTray] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [ASUS Probe] e:\program files\AsusProb.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] E:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] E:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [URLLSTCK.exe] E:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Zone Labs Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [vwvogrkg] E:\gvchgehc.bat
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] E:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [E06AXLRD_-1331953546] "E:\Program Files\Microsoft Encarta\Encarta Premium DVD 2006\EDICT.EXE" -m
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://e:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - E:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1154886465015
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - E:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - E:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by crazyme, 06 August 2006 - 05:15 PM.


#14 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:10:38 PM

Posted 07 August 2006 - 03:43 AM

Hello there crazyme.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in Word/Notepad to the desktop where they can be easily found for the same reasons as above.
A print-out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

* Please set your system to show hidden files; please see here if you're unsure how to do this.

1) First of all, I see the Norton ScriptBlocking service present.
I want you to disable it as it may interfere with the next fix.

Disable the Script Blocking Service:
  • To open Services, click Start, point to Settings, and then click Control Panel. Double-click Administrative Tools, and then double-click Services.
  • Find the ScriptBlocking service, right-click the service, and then click Properties. On the General tab, under Startup, click Disabled.
  • Under Service Status, click the Stop button. Click the Apply button.
* Disable Script Blocking in the Norton settings:
  • Start Norton AntiVirus.
  • Click Options. If a menu appears when you click Options, then click Norton AntiVirus. The Norton AntiVirus Options dialog box appears.
  • Click Script Blocking.
  • Uncheck Enable Script Blocking (recommended).
  • Click OK.
You can re-enable it afterwards when everything is clean again.

2) Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe.
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the file paths and pressing Control + C:

E:\WINDOWS\system32\cvn0.exe
E:\WINDOWS\system32\wnstssv.exe
E:\WINDOWS\system32\iko59bc2.dll
E:\WINDOWS\system32\iko59bc2.sys
E:\WINDOWS\srvhwpnzru.exe
E:\WINDOWS\pf78.exe
E:\WINDOWS\system32ghynf.exe
E:\WINDOWS\system32n9nyb.exe
E:\WINDOWS\system32bez6n4r21.exe
E:\WINDOWS\system32\iqqr.exe
E:\WINDOWS\system32\n9nyb.exe
E:\WINDOWS\system32\bez6n4r21.exe
E:\Program Files\Common Files\{F8DB672E-07D9-1033-1004-040408020001}\update.exe
E:\WINDOWS\system32\tsuninst.exe
E:\WINDOWS\system32\pmnnn.exe
E:\WINDOWS\system32\ssqrsqr.dll
E:\WINDOWS\offun.exe
E:\WINDOWS\nmawqiaA.exe


Open 'File' in the Killbox menu on top and choose Paste from clipboard.
You must use the File menu--pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on the next reboot and asks if you would like to reboot now; click "yes".
Click OK at any Pending File Rename Operations prompt, and let me know if these appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

3) After the reboot, please find and delete the following folders:

E:\Documents and Settings\Dil\Application Data\SystemDoctor 2006 Free
E:\Program Files\System Files
E:\Program Files\System Icons
E:\Program Files\Common Files\zouu
E:\Program Files\webHancer

4) Please open Notepad and copy and paste the next bold text into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"vwvogrkg"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{F8DB672E-07D9-1033-1004-040408020001}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ad8rIU3s]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Xbznv]

Save this as "fix.reg". Choose to save as *all files* and place it on your desktop.
It should look like this: Posted Image
Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

5)
Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O4 - HKLM\..\Run: [vwvogrkg] E:\gvchgehc.bat
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

6) Please download Ewido Anti-Spyware and save the file to your desktop.
This is a free 30 day trial version of the program.
  • Locate the icon on your desktop and double click it to open the set-up program.
  • Follow the instructions on screen to install Ewido.
  • Run the program and you will meet the main screen.
  • Select the icon "Update" then select the "Update now" link
  • Next click the "Start Update" button; a progress bar will show the updates being installed.
  • Now select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Click on "Recommended actions" and then select "Quarantine".
  • Close the program now, we will be running a scan a bit later.
  • You can go ahead and delete the old setup file from your desktop.
7) Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into Safe Mode.
Make sure you choose the option without networking support.

8) Launch Ewido by double clicking on the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab.
  • Then click on the "Complete System Scan" button.
  • If you have any infections you will be asked for an action - select "apply all actions".
  • Now select the "Reports" icon at the top.
  • Click "Save Report As" and save the text file to your desktop.
  • Close Ewido and reboot back into normal mode.
Please post the results of the Ewido scan in this thread, along with a new Hijackthis log.
David
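As an added illustration (example code of my own, not part of David's instructions and not a ComboFix or HijackThis feature): the registry entries David singles out in steps 4 and 5 share traits that can be spotted mechanically in a "Reg Loading Points" dump, such as a batch file launched from the drive root, a value under Policies\Explorer\Run, a '?' standing in for a character the log could not render in a name that imitates a Windows binary, and machine-generated-looking names. The heuristics, the `Autorun`/`Finding` names and the `find_suspicious` function are this example's own assumptions; the sample input is an excerpt copied from the ComboFix log posted above. It is a triage aid for reading such logs, not a replacement for the helper's judgment.

```python
import re
from dataclasses import dataclass, field

# Excerpt of the ComboFix "Reg Loading Points" section posted earlier in this
# thread, embedded inline so the script runs offline (copied, not invented).
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SmcService"="E:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"QuickTime Task"="\"E:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"vwvogrkg"="E:\\gvchgehc.bat"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{F8DB672E-07D9-1033-1004-040408020001}"="\"E:\\Program Files\\Common Files\\{F8DB672E-07D9-1033-1004-040408020001}\\Update.exe\" mc-110-12-0000103"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Xbznv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="r?ndll32"
"hkey"="HKCU"
"command"="E:\\WINDOWS\\s?mbols\\r?ndll32.exe"
"inimapping"="0"
'''

PAIR_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
EXE_RE = re.compile(r'\.(exe|bat|cmd|com|scr|pif|dll)\b', re.IGNORECASE)


@dataclass
class Autorun:                 # hypothetical record type for this example
    key: str                   # registry key the entry was found under
    name: str                  # value name (or msconfig "item")
    command: str               # unescaped command line


@dataclass
class Finding:
    autorun: Autorun
    reasons: list = field(default_factory=list)

    @property
    def name(self):
        return self.autorun.name


def unescape(value):
    """Undo REGEDIT4 escaping: '\\\\' becomes '\\' and '\\"' becomes '"'."""
    return re.sub(r'\\(.)', r'\1', value)


def parse_reg_dump(text):
    """Turn a REGEDIT4-style dump into Autorun records.

    Plain ...\\Run keys yield one record per value. msconfig\\startupreg\\<x>
    keys (entries disabled through MSConfig) carry the name in "item" and the
    command in "command", so those are collected per section."""
    autoruns, section, pending = [], "", {}

    def flush():
        if pending.get("command") is not None:
            autoruns.append(Autorun(section, pending.get("item", "?"), pending["command"]))
        pending.clear()

    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            flush()
            section = line[1:-1]
            continue
        m = PAIR_RE.match(line)
        if not m:
            continue
        name, value = unescape(m.group(1)), unescape(m.group(2))
        low = section.lower()
        if "msconfig\\startupreg\\" in low:
            pending[name] = value
        elif low.endswith("\\run"):
            autoruns.append(Autorun(section, name, value))
    flush()
    return autoruns


def program_path(command):
    """Extract the executable path from a command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.search(command)
    return command[:m.end()] if m else command.split(" ")[0]


def looks_random(token):
    """Weak heuristic: 8+ letters with at most one vowel reads as machine-generated."""
    letters = re.sub(r"[^A-Za-z]", "", token)
    return len(letters) >= 8 and sum(c in "aeiouAEIOU" for c in letters) <= 1


def assess(autorun):
    """Return the reasons (possibly none) an autorun entry deserves a second look."""
    reasons = []
    exe = program_path(autorun.command)
    base = exe.rsplit("\\", 1)[-1]
    stem, ext = base.rsplit(".", 1) if "." in base else (base, "")
    if "?" in exe:
        reasons.append("path contains '?' (a character the log could not render), "
                       "so the file name is not what it appears to be")
    if re.fullmatch(r"[A-Za-z]:\\[^\\]+", exe):
        reasons.append("program sits directly in the drive root")
    if ext.lower() in ("bat", "cmd"):
        reasons.append("autorun launches a batch script")
    if "policies\\explorer\\run" in autorun.key.lower():
        reasons.append("registered under Policies\\Explorer\\Run, which legitimate installers rarely use")
    if looks_random(autorun.name) or looks_random(stem):
        reasons.append("value name or file name looks machine-generated")
    return reasons


def find_suspicious(text):
    """All autoruns in the dump that trip at least one heuristic."""
    findings = []
    for autorun in parse_reg_dump(text):
        reasons = assess(autorun)
        if reasons:
            findings.append(Finding(autorun, reasons))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f.name!r} -> {f.autorun.command}")
        for reason in f.reasons:
            print("   -", reason)
```

Run against the excerpt, the three entries David's fix.reg and HijackThis step remove are reported and the Sygate and QuickTime entries are not. The heuristics are deliberately simple and will miss plenty, which is why the thread still relies on a human reading the whole log.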

#15 crazyme

crazyme
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:05:38 PM

Posted 07 August 2006 - 04:48 AM

Hi, before I do all this I just wanted to ask a couple of questions. Should I re-enable the cvn0 and r?ndll processes at startup under msconfig? Right now I have them shut off and I don't see a post for getting rid of r?ndll unless it is already specified in one of the above listings. Also, the cscript.exe...I am assuming that is the Norton script you are talking about. I don't have Norton running at the moment. It is not in the taskbar, so what should I do to disable cscript.exe other than going into administrative options? Thanks, I shall work on this when I get back from work.

**
Also, which setup file do you mean that I should delete? The exe for Ewido?

6) Please download Ewido Anti-Spyware and save the file to your desktop.
This is a free 30 day trial version of the program.

Locate the icon on your desktop and double click it to open the set-up program.
Follow the instructions on screen to install Ewido.
Run the program and you will meet the main screen.
Select the icon "Update" then select the "Update now" link
Next click the "Start Update" button; a progress bar will show the updates being installed.
Now select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Click on "Recommended actions" and then select "Quarantine".
Close the program now, we will be running a scan a bit later.
You can go ahead and delete the old setup file from your desktop.

Edited by crazyme, 07 August 2006 - 05:21 AM.
