Multiple_irp_complete_requests ? Windows Keeps Crashing


22 replies to this topic

#1 barrett101

Posted 18 October 2006 - 06:41 AM

Hi, I also managed to do an HJT scan on Monday night, before the system became really unstable. I've just managed to get it onto a floppy, so here it is.

I know that I have a seriously un-updated system (still haven't managed to update to SP1 or SP2), but I need to get some files off the system before I can re-install Windows and thus remove partitions to make space to install the updates. I only have 86 MB free on the Windows drive at present.

Well, here's the log:

(Moderator edit: log post moved to HJT log Forum for team analysis and member assistance. Original post in Windows XP forum after several previous posts and responses here:

http://www.bleepingcomputer.com/forums/t/68725/multiple-irp-complete-requests-windows-keeps-crashing/

- Enthusiast)


Logfile of HijackThis v1.99.1
Scan saved at 8:24:05 PM, on 16/10/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://apcstart.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;0;
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {2B8FDC01-80EA-7865-5AB5-03299482206F} - C:\WINDOWS\System32\arfflki.dll
O2 - BHO: (no name) - {D7D27D95-9E21-43A1-8230-2F31D34F378C} - C:\WINDOWS\System32\fccab.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\System32\ntsystem.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\testtestt.exe
O4 - HKLM\..\Run: [fvbqgz.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\fvbqgz.dll,ewougub
O4 - HKLM\..\Run: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ms] C:\DOCUME~1\User\LOCALS~1\Temp\15459\gm.exe
O4 - HKLM\..\Run: [f1cacf29.exe] C:\WINDOWS\System32\f1cacf29.exe
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\testtestt.exe
O4 - HKCU\..\Run: [f1cacf29.exe] C:\Documents and Settings\User\Local Settings\Application Data\f1cacf29.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\User\LOCALS~1\Temp\53584.exe
O4 - HKCU\..\Run: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG511v2 Wireless Assistant.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\Office\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://apcstart.com/
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O15 - Trusted Zone: http://*.systemdoctor.com
O15 - Trusted Zone: http://www.winantivirus.com
O15 - Trusted Zone: http://www.winantiviruspro.com
O15 - Trusted Zone: http://download.cdn.winsoftware.com
O15 - Trusted IP range: http://202.67.220.225
O15 - Trusted IP range: http://59.148.220.121
O15 - Trusted IP range: http://62.4.84.53
O15 - Trusted IP range: http://82.98.235.58
O15 - Trusted IP range: http://85.12.25.90
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2646205B-878C-11D1-B07C-0000C040BCDB} (NSIEMisc Class) - file://D:\autorun\x86\bin\nskey.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1148593956136
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AAF7024-029F-4A2B-AA41-EF7FDA7A55AB}: NameServer = 194.60.108.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CB5AD6F-05AF-495D-9F51-36FEC371DF9D}: NameServer = 194.60.108.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{48C2A467-E003-4938-8CD1-B927BA156D63}: NameServer = 194.60.108.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{4EC2832B-737E-45FE-8271-0EFA3E62FA42}: NameServer = 194.60.108.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{617CF154-4E18-4C84-A6ED-7C737F7B7FDF}: NameServer = 194.60.108.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2637A9F-B51F-42C5-9C6A-281E7F11A09E}: NameServer = 194.60.108.74
O17 - HKLM\System\CS1\Services\Tcpip\..\{1AAF7024-029F-4A2B-AA41-EF7FDA7A55AB}: NameServer = 194.60.108.74
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\System32\fmihgri.dll
O21 - SSODL: mVJqkR - {0A3618E8-A09C-B242-8C82-3E504EB10F46} - C:\WINDOWS\System32\wkrqg.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: dopewars server (dopewars-server) - Unknown owner - C:\Program Files\dopewars-1.5.10\dopewars.exe (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Microsoft Windows Spooler Service (Windows Spooler Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)

Edited by Enthusiast, 18 October 2006 - 07:37 AM.



#2 Buckeye_Sam (Malware Expert)

Posted 19 October 2006 - 11:00 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

I'm aware of your space issue, but I must persist with the advice given to you last month. If you can not update Windows it is going to be a waste of our time to clean you up. You need to look at repartitioning your drive in order to apply the updates to Windows. Once you have installed SP1 post a new hijackthis log and I'll be happy to assist you the rest of the way. :flowers:
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 barrett101 (Topic Starter)

Posted 19 October 2006 - 10:04 PM

OK,
I'll have to start that. At present I am having this issue where the computer crashes quite regularly. Before I can even attempt to install updates I need to fix this issue. I will copy the posts I made earlier.

#4 barrett101 (Topic Starter)

Posted 19 October 2006 - 10:09 PM

Hi. My computer keeps crashing and displaying the blue screen of death, showing MULTIPLE_IRP_COMPLETE_REQUESTS.
The technical information reads:
*** STOP: 0x00000044 (0xFFB3D268, 0x00000D60, 0x00000000, 0x00000000)

Any ideas what is up? I recently also started getting an alert from Windows Security saying that Windows was infected with spyware: click here and Windows will download software to fix it.

The system doesn't allow me time to do anything, usually crashing within 2 minutes. Even in Safe Mode it still crashes before I have time to load a program.


OK, I've managed to get access to the Event Viewer.
Listed in the categories are:
Application x2 errors

1: Date:18/10/2006 source: Userenv Time:3:18.03
User: NT AUTHORITY\SYSTEM
Description: Windows couldn't log the RSoP session status. An attempt to connect to WMI failed. No more RSoP logging will be done for this application of policy.

2: Source:McLogEvent Time: 3:19.17
User: NT AUTHORITY\System
Description: MCSCAN 32 Engine Initialisation failed. Engine returned error : The DAT files failed or are missing.

System x6 errors
1: Source: DCOM Time: 3:19:17
User: NT AUTHORITY\SYSTEM Event ID: 10005
Description: DCOM got error "the service cannot be started, either because it is disabled or because it has no enabled devices associated with it." attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

2: Source: DCOM Time: 3:19:17
User: NT AUTHORITY\SYSTEM Event ID: 10005
Description: DCOM got error "the service cannot be started, either because it is disabled or because it has no enabled devices associated with it." attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

3: Source: DCOM Time: 3:19:58
User: BAZZA\User Event ID: 10005
Description: DCOM got error "the service cannot be started, either because it is disabled or because it has no enabled devices associated with it." attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

4: Source: SideBySide Time: 3:21:00
User: N/A Event ID: 32
Description: Dependent Assembly Microsoft. Windows. Common-Controls could not be found and last error was The referenced assembly is not installed on your system

5: Source: SideBySide Time: 3:21:00
User: N/A Event ID: 59
Description: Resolve partial Assembly failed for Microsoft Windows. Common-Controls. Reference error message. The referenced assembly is not installed on your system

6: Source: SideBySide Time: 3:21:00
User: N/A Event ID: 59
Description: Generate Activation Context failed for C:\DOCUME~1\User\LOCALS~1\Temp\tmpf0.exe. Reference error message. The operation completed successfully


Do any of these make sense?




Something else I've noticed too is when I attempt to load in normal mode, while Windows is still loading, an alert pops up labeled MSConfi saying: Windows cannot find 'MSConfi'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, then click Search.
When I click OK another alert pops up labeled Desktop saying: Could not load or run 'MSConfi' specified in the registry. Make sure the file exists on your computer or remove the reference to it in the registry.


Let me know your thoughts...

#5 Buckeye_Sam (Malware Expert)

Posted 20 October 2006 - 07:52 AM

Let's see what we can remove manually and get you stable enough to get those security updates installed. You'll need to perform these steps in safe mode.

Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {2B8FDC01-80EA-7865-5AB5-03299482206F} - C:\WINDOWS\System32\arfflki.dll
O2 - BHO: (no name) - {D7D27D95-9E21-43A1-8230-2F31D34F378C} - C:\WINDOWS\System32\fccab.dll (file missing)
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\System32\ntsystem.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\testtestt.exe
O4 - HKLM\..\Run: [fvbqgz.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\fvbqgz.dll,ewougub
O4 - HKLM\..\Run: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ms] C:\DOCUME~1\User\LOCALS~1\Temp\15459\gm.exe
O4 - HKLM\..\Run: [f1cacf29.exe] C:\WINDOWS\System32\f1cacf29.exe
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\testtestt.exe
O4 - HKCU\..\Run: [f1cacf29.exe] C:\Documents and Settings\User\Local Settings\Application Data\f1cacf29.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\User\LOCALS~1\Temp\53584.exe
O4 - HKCU\..\Run: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O15 - Trusted Zone: http://*.systemdoctor.com
O15 - Trusted Zone: http://www.winantivirus.com
O15 - Trusted Zone: http://www.winantiviruspro.com
O15 - Trusted Zone: http://download.cdn.winsoftware.com
O15 - Trusted IP range: http://202.67.220.225
O15 - Trusted IP range: http://59.148.220.121
O15 - Trusted IP range: http://62.4.84.53
O15 - Trusted IP range: http://82.98.235.58
O15 - Trusted IP range: http://85.12.25.90
O16 - DPF: {2646205B-878C-11D1-B07C-0000C040BCDB} (NSIEMisc Class) - file://D:\autorun\x86\bin\nskey.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\System32\fmihgri.dll
O21 - SSODL: mVJqkR - {0A3618E8-A09C-B242-8C82-3E504EB10F46} - C:\WINDOWS\System32\wkrqg.dll (file missing)
O23 - Service: dopewars server (dopewars-server) - Unknown owner - C:\Program Files\dopewars-1.5.10\dopewars.exe (file missing)
O23 - Service: Microsoft Windows Spooler Service (Windows Spooler Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)



=============


Please make sure that you can View Hidden Files
  • Click Start -> My Computer
  • Select Tools -> Folder options
  • Select the View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.
  • Also make sure that 'Display the contents of system folders' is checked.
  • Make sure "Hide extensions for known file types" is unchecked
  • Make sure "Hide protected operating system files (recommended)" is unchecked
  • For more info on how to show hidden files click here.
=============


Delete these files:

C:\WINDOWS\System32\arfflki.dll
C:\Program Files\MediaGateway <-- delete this folder
C:\WINDOWS\System32\ntsystem.exe
C:\WINDOWS\System32\testtestt.exe
C:\WINDOWS\System32\fvbqgz.dll
c:\windows\system32\_mzu_stonedrv3.exe
C:\WINDOWS\System32\f1cacf29.exe
C:\Documents and Settings\User\Local Settings\Application Data\f1cacf29.exe
C:\WINDOWS\System32\taskdir.exe
C:\WINDOWS\System32\fmihgri.dll
C:\Windows\xpupdate.exe




============



Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
==============


Go to My Computer and right click on Local Disk(C:).
Select Properties -> Tools.
Under Error Checking click on Check Now...
Check both boxes and click Start.
Click Yes at the prompt and reboot your computer.

Once ScanDisk completes, go right back to the same place and click Defragment Now...



===============


Now let's get some tools that we are going to need. You may have to transfer these over from another computer if you can not download them on this one.

Killbox by Option^Explicit

ComboFix

Gmer


===============


I need to see some new logs from you.

1. Please post a new hijackthis log.

2. I need to see a different type of log from Hijackthis
  • Run Hijackthis.
  • Click on "Open the Misc Tools section".
  • Next click on "Open uninstall manager".
  • Press the button 'save list'. It will open a Notepad file.
  • Place the content of that file here in your next reply.
3. Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
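To make the triage behind the fix list above reproducible, here is an added Python example (not code from the thread and not part of HijackThis) that parses HJT v1.99 log lines and flags them for the same reasons the helper applied: autoruns launched from the user's Temp or Local Settings tree, legacy RunServices keys, nameless BHOs, O15 trusted-zone additions, file:// DPF objects, SSODL DLLs and services whose binary is missing. The sample lines are copied from the log posted earlier in this thread; the reason texts, the Finding class and the review-only treatment of O17 are my own assumptions.

```python
"""Triage helper for HijackThis v1.99 log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Every HJT entry looks like "<section> - <body>", e.g.
# "O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\System32\ntsystem.exe".
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# Body of an O4 registry autorun: "<hive>\..\<key>: [<name>] <command>"
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Executables living under the user's Temp or Local Settings\Application Data tree.
TEMP_RE = re.compile(r"\\(LOCALS~1|Local Settings)\\(Temp|Application Data)\\", re.I)


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (section, body) for an HJT entry, None for any other text."""
    m = LINE_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def triage(section: str, body: str) -> List[str]:
    """Reasons an entry deserves attention; an empty list means 'looks ordinary'."""
    reasons: List[str] = []
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("browser helper object with no name")
    elif section == "O4":
        m = O4_RE.match(body)
        if m and TEMP_RE.search(m.group("cmd")):
            reasons.append("autorun launched from the user's Temp/Local Settings tree")
        if m and m.group("key") == "RunServices":
            reasons.append("RunServices key (Win9x-era; rarely used by legitimate XP software)")
    elif section == "O15":
        reasons.append("site or IP range added to IE's Trusted zone")
    elif section == "O16" and " - file://" in body:
        reasons.append("DPF ActiveX object loaded from a local file:// path")
    elif section == "O17" and "NameServer" in body:
        reasons.append("custom DNS server: confirm it is your ISP's (review only)")
    elif section == "O21":
        reasons.append("ShellServiceObjectDelayLoad DLL (loaded by Explorer at logon)")
    elif section == "O23" and body.endswith("(file missing)"):
        reasons.append("service whose binary is missing (orphaned entry)")
    return reasons


def triage_log(lines: Iterable[str]) -> List[Finding]:
    """Run triage over a whole log; non-entry lines (process list, headers) are skipped."""
    findings: List[Finding] = []
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        findings.extend(Finding(section, raw.strip(), r) for r in triage(section, body))
    return findings


def fix_candidates(findings: Iterable[Finding]) -> List[str]:
    """Unique lines a helper would tick under 'Fix checked'; O17 stays review-only."""
    out: List[str] = []
    for f in findings:
        if f.section != "O17" and f.line not in out:
            out.append(f.line)
    return out


# Sample input: lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {2B8FDC01-80EA-7865-5AB5-03299482206F} - C:\WINDOWS\System32\arfflki.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ms] C:\DOCUME~1\User\LOCALS~1\Temp\15459\gm.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\testtestt.exe
O4 - HKCU\..\Run: [f1cacf29.exe] C:\Documents and Settings\User\Local Settings\Application Data\f1cacf29.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted IP range: http://202.67.220.225
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2646205B-878C-11D1-B07C-0000C040BCDB} (NSIEMisc Class) - file://D:\autorun\x86\bin\nskey.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AAF7024-029F-4A2B-AA41-EF7FDA7A55AB}: NameServer = 194.60.108.74
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\System32\fmihgri.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: dopewars server (dopewars-server) - Unknown owner - C:\Program Files\dopewars-1.5.10\dopewars.exe (file missing)
"""

if __name__ == "__main__":
    found = triage_log(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.section}: {f.reason}\n    {f.line}")
    print(f"\n{len(fix_candidates(found))} lines to tick under 'Fix checked'")
```

The heuristics are a triage aid, not a verdict: on the log above the McAfee update manager service is also "Unknown owner" with a missing file, and a human still has to decide which orphaned entries belong to software the user actually installed.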

#6 barrett101 (Topic Starter)

Posted 21 October 2006 - 04:15 AM

OK, here are the logs after doing those tasks.
I have to mention that while running ComboFix, it came up with an alert:
c:\Program~\Symantec\s32evnt1.dll. An unstable virtual device driver failed DLL initialization. Choose close to terminate.
I chose to ignore and continue the program.
Also I could not delete:
Windows/Sys32/fmihgri.dll
It said either I didn't have permission, or it was being used.
I noticed some of the items in the HJT log I checked to fix or repair did not delete, and are still in the log...

Also, the last time I was able to save the HJT log was on Monday the 16th. I was able to use the system that day and I had since installed Avast antivirus, although with the system unstable I wasn't able to re-run HJT after that.

Here are the logs anyway:

Logfile of HijackThis v1.99.1
Scan saved at 5:10:56 PM, on 21/10/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\Program Files\norton\True Sword\aswUpdSv.exe
E:\Program Files\norton\True Sword\ashServ.exe
C:\WINDOWS\Explorer.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\PROGRA~1\norton\TRUESW~1\ashDisp.exe
C:\WINDOWS\System32\ntsystem.exe
E:\Program Files\norton\True Sword\ashMaiSv.exe
E:\Program Files\norton\True Sword\ashWebSv.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://apcstart.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;0;<local>
F3 - REG:win.ini: run=??? ??? ??? ? ? WS\PCHealth\HelpCtr\Binaries\MSConfi
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ms] C:\DOCUME~1\User\LOCALS~1\Temp\15459\gm.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\norton\TRUESW~1\ashDisp.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\System32\ntsystem.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\User\LOCALS~1\Temp\53584.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\Office\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://apcstart.com/
O15 - Trusted IP range: http://202.67.220.225
O15 - Trusted IP range: http://59.148.220.121
O15 - Trusted IP range: http://62.4.84.53
O15 - Trusted IP range: http://82.98.235.58
O15 - Trusted IP range: http://85.12.25.90
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1148593956136
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AAF7024-029F-4A2B-AA41-EF7FDA7A55AB}: NameServer = 194.60.108.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CB5AD6F-05AF-495D-9F51-36FEC371DF9D}: NameServer = 194.60.108.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{48C2A467-E003-4938-8CD1-B927BA156D63}: NameServer = 194.60.108.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{4EC2832B-737E-45FE-8271-0EFA3E62FA42}: NameServer = 194.60.108.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{617CF154-4E18-4C84-A6ED-7C737F7B7FDF}: NameServer = 194.60.108.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2637A9F-B51F-42C5-9C6A-281E7F11A09E}: NameServer = 194.60.108.74
O17 - HKLM\System\CS1\Services\Tcpip\..\{1AAF7024-029F-4A2B-AA41-EF7FDA7A55AB}: NameServer = 194.60.108.74
O17 - HKLM\System\CS2\Services\Tcpip\..\{1AAF7024-029F-4A2B-AA41-EF7FDA7A55AB}: NameServer = 194.60.108.74
O17 - HKLM\System\CS4\Services\Tcpip\..\{1AAF7024-029F-4A2B-AA41-EF7FDA7A55AB}: NameServer = 194.60.108.74
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - E:\Program Files\norton\True Sword\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - E:\Program Files\norton\True Sword\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\norton\True Sword\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - E:\Program Files\norton\True Sword\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: dopewars server (dopewars-server) - Unknown owner - C:\Program Files\dopewars-1.5.10\dopewars.exe (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)


Uninstall list:

Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
avast! Antivirus
ccCommon
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSgui
ESShelp
ESSini
ESSPCD
ESSSONIC
ESSTOOLS
ESSTUTOR
ESSvpaht
ESSvpot
e-tax 2006
e-tax 2006 - FTB Module
HijackThis 1.99.1
HLPIndex
HLPRFO
KSU
Microsoft Office XP Professional with FrontPage
Multimedia Card Reader
NETGEAR 108 Mbps Wireless PC Card WG511T
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Notifier
OTtBP
OTtBPSDK
Palmcorder USB Device Driver 3.01
PCForrest StartMan 1.3.96
PowerDVD
QuickTime
Remove Startup Programs Buddy 2.1
SFR
SHASTA
SKIN0001
SKINXSDK
SPBBC
Spybot - Search & Destroy 1.4
Symantec
Tweak UI
VPRINTOL
WashAndGo
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP1) [See Q307271 for more information]
Windows XP Hotfix (SP1) [See Q321856 for more information]
Windows XP Hotfix (SP1) [See Q329048 for more information]
Windows XP Hotfix (SP1) [See Q329390 for more information]
Windows XP Hotfix (SP1) [See Q329441 for more information]
Windows XP Hotfix (SP1) [See Q329834 for more information]
Windows XP Hotfix (SP1) Q329170
Windows XP Hotfix (SP1) Q810577
Windows XP Hotfix (SP1) Q810833
Windows XP Hotfix (SP1) Q817606
Windows XP Hotfix (SP2) [See Q329115 for more information]
WIRELESS




ComboFix 06.10.19 - Running from: "C:\New Folder"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{F35D52C9-EF35-4509-B2B6-641B1FEB8BDB}]
@=""

[HKEY_CLASSES_ROOT\clsid\{F35D52C9-EF35-4509-B2B6-641B1FEB8BDB}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{F35D52C9-EF35-4509-B2B6-641B1FEB8BDB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{F35D52C9-EF35-4509-B2B6-641B1FEB8BDB}\InprocServer32]
@="C:\\WINDOWS\\system32\\CUMMTB32.DLL"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{C82149CB-5926-483C-932D-9ED974637CB0}]
@=""

[HKEY_CLASSES_ROOT\clsid\{C82149CB-5926-483C-932D-9ED974637CB0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{C82149CB-5926-483C-932D-9ED974637CB0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{C82149CB-5926-483C-932D-9ED974637CB0}\InprocServer32]
@="C:\\WINDOWS\\system32\\ksdgr1.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{8DDE302A-A4C2-4C60-B67C-46B583DE0D01}]
@=""

[HKEY_CLASSES_ROOT\clsid\{8DDE302A-A4C2-4C60-B67C-46B583DE0D01}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{8DDE302A-A4C2-4C60-B67C-46B583DE0D01}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{8DDE302A-A4C2-4C60-B67C-46B583DE0D01}\InprocServer32]
@="C:\\WINDOWS\\system32\\dwspex.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{C80FFB95-CD86-4A02-AC7A-3823455D0DA5}]
@=""

[HKEY_CLASSES_ROOT\clsid\{C80FFB95-CD86-4A02-AC7A-3823455D0DA5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{C80FFB95-CD86-4A02-AC7A-3823455D0DA5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{C80FFB95-CD86-4A02-AC7A-3823455D0DA5}\InprocServer32]
@="C:\\WINDOWS\\system32\\jjt.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{A3FBC33E-7B43-438A-9906-F071A57CC8F8}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\clsid\{A3FBC33E-7B43-438A-9906-F071A57CC8F8}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{A3FBC33E-7B43-438A-9906-F071A57CC8F8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{A3FBC33E-7B43-438A-9906-F071A57CC8F8}\InprocServer32]
@="C:\\WINDOWS\\system32\\kom2sp.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{D7778FDF-64DD-4D8D-B4AB-374B0764806B}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\clsid\{D7778FDF-64DD-4D8D-B4AB-374B0764806B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{D7778FDF-64DD-4D8D-B4AB-374B0764806B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{D7778FDF-64DD-4D8D-B4AB-374B0764806B}\InprocServer32]
@="C:\\WINDOWS\\system32\\kxdbene.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{A6B3B78C-88E5-4440-8D16-E4F2F7B2A6D8}]
@=""

[HKEY_CLASSES_ROOT\clsid\{A6B3B78C-88E5-4440-8D16-E4F2F7B2A6D8}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{A6B3B78C-88E5-4440-8D16-E4F2F7B2A6D8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{A6B3B78C-88E5-4440-8D16-E4F2F7B2A6D8}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{43CE613E-CF38-4E00-9443-BBD4B374E1D9}]
@=""

[HKEY_CLASSES_ROOT\clsid\{43CE613E-CF38-4E00-9443-BBD4B374E1D9}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{43CE613E-CF38-4E00-9443-BBD4B374E1D9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{43CE613E-CF38-4E00-9443-BBD4B374E1D9}\InprocServer32]
@="C:\\WINDOWS\\system32\\kxddv.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{851D26D1-BF7F-4A46-AA81-1CE1ECF9EAFA}]
@=""

[HKEY_CLASSES_ROOT\clsid\{851D26D1-BF7F-4A46-AA81-1CE1ECF9EAFA}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{851D26D1-BF7F-4A46-AA81-1CE1ECF9EAFA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{851D26D1-BF7F-4A46-AA81-1CE1ECF9EAFA}\InprocServer32]
@="C:\\WINDOWS\\system32\\MSNET32.DLL"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{A2653795-37AC-498C-B1D5-9188F4760C37}]
@=""

[HKEY_CLASSES_ROOT\clsid\{A2653795-37AC-498C-B1D5-9188F4760C37}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{A2653795-37AC-498C-B1D5-9188F4760C37}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{A2653795-37AC-498C-B1D5-9188F4760C37}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{2839F061-E11E-4F3E-B5AF-75E2A495BA56}]
@=""

[HKEY_CLASSES_ROOT\clsid\{2839F061-E11E-4F3E-B5AF-75E2A495BA56}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{2839F061-E11E-4F3E-B5AF-75E2A495BA56}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{2839F061-E11E-4F3E-B5AF-75E2A495BA56}\InprocServer32]
@="C:\\WINDOWS\\system32\\du32gt.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\SYSTEM32\mqrating.dll
C:\WINDOWS\SYSTEM32\wmnntbbu.dll
C:\WINDOWS\SYSTEM32\ckyptext.dll
C:\WINDOWS\SYSTEM32\szrof32.dll
C:\WINDOWS\SYSTEM32\mhihnd.dll
C:\WINDOWS\SYSTEM32\lkrt.dll
C:\WINDOWS\SYSTEM32\cwmrepl.dll
C:\WINDOWS\SYSTEM32\cHmocx.dll
C:\WINDOWS\SYSTEM32\rfpwsx.dll
C:\WINDOWS\SYSTEM32\oldbse32.dll
C:\WINDOWS\SYSTEM32\cuyptsvc.dll
C:\WINDOWS\SYSTEM32\iritpki.dll
C:\WINDOWS\SYSTEM32\dnconfig.dll
C:\WINDOWS\SYSTEM32\dwmclien.dll
C:\WINDOWS\SYSTEM32\jjt.dll
C:\WINDOWS\SYSTEM32\mdjdbc10.dll
C:\WINDOWS\SYSTEM32\kkdusr.dll
C:\WINDOWS\SYSTEM32\alicap32.dll
C:\WINDOWS\SYSTEM32\mlpatcha.dll
C:\WINDOWS\SYSTEM32\miwdat10.dll
C:\WINDOWS\SYSTEM32\cylbact.dll
C:\WINDOWS\SYSTEM32\mzvcp60.dll
C:\WINDOWS\SYSTEM32\CUMMTB32.DLL
C:\WINDOWS\SYSTEM32\ksdgr1.dll
C:\WINDOWS\SYSTEM32\dwspex.dll
C:\WINDOWS\SYSTEM32\dttrans.dll
C:\WINDOWS\SYSTEM32\MGSLGN32.DLL
C:\WINDOWS\SYSTEM32\kadpo.dll
C:\WINDOWS\SYSTEM32\kxddv.dll
C:\WINDOWS\SYSTEM32\sqrobj.dll
C:\WINDOWS\SYSTEM32\aymparse.dll
C:\WINDOWS\SYSTEM32\kjdcan.dll
C:\WINDOWS\SYSTEM32\smell32.dll
C:\WINDOWS\SYSTEM32\ngtshell.dll
C:\WINDOWS\SYSTEM32\fp6603jse.dll
C:\WINDOWS\SYSTEM32\rnfsaps.dll
C:\WINDOWS\SYSTEM32\mgapsspc.dll
C:\WINDOWS\SYSTEM32\sjhedsvc.dll
C:\WINDOWS\SYSTEM32\ir2sl5f71.dll
C:\WINDOWS\SYSTEM32\fp2o03f3e.dll
C:\WINDOWS\SYSTEM32\irlml5311.dll
C:\WINDOWS\SYSTEM32\n26q0cj5efo.dll
C:\WINDOWS\SYSTEM32\n4p40e7qeh.dll
C:\WINDOWS\SYSTEM32\aza8lg9u16.dll
C:\WINDOWS\SYSTEM32\p64ulgh9164.dll
C:\WINDOWS\SYSTEM32\jt2007fme.dll
C:\WINDOWS\SYSTEM32\r0r6la9s1d.dll
C:\WINDOWS\SYSTEM32\k8no0i53e8.dll
C:\WINDOWS\SYSTEM32\azaol9731.dll
C:\WINDOWS\SYSTEM32\m2640cjqefoe0.dll
C:\WINDOWS\SYSTEM32\r06u0aj9edo.dll
C:\WINDOWS\SYSTEM32\mvn8l95u1.dll
C:\WINDOWS\SYSTEM32\dnl2013oe.dll
C:\WINDOWS\SYSTEM32\t0r8la9u1d.dll
C:\WINDOWS\SYSTEM32\t6r8lg9u16.dll
C:\WINDOWS\SYSTEM32\ktp0l77m1.dll
C:\WINDOWS\SYSTEM32\ir4sl5h71.dll
C:\WINDOWS\SYSTEM32\r48s0el7ehq.dll
C:\WINDOWS\SYSTEM32\o8840ilqe8qe0.dll
C:\WINDOWS\SYSTEM32\m4ju0e19eh.dll
C:\WINDOWS\SYSTEM32\o0rola931d.dll
C:\WINDOWS\SYSTEM32\k8620ijoe8oc0.dll
C:\WINDOWS\SYSTEM32\s6rslg9716.dll
C:\WINDOWS\SYSTEM32\h44mleh11h4.dll
C:\WINDOWS\SYSTEM32\m2nqlc551f.dll
C:\WINDOWS\SYSTEM32\l2l60c3sef.dll
C:\WINDOWS\SYSTEM32\m4460ehseh460.dll
C:\WINDOWS\SYSTEM32\f4l02e3mgh.dll
C:\WINDOWS\SYSTEM32\k0lqla351d.dll
C:\WINDOWS\SYSTEM32\m8nq0i55e8.dll
C:\WINDOWS\SYSTEM32\mvpol9731.dll
C:\WINDOWS\SYSTEM32\fpl0033me.dll
C:\WINDOWS\SYSTEM32\n8p40i7qe8.dll
C:\WINDOWS\SYSTEM32\g0402ahmgd4a2.dll
C:\WINDOWS\SYSTEM32\fp0o03d3e.dll
C:\WINDOWS\SYSTEM32\p88q0il5e8q.dll
C:\WINDOWS\SYSTEM32\f4l0le3m1h.dll
C:\WINDOWS\SYSTEM32\aza40e7qeh.dll
C:\WINDOWS\SYSTEM32\n86qlij518o.dll
C:\WINDOWS\SYSTEM32\n62ulgf9162.dll
C:\WINDOWS\SYSTEM32\k480lelm1hqa.dll
C:\WINDOWS\SYSTEM32\irp4l57q1.dll




((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\User\Application Data\Sskdmns.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\vxgame3.exe
C:\WINDOWS\system32\vxgame4.exe
C:\WINDOWS\system32\vxgamet1.exe
C:\WINDOWS\system32\vxgamet2.exe
C:\WINDOWS\system32\vxgame1.exe
C:\WINDOWS\system32\vxgamet3.exe
C:\WINDOWS\system32\vxgame2.exe
C:\WINDOWS\system32\vxgamet4.exe
C:\WINDOWS\system32\dmonwv.dll
C:\Documents and Settings\User\Application Data\Install.dat
C:\WINDOWS\system32\kernels8.exe
C:\WINDOWS\system32\maxd641.exe
C:\Program Files\Common Files\misc001
C:\Program Files\Common Files\simtest
C:\Program Files\Common Files\svchostsys


((((((((((((((((((((((((((((((( Files Created from 2006-09-21 to 2006-10-21 ))))))))))))))))))))))))))))))))))


2006-10-21 16:50 4,096 --a------ C:\WINDOWS\SYSTEM32\ntsystem.exe
2006-10-17 21:14 90,112 --a------ C:\WINDOWS\SYSTEM32\AVASTSS.scr
2006-10-17 21:14 58,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2006-10-17 21:14 51,120 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2006-10-17 21:14 367,104 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2006-10-17 21:14 35,984 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2006-10-17 21:14 19,216 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2006-10-17 21:14 13,440 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2006-10-16 20:08 35,889 --a------ C:\WINDOWS\SYSTEM32\spoolsvv.exe
2006-10-16 20:06 6,884 --a------ C:\WINDOWS\SYSTEM32\dlh9jkdq7.exe
2006-10-16 20:06 6,776 --a------ C:\WINDOWS\SYSTEM32\dlh9jkdq6.exe
2006-10-16 20:06 4,275 --a------ C:\WINDOWS\SYSTEM32\dlh9jkdq5.exe
2006-10-16 20:06 2,518 --a------ C:\WINDOWS\SYSTEM32\dlh9jkdq1.exe
2006-10-16 20:06 18,660 --a------ C:\WINDOWS\SYSTEM32\dlh9jkdq2.exe
2006-10-16 20:06 14 --a------ C:\WINDOWS\SYSTEM32\dlh9jkdq8.exe
2006-10-16 19:15 67,716 --a------ C:\WINDOWS\SYSTEM32\taskdir~.exe
2006-10-16 19:00 46,592 --a------ C:\WINDOWS\SYSTEM32\zlbw.dll
2006-10-16 18:50 4,608 --a------ C:\WINDOWS\SYSTEM32\adir.dll
2006-10-16 18:49 67,716 --a------ C:\WINDOWS\SYSTEM32\image1.gif.exe
2006-10-16 18:49 157,184 --a------ C:\WINDOWS\SYSTEM32\fmihgri.dll
2006-10-16 18:49 1,632 --a------ C:\WINDOWS\SYSTEM32\qvxgamet4.exe
2006-10-16 18:49 1,632 --a------ C:\WINDOWS\SYSTEM32\qvxgamet3.exe
2006-10-16 18:49 1,632 --a------ C:\WINDOWS\SYSTEM32\qvxgamet2.exe
2006-10-16 18:48 8,006 --a------ C:\WINDOWS\comdlj32.dll
2006-10-16 18:48 27,234 --a------ C:\WINDOWS\SYSTEM32\_mzu_stonedrv3.exe
2006-10-16 18:48 10,752 --a------ C:\WINDOWS\SYSTEM32\MZU_DRV.sys
2006-10-16 18:48 1,232 --a------ C:\WINDOWS\SYSTEM32\TheMatri1HasYou.exe
2006-10-16 18:07 32,768 --a------ C:\anp.exe
2006-10-15 16:10 4,608 --a------ C:\WINDOWS\SYSTEM32\ntoskrnl.dll
2006-09-22 05:50 253,440 -ra------ C:\WINDOWS\SYSTEM32\DRIVERS\WG511v2.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-10-16 18:46 27234 --a------ C:\WINDOWS\SYSTEM32\_mzu_stonedrv3.exe
2006-09-22 05:45 -------- d-------- C:\Program Files\NETGEAR
2006-09-10 06:39 1492 --a------ C:\WINDOWSvundofix.reg
2006-09-10 06:37 9216 --a------ C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
2006-09-09 23:44 106516 --a------ C:\WINDOWS\SYSTEM32\owkwpgfh.dll
2006-09-09 21:16 -------- d-------- C:\Program Files\HijackThis
2006-09-07 22:20 106516 --a------ C:\WINDOWS\SYSTEM32\khcrdtlq.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"taskdir"="C:\\WINDOWS\\System32\\taskdir.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ms"="C:\\DOCUME~1\\User\\LOCALS~1\\Temp\\15459\\gm.exe"
"DSLSTATEXE"="C:\\Program Files\\D-Link\\DSL-200\\dslstat.exe icon"
"DSLAGENTEXE"="C:\\Program Files\\D-Link\\DSL-200\\dslagent.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"avast!"="E:\\PROGRA~1\\norton\\TRUESW~1\\ashDisp.exe"
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"gwiz"="C:\\WINDOWS\\System32\\ntsystem.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
@=""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,01,00,00,00,80,02,00,00,39,02,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Abau"="\"C:\\PROGRA~1\\aDOBE\\csrss.exe\" -vt yazr"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Abau"="\"C:\\PROGRA~1\\aDOBE\\csrss.exe\" -vt yazr"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"gwiz"="C:\\WINDOWS\\System32\\ntsystem.exe"
"System"="C:\\WINDOWS\\System32\\testtestt.exe"
"fvbqgz.dll"="C:\\WINDOWS\\System32\\rundll32.exe C:\\WINDOWS\\System32\\fvbqgz.dll,ewougub"
"_mzu_stonedrv3"="c:\\windows\\system32\\_mzu_stonedrv3.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"SystemTools"="C:\\WINDOWS\\System32\\testtestt.exe"
"_mzu_stonedrv3"="c:\\windows\\system32\\_mzu_stonedrv3.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\NetDDEsrv

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Tune-up Application Start.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-10-21 18:55:18.22
C:\ComboFix.txt ... 06-10-21 18:55

Edited by barrett101, 21 October 2006 - 04:18 AM.
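The "Reg Loading Points" section of the ComboFix log above can be checked mechanically for the patterns a helper looks for by eye. The following is an added example for this thread (Python; it is not ComboFix's code and was not posted by anyone in the thread). It parses the [key] / "name"="value" lines, works out which file each autorun actually launches (including the DLL behind a rundll32 command line), and flags three things visible in this log: an autorun launched from a user Temp directory (gm.exe), a Windows system-binary name living outside the Windows directory (csrss.exe under PROGRA~1\aDOBE), and a SecurityProviders list containing anything beyond the Windows XP default set (the 4,608-byte "ntoskrnl.dll", named after the kernel image ntoskrnl.exe). The default provider list and the table of system binary names are my assumptions for XP, and the sample is copied from the log above. It deliberately does not catch everything (ntsystem.exe passes every rule), so a heuristic like this supplements reading the whole section rather than replacing it.

```python
"""Audit the 'Reg Loading Points' section of a ComboFix-style log.

Added example for this thread; not ComboFix's own code.  DEFAULT_PROVIDERS
and SYSTEM_BINARIES are assumptions for Windows XP, not values from the log.
"""
import re

SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe", "ntoskrnl.exe",
                   "explorer.exe", "rundll32.exe"}
WINDOWS_DIRS = ("c:\\windows\\",)          # system32 lives underneath this
DEFAULT_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')          # string values only
IMAGE_RE = re.compile(r"^(.*?\.(?:exe|dll|cpl|scr|com))(?:\s|$)", re.IGNORECASE)


def unescape(data):
    # .reg output writes a backslash as \\ and a double quote as \"
    return re.sub(r'\\(["\\])', r"\1", data)


def image_of(command):
    """Return the file an autorun command line actually launches."""
    command = command.strip()
    if command.startswith('"'):                       # "C:\Program Files\x.exe" args
        return command[1:command.index('"', 1)]
    m = IMAGE_RE.match(command)
    if not m:
        return command.split()[0] if command else ""
    image = m.group(1)
    if image.lower().endswith("rundll32.exe"):        # rundll32 <dll>,<export>
        return command[m.end():].strip().split(",")[0].strip('" ')
    return image


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character name lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(path):
    """Why a path mimics a Windows system binary, or None if it does not."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    directory = low[: len(low) - len(name)]
    if name in SYSTEM_BINARIES:
        if directory and not directory.startswith(WINDOWS_DIRS):
            return "system binary name outside the Windows directory"
        return None
    stem = name.rsplit(".", 1)[0]
    for real in sorted(SYSTEM_BINARIES):
        if stem == real.rsplit(".", 1)[0] or edit_distance(name, real) == 1:
            return "near-lookalike of " + real
    return None


def audit(log_text):
    """Return (key, value name, image, reason) for each suspicious entry."""
    findings, key = [], None
    for line in log_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue                                  # dword/hex values, blanks
        name, data = m.group(1), unescape(m.group(2))
        if key.lower().endswith("\\securityproviders"):
            # DLLs listed here are loaded as SSPI security providers; anything
            # outside the default set deserves a look.
            for dll in (p.strip().lower() for p in data.split(",")):
                if dll not in DEFAULT_PROVIDERS:
                    findings.append((key, name, dll, "non-default security provider"))
            continue
        image = image_of(data)
        if "\\temp\\" in image.lower():
            findings.append((key, name, image, "autorun from a Temp directory"))
        reason = lookalike_reason(image)
        if reason:
            findings.append((key, name, image, reason))
    return findings


# Constructed sample: the relevant lines copied from the log posted above.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ms"="C:\\DOCUME~1\\User\\LOCALS~1\\Temp\\15459\\gm.exe"
"DSLSTATEXE"="C:\\Program Files\\D-Link\\DSL-200\\dslstat.exe icon"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"gwiz"="C:\\WINDOWS\\System32\\ntsystem.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Abau"="\"C:\\PROGRA~1\\aDOBE\\csrss.exe\" -vt yazr"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll"
'''

if __name__ == "__main__":
    for key, name, image, reason in audit(SAMPLE):
        print("%-40s %-20s %s" % (name, reason, image))
```

Run it against the whole "Reg Loading Points" block of a log; each finding names the key, the value and the launched file, so the output maps straight onto HijackThis O4 lines or a Killbox list.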


#7 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:08 PM

Posted 21 October 2006 - 05:45 PM

Part of your problem is that you have three antiviruses installed and trying to run at the same time. You should never have more than one. Please uninstall two of these three programs.

Norton
Mcafee
Avast


Let me know which one you decide to keep and I'll assist you in completely cleaning up the others.


Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

F3 - REG:win.ini: run=??? ??? ??? ? ? WS\PCHealth\HelpCtr\Binaries\MSConfi
O4 - HKLM\..\Run: [ms] C:\DOCUME~1\User\LOCALS~1\Temp\15459\gm.exe
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\System32\ntsystem.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\User\LOCALS~1\Temp\53584.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O15 - Trusted IP range: http://202.67.220.225
O15 - Trusted IP range: http://59.148.220.121
O15 - Trusted IP range: http://62.4.84.53
O15 - Trusted IP range: http://82.98.235.58
O15 - Trusted IP range: http://85.12.25.90



==============


I'm assuming that you were able to download Killbox.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\WINDOWS\SYSTEM32\ntsystem.exe
    C:\WINDOWS\SYSTEM32\spoolsvv.exe
    C:\WINDOWS\SYSTEM32\dlh9jkdq7.exe
    C:\WINDOWS\SYSTEM32\dlh9jkdq6.exe
    C:\WINDOWS\SYSTEM32\dlh9jkdq5.exe
    C:\WINDOWS\SYSTEM32\dlh9jkdq1.exe
    C:\WINDOWS\SYSTEM32\dlh9jkdq2.exe
    C:\WINDOWS\SYSTEM32\dlh9jkdq8.exe
    C:\WINDOWS\SYSTEM32\taskdir~.exe
    C:\WINDOWS\SYSTEM32\zlbw.dll
    C:\WINDOWS\SYSTEM32\adir.dll
    C:\WINDOWS\SYSTEM32\image1.gif.exe
    C:\WINDOWS\SYSTEM32\fmihgri.dll
    C:\WINDOWS\SYSTEM32\qvxgamet4.exe
    C:\WINDOWS\SYSTEM32\qvxgamet3.exe
    C:\WINDOWS\SYSTEM32\qvxgamet2.exe
    C:\WINDOWS\comdlj32.dll
    C:\WINDOWS\SYSTEM32\_mzu_stonedrv3.exe
    C:\WINDOWS\SYSTEM32\MZU_DRV.sys
    C:\WINDOWS\SYSTEM32\TheMatri1HasYou.exe
    C:\anp.exe
    C:\WINDOWS\SYSTEM32\ntoskrnl.dll
    C:\WINDOWS\SYSTEM32\owkwpgfh.dll
    C:\WINDOWS\SYSTEM32\khcrdtlq.dll



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.
=============



Unzip Gmer to the desktop and start GMER.exe
Click the Rootkit tab and click the Scan button.

Warning! Please do not select the "Show all" checkbox during the scan.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results here in your next reply.

If you're having problems with running GMER.exe, try it in safe mode.


=============


Also post a new hijackthis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
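The "Delete on Reboot" step above, and the PendingFileRenameOperations prompt Buckeye_Sam asks to hear about, both come from one Windows mechanism: a program calls MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, Windows appends the request to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and smss.exe carries the operations out at the next boot. The following is an added example (Python; not Killbox's code and not from the thread) that builds, encodes, decodes and audits that value using the documented layout: pairs of NUL-terminated strings, NT-style \??\ paths, an empty second string meaning delete, and a "!" prefix meaning overwrite an existing target. The sample paths are the first three from the Killbox list above; the queued SET1A.tmp rename is a constructed, hypothetical entry standing in for something an installer might already have left there.

```python
"""Build and audit the PendingFileRenameOperations value behind 'Delete on
Reboot'.  Added example; format per the documented MoveFileEx behaviour,
not code from Killbox.
"""

VALUE_PATH = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"


def nt_path(win32_path):
    # Win32 C:\x is recorded as the NT object name \??\C:\x
    return win32_path if win32_path.startswith("\\??\\") else "\\??\\" + win32_path


def build_operations(deletes, renames=()):
    """Flat list of REG_MULTI_SZ strings, in source/target pairs."""
    entries = []
    for path in deletes:
        entries += [nt_path(path), ""]                 # empty target: delete source
    for src, dst in renames:
        entries += [nt_path(src), "!" + nt_path(dst)]  # '!': replace existing dst
    return entries


def encode_multi_sz(entries):
    """REG_MULTI_SZ bytes: UTF-16LE, each string NUL-terminated, then one extra NUL."""
    return ("".join(s + "\x00" for s in entries) + "\x00").encode("utf-16-le")


def decode_multi_sz(raw):
    """Inverse of encode_multi_sz.  Keeps the empty strings that mark deletes;
    a generic 'split on NUL and drop blanks' decoder silently loses them."""
    text = raw.decode("utf-16-le")
    if not text.endswith("\x00"):
        raise ValueError("REG_MULTI_SZ without final terminator")
    body = text[:-1]
    return body.split("\x00")[:-1] if body else []


def parse_operations(entries):
    """(action, source, target) triples from the flat pair list."""
    if len(entries) % 2:
        raise ValueError("odd number of strings: value is corrupt")
    ops = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        if dst == "":
            ops.append(("delete", src, None))
        else:
            ops.append(("rename", src, dst.lstrip("!")))
    return ops


def unexpected_operations(existing_entries, requested_deletes):
    """Queued operations that were not requested.  This is what to look at
    when a tool warns that the value was already populated: an installer's
    pending rename is harmless, an unknown one is worth recording."""
    wanted = {nt_path(p).lower() for p in requested_deletes}
    return [op for op in parse_operations(existing_entries)
            if not (op[0] == "delete" and op[1].lower() in wanted)]


# Constructed sample: three paths from the Killbox list above plus one
# hypothetical rename already queued by something else.
REQUESTED = [r"C:\WINDOWS\SYSTEM32\ntsystem.exe",
             r"C:\WINDOWS\SYSTEM32\spoolsvv.exe",
             r"C:\WINDOWS\SYSTEM32\dlh9jkdq7.exe"]
ALREADY_QUEUED = build_operations([], renames=[(r"C:\WINDOWS\system32\SET1A.tmp",
                                               r"C:\WINDOWS\system32\example.dll")])

if __name__ == "__main__":
    entries = ALREADY_QUEUED + build_operations(REQUESTED)
    raw = encode_multi_sz(entries)
    for op in parse_operations(decode_multi_sz(raw)):
        print(op)
    print("not ours:", unexpected_operations(entries, REQUESTED))
```

One caveat that matters for this thread: smss.exe processes the value after the kernel has already initialised boot-start and system-start drivers, so a driver service with Start=1, which is what the GMER output later shows for pe386, is running before the deletes happen and can interfere with them. That is why a hidden driver is unloaded or disabled first rather than just queued for deletion.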

#8 barrett101
  • Topic Starter

  • Members
  • 52 posts

Posted 22 October 2006 - 06:04 AM

OK.
I did have Norton and McAfee, but I was sure they were both deleted. So at present I should only have Avast.

I ran the Killbox program; the only alert that came up was the one to "click to reboot". No other alert; log below.

While running the GMER program, as soon as it had loaded, an alert came up that GMER had found system modifications caused by ROOTKIT activity.


Well, here are the logs:

Pocket Killbox version 2.0.0.881
Running on Windows XP as User(Administrator)
was started @ Sunday, October 22, 2006, 8:09 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\ntsystem.exe


# 2 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\spoolsvv.exe


# 3 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\dlh9jkdq7.exe


# 4 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\dlh9jkdq6.exe


# 5 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\dlh9jkdq5.exe


# 6 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\dlh9jkdq1.exe


# 7 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\dlh9jkdq2.exe


# 8 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\dlh9jkdq8.exe


# 9 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\taskdir~.exe


# 10 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\zlbw.dll


# 11 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\adir.dll


# 12 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\image1.gif.exe


# 13 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\fmihgri.dll


# 14 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\qvxgamet4.exe


# 15 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\qvxgamet3.exe


# 16 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\qvxgamet2.exe


# 17 [Delete on Reboot]
Path = C:\WINDOWS\comdlj32.dll


# 18 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\_mzu_stonedrv3.exe


# 19 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\MZU_DRV.sys


# 20 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\TheMatri1HasYou.exe


# 21 [Delete on Reboot]
Path = C:\anp.exe


# 22 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\ntoskrnl.dll


# 23 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\owkwpgfh.dll


# 24 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\khcrdtlq.dll


I Rebooted @ 8:12:32 PM
Killbox Closed(Exit) @ 8:12:38 PM
__________________________________________________

Pocket Killbox version 2.0.0.881
Running on Windows XP as User(Administrator)
was started @ Sunday, October 22, 2006, 8:16 PM

GMER 1.0.11.11390 - http://www.gmer.net
Rootkit 2006-10-22 20:54:25
Windows 5.1.2600


---- System - GMER 1.0.11 ----

SYSENTER ? F5FAFED5

---- Modules - GMER 1.0.11 ----

Module (noname) (*** hidden *** ) F5FAB000

---- Threads - GMER 1.0.11 ----

Thread 4:892 F5FADF6C

---- Services - GMER 1.0.11 ----

Service C:\WINDOWS\System32\lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!

---- Registry - GMER 1.0.11 ----

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ExtParam 0xA5 0x42 0xFA 0x0D ...
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ExtParam 0xA5 0x42 0xFA 0x0D ...
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386\Security
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ExtParam 0xA5 0x42 0xFA 0x0D ...
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386\Enum
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ExtParam 0xA5 0x42 0xFA 0x0D ...
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ExtParam 0xA5 0x42 0xFA 0x0D ...
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ExtParam 0xA5 0x42 0xFA 0x0D ...
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386\Security
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ExtParam 0xA5 0x42 0xFA 0x0D ...
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ExtParam 0xA5 0x42 0xFA 0x0D ...
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ExtParam 0xA5 0x42 0xFA 0x0D ...
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386\Security
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ExtParam 0xA5 0x42 0xFA 0x0D ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0xA5 0x42 0xFA 0x0D ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0xA5 0x42 0xFA 0x0D ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386\Security
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0xA5 0x42 0xFA 0x0D ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386\Enum
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0xA5 0x42 0xFA 0x0D ...

---- Files - GMER 1.0.11 ----

File C:\WINDOWS\SYSTEM32\lzx32.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.11 ----




Logfile of HijackThis v1.99.1
Scan saved at 8:55:29 PM, on 22/10/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\norton\True Sword\aswUpdSv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\PROGRA~1\norton\TRUESW~1\ashDisp.exe
E:\Program Files\norton\True Sword\ashServ.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
E:\Program Files\norton\True Sword\ashMaiSv.exe
E:\Program Files\norton\True Sword\ashWebSv.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://apcstart.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;0;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\norton\TRUESW~1\ashDisp.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\Office\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://apcstart.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1148593956136
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AAF7024-029F-4A2B-AA41-EF7FDA7A55AB}: NameServer = 194.60.108.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CB5AD6F-05AF-495D-9F51-36FEC371DF9D}: NameServer = 194.60.108.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{48C2A467-E003-4938-8CD1-B927BA156D63}: NameServer = 194.60.108.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{4EC2832B-737E-45FE-8271-0EFA3E62FA42}: NameServer = 194.60.108.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{617CF154-4E18-4C84-A6ED-7C737F7B7FDF}: NameServer = 194.60.108.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2637A9F-B51F-42C5-9C6A-281E7F11A09E}: NameServer = 194.60.108.74
O17 - HKLM\System\CS1\Services\Tcpip\..\{1AAF7024-029F-4A2B-AA41-EF7FDA7A55AB}: NameServer = 194.60.108.74
O17 - HKLM\System\CS2\Services\Tcpip\..\{1AAF7024-029F-4A2B-AA41-EF7FDA7A55AB}: NameServer = 194.60.108.74
O17 - HKLM\System\CS4\Services\Tcpip\..\{1AAF7024-029F-4A2B-AA41-EF7FDA7A55AB}: NameServer = 194.60.108.74
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - E:\Program Files\norton\True Sword\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - E:\Program Files\norton\True Sword\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\norton\True Sword\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - E:\Program Files\norton\True Sword\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: dopewars server (dopewars-server) - Unknown owner - C:\Program Files\dopewars-1.5.10\dopewars.exe (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)

#9 Buckeye_Sam
Malware Expert
  • Members
  • 17,382 posts
  • Gender: Male
  • Location: Pickerington, Ohio

Posted 22 October 2006 - 08:56 AM

I'm going to need you to download another tool for us to use.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to unload:
pe386

Files to delete:
C:\WINDOWS\System32\lzx32.sys



Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply


==============


I need to see a different type of log from HijackThis:
  • Run Hijackthis.
  • Click on "Open the Misc Tools section".
  • Next click on "Open uninstall manager".
  • Press the button 'save list'. It will open a Notepad file.
  • Place the content of that file here in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#10 barrett101
  • Topic Starter
  • Members
  • 52 posts

Posted 23 October 2006 - 03:20 AM

Ok, here are the results:




Logfile of The Avenger version 1, by Swandog46

Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\lclfibcv

*******************

Script file located at: \??\C:\axepourm.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver pe386 unloaded successfully.
File C:\WINDOWS\System32\lzx32.sys deleted successfully.

Completed script processing.

*******************

Finished! Terminate.




Logfile of HijackThis v1.99.1
Scan saved at 6:13:51 PM, on 23/10/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\norton\True Sword\aswUpdSv.exe
E:\PROGRA~1\norton\TRUESW~1\ashDisp.exe
E:\Program Files\norton\True Sword\ashServ.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
E:\Program Files\norton\True Sword\ashWebSv.exe
E:\Program Files\norton\True Sword\ashMaiSv.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://apcstart.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;0;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\norton\TRUESW~1\ashDisp.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\Office\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://apcstart.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1148593956136
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AAF7024-029F-4A2B-AA41-EF7FDA7A55AB}: NameServer = 194.60.108.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CB5AD6F-05AF-495D-9F51-36FEC371DF9D}: NameServer = 194.60.108.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{48C2A467-E003-4938-8CD1-B927BA156D63}: NameServer = 194.60.108.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{4EC2832B-737E-45FE-8271-0EFA3E62FA42}: NameServer = 194.60.108.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{617CF154-4E18-4C84-A6ED-7C737F7B7FDF}: NameServer = 194.60.108.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2637A9F-B51F-42C5-9C6A-281E7F11A09E}: NameServer = 194.60.108.74
O17 - HKLM\System\CS1\Services\Tcpip\..\{1AAF7024-029F-4A2B-AA41-EF7FDA7A55AB}: NameServer = 194.60.108.74
O17 - HKLM\System\CS2\Services\Tcpip\..\{1AAF7024-029F-4A2B-AA41-EF7FDA7A55AB}: NameServer = 194.60.108.74
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - E:\Program Files\norton\True Sword\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - E:\Program Files\norton\True Sword\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\norton\True Sword\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - E:\Program Files\norton\True Sword\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: dopewars server (dopewars-server) - Unknown owner - C:\Program Files\dopewars-1.5.10\dopewars.exe (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)


Uninstall list

Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
avast! Antivirus
ccCommon
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSgui
ESShelp
ESSini
ESSPCD
ESSSONIC
ESSTOOLS
ESSTUTOR
ESSvpaht
ESSvpot
e-tax 2006
e-tax 2006 - FTB Module
HijackThis 1.99.1
HLPIndex
HLPRFO
KSU
Microsoft Office XP Professional with FrontPage
Multimedia Card Reader
NETGEAR 108 Mbps Wireless PC Card WG511T
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Notifier
OTtBP
OTtBPSDK
Palmcorder USB Device Driver 3.01
PCForrest StartMan 1.3.96
PowerDVD
QuickTime
Remove Startup Programs Buddy 2.1
SFR
SHASTA
SKIN0001
SKINXSDK
SPBBC
Spybot - Search & Destroy 1.4
Symantec
Tweak UI
VPRINTOL
WashAndGo
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP1) [See Q307271 for more information]
Windows XP Hotfix (SP1) [See Q321856 for more information]
Windows XP Hotfix (SP1) [See Q329048 for more information]
Windows XP Hotfix (SP1) [See Q329390 for more information]
Windows XP Hotfix (SP1) [See Q329441 for more information]
Windows XP Hotfix (SP1) [See Q329834 for more information]
Windows XP Hotfix (SP1) Q329170
Windows XP Hotfix (SP1) Q810577
Windows XP Hotfix (SP1) Q810833
Windows XP Hotfix (SP1) Q817606
Windows XP Hotfix (SP2) [See Q329115 for more information]
WIRELESS

#11 Buckeye_Sam
Malware Expert
  • Members
  • 17,382 posts
  • Gender: Male
  • Location: Pickerington, Ohio

Posted 23 October 2006 - 05:34 PM

Please click Start -> Control Panel -> Add/Remove Programs and uninstall these programs:

ccCommon
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Symantec



Follow the instructions at this link for a manual uninstall of McAfee.
http://ts.mcafeehelp.com/displayDoc.asp?fr...;PopularFAQ=YES


Reboot and post a new log from ComboFix and a new HijackThis log.

Edited by Buckeye_Sam, 23 October 2006 - 05:35 PM.


#12 barrett101
  • Topic Starter
  • Members
  • 52 posts

Posted 24 October 2006 - 04:23 PM

Ok, I've tried to uninstall those programs in the install/uninstall utility, but they don't appear there...

I manually deleted McAfee though..
Here are the latest logs...

ComboFix 06.10.19 - Running from: "C:\Documents and Settings\User\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-25 to 2006-10-25 ))))))))))))))))))))))))))))))))))


2006-10-17 21:14 90,112 --a------ C:\WINDOWS\SYSTEM32\AVASTSS.scr
2006-10-17 21:14 58,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2006-10-17 21:14 51,120 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2006-10-17 21:14 367,104 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2006-10-17 21:14 35,984 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2006-10-17 21:14 19,216 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2006-10-17 21:14 13,440 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-22 05:45 -------- d-------- C:\Program Files\NETGEAR
2006-09-10 06:39 1492 --a------ C:\WINDOWSvundofix.reg
2006-09-10 06:37 9216 --a------ C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
2006-09-09 21:16 -------- d-------- C:\Program Files\HijackThis


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"DSLSTATEXE"="C:\\Program Files\\D-Link\\DSL-200\\dslstat.exe icon"
"DSLAGENTEXE"="C:\\Program Files\\D-Link\\DSL-200\\dslagent.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"avast!"="E:\\PROGRA~1\\norton\\TRUESW~1\\ashDisp.exe"
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
@=""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,01,00,00,00,80,02,00,00,39,02,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Abau"="\"C:\\PROGRA~1\\aDOBE\\csrss.exe\" -vt yazr"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Abau"="\"C:\\PROGRA~1\\aDOBE\\csrss.exe\" -vt yazr"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"gwiz"="C:\\WINDOWS\\System32\\ntsystem.exe"
"System"="C:\\WINDOWS\\System32\\testtestt.exe"
"fvbqgz.dll"="C:\\WINDOWS\\System32\\rundll32.exe C:\\WINDOWS\\System32\\fvbqgz.dll,ewougub"
"_mzu_stonedrv3"="c:\\windows\\system32\\_mzu_stonedrv3.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"SystemTools"="C:\\WINDOWS\\System32\\testtestt.exe"
"_mzu_stonedrv3"="c:\\windows\\system32\\_mzu_stonedrv3.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\NetDDEsrv

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Tune-up Application Start.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-10-25 7:17:34.76
C:\ComboFix2.txt ... 06-10-21 18:55
C:\ComboFix.txt ... 06-10-25 07:17



Logfile of HijackThis v1.99.1
Scan saved at 7:18:31 AM, on 25/10/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\Program Files\norton\True Sword\aswUpdSv.exe
E:\Program Files\norton\True Sword\ashServ.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
E:\Program Files\norton\True Sword\ashWebSv.exe
E:\Program Files\norton\True Sword\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\PROGRA~1\norton\TRUESW~1\ashDisp.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://apcstart.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;0;<local>
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\norton\TRUESW~1\ashDisp.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\Office\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://apcstart.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1148593956136
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AAF7024-029F-4A2B-AA41-EF7FDA7A55AB}: NameServer = 194.60.108.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CB5AD6F-05AF-495D-9F51-36FEC371DF9D}: NameServer = 194.60.108.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{48C2A467-E003-4938-8CD1-B927BA156D63}: NameServer = 194.60.108.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{4EC2832B-737E-45FE-8271-0EFA3E62FA42}: NameServer = 194.60.108.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{617CF154-4E18-4C84-A6ED-7C737F7B7FDF}: NameServer = 194.60.108.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2637A9F-B51F-42C5-9C6A-281E7F11A09E}: NameServer = 194.60.108.74
O17 - HKLM\System\CS1\Services\Tcpip\..\{1AAF7024-029F-4A2B-AA41-EF7FDA7A55AB}: NameServer = 194.60.108.74
O17 - HKLM\System\CS2\Services\Tcpip\..\{1AAF7024-029F-4A2B-AA41-EF7FDA7A55AB}: NameServer = 194.60.108.74
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - E:\Program Files\norton\True Sword\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - E:\Program Files\norton\True Sword\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\norton\True Sword\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - E:\Program Files\norton\True Sword\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: dopewars server (dopewars-server) - Unknown owner - C:\Program Files\dopewars-1.5.10\dopewars.exe (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
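The check Buckeye_Sam does by eye in the next reply (McAfee processes still running, a service entry now flagged "(file missing)") is the kind of comparison that is worth doing mechanically when you are working through several scans of one machine. The following Python script is an added example written for this page; it is not part of the thread, of HijackThis or of ComboFix. It parses two abbreviated copies of the 23 October and 25 October HijackThis logs posted above (trimmed to the lines needed here), lists orphaned O23 services, lists the O17 DNS servers so they can be compared against the value you expect from your ISP, and diffs the two scans. The function names (`parse_hjt`, `diff_logs` and so on) are my own.

```python
import re
from typing import Dict, List, Tuple

# Abbreviated copies of the two HijackThis logs posted in this thread (23 Oct and 25 Oct 2006).
# Only the lines needed to show the parsing and the diff are kept.
LOG_23_OCT = r"""Logfile of HijackThis v1.99.1
Scan saved at 6:13:51 PM, on 23/10/2006
Platform: Windows XP (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AAF7024-029F-4A2B-AA41-EF7FDA7A55AB}: NameServer = 194.60.108.74
O17 - HKLM\System\CS1\Services\Tcpip\..\{1AAF7024-029F-4A2B-AA41-EF7FDA7A55AB}: NameServer = 194.60.108.74
O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\norton\True Sword\ashMaiSv.exe" /service (file missing)
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
"""

LOG_25_OCT = r"""Logfile of HijackThis v1.99.1
Scan saved at 7:18:31 AM, on 25/10/2006
Platform: Windows XP (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AAF7024-029F-4A2B-AA41-EF7FDA7A55AB}: NameServer = 194.60.108.74
O17 - HKLM\System\CS1\Services\Tcpip\..\{1AAF7024-029F-4A2B-AA41-EF7FDA7A55AB}: NameServer = 194.60.108.74
O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\norton\True Sword\ashMaiSv.exe" /service (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
"""

# Every HJT finding is "<section> - <body>", e.g. "O23 - Service: ..."
ENTRY = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")


def parse_hjt(text: str) -> Dict[str, list]:
    """Split an HJT log into its running-process list and its numbered entries."""
    processes: List[str] = []
    entries: List[Tuple[str, str]] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:
            in_processes = False  # the process block ends at the first blank line
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY.match(line)
        if m:
            entries.append((m.group("section"), m.group("body")))
    return {"processes": processes, "entries": entries}


def processes_matching(parsed: Dict[str, list], needle: str) -> List[str]:
    """Case-insensitive search of the process list (HJT mixes 8.3 short names and cases)."""
    needle = needle.lower()
    return [p for p in parsed["processes"] if needle in p.lower()]


def missing_file_services(parsed: Dict[str, list]) -> List[str]:
    """O23 services whose binary HJT could not find: leftovers of an uninstall or a deleted file."""
    return [body for sec, body in parsed["entries"]
            if sec == "O23" and body.endswith("(file missing)")]


def nameservers(parsed: Dict[str, list]) -> List[str]:
    """Distinct DNS servers from the O17 entries, to compare against the expected ISP/DHCP value."""
    found = set()
    for sec, body in parsed["entries"]:
        if sec == "O17":
            m = re.search(r"NameServer = (\S+)", body)
            if m:
                found.add(m.group(1))
    return sorted(found)


def diff_logs(before: Dict[str, list], after: Dict[str, list]) -> Dict[str, List[Tuple[str, str]]]:
    """Entries that appeared or disappeared between two scans, kept in log order."""
    old, new = set(before["entries"]), set(after["entries"])
    return {
        "added": [e for e in after["entries"] if e not in old],
        "removed": [e for e in before["entries"] if e not in new],
    }


if __name__ == "__main__":
    before, after = parse_hjt(LOG_23_OCT), parse_hjt(LOG_25_OCT)
    print("McAfee still running:", processes_matching(after, "mcafee"))
    print("DNS servers:", nameservers(after))
    print("Orphaned services:", missing_file_services(after))
    for kind, items in diff_logs(before, after).items():
        for sec, body in items:
            print(f"{kind:>7}: {sec} - {body}")
```

Run against the two excerpts, the diff shows the McAfee toolbar (O3) gone and the McShield service entry replaced by a "(file missing)" version, while the process list still contains mcdetect.exe and mctskshd.exe, which is exactly the observation made in the next reply. The O17 nameserver is reported rather than judged: whether 194.60.108.74 is legitimate depends on the user's ISP, which is a question for the helper, not the script.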

#13 Buckeye_Sam
Malware Expert
  • Members
  • 17,382 posts
  • Gender: Male
  • Location: Pickerington, Ohio

Posted 24 October 2006 - 08:29 PM

Ok i've tried to uninstall those programs in the install/uninstall utility, but they don't appear there...

They show up in your uninstall list. They should be there. :thumbsup:

I manually deleted Mcafee though..

Well, not really, because your log still shows running processes for McAfee.

c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe


Please run through this once more for me and let me know how it goes. If you still can't get Norton and Mcafee uninstalled, then we'll have to do it the hard way.

#14 barrett101
  • Topic Starter
  • Members
  • 52 posts

Posted 24 October 2006 - 08:58 PM

Ok, I'll post some screen shots of the uninstall list. There are actually a few things listed on that uninstall list that aren't on the uninstall utility list.

For the McAfee, I went through the uninstall process/program listed on the link provided. Do you want a copy of the log produced from that program?

#15 barrett101
  • Topic Starter
  • Members
  • 52 posts

Posted 25 October 2006 - 05:32 AM

Ok, I can't add pictures. Below is the uninstall list generated from HJT. The ones in bold are in my Add or delete list, and the others simply aren't listed. Also, there is one in my "add or remove" list that isn't in the list generated from HJT. There is one called ISScript.


Uninstall list

Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
avast! Antivirus

ccCommon
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSgui
ESShelp
ESSini
ESSPCD
ESSSONIC
ESSTOOLS
ESSTUTOR
ESSvpaht
ESSvpot
e-tax 2006
e-tax 2006 - FTB Module
HijackThis 1.99.1

HLPIndex
HLPRFO
KSU
Microsoft Office XP Professional with FrontPage
Multimedia Card Reader
NETGEAR 108 Mbps Wireless PC Card WG511T

Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Notifier
OTtBP
OTtBPSDK
Palmcorder USB Device Driver 3.01
PCForrest StartMan 1.3.96
PowerDVD
QuickTime
Remove Startup Programs Buddy 2.1

SFR
SHASTA
SKIN0001
SKINXSDK
SPBBC
Spybot - Search & Destroy 1.4
Symantec
Tweak UI
VPRINTOL
WashAndGo
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP1) [See Q307271 for more information]
Windows XP Hotfix (SP1) [See Q321856 for more information]
Windows XP Hotfix (SP1) [See Q329048 for more information]
Windows XP Hotfix (SP1) [See Q329390 for more information]
Windows XP Hotfix (SP1) [See Q329441 for more information]
Windows XP Hotfix (SP1) [See Q329834 for more information]
Windows XP Hotfix (SP1) Q329170
Windows XP Hotfix (SP1) Q810577
Windows XP Hotfix (SP1) Q810833
Windows XP Hotfix (SP1) Q817606
Windows XP Hotfix (SP2) [See Q329115 for more information]

WIRELESS

Edited by barrett101, 25 October 2006 - 05:35 AM.
