Trojan-spy.win32@mx And Others

13 replies to this topic

#1 BryanLong

Posted 31 October 2006 - 01:29 AM

Hello team,

I am a Peace Corps Volunteer living in Guatemala who has come home to the States for a brief visit (will only be here until the 9th of Nov) to find my mom's computer infected with spyware, something which has changed the homepage on IE, and apparently a trojan called trojan-spy.win32@mx.

Any help curing it would be appreciated. I have followed the appropriate steps (Ad-Aware, Stinger, AVG, etc.). Here is my HijackThis log. Thanks -Bryan

Logfile of HijackThis v1.99.1
Scan saved at 12:21:44 AM, on 10/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\VideoKeyCodec\isamonitor.exe
C:\WINDOWS\system32\tp4serv.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\VideoKeyCodec\pmmon.exe
C:\Program Files\VideoKeyCodec\isamini.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\VideoKeyCodec\pmsngr.exe
C:\Documents and Settings\ibm\Local Settings\Temporary Internet Files\Content.IE5\O5YBKDEZ\HijackThis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {8bf5b8fc-11cb-409f-8c91-4d4ca04a1b6d} - C:\Program Files\VideoKeyCodec\isaddon.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Protection Bar - {1a29a79a-b9c8-44a9-bedf-7fadde3cf33f} - C:\Program Files\VideoKeyCodec\iesplugin.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: ferrateen - {27321538-5739-4aa1-b84c-7d18e4383f1f} - C:\WINDOWS\system32\rrtcany.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
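
For readers who want to do the first pass over a log like the one above by machine, the following Python script is an added example; it is not part of the original post and not a HijackThis feature. It parses the O-/R- entry lines and the "Running processes" list, flags an O21 SSODL entry whose CLSID is not one of the four XP SP2 defaults that the ComboFix output later in this thread lists (PostBootReminder, CDBurn, WebCheck, SysTray), flags O2/O3 browser extensions registered with no display name, and then pivots on the directory of each flagged module to pull in everything else that lives there. The sample log is a constructed subset of the log above; the allowlist and the directory pivot are heuristics of this example, and the "(no name)" rule is a prompt to look at the file, not a verdict.

```python
"""Added example: first-pass triage of a HijackThis log.

Parses the O-/R- entry lines and the 'Running processes' list, flags the load
points that deserve a look, then pivots on the directory of each flagged module.
"""
import ntpath
import re

# ShellServiceObjectDelayLoad CLSIDs that Windows XP SP2 registers itself. These are
# the four the ComboFix output in this thread lists; anything else under SSODL is
# loaded into explorer.exe at every logon and needs a reason to be there.
KNOWN_SSODL = {
    "{7849596A-48EA-486E-8937-A2A3009F31A9}",  # PostBootReminder
    "{FBEB8A05-BEEE-4442-804E-409D6C4515E9}",  # CDBurn
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}",  # WebCheck
    "{35CEC8A3-2BE6-11D2-8773-92E220524153}",  # SysTray
}

ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed sample: a subset of the log posted above (process list plus O2/O3/O4/O21/O23 lines).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\VideoKeyCodec\isamonitor.exe
C:\Program Files\VideoKeyCodec\pmsngr.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8bf5b8fc-11cb-409f-8c91-4d4ca04a1b6d} - C:\Program Files\VideoKeyCodec\isaddon.dll
O3 - Toolbar: Protection Bar - {1a29a79a-b9c8-44a9-bedf-7fadde3cf33f} - C:\Program Files\VideoKeyCodec\iesplugin.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O21 - SSODL: ferrateen - {27321538-5739-4aa1-b84c-7d18e4383f1f} - C:\WINDOWS\system32\rrtcany.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


def parse_line(line):
    """Return a dict for an O-/R- entry or a 'Running processes' path, else None."""
    line = line.strip()
    if PATH_RE.match(line):                      # a line from the process list
        return {"type": "PROC", "body": line, "clsid": None, "path": line}
    m = ENTRY_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    # O2/O3/O21/O23 lines end in ' - <path>'; O4 lines embed the command instead
    parts = [p.strip() for p in body.split(" - ")]
    path = parts[-1] if len(parts) > 1 and PATH_RE.match(parts[-1]) else None
    clsid = CLSID_RE.search(body)
    return {"type": m.group("type"), "body": body,
            "clsid": clsid.group(0).upper() if clsid else None, "path": path}


def parent_dir(path):
    return ntpath.dirname(path).lower()


def triage(log_text):
    """Return (entry, reason) pairs worth an analyst's attention, in log order."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    findings = []
    for e in entries:
        if e["type"] == "O21" and e["clsid"] not in KNOWN_SSODL:
            findings.append((e, "SSODL CLSID not in the XP SP2 allowlist"))
        elif e["type"] in ("O2", "O3") and "(no name)" in e["body"]:
            # legitimate products do this too (Spybot's SDHelper.dll is one), so
            # this is a prompt to check the file, not a verdict
            findings.append((e, "browser extension registered with no display name"))
    # Pivot: a directory hosting one flagged module is suspect as a whole, so pull in
    # every other entry and running process that lives there. %SystemRoot% is left
    # out of the pivot because it hosts hundreds of legitimate modules.
    suspect_dirs = {parent_dir(e["path"]) for e, _ in findings
                    if e["path"] and not parent_dir(e["path"]).startswith("c:\\windows")}
    seen = {id(e) for e, _ in findings}
    for e in entries:
        if e["path"] and id(e) not in seen and parent_dir(e["path"]) in suspect_dirs:
            findings.append((e, "lives in the same directory as a flagged module"))
    return findings


def cluster_by_directory(findings):
    """Group flagged file names by directory so one rogue package shows as one cluster."""
    clusters = {}
    for e, _ in findings:
        if e["path"]:
            clusters.setdefault(parent_dir(e["path"]), []).append(ntpath.basename(e["path"]))
    return clusters


if __name__ == "__main__":
    for e, reason in triage(SAMPLE_LOG):
        print(f"{e['type']:<5} {reason}: {e['path']}")
```

On the sample the pivot lands on the VideoKeyCodec directory, which is the package SmitfraudFix deletes further down the thread, and on the rrtcany.dll SSODL entry; it also flags Spybot's SDHelper.dll, which is exactly why each finding still needs a human look before anything is removed.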


#2 Guest_Cretemonster_*

Posted 01 November 2006 - 08:04 PM

Hi BryanLong and Welcome to the Bleeping Computer!


Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#3 BryanLong

Posted 02 November 2006 - 03:52 PM

THANKS!! Here is the log -Bryan

SmitFraudFix v2.117

Scan done at 14:48:28.47, Thu 11/02/2006
Run from C:\Documents and Settings\ibm\Desktop\Bryans Virus Tools\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\rrtcany.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\ibm


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\ibm\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ibm\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop

C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\VideoKeyCodec\ FOUND !
C:\Program Files\VirusBursters\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{27321538-5739-4aa1-b84c-7d18e4383f1f}"="ferrateen"

[HKEY_CLASSES_ROOT\CLSID\{27321538-5739-4aa1-b84c-7d18e4383f1f}\InProcServer32]
@="C:\WINDOWS\system32\rrtcany.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{27321538-5739-4aa1-b84c-7d18e4383f1f}\InProcServer32]
@="C:\WINDOWS\system32\rrtcany.dll"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#4 Guest_Cretemonster_*

Posted 02 November 2006 - 04:58 PM

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
  • Instead of Windows loading as normal, a menu with options should appear.
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.


After posting C:\rapport.txt, please download ComboFix to your desktop.
http://download.bleepingcomputer.com/sUBs/combofix.exe

Double-click combo.exe to launch the application.

Follow the prompts that will be displayed on the screen.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it should produce a log, combofix.txt

Please post that log in the next reply.

#5 BryanLong

Posted 02 November 2006 - 09:33 PM

THANKS FOR THE QUICK REPLY!! Here is the new log. Going to download combo.exe now. :thumbsup:


SmitFraudFix v2.117

Scan done at 20:19:54.77, Thu 11/02/2006
Run from C:\Documents and Settings\ibm\Desktop\Bryans Virus Tools\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{27321538-5739-4aa1-b84c-7d18e4383f1f}"="ferrateen"

[HKEY_CLASSES_ROOT\CLSID\{27321538-5739-4aa1-b84c-7d18e4383f1f}\InProcServer32]
@="C:\WINDOWS\system32\rrtcany.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{27321538-5739-4aa1-b84c-7d18e4383f1f}\InProcServer32]
@="C:\WINDOWS\system32\rrtcany.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\rrtcany.dll Deleted
C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\Program Files\VideoKeyCodec\ Deleted
C:\Program Files\VirusBursters\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

#6 BryanLong

Posted 02 November 2006 - 09:37 PM

HERE'S THE COMBO LOG

ibm - 06-11-02 20:32:27.23 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\ibm\Desktop\Bryans Virus Tools"

((((((((((((((((((((((((((((((( Files Created from 2006-10-02 to 2006-11-02 ))))))))))))))))))))))))))))))))))


2006-10-30 18:31 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2006-10-30 18:31 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2006-10-29 22:47 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-10-29 22:47 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2006-10-29 22:47 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-10-29 22:47 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-10-29 22:47 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2006-10-29 22:47 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-10-29 22:47 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-10-29 22:47 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2006-10-02 17:59 1,026,714 --a------ C:\VonageSignUp.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-02 12:02 -------- d-------- C:\Documents and Settings\ibm\Application Data\AVG7
2006-10-31 09:27 -------- d-------- C:\Documents and Settings\ibm\Application Data\Mozilla
2006-10-31 00:16 -------- d-------- C:\Program Files\HijackThis
2006-10-30 23:52 -------- d-------- C:\Program Files\Spyware Doctor
2006-10-30 23:07 -------- d-------- C:\Program Files\Zone Labs
2006-10-30 18:31 -------- d-------- C:\Documents and Settings\ibm\Application Data\PC Tools
2006-10-30 10:18 -------- d-------- C:\Program Files\CCleaner
2006-10-30 09:48 -------- d-------- C:\Program Files\Ad-Protect
2006-10-30 09:46 -------- d-------- C:\Documents and Settings\ibm\Application Data\AdProtect NoSpam
2006-10-30 00:08 -------- d-------- C:\Program Files\Lavasoft
2006-10-30 00:08 -------- d-------- C:\Documents and Settings\ibm\Application Data\Lavasoft
2006-10-29 22:47 -------- d-------- C:\Program Files\Grisoft
2006-10-29 22:24 -------- d-------- C:\Documents and Settings\ibm\Application Data\MSN6
2006-09-12 23:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 09:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 06:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 03:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 05:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ibmmessages"="C:\\Program Files\\IBM\\Messages By IBM\\ibmmessages.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\WALGRE~1\\WALGRE~1\\data\\Xtras\\mssysmgr.exe"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"S3TRAY2"="S3Tray2.exe"
"TrackPointSrv"="tp4serv.exe"
"ATIModeChange"="Ati2mdxx.exe"
"BluetoothAuthenticationAgent"="rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent"
"TPHOTKEY"="C:\\PROGRA~1\\ThinkPad\\PkgMgr\\HOTKEY\\TPHKMGR.exe"
"BMMGAG"="RunDll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\pwrmonit.dll,StartPwrMonitor"
"BMMLREF"="C:\\Program Files\\ThinkPad\\Utilities\\BMMLREF.EXE"
"QCWLICON"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\QCWLICON.EXE"
"TPKMAPMN"="C:\\Program Files\\ThinkPad\\Utilities\\TpKmapMn.exe"
"TP4EX"="tp4ex.exe"
"EZEJMNAP"="C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\EzEjMnAp.Exe"
"AGRSMMSG"="AGRSMMSG.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"UC_SMB"=""
"tgcmd"="\"C:\\Program Files\\Support.com\\bin\\tgcmd.exe\" /server"
"ibmmessages"="C:\\Program Files\\IBM\\Messages By IBM\\ibmmessages.exe"
"StorageGuard"="\"c:\\Program Files\\VERITAS Software\\Update Manager\\sgtray.exe\" /r"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\BMMTask.job

Completion time: 06-11-02 20:33:22.53
C:\ComboFix.txt ... 06-11-02 20:33

#7 Guest_Cretemonster_*

Posted 03 November 2006 - 04:06 AM

Looking good so far! :thumbsup:


Please run the F-Secure Online Scanner

Note: This scanner is for Internet Explorer only!
  • Follow the instructions on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy & paste the entire report in your next reply.


#8 BryanLong

Posted 06 November 2006 - 03:01 PM

Thanks! Here is the new report

Result: 38 malware found
Tracking Cookie (spyware)

* System (Disinfected)
* System

Trojan-Downloader.Win32.Zlob.atg (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP283\A0017580.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP283\A0017581.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP283\A0017679.DLL (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP283\A0017680.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP283\A0017682.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP283\A0017683.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP283\A0017684.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP283\A0017686.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP283\A0017687.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP283\A0017688.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP282\A0017335.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP282\A0017336.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP282\A0017392.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP282\A0017393.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP282\A0017403.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP282\A0017404.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP282\A0017447.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP282\A0017448.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP282\A0017536.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP282\A0017537.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP282\A0017555.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017061.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017062.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017210.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017211.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017242.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017243.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017263.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017264.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017277.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017278.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017295.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017296.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017304.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017305.EXE (Renamed & Submitted)

not-virus:Hoax.Win32.Renos.ap (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP283\A0017678.DLL (Submitted)

Statistics
Scanned:

* Files: 25630
* System: 3759
* Not scanned: 4

Actions:

* Disinfected: 1
* Renamed: 35
* Deleted: 0
* None: 2
* Submitted: 36

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{40632E6E-6603-4170-B290-211FA6597DD3}.BIN

Options
Scanning engines:

* F-Secure AVP: 6.0.171, 2006-11-06
* F-Secure Libra: 2.4.1, 2006-11-04
* F-Secure Blacklight: 1.0.31, 0000-00-00
* F-Secure Orion: 1.2.37, 2006-11-06
* F-Secure Pegasus: 1.19.0, 2006-08-29
* F-Secure Draco: 1.0.35, 0259-24-212

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
* Use Advanced heuristics

#9 Guest_Cretemonster_*

Posted 06 November 2006 - 05:56 PM

I like those results, everything is inside System Restore, which we will clean up once I'm sure the machine is clean.



Please run the Bit Defender Online Scan
http://www.bitdefender.com/scan8/ie.html

You must use Internet Explorer for this scanner.

Install the ActiveX and click on "Click here to Scan".

Allow it to update and scan the machine.

It should disinfect or delete whatever it finds that is infected.

Save the report it generates in a text format, please, and post it back here along with a fresh HijackThis log.
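
The judgement above, that every hit is a copy inside a System Restore point rather than a file that can still run, can be checked mechanically on a report like the F-Secure one posted earlier. The Python below is an added example, not part of the original thread and not F-Secure's own tooling: it parses F-Secure-style report lines (a detection header such as "<name> (virus)" followed by "* <path> (<action>)" lines), buckets each hit as a restore-point copy or a live file by looking for \System Volume Information\_restore{GUID}\RPnnn\ in the path, and records which restore points (RP281 to RP283 in this thread) hold copies. The sample report is constructed from a subset of the lines above plus one hypothetical detection ("Hypothetical.Live.Hit", with a made-up path) so that the live branch is exercised; the extension does not matter to the check, which is why the same files still classify correctly after F-Secure's rename action changes them to the .0XE names that appear in the BitDefender report further down.

```python
"""Added example: separate live detections from System Restore copies in a scanner report."""
import re

# Anything under \System Volume Information\_restore{GUID}\RPnnn\ is a backup copy that
# System Restore took of a file, not a file that runs from where it sits.
RESTORE_RE = re.compile(
    r"\\system volume information\\_restore\{[0-9a-f-]{36}\}\\rp(?P<rp>\d+)\\", re.I)
# Detection header: "<name> (virus)" / "(spyware)" / "(riskware)"
HEADER_RE = re.compile(r"^(?P<name>\S.*?)\s+\((?:virus|spyware|riskware)\)\s*$")
# File line: "* <path> (<action>)"; lines such as "* System (Disinfected)" carry no path
HIT_RE = re.compile(r"^\*\s+(?P<path>[A-Za-z]:\\.+?)\s+\((?P<action>[^)]*)\)\s*$")

# Constructed sample: a subset of the F-Secure report in this thread plus one
# hypothetical live detection with a made-up path so the 'live' branch is exercised.
SAMPLE_REPORT = r"""
Tracking Cookie (spyware)

* System (Disinfected)

Trojan-Downloader.Win32.Zlob.atg (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP283\A0017580.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP282\A0017335.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017061.EXE (Renamed & Submitted)

not-virus:Hoax.Win32.Renos.ap (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP283\A0017678.DLL (Submitted)

Hypothetical.Live.Hit (virus)

* C:\WINDOWS\system32\example_live.dll (Renamed & Submitted)
"""


def parse_report(text):
    """Yield (detection_name, path, action) for each file line under a detection header."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER_RE.match(line)
        if h:
            current = h.group("name")
            continue
        m = HIT_RE.match(line)
        if m and current:
            yield current, m.group("path"), m.group("action")


def classify(text):
    """Per detection: how many hits are restore-point copies vs live files, and which RPs."""
    summary = {}
    for name, path, action in parse_report(text):
        bucket = summary.setdefault(name, {"restore_point": 0, "live": 0,
                                           "restore_points": set(), "live_paths": []})
        m = RESTORE_RE.search(path)
        if m:
            bucket["restore_point"] += 1
            bucket["restore_points"].add(int(m.group("rp")))
        else:
            bucket["live"] += 1
            bucket["live_paths"].append(path)
    return summary


def only_restore_copies(summary):
    """True when no detection touched a live file; what remains is purging the restore points."""
    return all(b["live"] == 0 for b in summary.values())


if __name__ == "__main__":
    for name, b in classify(SAMPLE_REPORT).items():
        print(f"{name}: {b['restore_point']} in RP{sorted(b['restore_points'])}, {b['live']} live")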

#10 BryanLong

Posted 06 November 2006 - 11:46 PM

HERE IS THE FIRST REPORT. I WILL POST THE HIJACKTHIS LOG SEPARATELY. THANKS -Bryan

BitDefender Online Scanner

Scan report generated at: Mon, Nov 06, 2006 - 22:38:46

Scan path: C:\;D:\;E:\;

Statistics
Time: 01:51:45
Files: 629952
Folders: 3959
Boot Sectors: 4
Archives: 9168
Packed Files: 71075

Results
Identified Viruses: 3
Infected Files: 20
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 20

Engines Info
Virus Definitions: 312708
Engine build: AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)
Scan plugins: 13
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File - Status
C:\I386\AGENTSVR.EX_=>agentsvr.exe - Infected with: Win32.Mixor.A@mm
C:\I386\AGENTSVR.EX_=>agentsvr.exe - Disinfection failed
C:\I386\AGENTSVR.EX_=>agentsvr.exe - Deleted
C:\I386\AGENTSVR.EX_ - Update failed
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017062.0XE - Infected with: Trojan.Downloader.Zlob.AW
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017062.0XE - Disinfection failed
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017062.0XE - Deleted
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017211.0XE - Infected with: Trojan.Downloader.Zlob.AW
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017211.0XE - Disinfection failed
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017211.0XE - Deleted
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017243.0XE - Infected with: Trojan.Downloader.Zlob.AW
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017243.0XE - Disinfection failed
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017243.0XE - Deleted
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017264.0XE - Infected with: Trojan.Downloader.Zlob.AW
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017264.0XE - Disinfection failed
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017264.0XE - Deleted
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017278.0XE - Infected with: Trojan.Downloader.Zlob.AW
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017278.0XE - Disinfection failed
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017278.0XE - Deleted
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017296.0XE - Infected with: Trojan.Downloader.Zlob.AW
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017296.0XE - Disinfection failed
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017296.0XE - Deleted
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017305.0XE - Infected with: Trojan.Downloader.Zlob.AW
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017305.0XE - Disinfection failed
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP281\A0017305.0XE - Deleted
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP282\A0017336.0XE - Infected with: Trojan.Downloader.Zlob.AW
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP282\A0017336.0XE - Disinfection failed
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP282\A0017336.0XE - Deleted
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP282\A0017392.0XE - Infected with: Trojan.Downloader.Zlob.AW
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP282\A0017392.0XE - Disinfection failed
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP282\A0017392.0XE - Deleted
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP282\A0017403.0XE - Infected with: Trojan.Downloader.Zlob.AW
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP282\A0017403.0XE - Disinfection failed
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP282\A0017403.0XE - Deleted
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP282\A0017447.0XE - Infected with: Trojan.Downloader.Zlob.AW
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP282\A0017447.0XE - Disinfection failed
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP282\A0017447.0XE - Deleted
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP282\A0017537.0XE - Infected with: Trojan.Downloader.Zlob.AW
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP282\A0017537.0XE - Disinfection failed
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP282\A0017537.0XE - Deleted
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP282\A0017555.0XE - Infected with: Trojan.Downloader.Zlob.AW
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP282\A0017555.0XE - Disinfection failed
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP282\A0017555.0XE - Deleted
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP283\A0017581.0XE - Infected with: Trojan.Downloader.Zlob.AW
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP283\A0017581.0XE - Disinfection failed
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP283\A0017581.0XE - Deleted
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP283\A0017682.0XE - Infected with: Trojan.Downloader.Zlob.AW
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP283\A0017682.0XE - Disinfection failed
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP283\A0017682.0XE - Deleted
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP283\A0017683.0XE - Infected with: Trojan.Downloader.Zlob.AW
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP283\A0017683.0XE - Disinfection failed
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP283\A0017683.0XE - Deleted
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP283\A0017684.0XE - Infected with: Trojan.Downloader.Zlob.AW
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP283\A0017684.0XE - Disinfection failed
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP283\A0017684.0XE - Deleted
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP283\A0017796.exe=>(NSIS o)=>zlib_solid_nsis0006 - Infected with: Trojan.Downloader.Zlob.BGI
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP283\A0017796.exe=>(NSIS o)=>zlib_solid_nsis0006 - Disinfection failed
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP283\A0017796.exe=>(NSIS o)=>zlib_solid_nsis0006 - Deleted
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP283\A0017796.exe=>(NSIS o) - Update failed
C:\WINDOWS\$NtServicePackUninstall$\agentsvr.exe - Infected with: Win32.Mixor.A@mm
C:\WINDOWS\$NtServicePackUninstall$\agentsvr.exe - Disinfection failed
C:\WINDOWS\$NtServicePackUninstall$\agentsvr.exe - Deleted

#11 BryanLong

BryanLong
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE

Posted 06 November 2006 - 11:54 PM

HERE IS THE NEW HIJACKTHIS LOG. THANKS

Logfile of HijackThis v1.99.1
Scan saved at 10:48:10 PM, on 11/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\tp4serv.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by104fd.bay104.hotmail.msn.com/cgi-...7f843a7102c910a
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#12 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 07 November 2006 - 04:52 PM

I noticed you don't have a resident Antivirus installed?

I'm not so sure that Spyware Doctor and Zone Alarm are going to be the proper match to keep you secure.

I have no problems with Spyware Doctor but I prefer to see a real piece of Antivirus software on all machines.

I have a list of decent free Antivirus Software if you're interested.

Please install, update and scan the entire system with one of the following free Antivirus Software Programs:

AntiVir® PersonalEdition Classic

AVG Free for Windows

BitDefender 8 Free Edition

avast! 4 Home Edition

#13 BryanLong

BryanLong
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:55 PM

Posted 07 November 2006 - 11:12 PM

Yeah, I should have posted this...

I had AVG's professional edition installed, which I used for 30 days. I am leaving the country tomorrow and wanted to take it off. Since then I have installed the AVG free edition to leave on my (mom's) computer. Thanks for all your help.

Anything else that you noticed?

Seems to be working great. -Bryan

#14 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 08 November 2006 - 05:51 AM

I'd like to see one more scan before you leave, but if this isn't possible, just run the scan when you have the time.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, it will display whether your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.




