
Smitfraud


20 replies to this topic

#1 JagerBob13

  • Members
  • 11 posts

Posted 15 December 2006 - 11:59 PM

Hello, I am new to this and am not sure if I was supposed to start a new thread or not, but I did.

I have read through some of the other topics and will post some of the normally required text files.

Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 10:22:30 PM, on 12/15/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: edit_html Class - {14D1A72D-8705-11D8-B120-0040F46CB696} - C:\WINDOWS\inet20000\121054519.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft WPCEmail] C:\WINDOWS\inet20000\svchost.exe
O4 - HKLM\..\Run: [Nord] C:\WINDOWS\System32\nordsys.exe
O4 - HKLM\..\Run: [qfyqakn.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Owner\Local Settings\Application Data\qfyqakn.dll",xysmkvf
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [system spool] C:\WINDOWS\System32\syspools.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [FrameWork 2.5] FrameWork.exe
O4 - HKCU\..\Run: [Nord] C:\WINDOWS\System32\nordsys.exe
O4 - HKCU\..\Run: [system spool] C:\WINDOWS\System32\syspools.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?b438b86f4ad44a4383dd3cb94cfa5756
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?b438b86f4ad44a4383dd3cb94cfa5756
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162444138843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162444124859
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab53083.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O21 - SSODL: CDRecorder026 - {A3BC5E20-0235-1ABF-9CE1-00AA00512026} - C:\WINDOWS\System32\ehtygt32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ipv7 - Unknown owner - C:\WINDOWS\ipv7.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



SmitFraudFix v2.128 Report:

SmitFraudFix v2.128

Scan done at 22:23:08.42, Fri 12/15/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\zlbw.dll FOUND !

C:\Documents and Settings\Owner


C:\Documents and Settings\Owner\Application Data


Start Menu


C:\DOCUME~1\Owner\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


pe386-msguard-lzx32

pe386 detected, use a Rootkit scanner

Scanning wininet.dll infection


End



Spybot SD Report:


--- Search result list ---
SystemDoctor2006: Executable (File, fixed)
c:\arqk.exe

SystemDoctor2006: Executable (File, fixed)
c:\duprcchg.exe

SystemDoctor2006: Executable (File, fixed)
c:\tnvulxgo.exe

SystemDoctor2006: Executable (File, fixed)
c:\wgjy.exe

SpySheriff: Text file (File, fixed)
C:\WINDOWS\system32\svcp.csv

Smitfraud-C.: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rpcc

Smitfraud-C.: Library (File, fixing failed)
C:\WINDOWS\system32\rpcc.dll

Smitfraud-C.: Library (File, fixed)
C:\WINDOWS\system32\adir.dll

Smitfraud-C.: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WinOpts

Smitfraud-C.: Autorun settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-1409082233-1177238915-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskdir

Smitfraud-C.: Library (File, fixed)
C:\WINDOWS\system32\zlbw.dll

Smitfraud-C.: Settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-1409082233-1177238915-839522115-1003\WindowsSubVersion

Smitfraud-C.: Web page (File, fixed)
C:\WINDOWS\system32\winsub.xml

Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

Microsoft.WindowsSecurityCenter.AntiVirusOverride: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0

Microsoft.WindowsSecurityCenter.FirewallDisabled: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile\enablefirewall!=dword:1

Microsoft.WindowsSecurityCenter.FirewallDisabled: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile\enablefirewall!=dword:1

Microsoft.WindowsSecurityCenter.FirewallDisableNotify: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

Microsoft.WindowsSecurityCenter.FirewallOverride: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride!=dword:0

Microsoft.WindowsSecurityCenter.SP2Update: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2!=dword:0

Microsoft.WindowsSecurityCenter.UpdateDisableNotify: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0

Microsoft.WindowsSecurityCenter_disabled: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2

Torpig: Temporary file (File, fixed)
C:\WINDOWS\Temp\$_2341234.TMP

Torpig: Temporary file (File, fixed)
C:\WINDOWS\Temp\$_2341233.TMP

Tibs.vq: Settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-1409082233-1177238915-839522115-1003\ColorTable19

Tibs.vq: Settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-1409082233-1177238915-839522115-1003\ColorTable20

Win32.Lager.aq: Executable (File, fixed)
C:\WINDOWS\system32\se.exe.exe

Win32.Lager.aq: Executable (File, fixed)
C:\WINDOWS\system32\ss.exe.exe

Win32.Lager.aq: Executable (File, fixed)
C:\WINDOWS\system32\w.exe.exe

Advertising.com: Tracking cookie (Internet Explorer: Owner) (Cookie, fixed)


Zedo: Tracking cookie (Internet Explorer: Owner) (Cookie, fixed)


FastClick: Tracking cookie (Internet Explorer: Owner) (Cookie, fixed)


Avenue A, Inc.: Tracking cookie (Internet Explorer: Owner) (Cookie, fixed)


AdRevolver: Tracking cookie (Internet Explorer: Owner) (Cookie, fixed)


AdRevolver: Tracking cookie (Internet Explorer: Owner) (Cookie, fixed)


CasaleMedia: Tracking cookie (Internet Explorer: Owner) (Cookie, fixed)


DoubleClick: Tracking cookie (Internet Explorer: Owner) (Cookie, fixed)


TagASaurus: Tracking cookie (Internet Explorer: Owner) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-11-02 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-12-08 Includes\Cookies.sbi (*)
2006-12-08 Includes\Dialer.sbi (*)
2006-12-08 Includes\DialerC.sbi (*)
2006-11-24 Includes\Hijackers.sbi (*)
2006-12-08 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2006-12-08 Includes\KeyloggersC.sbi (*)
2006-12-08 Includes\Malware.sbi (*)
2006-12-08 Includes\MalwareC.sbi (*)
2006-10-20 Includes\PUPS.sbi (*)
2006-12-08 Includes\PUPSC.sbi (*)
2006-12-08 Includes\Revision.sbi (*)
2006-12-08 Includes\Security.sbi (*)
2006-12-08 Includes\SecurityC.sbi (*)
2006-10-13 Includes\Spybots.sbi (*)
2006-12-08 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-12-08 Includes\Trojans.sbi (*)
2006-12-08 Includes\TrojansC.sbi (*)



--- System information ---
Windows XP (Build: 2600) Service Pack 1
/ Internet Explorer 6 / SP1: Windows XP Hotfix - KB918439
/ Internet Explorer 6 / SP1: Windows XP Hotfix - KB918899
/ Internet Explorer 6 / SP1: Windows XP Hotfix - KB925486
/ Outlook Express 6 / SP1: Windows XP Hotfix - KB911567
/ Windows Media Player 8: Security Update for Windows Media Player 8 (KB917734)
/ Windows XP / SP2: Windows XP Hotfix - KB822603
/ Windows XP / SP2: Update for Windows XP (KB835409)
/ Windows XP / SP2: Windows XP Hotfix - KB835732
/ Windows XP / SP2: Windows XP Hotfix - KB842773
/ Windows XP / SP2: Security Update for Windows XP (KB905495)
/ Windows XP / SP2: Security Update for Windows XP (KB914798)
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q327979
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q328213
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q329048
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q329909
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q331953
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q811789
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q813862
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q815485
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q816979
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q816981
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q816982
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Security Update for Windows XP (KB890046)
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896424)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Security Update for Windows XP (KB900725)
/ Windows XP / SP3: Security Update for Windows XP (KB901017)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB902400)
/ Windows XP / SP3: Security Update for Windows XP (KB904706)
/ Windows XP / SP3: Security Update for Windows XP (KB905414)
/ Windows XP / SP3: Security Update for Windows XP (KB905749)
/ Windows XP / SP3: Security Update for Windows XP (KB908519)
/ Windows XP / SP3: Update for Windows XP (KB908531)
/ Windows XP / SP3: Update for Windows XP (KB910437)
/ Windows XP / SP3: Update for Windows XP (KB911280)
/ Windows XP / SP3: Security Update for Windows XP (KB911562)
/ Windows XP / SP3: Security Update for Windows XP (KB911927)
/ Windows XP / SP3: Security Update for Windows XP (KB912919)
/ Windows XP / SP3: Security Update for Windows XP (KB913580)
/ Windows XP / SP3: Security Update for Windows XP (KB914388)
/ Windows XP / SP3: Security Update for Windows XP (KB914389)
/ Windows XP / SP3: Security Update for Windows XP (KB917344)
/ Windows XP / SP3: Security Update for Windows XP (KB917422)
/ Windows XP / SP3: Security Update for Windows XP (KB917953)
/ Windows XP / SP3: Security Update for Windows XP (KB919007)
/ Windows XP / SP3: Security Update for Windows XP (KB920670)
/ Windows XP / SP3: Security Update for Windows XP (KB920683)
/ Windows XP / SP3: Security Update for Windows XP (KB920685)
/ Windows XP / SP3: Security Update for Windows XP (KB921398)
/ Windows XP / SP3: Security Update for Windows XP (KB921883)
/ Windows XP / SP3: Security Update for Windows XP (KB922616)
/ Windows XP / SP3: Security Update for Windows XP (KB922819)
/ Windows XP / SP3: Security Update for Windows XP (KB923191)
/ Windows XP / SP3: Security Update for Windows XP (KB923414)
/ Windows XP / SP3: Security Update for Windows XP (KB924191)
/ Windows XP / SP3: Security Update for Windows XP (KB924496)


--- Startup entries list ---
Located: HK_LM:Run, ccApp
command: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
file: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
size: 50880
MD5: 0a0acc6852a00997987fdf8a914755a5

Located: HK_LM:Run, ccRegVfy
command: C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
file: C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
size: 34504
MD5: b3847ac31520a40d3ff96a9bfcc066c0

Located: HK_LM:Run, KernelFaultCheck
command: %systemroot%\system32\dumprep 0 -k
file: C:\WINDOWS\system32\dumprep.exe
size: 9216
MD5: 8fcac2eab2e1207333c487f232b0fdb3

Located: HK_LM:Run, Microsoft WPCEmail
command: C:\WINDOWS\inet20000\svchost.exe
file:

Located: HK_LM:Run, Nord
command: C:\WINDOWS\System32\nordsys.exe
file: C:\WINDOWS\System32\nordsys.exe
size: 15967
MD5: fe1cda3c600780aa490faa7c1448f7e3

Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
file: C:\WINDOWS\system32\RUNDLL32.EXE
size: 31744
MD5: 322c0ca054adad71494c5542d10e1665

Located: HK_LM:Run, qfyqakn.dll
command: C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Owner\Local Settings\Application Data\qfyqakn.dll",xysmkvf
file: C:\WINDOWS\System32\rundll32.exe
size: 31744
MD5: 322c0ca054adad71494c5542d10e1665

Located: HK_LM:Run, Symantec NetDriver Monitor
command: C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
file: C:\PROGRA~1\SYMNET~1\SNDMon.exe
size: 100056
MD5: f9418981ee4d7e995d359833adab59d5

Located: HK_LM:Run, system spool
command: C:\WINDOWS\System32\syspools.exe
file: C:\WINDOWS\System32\syspools.exe
size: 18015
MD5: 9ce539a7b271efebffc560825b3bd36a

Located: HK_LM:Run, Zone Labs Client
command: "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
file: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
size: 968696
MD5: 71514e2c74d554f5902dc184046eca3b

Located: HK_LM:RunServices, FrameWork 2.5
command: FrameWork.exe
file:

Located: HK_LM:RunOnce, Spybot - Search & Destroy
command: "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
file: C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09ca174a605b480318731e691dc98539

Located: HK_CU:Run, Nord
command: C:\WINDOWS\System32\nordsys.exe
file: C:\WINDOWS\System32\nordsys.exe
size: 15967
MD5: fe1cda3c600780aa490faa7c1448f7e3

Located: HK_CU:Run, system spool
command: C:\WINDOWS\System32\syspools.exe
file: C:\WINDOWS\System32\syspools.exe
size: 18015
MD5: 9ce539a7b271efebffc560825b3bd36a

Located: Startup (disabled), HP Digital Imaging Monitor (DISABLED)
command: C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
file: C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
size: 282624
MD5: 4c733d1770150e2db09a21022906bf30

Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll

Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll

Located: System.ini, rpcc
command: C:\WINDOWS\System32\rpcc.dll
file: C:\WINDOWS\System32\rpcc.dll
size: 0
MD5: d41d8cd98f00b204e9800998ecf8427e ???

Located: System.ini, ScCertProp
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, Schedule
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll

Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll

Located: System.ini, termsrv
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, wlballoon
command: wlnotify.dll
file: wlnotify.dll



--- Browser helper object list ---
{14D1A72D-8705-11D8-B120-0040F46CB696} (edit_html Class)
BHO name:
CLSID name: edit_html Class
Path: C:\WINDOWS\inet20000\
Long name: 121054519.dll

{5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
BHO name:
CLSID name: DriveLetterAccess
description: Hewlett-Packard's DLA software
classification: Unknown
known filename: tfswshx.dll
info link:
info source: TonyKlein
Path: C:\WINDOWS\system32\dla\
Long name: tfswshx.dll
Short name:
Date (created): 11/1/2006 6:25:56 PM
Date (last access): 12/15/2006 10:30:34 PM
Date (last write): 8/6/2003 1:04:00 AM
Filesize: 106548
Attributes: archive
MD5: 15F6F27916A2D2AF3ABF029F6CF3037B
CRC32: 808FB6C8
Version: 1.4.5.1

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
BHO name:
CLSID name: SSVHelper Class
Path: C:\Program Files\Java\jre1.5.0_09\bin\
Long name: ssv.dll
Short name:
Date (created): 10/12/2006 3:10:58 AM
Date (last access): 12/15/2006 10:47:32 PM
Date (last write): 10/12/2006 3:25:44 AM
Filesize: 434279
Attributes: archive
MD5: D62E335F137D9E0F9F4DBE09564959B1
CRC32: 72699310
Version: 5.0.90.3

{9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
BHO name:
CLSID name: Windows Live Sign-in Helper
Path: C:\Program Files\Common Files\Microsoft Shared\Windows Live\
Long name: WindowsLiveLogin.dll
Short name: WINDOW~1.DLL
Date (created): 7/7/2006 12:29:52 PM
Date (last access): 12/15/2006 10:47:32 PM
Date (last write): 7/7/2006 12:29:52 PM
Filesize: 324416
Attributes: archive
MD5: 52A70C80A446FA3BBCDAF59A9AB26AF4
CRC32: B1456034
Version: 4.0.249.1

{BDF3E430-B101-42AD-A544-FADC6B084872} (NAV Helper)
BHO name: NAV Helper
CLSID name: CNavExtBho Class
description: Norton Antivirus
classification: Legitimate
known filename: NavShExt.dll
info link: http://www.symantec.com/nav/nav_9xnt/
info source: TonyKlein
Path: C:\Program Files\Norton AntiVirus\
Long name: NAVSHEXT.DLL
Short name:
Date (created): 11/1/2006 7:52:34 PM
Date (last access): 12/15/2006 10:47:32 PM
Date (last write): 11/15/2002 12:09:06 AM
Filesize: 112248
Attributes: archive
MD5: 988409CE6ED638AAFDBECFB6EC863F4F
CRC32: 04DD2C8F
Version: 9.5.0.15



--- ActiveX list ---
{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
DPF name:
CLSID name: WUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\wuweb.inf
Codebase: http://update.microsoft.com/microsoftupdat...b?1162444138843
description:
classification: Legitimate
known filename: wuweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\System32\
Long name: wuweb.dll
Short name:
Date (created): 5/26/2005 4:19:32 AM
Date (last access): 12/15/2006 10:47:32 PM
Date (last write): 5/26/2005 4:19:32 AM
Filesize: 173536
Attributes: archive
MD5: C459F2D5E64C942F3F66E1CD7F1C4C00
CRC32: EEF66B50
Version: 5.8.0.2469

{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
DPF name:
CLSID name: MUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\muweb.inf
Codebase: http://update.microsoft.com/microsoftupdat...b?1162444124859
description:
classification: Legitimate
known filename: muweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\System32\
Long name: muweb.dll
Short name:
Date (created): 5/26/2005 4:19:32 AM
Date (last access): 12/15/2006 10:47:32 PM
Date (last write): 5/26/2005 4:19:32 AM
Filesize: 178408
Attributes: archive
MD5: EE37AA2C0700221CD8B02FADCD4C7FB5
CRC32: F5494B06
Version: 5.8.0.2469

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_09
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.5.0_09\bin\
Long name: NPJPI150_09.dll
Short name: NPJPI1~1.DLL
Date (created): 10/12/2006 3:10:58 AM
Date (last access): 12/15/2006 10:47:32 PM
Date (last write): 10/12/2006 3:25:44 AM
Filesize: 69746
Attributes: archive
MD5: A3CDEB59B6B8C2EA81B9ED2D3EF4C95E
CRC32: 2A32A9A2
Version: 5.0.90.3

{B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class)
DPF name:
CLSID name: ZoneIntro Class
Installer:
Codebase: http://cdn2.zone.msn.com/binFramework/v10/...ro.cab53083.cab
description:
classification: Legitimate
known filename: ZIntro.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: ZIntro.ocx
Short name:
Date (created): 11/27/2006 4:03:22 PM
Date (last access): 12/15/2006 10:47:32 PM
Date (last write): 11/27/2006 4:03:22 PM
Filesize: 151080
Attributes: archive
MD5: D7DC7336A1758679259C09E88D6C1A0E
CRC32: 3D28955F
Version: 9.5.3083.1

{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_08
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
Path: C:\Program Files\Java\jre1.5.0_08\bin\
Long name: NPJPI150_08.dll
Short name: NPJPI1~1.DLL
Date (created): 7/26/2006 3:03:18 AM
Date (last access): 12/15/2006 10:47:32 PM
Date (last write): 7/26/2006 3:17:56 AM
Filesize: 69746
Attributes: archive
MD5: C10D603F2BD3B0A2EAC4EC5B743430D3
CRC32: 1EB99B36
Version: 5.0.80.3

{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_09
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
Path: C:\Program Files\Java\jre1.5.0_09\bin\
Long name: NPJPI150_09.dll
Short name: NPJPI1~1.DLL
Date (created): 10/12/2006 3:10:58 AM
Date (last access): 12/15/2006 10:47:32 PM
Date (last write): 10/12/2006 3:25:44 AM
Filesize: 69746
Attributes: archive
MD5: A3CDEB59B6B8C2EA81B9ED2D3EF4C95E
CRC32: 2A32A9A2
Version: 5.0.90.3

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_09
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.5.0_09\bin\
Long name: NPJPI150_09.dll
Short name: NPJPI1~1.DLL
Date (created): 10/12/2006 3:10:58 AM
Date (last access): 12/15/2006 10:47:32 PM
Date (last write): 10/12/2006 3:25:44 AM
Filesize: 69746
Attributes: archive
MD5: A3CDEB59B6B8C2EA81B9ED2D3EF4C95E
CRC32: 2A32A9A2
Version: 5.0.90.3

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://download.macromedia.com/pub/shockwa...ash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\System32\Macromed\Flash\
Long name: Flash9b.ocx
Short name:
Date (created): 11/9/2006 2:46:28 PM
Date (last access): 12/15/2006 10:47:32 PM
Date (last write): 11/9/2006 2:46:28 PM
Filesize: 2262648
Attributes: readonly archive
MD5: F3B3EE66CA76C94510555ABE9D00A353
CRC32: A51F3CB4
Version: 9.0.28.0

{DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object)
DPF name:
CLSID name: PopCapLoader Object
Installer: C:\WINDOWS\Downloaded Program Files\popcaploader.inf
Codebase: http://download.games.yahoo.com/games/web_...aploader_v6.cab
description:
classification: Legitimate
known filename: POPCAPLOADER.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: popcaploader.dll



--- Process list ---
PID: 0 ( 0) [System]
PID: 508 ( 4) \SystemRoot\System32\smss.exe
PID: 572 ( 508) \??\C:\WINDOWS\system32\csrss.exe
PID: 596 ( 508) \??\C:\WINDOWS\system32\winlogon.exe
PID: 640 ( 596) C:\WINDOWS\system32\services.exe
size: 101376
MD5: E3DF4A0252D287C44606EE55355E1623
PID: 652 ( 596) C:\WINDOWS\system32\lsass.exe
size: 11776
MD5: B2B6BA905D0E3F8A32A0EB3B4051807B
PID: 820 ( 640) C:\WINDOWS\system32\svchost.exe
size: 12800
MD5: 0F7D9C87B0CE1FA520473119752C6F79
PID: 936 ( 640) C:\WINDOWS\System32\svchost.exe
size: 12800
MD5: 0F7D9C87B0CE1FA520473119752C6F79
PID: 1080 ( 640) C:\WINDOWS\System32\svchost.exe
size: 12800
MD5: 0F7D9C87B0CE1FA520473119752C6F79
PID: 1144 ( 640) C:\WINDOWS\System32\svchost.exe
size: 12800
MD5: 0F7D9C87B0CE1FA520473119752C6F79
PID: 1256 ( 596) C:\WINDOWS\System32\svchost.exe
size: 12800
MD5: 0F7D9C87B0CE1FA520473119752C6F79
PID: 212 ( 200) C:\WINDOWS\Explorer.EXE
size: 1004032
MD5: A82B28BFC2E4455FE43022A498C0EF0A
PID: 972 ( 212) C:\Program Files\Internet Explorer\iexplore.exe
size: 91136
MD5: 6F2F9D738B6F6478F90FEFE4BEB63C4A
PID: 344 ( 212) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 4 ( 0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 12/15/2006 10:52:17 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\windows\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.ca/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://home.microsoft.com/access/autosearch.asp?p=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\windows\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{50213291-7592-4C96-9662-5ED806EDCD6C}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{50213291-7592-4C96-9662-5ED806EDCD6C}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D01A37CA-FF1E-4170-AD82-E3AA7F1235F1}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D01A37CA-FF1E-4170-AD82-E3AA7F1235F1}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{EDC52D59-66A9-44AA-8BF1-E883C4691B2B}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{EDC52D59-66A9-44AA-8BF1-E883C4691B2B}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F6396A1B-145D-4509-A049-0A120ECB0ADA}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F6396A1B-145D-4509-A049-0A120ECB0ADA}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace



--- Uninstall list ---
(AddressBook)

AOL Uninstaller (Choose which Products to Remove) (AOL Uninstaller)
uninstall cmd: C:\Program Files\Common Files\AOL\uninstaller.exe

AVG Anti-Spyware 7.5 (AVGAntiSpyware75)
install location: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5
uninstall cmd: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
publisher: Grisoft Ltd.
help link: http://www.grisoft.com

Azureus 2.5.0.0 (Azureus)
install location: C:\Program Files\Azureus
uninstall cmd: C:\Program Files\Azureus\Uninstall.exe

(Branding)

(Connection Manager)

(DirectAnimation)

(DirectDrawEx)

(dlatray.exe)
uninstall cmd: C:\WINDOWS\System32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}

(Fontcore)

HijackThis 1.99.1 1.99.1 (HijackThis)
uninstall cmd: C:\Program Files\Hijackthis\HijackThis.exe /uninstall
publisher: Soeperman Enterprises Ltd.

Hijackthis 1.99.1 (Hijackthis_is1)
install location: C:\Program Files\Hijackthis\
uninstall cmd: "C:\Program Files\Hijackthis\unins000.exe"
publisher: Soeperman Enterprises Ltd
help link: http://www.merijn.org

HP Imaging Device Functions 5.0 5.0 (HP Imaging Device Functions)
uninstall cmd: C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
publisher: HP
help link: http://www.hp.com/support

HP Solution Center & Imaging Support Tools 5.0 5.0 (HP Solution Center & Imaging Support Tools)
uninstall cmd: C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
publisher: HP
help link: http://www.hp.com/support

HP Extended Capabilities 5.0 5.0 (HPExtendedCapabilities)
uninstall cmd: C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
publisher: HP
help link: http://www.hp.com/support

(ICW)

(IE40)

(IE4Data)

(IE5BAKEX)

(IEData)

(KB884016)

(KB893803)

LiveReg (Symantec Corporation) 2.2.5.1678 (LiveReg)
install location: C:\Program Files\Common Files\Symantec Shared\LiveReg
uninstall cmd: C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
publisher: Symantec Corporation

LiveUpdate 1.80 (Symantec Corporation) 1.80.19.0 (LiveUpdate)
install location: C:\Program Files\Symantec\LiveUpdate
uninstall cmd: C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
publisher: Symantec Corporation

(Microsoft NetShow Player 2.0)

(MobileOptionPack)

(MPlayer2)

(MSI30-Beta1)

(MSI30-Beta2)

(MSI30-KB884016)

(MSI30-RC1)

(MSI30-RC2)

(MSI30a-KB884016)

(MSI31-Beta)

(MSI31-RC1)

(NetMeeting)

NVIDIA Windows 2000/XP Display Drivers (NVIDIA)
uninstall cmd: rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvdd.inf

(OutlookExpress)

(PCHealth)
uninstall cmd: rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

Intel® PRO Network Adapters and Drivers (PROSet)
uninstall cmd: Prounstl.exe

(RecordNow.exe)
uninstall cmd: C:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}

(SchedulingAgent)

(Sevinst)

(SGTRAY.EXE)
uninstall cmd: C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature

Adobe Flash Player 9 ActiveX 9 (ShockwaveFlash)
uninstall cmd: C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
publisher: Adobe Systems
help link: http://www.adobe.com/go/flashplayer_support/

Spybot - Search & Destroy 1.4 1.4 (Spybot - Search & Destroy_is1)
install location: C:\Program Files\Spybot - Search & Destroy\
uninstall cmd: "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
publisher: Safer Networking Limited

TVUPlayer 2.2.0 2.2.0 (TVUPlayer)
uninstall cmd: C:\Program Files\TVUPlayer\uninst.exe
publisher: TVU networks, Inc.

Windows Genuine Advantage Validation Tool (KB892130) 1.5.0530.0 (WGA)
install date: 20061102
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=892130

Windows Live Toolbar 03.00.1615 (Windows Live Toolbar)
uninstall cmd: C:\Program Files\Windows Live Toolbar\UnInstall.exe {73B1C023-4490-4A57-A7E1-F20268ECBE52}
publisher: Microsoft Corporation

ZoneAlarm 6.5.737.000 (ZoneAlarm)
uninstall cmd: C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe
publisher: Zone Labs, Inc
help link: C:\Program Files\Zone Labs\ZoneAlarm\Help\zaclients.chm

Destinations 53.0.13.000 ({09984AEC-6B9F-4ca7-B78D-CB44D4771DA3})
version: 889192461
version (major): 53
estimated size: 17004
install date: 20061101
install source: d:\setup\Destinations\
publisher: Hewlett-Packard

Sonic Update Manager 2.80 ({09DA4F91-2A09-4232-AB8C-6BC740096DE3})
version: 38797312
version (major): 2
version (minor): 80
estimated size: 1703
install date: 20061101
install source: C:\WINDOWS\TEMP\VIES53CA\DLA\UM\
uninstall cmd: MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
publisher: Sonic Solutions

Sonic DLA 4.50 ({1206EF92-2E83-4859-ACCB-2048C3CB7DA6})
version: 70385664
version (major): 4
version (minor): 50
estimated size: 2676
install date: 20061101
install source: C:\WINDOWS\TEMP\VIES53CA\DLA\
uninstall cmd: MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
publisher: Sonic Solutions
help link: http://support.dell.com/

HP Software Update 3.0.5.001 ({15EE79F4-4ED1-4267-9B0F-351009325D7D})
version: 50331653
version (major): 3
estimated size: 3861
install date: 20061101
install source: d:\setup\HPSoftwareUpdate\
uninstall cmd: MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
publisher: HEWLET~1|Hewlett-Packard
contact: http://www.hp.com/support

Windows Live Sign-in Assistant 4.000.249.1 ({22B3CC30-77B8-419C-AA4B-F571FDF5D66D})
version: 67109113
version (major): 4
estimated size: 1112
install date: 20061102
install source: C:\DOCUME~1\Owner\LOCALS~1\Temp\IXP000.TMP\
uninstall cmd: MsiExec.exe /I{22B3CC30-77B8-419C-AA4B-F571FDF5D66D}
publisher: Microsoft Corporation

TrayApp 53.0.13.000 ({30C19FF2-7FBA-4d09-B9DE-1659977F64F6})
version: 889192461
version (major): 53
estimated size: 805
install date: 20061101
install source: d:\setup\TrayApp\
publisher: Hewlett-Packard

Rhapsody Player Engine 1.0.636 ({30C2FCD0-FF7B-4FFA-8DDE-43A22E01A1E7})
version: 16777852
version (major): 1
estimated size: 1493
install date: 20061102
install source: C:\DOCUME~1\Owner\LOCALS~1\Temp\IXP000.TMP\
uninstall cmd: MsiExec.exe /I{30C2FCD0-FF7B-4FFA-8DDE-43A22E01A1E7}
publisher: RealNetworks
comments: The Rhapsody Player Engine is a Web browser plugin used for Rhapsody On The Web.
contact: RealNetworks
help link: http://www.rhapsody.com

J2SE Runtime Environment 5.0 Update 8 1.5.0.80 ({3248F0A8-6813-11D6-A77B-00B0D0150080})
version: 17104896
version (major): 1
version (minor): 5
estimated size: 122857
install date: 20061101
install source: http://jdl.sun.com/webapps/download/GetFil.../windows-i586//
uninstall cmd: MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150080}
publisher: Sun Microsystems, Inc.
contact: http://java.com
help link: http://java.com
readme: C:\Program Files\Java\jre1.5.0_08\README.txt

J2SE Runtime Environment 5.0 Update 9 1.5.0.90 ({3248F0A8-6813-11D6-A77B-00B0D0150090})
version: 17104896
version (major): 1
version (minor): 5
estimated size: 122865
install date: 20061101
install source: http://jdl.sun.com/webapps/download/GetFil.../windows-i586//
uninstall cmd: MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
publisher: Sun Microsystems, Inc.
contact: http://java.com
help link: http://java.com
readme: C:\Program Files\Java\jre1.5.0_09\README.txt

WebFldrs XP 9.50.6513 ({350C97B0-3D7C-4EE8-BAA9-00BCB3D54227})
version: 154278257
version (major): 9
version (minor): 50
estimated size: 2508
install date: 20061101
install source: C:\WINDOWS\System32\
publisher: Microsoft Corporation
help link: http://www.microsoft.com/windows

HP Deskjet 3900 series 5.0 ({3819891A-030B-4a4e-98ED-B28A649E48AB})
uninstall cmd: C:\Program Files\HP\Digital Imaging\{3819891A-030B-4a4e-98ED-B28A649E48AB}\setup\hpzscr01.exe -datfile hpfscr05.dat
publisher: HP
help link: http://www.hp.com/support

HPDeskjet3900Series 1.00.0000 ({42F6BED9-41DD-40F1-85A8-8E0350493626})
version: 16777216
version (major): 1
estimated size: 20913
install date: 20061101
install source: d:\setup\DeskjetSoftware\
publisher: Hewlett-Packard

WebReg 53.0.13.000 ({56F8AFC3-FA98-4ff1-9673-8A026CBF85BE})
version: 889192461
version (major): 53
estimated size: 557
install date: 20061101
install source: d:\setup\WebReg\
publisher: Hewlett-Packard

MarketResearch 53.0.13.000 ({5B622B7A-60FB-4630-B11D-F121D20BCCD6})
version: 889192461
version (major): 53
estimated size: 2880
install date: 20061101
install source: d:\setup\MarketResearch\
publisher: Hewlett-Packard

DeviceFunctionQFolder 1.00.0000 ({5F26311C-B135-4F7F-B11E-8E650F83651E})
version: 16777216
version (major): 1
install date: 20061101
install source: d:\setup\QFolder\
publisher: Hewlett-Packard

({644F9DBE-CEDB-45AF-ACB8-E26692B74F62})

eSupportQFolder 1.00.0000 ({66E6CE0C-5A1E-430C-B40A-0C90FF1804A8})
version: 16777216
version (major): 1
install date: 20061101
install source: d:\setup\QFolder\
publisher: Hewlett-Packard

CustomerResearchQFolder 1.00.0000 ({6F5E2F4A-377D-4700-B0E3-8F7F7507EA15})
version: 16777216
version (major): 1
install date: 20061101
install source: d:\setup\QFolder\
publisher: Hewlett-Packard

Windows Live Toolbar 03.00.1615 ({73B1C023-4490-4A57-A7E1-F20268ECBE52})
version: 50333263
version (major): 3
estimated size: 8600
install date: 20061102
install source: C:\DOCUME~1\Owner\LOCALS~1\Temp\IXP000.TMP\
uninstall cmd: MsiExec.exe /X{73B1C023-4490-4A57-A7E1-F20268ECBE52}
publisher: Microsoft Corporation

Tabbed Browsing (Windows Live Toolbar) 03.00.1615 ({7DED5635-B47C-4B0F-9AD0-8765D15FD94F})
version: 50333263
version (major): 3
estimated size: 1752
install date: 20061102
install source: C:\DOCUME~1\Owner\LOCALS~1\Temp\
uninstall cmd: MsiExec.exe /X{7DED5635-B47C-4B0F-9AD0-8765D15FD94F}
publisher: Microsoft Corporation

Microsoft Office Basic Edition 2003 11.0.5614.0 ({91130409-6000-11D3-8CFE-0150048383C9})
version: 184554990
version (major): 11
estimated size: 178903
install date: 20061103
install source: C:\MSOCache\All Users\90000409-6000-11D3-8CFE-0150048383C9\
uninstall cmd: MsiExec.exe /I{91130409-6000-11D3-8CFE-0150048383C9}
publisher: Microsoft Corporation
help link: http://www.microsoft.com/support
readme: C:\Program Files\Microsoft Office\OFFICE11\1033\OFREADME.HTM

Sonic RecordNow! 6.5.0 ({9541FED0-327F-4DF0-8B96-EF57EF622F19})
version: 100990976
version (major): 6
version (minor): 5
estimated size: 25515
install date: 20061101
install source: D:\RN\ENU\
uninstall cmd: MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
publisher: Sonic Solutions
help link: http://support.sonic.com/desktop/

Windows Live Toolbar MSN Extension (Windows Live Toolbar) 03.00.1615 ({9E7E97D2-3F83-460D-9348-CE40A21E2CA6})
version: 50333263
version (major): 3
estimated size: 442
install date: 20061102
install source: C:\DOCUME~1\Owner\LOCALS~1\Temp\
uninstall cmd: MsiExec.exe /X{9E7E97D2-3F83-460D-9348-CE40A21E2CA6}
publisher: Microsoft Corporation

DeviceManagementQFolde



#2 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:11:07 AM

Posted 16 December 2006 - 04:00 AM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions.
There is a possibility some of the instructions will need to be carried out where internet access is not available.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and that you don't miss out any steps.
If you have any queries about the process or just general questions, just ask.

Due to the status of some of the files you have on your computer, I strongly recommend that you do the following immediately. Disconnect the infected computer from the internet until the computer can be cleaned. From a clean computer, change all your online passwords-- for email, for banks, eBay, forums etc.... Do not change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information.

Download the Rustock.b removal tool from the link below...and save it to your desktop:
http://www.uploads.ejvindh.net/rustbfix.exe

Double click on rustbfix.exe to run the tool.
If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer.
The reboot will probably take quite a while, and perhaps 2 reboots will be needed.
But this will happen automatically.
After the reboot 2 logfiles will open (C:\avenger.txt & C:\rustbfix\pelog.txt).
Post the content of these logfiles along with a new HijackThis log in your next reply.
Please post the Hijackthis log from normal mode.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Once in Safe Mode, open the SmitfraudFix folder again.
Double-click smitfraudfix.cmd.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning : running option #2 on a non infected computer will remove your Desktop background.
Also post a new Hijackthis log.

David

#3 JagerBob13

JagerBob13
  • Topic Starter

  • Members
  • 11 posts
  • Local time:04:07 AM

Posted 16 December 2006 - 05:48 PM

Hello, first off, thanks for the help.

Here are the 3 log files you requested; after this I will reboot in safe mode without networking.


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tdkvhslr

*******************

Script file located at: \??\C:\WINDOWS\yiwndqbi.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

********************** Rustock.b-fix -- By ejvindh *************************
Sat 12/16/2006 16:18:06.96


******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....
Examine the Avenger-logfile in order to assess the success of the unload-procedure

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 68250
Total size: 68250 bytes.
Attempting to remove ADS...
system32: deleted 68250 bytes in 1 streams.


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No streams found.


******************************* End of Logfile ********************************

~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 4:38:16 PM, on 12/16/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\nordsys.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\syspools.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\ipv7.exe
C:\WINDOWS\System32\msasvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\System32\dumprep.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: edit_html Class - {14D1A72D-8705-11D8-B120-0040F46CB696} - C:\WINDOWS\inet20000\121054519.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft WPCEmail] C:\WINDOWS\inet20000\svchost.exe
O4 - HKLM\..\Run: [Nord] C:\WINDOWS\System32\nordsys.exe
O4 - HKLM\..\Run: [qfyqakn.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Owner\Local Settings\Application Data\qfyqakn.dll",xysmkvf
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [system spool] C:\WINDOWS\System32\syspools.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [FrameWork 2.5] FrameWork.exe
O4 - HKCU\..\Run: [Nord] C:\WINDOWS\System32\nordsys.exe
O4 - HKCU\..\Run: [system spool] C:\WINDOWS\System32\syspools.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?b438b86f4ad44a4383dd3cb94cfa5756
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?b438b86f4ad44a4383dd3cb94cfa5756
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162444138843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162444124859
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab53083.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O21 - SSODL: CDRecorder026 - {A3BC5E20-0235-1ABF-9CE1-00AA00512026} - C:\WINDOWS\System32\ehtygt32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ipv7 - Unknown owner - C:\WINDOWS\ipv7.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#4 JagerBob13

JagerBob13
  • Topic Starter

  • Members
  • 11 posts
  • Local time:04:07 AM

Posted 16 December 2006 - 05:57 PM

OK, so I rebooted into safe mode without networking and ran my smitfraud fix again, here is the logfile.

SmitFraudFix v2.128

Scan done at 16:47:30.14, Sat 12/16/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End



Also, just so you know, after I rebooted into normal Windows this time I again got a message, which I have always assumed is fake, stating that my computer's registry may need to be fixed and to click here to download a fix. I (as always) cancelled out of it.

#5 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:11:07 AM

Posted 17 December 2006 - 01:07 PM

Hello there,

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.

A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: edit_html Class - {14D1A72D-8705-11D8-B120-0040F46CB696} - C:\WINDOWS\inet20000\121054519.dll (file missing)
O4 - HKLM\..\Run: [Microsoft WPCEmail] C:\WINDOWS\inet20000\svchost.exe
O4 - HKLM\..\Run: [Nord] C:\WINDOWS\System32\nordsys.exe
O4 - HKLM\..\Run: [qfyqakn.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Owner\Local Settings\Application Data\qfyqakn.dll",xysmkvf
O4 - HKLM\..\Run: [system spool] C:\WINDOWS\System32\syspools.exe
O4 - HKLM\..\RunServices: [FrameWork 2.5] FrameWork.exe
O4 - HKCU\..\Run: [Nord] C:\WINDOWS\System32\nordsys.exe
O4 - HKCU\..\Run: [system spool] C:\WINDOWS\System32\syspools.exe
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O21 - SSODL: CDRecorder026 - {A3BC5E20-0235-1ABF-9CE1-00AA00512026} - C:\WINDOWS\System32\ehtygt32.dll (file missing)
O23 - Service: ipv7 - Unknown owner - C:\WINDOWS\ipv7.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\inet20000
C:\WINDOWS\System32\nordsys.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\qfyqakn.dll
C:\WINDOWS\System32\syspools.exe
C:\WINDOWS\System32\FrameWork.exe
C:\WINDOWS\System32\rpcc.dll
C:\WINDOWS\System32\ehtygt32.dll
C:\WINDOWS\ipv7.exe
C:\WINDOWS\System32\msasvc.exe


Open 'File' in the Killbox menu on top and choose Paste from clipboard.
You must use the File menu; pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, and let me know if any appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Open notepad and copy and paste the following text in the quote box into the window:

sc stop MsaSvc
sc delete MsaSvc
sc stop ipv7
sc delete ipv7

Save this as fix.bat
Choose to save as all files.
This is how the batch must look afterwards: (screenshot not available)
Doubleclick fix.bat and let the program run.

Download and save Blacklight to your desktop.
Double-click blbeta.exe then accept the agreement.
Click on scan then click next,
You'll see a list of all items found.
Do not choose to rename yet! I want to see the log first; legitimate items can also be present.
There is a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
Post the contents of the log in your next reply.

Please download Combofix to your desktop.
Doubleclick combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

Please post those 3 logs in your next reply. :thumbsup:
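A defender-side triage of the kind of HijackThis entries David singles out above, written as an added example for this thread (it is not HijackThis code or any tool the helpers use): it parses O2/O4/O20/O21/O23 lines and flags the patterns his list exhibits, such as missing files, services with no publisher, system-binary names outside System32, DLLs run from a user profile, and bare RunServices filenames. The sample lines are constructed from this thread's own log plus a few benign entries for contrast; the rule names and functions are my own.

```python
"""Triage helper for HijackThis 1.99-style log entries.

Added example for this thread; it is not HijackThis code nor any tool the
helpers use. The rules mirror the patterns in the entries David asked to fix.
"""
import re
from typing import Dict, List, Optional, Tuple

# Core Windows binaries malware likes to imitate; a copy outside System32
# (e.g. C:\WINDOWS\inet20000\svchost.exe) is a classic tell.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                       "services.exe", "smss.exe", "spoolsv.exe", "explorer.exe"}

# Lower-case path fragments where autostart binaries rarely belong.
ODD_LOCATIONS = ("\\local settings\\application data\\", "\\temp\\")

ENTRY_RE = re.compile(r"^(O\d+|R\d+)\s+-\s+(.*)$")
# A drive-rooted path ending in .exe or .dll (a quote terminates it).
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\.(?:exe|dll))', re.I)
# A file sitting directly in C:\WINDOWS rather than a subfolder.
WINDOWS_ROOT_RE = re.compile(r"c:\\windows\\[^\\]+")


def parse_entry(line: str) -> Optional[Tuple[str, str, List[str]]]:
    """Return (entry type, remainder, paths found) or None for non-entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.groups()
    return kind, rest, PATH_RE.findall(rest)


def assess(kind: str, rest: str, paths: List[str]) -> List[str]:
    """Apply the triage rules; an empty list means nothing stood out."""
    reasons: List[str] = []
    low = rest.lower()
    if "(file missing)" in low:
        reasons.append("referenced file is missing (orphaned entry)")
    if kind == "O23" and "unknown owner" in low:
        reasons.append("service has no publisher (Unknown owner)")
    if kind == "O4" and "runservices" in low and not paths:
        reasons.append("RunServices item given as a bare filename, no path")
    if kind in ("O20", "O21"):
        reasons.append(f"{kind} entry loads into Winlogon/Explorer; verify the DLL's publisher")
    for p in paths:
        pl = p.lower()
        parent, name = pl.rsplit("\\", 1)
        if name in SYSTEM_BINARY_NAMES and not parent.endswith("\\system32"):
            reasons.append(f"system binary name outside System32: {p}")
        if any(frag in pl for frag in ODD_LOCATIONS):
            reasons.append(f"binary in a temp/profile-data folder: {p}")
        if kind in ("O4", "O23") and WINDOWS_ROOT_RE.fullmatch(pl):
            reasons.append(f"autostart binary directly in C:\\WINDOWS: {p}")
        if (kind == "O4" and "rundll32" in low and name.endswith(".dll")
                and "\\documents and settings\\" in pl):
            reasons.append(f"rundll32 loading a DLL from a user profile: {p}")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged log line to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        kind, rest, paths = parsed
        reasons = assess(kind, rest, paths)
        if reasons:
            findings[line.strip()] = reasons
    return findings


# Constructed sample: entries from this thread's HijackThis log plus benign ones.
SAMPLE_LOG = r"""
O2 - BHO: edit_html Class - {14D1A72D-8705-11D8-B120-0040F46CB696} - C:\WINDOWS\inet20000\121054519.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft WPCEmail] C:\WINDOWS\inet20000\svchost.exe
O4 - HKLM\..\Run: [qfyqakn.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Owner\Local Settings\Application Data\qfyqakn.dll",xysmkvf
O4 - HKLM\..\RunServices: [FrameWork 2.5] FrameWork.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O23 - Service: ipv7 - Unknown owner - C:\WINDOWS\ipv7.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("   ->", reason)
```

Entries the rules do not flag (the Java BHO, NvCplDaemon, ZoneAlarm, the NVIDIA service) still deserve a look if their publisher is unexpected; the script narrows the list, it does not replace the helper's judgement.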

#6 JagerBob13

JagerBob13
  • Topic Starter

  • Members
  • 11 posts
  • Local time:04:07 AM

Posted 17 December 2006 - 04:07 PM

WOW, what a difference; you have been a saviour, thanks.

Here are the 3 log files you asked for.

~~~~~~~~~~~~~~~

12/17/06 14:40:56 [Info]: BlackLight Engine 1.0.47 initialized
12/17/06 14:40:56 [Info]: OS: 5.1 build 2600 (Service Pack 1)
12/17/06 14:40:56 [Note]: 7019 4
12/17/06 14:40:56 [Note]: 7005 0
12/17/06 14:40:59 [Note]: 7006 0
12/17/06 14:40:59 [Note]: 7011 236
12/17/06 14:40:59 [Note]: 7026 0
12/17/06 14:40:59 [Note]: 7026 0
12/17/06 14:41:06 [Note]: FSRAW library version 1.7.1020
12/17/06 14:46:40 [Note]: 7007 0

~~~~~~~~~~~~~~~

Owner - 06-12-17 14:47:17.73 Service Pack 1
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Owner\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-11-17 to 2006-12-17 ))))))))))))))))))))))))))))))))))


2006-12-17 14:32 <DIR> d-------- C:\!KillBox
2006-12-16 16:47 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2006-12-16 16:47 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-12-16 16:47 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2006-12-16 16:47 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-12-16 16:47 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-12-16 16:47 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-12-16 16:22 <DIR> d-------- C:\avenger
2006-12-16 16:18 <DIR> d-------- C:\Rustbfix
2006-12-15 22:07 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2006-12-15 22:07 <DIR> d-------- C:\Program Files\Zone Labs
2006-12-15 22:06 <DIR> d-------- C:\WINDOWS\Internet Logs
2006-12-15 22:05 <DIR> d-------- C:\Program Files\zone alarm
2006-12-15 21:57 6,239 --a------ C:\Documents and Settings\Owner\W6I58BI.exe
2006-12-15 21:57 6,199 --a------ C:\Documents and Settings\Owner\d03J0VW.exe
2006-12-15 21:54 6,239 --a------ C:\Documents and Settings\Owner\gi7SGHt.exe
2006-12-15 21:54 6,199 --a------ C:\Documents and Settings\Owner\dmuHKMH.exe
2006-12-15 20:08 6,239 --a------ C:\Documents and Settings\Owner\uN3w0he.exe
2006-12-15 19:25 <DIR> d-------- C:\Program Files\Ultimate Cleaner
2006-12-15 19:20 72,704 --a------ C:\oaciow.exe
2006-12-15 19:20 1,941 --a------ C:\ragjo.exe
2006-12-15 19:18 6,239 --a------ C:\Documents and Settings\Owner\t0UPWK8.exe
2006-12-15 19:18 6,199 --a------ C:\Documents and Settings\Owner\Jc2ML2O.exe
2006-12-13 22:50 6,239 --a------ C:\Documents and Settings\Owner\P35.exe
2006-12-13 22:50 6,199 --a------ C:\Documents and Settings\Owner\fp8ghxX.exe
2006-12-13 21:24 21,760 --a------ C:\WINDOWS\system32\drivers\USBSTOR.SYS
2006-12-13 12:03 38,069 --a------ C:\WINDOWS\system32\z2731.exe
2006-12-13 12:00 6,239 --a------ C:\WINDOWS\system32\Fw7Q1hl.exe
2006-12-13 12:00 38,069 --a------ C:\WINDOWS\system32\z2834.exe
2006-12-12 19:34 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Azureus
2006-12-12 19:33 <DIR> d-------- C:\Program Files\Azureus
2006-12-11 13:58 6,239 --a------ C:\WINDOWS\system32\IlO0j7w.exe
2006-12-10 00:53 2,964 --a------ C:\WINDOWS\system32\tmp.reg
2006-12-10 00:49 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-10 00:49 <DIR> d-------- C:\Program Files\Grisoft
2006-12-10 00:46 <DIR> d-------- C:\Program Files\Hijackthis
2006-12-10 00:16 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-12-10 00:10 38,069 --a------ C:\WINDOWS\system32\z2385.exe
2006-12-09 23:45 38,069 --a------ C:\WINDOWS\system32\z2670.exe
2006-12-09 23:28 <DIR> d-------- C:\WINDOWS\Minidump
2006-12-09 23:26 73,728 --a------ C:\WINDOWS\system32\install.exe
2006-12-09 23:26 68,250 --a------ C:\WINDOWS\system32\lzx32.sys
2006-12-09 22:58 45,056 --a------ C:\Documents and Settings\Owner\wpcem.exe
2006-12-09 16:12 89,088 --a------ C:\WINDOWS\system32\qfyqakn.dll
2006-12-09 16:12 38,069 --a------ C:\WINDOWS\system32\z2724.exe
2006-12-09 16:11 81,920 --a------ C:\WINDOWS\system32\Packet.dll
2006-12-09 16:11 61,440 --a------ C:\WINDOWS\system32\WanPacket.dll
2006-12-09 16:11 54,367 --a------ C:\WINDOWS\system32\google.png.exe
2006-12-09 16:11 53,299 --a------ C:\WINDOWS\system32\pthreadVC.dll
2006-12-09 16:11 5,120 --a------ C:\WINDOWS\system32\z2883.exe
2006-12-09 16:11 32,512 --a------ C:\WINDOWS\system32\drivers\npf.sys
2006-12-09 16:11 233,472 --a------ C:\WINDOWS\system32\wpcap.dll
2006-12-09 16:11 18,015 --a------ C:\WINDOWS\system32\w.exe
2006-12-09 11:42 114 --a------ C:\WINDOWS\system32\xgiz.bat
2006-12-09 11:41 126 --a------ C:\WINDOWS\system32\comj.bat
2006-12-09 11:34 126 --a------ C:\WINDOWS\system32\emvkkbp.bat
2006-12-09 11:31 6,656 --a------ C:\vubes.exe
2006-12-05 15:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PopCap
2006-12-04 10:52 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2006-12-04 10:52 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2006-12-04 10:52 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2006-12-04 10:52 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2006-12-04 10:52 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2006-12-04 10:52 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2006-12-01 19:25 83,712 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2006-12-01 19:25 8,064 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2006-12-01 19:25 4,992 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2006-12-01 19:25 18,560 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2006-12-01 19:25 16,384 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2006-12-01 19:25 14,592 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2006-12-01 19:25 10,752 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2006-12-01 19:24 8,192 --a------ C:\WINDOWS\system32\tsbyuv.dll
2006-12-01 19:24 73,728 -ra------ C:\WINDOWS\system32\LVUI2RC.dll
2006-12-01 19:24 69,632 -ra------ C:\WINDOWS\system32\lvcoinst.dll
2006-12-01 19:24 57,344 -ra------ C:\WINDOWS\system32\LVComC.dll
2006-12-01 19:24 49,664 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2006-12-01 19:24 45,568 --a------ C:\WINDOWS\system32\iyuv_32.dll
2006-12-01 19:24 44,416 --a------ C:\WINDOWS\system32\drivers\STREAM.SYS
2006-12-01 19:24 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2006-12-01 19:24 220,079 -ra------ C:\WINDOWS\system32\drivers\LV551AV.sys
2006-12-01 19:24 167,936 -ra------ C:\WINDOWS\system32\lvcodec2.dll
2006-12-01 19:24 16,384 --a------ C:\WINDOWS\system32\msyuv.dll
2006-12-01 19:24 131,712 --a------ C:\WINDOWS\system32\drivers\ks.sys
2006-12-01 19:24 131,072 -ra------ C:\WINDOWS\system32\SP5X_32.DLL
2006-12-01 19:24 12,112 -ra------ C:\WINDOWS\system32\drivers\LVUSBSta.sys
2006-12-01 19:24 110,592 -ra------ C:\WINDOWS\system32\LVUI2.dll
2006-12-01 19:24 102,400 -ra------ C:\WINDOWS\system32\LVComS.exe
2006-11-30 18:47 28,160 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2006-11-29 23:28 717,404 ---hs---- C:\WINDOWS\system32\hjkkj.bak1
2006-11-29 23:27 704,564 ---hs---- C:\WINDOWS\system32\jkkjh.dll
2006-11-25 14:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-17 14:36 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-12-17 14:36 -------- d-------- C:\Program Files\Common Files
2006-12-15 21:16 -------- d-------- C:\Documents and Settings\Owner\Application Data\Sonic
2006-12-13 21:35 -------- d-------- C:\Program Files\Windows Live Toolbar
2006-12-10 00:42 -------- d-------- C:\Program Files\Common Files\AOL
2006-12-10 00:16 -------- d-------- C:\Program Files\Trend Micro
2006-12-09 14:43 66048 --a------ C:\WINDOWS\system32\notepad.exe
2006-12-09 14:43 34304 --a------ C:\WINDOWS\system32\rcimlby.exe
2006-12-09 12:35 98304 --a------ C:\WINDOWS\system32\verifier.exe
2006-12-09 12:35 8192 --a------ C:\WINDOWS\system32\winhlp32.exe
2006-12-09 12:35 77824 --a------ C:\WINDOWS\system32\wmpstub.exe
2006-12-09 12:35 77824 --a------ C:\WINDOWS\system32\usrmlnka.exe
2006-12-09 12:35 69632 --a------ C:\WINDOWS\system32\usrshuta.exe
2006-12-09 12:35 61440 --a------ C:\WINDOWS\system32\usrprbda.exe
2006-12-09 12:35 60416 --a------ C:\WINDOWS\system32\wextract.exe
2006-12-09 12:35 5632 --a------ C:\WINDOWS\system32\write.exe
2006-12-09 12:35 49664 --a------ C:\WINDOWS\system32\w32tm.exe
2006-12-09 12:35 47616 --a------ C:\WINDOWS\system32\utilman.exe
2006-12-09 12:35 414720 --a------ C:\WINDOWS\system32\wiaacmgr.exe
2006-12-09 12:35 40960 --a------ C:\WINDOWS\system32\tscupgrd.exe
2006-12-09 12:35 4096 --a------ C:\WINDOWS\system32\winver.exe
2006-12-09 12:35 4096 --a------ C:\WINDOWS\system32\unlodctr.exe
2006-12-09 12:35 346624 --a------ C:\WINDOWS\system32\tourstart.exe
2006-12-09 12:35 33792 --a------ C:\WINDOWS\system32\vssadmin.exe
2006-12-09 12:35 32256 --a------ C:\WINDOWS\system32\wupdmgr.exe
2006-12-09 12:35 31744 --a------ C:\WINDOWS\system32\tracert6.exe
2006-12-09 12:35 31232 --a------ C:\WINDOWS\system32\wpabaln.exe
2006-12-09 12:35 29184 --a------ C:\WINDOWS\system32\wpnpinst.exe
2006-12-09 12:35 28160 --a------ C:\WINDOWS\system32\xcopy.exe
2006-12-09 12:35 275456 --a------ C:\WINDOWS\system32\vssvc.exe
2006-12-09 12:35 266752 --a------ C:\WINDOWS\winhlp32.exe
2006-12-09 12:35 26112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2006-12-09 12:35 25600 --a------ C:\WINDOWS\twunk_32.exe
2006-12-09 12:35 25600 --a------ C:\WINDOWS\system32\verclsid.exe
2006-12-09 12:35 22016 --a------ C:\WINDOWS\system32\userinit.exe
2006-12-09 12:35 16896 --a------ C:\WINDOWS\system32\tsshutdn.exe
2006-12-09 12:35 16896 --a------ C:\WINDOWS\system32\tftp.exe
2006-12-09 12:35 16384 --a------ C:\WINDOWS\system32\ups.exe
2006-12-09 12:35 16384 --a------ C:\WINDOWS\system32\tskill.exe
2006-12-09 12:35 15360 --a------ C:\WINDOWS\taskman.exe
2006-12-09 12:35 14848 --a------ C:\WINDOWS\system32\upnpcont.exe
2006-12-09 12:35 14848 --a------ C:\WINDOWS\system32\tsdiscon.exe
2006-12-09 12:35 14848 --a------ C:\WINDOWS\system32\tscon.exe
2006-12-09 12:35 119808 --a------ C:\WINDOWS\system32\winmine.exe
2006-12-09 12:35 118784 --a------ C:\WINDOWS\system32\wscript.exe
2006-12-09 12:35 11776 --a------ C:\WINDOWS\system32\winmsd.exe
2006-12-09 12:35 10752 --a------ C:\WINDOWS\system32\tracert.exe
2006-12-09 12:34 9728 --a------ C:\WINDOWS\system32\sfc.exe
2006-12-09 12:34 9728 --a------ C:\WINDOWS\system32\reset.exe
2006-12-09 12:34 9728 --a------ C:\WINDOWS\system32\regsvr32.exe
2006-12-09 12:34 93184 --a------ C:\WINDOWS\system32\scardsvr.exe
2006-12-09 12:34 9216 --a------ C:\WINDOWS\system32\subst.exe
2006-12-09 12:34 9216 --a------ C:\WINDOWS\system32\print.exe
2006-12-09 12:34 82944 --a------ C:\WINDOWS\system32\smlogsvc.exe
2006-12-09 12:34 8192 --a------ C:\WINDOWS\system32\scrnsave.scr
2006-12-09 12:34 74240 --a------ C:\WINDOWS\system32\rtcshare.exe
2006-12-09 12:34 7168 --a------ C:\WINDOWS\system32\recover.exe
2006-12-09 12:34 71168 --a------ C:\WINDOWS\system32\telnet.exe
2006-12-09 12:34 71168 --a------ C:\WINDOWS\system32\sdbinst.exe
2006-12-09 12:34 69632 --a------ C:\WINDOWS\system32\shrpubw.exe
2006-12-09 12:34 667648 --a------ C:\WINDOWS\system32\ss3dfo.scr
2006-12-09 12:34 66048 --a------ C:\WINDOWS\system32\sigverif.exe
2006-12-09 12:34 638976 --a------ C:\WINDOWS\system32\sstext3d.scr
2006-12-09 12:34 61952 --a------ C:\WINDOWS\system32\rdshost.exe
2006-12-09 12:34 569344 --a------ C:\WINDOWS\system32\sspipes.scr
2006-12-09 12:34 56832 --a------ C:\WINDOWS\system32\sol.exe
2006-12-09 12:34 54272 --a------ C:\WINDOWS\system32\rasphone.exe
2006-12-09 12:34 534016 --a------ C:\WINDOWS\system32\spider.exe
2006-12-09 12:34 53248 --a------ C:\WINDOWS\system32\packager.exe
2006-12-09 12:34 51200 --a------ C:\WINDOWS\system32\syncapp.exe
2006-12-09 12:34 49152 --a------ C:\WINDOWS\system32\rsmui.exe
2006-12-09 12:34 49152 --a------ C:\WINDOWS\system32\rsm.exe
2006-12-09 12:34 48128 --a------ C:\WINDOWS\system32\reg.exe
2006-12-09 12:34 4608 --a------ C:\WINDOWS\system32\regwiz.exe
2006-12-09 12:34 45056 --a------ C:\WINDOWS\system32\proquota.exe
2006-12-09 12:34 44032 --a------ C:\WINDOWS\system32\rdpclip.exe
2006-12-09 12:34 43008 --a------ C:\WINDOWS\system32\ssmypics.scr
2006-12-09 12:34 40448 --a------ C:\WINDOWS\system32\osuninst.exe
2006-12-09 12:34 36864 --a------ C:\WINDOWS\system32\syskey.exe
2006-12-09 12:34 364544 --a------ C:\WINDOWS\system32\ssflwbox.scr
2006-12-09 12:34 3584 --a------ C:\WINDOWS\system32\regedt32.exe
2006-12-09 12:34 33792 --a------ C:\WINDOWS\system32\regini.exe
2006-12-09 12:34 33280 --a------ C:\WINDOWS\system32\shmgrate.exe
2006-12-09 12:34 33280 --a------ C:\WINDOWS\system32\ping6.exe
2006-12-09 12:34 31744 --a------ C:\WINDOWS\system32\rundll32.exe
2006-12-09 12:34 31232 --a------ C:\WINDOWS\system32\sc.exe
2006-12-09 12:34 3072 --a------ C:\WINDOWS\system32\systray.exe
2006-12-09 12:34 28672 --a------ C:\WINDOWS\system32\sethc.exe
2006-12-09 12:34 25600 --a------ C:\WINDOWS\system32\routemon.exe
2006-12-09 12:34 24576 --a------ C:\WINDOWS\system32\rsmsink.exe
2006-12-09 12:34 24064 --a------ C:\WINDOWS\system32\skeys.exe
2006-12-09 12:34 23552 --a------ C:\WINDOWS\system32\sort.exe
2006-12-09 12:34 22016 --a------ C:\WINDOWS\system32\qwinsta.exe
2006-12-09 12:34 21504 --a------ C:\WINDOWS\system32\pathping.exe
2006-12-09 12:34 212480 --a------ C:\WINDOWS\system32\osk.exe
2006-12-09 12:34 20992 --a------ C:\WINDOWS\system32\setup.exe
2006-12-09 12:34 205824 --a------ C:\WINDOWS\system32\progman.exe
2006-12-09 12:34 20480 --a------ C:\WINDOWS\system32\stimon.exe
2006-12-09 12:34 19968 --a------ C:\WINDOWS\system32\route.exe
2006-12-09 12:34 19968 --a------ C:\WINDOWS\system32\rcp.exe
2006-12-09 12:34 19456 --a------ C:\WINDOWS\system32\tcpsvcs.exe
2006-12-09 12:34 19456 --a------ C:\WINDOWS\system32\ssmarque.scr
2006-12-09 12:34 19456 --a------ C:\WINDOWS\system32\savedump.exe
2006-12-09 12:34 18944 --a------ C:\WINDOWS\system32\ssbezier.scr
2006-12-09 12:34 18432 --a------ C:\WINDOWS\system32\qprocess.exe
2006-12-09 12:34 17920 --a------ C:\WINDOWS\system32\shutdown.exe
2006-12-09 12:34 17408 --a------ C:\WINDOWS\system32\ssmyst.scr
2006-12-09 12:34 16896 --a------ C:\WINDOWS\system32\qappsrv.exe
2006-12-09 12:34 16384 --a------ C:\WINDOWS\system32\runas.exe
2006-12-09 12:34 16384 --a------ C:\WINDOWS\system32\ping.exe
2006-12-09 12:34 15872 --a------ C:\WINDOWS\system32\rwinsta.exe
2006-12-09 12:34 15360 --a------ C:\WINDOWS\system32\taskman.exe
2006-12-09 12:34 15360 --a------ C:\WINDOWS\system32\pentnt.exe
2006-12-09 12:34 14848 --a------ C:\WINDOWS\system32\shadow.exe
2006-12-09 12:34 14336 --a------ C:\WINDOWS\system32\perfmon.exe
2006-12-09 12:34 138752 --a------ C:\WINDOWS\system32\sndvol32.exe
2006-12-09 12:34 13312 --a------ C:\WINDOWS\system32\ssstars.scr
2006-12-09 12:34 13312 --a------ C:\WINDOWS\system32\rsh.exe
2006-12-09 12:34 132608 --a------ C:\WINDOWS\system32\rsvp.exe
2006-12-09 12:34 129024 --a------ C:\WINDOWS\system32\sessmgr.exe
2006-12-09 12:34 128512 --a------ C:\WINDOWS\system32\taskmgr.exe
2006-12-09 12:34 12800 --a------ C:\WINDOWS\system32\runonce.exe
2006-12-09 12:34 12800 --a------ C:\WINDOWS\system32\replace.exe
2006-12-09 12:34 124416 --a------ C:\WINDOWS\system32\sndrec32.exe
2006-12-09 12:34 12288 --a------ C:\WINDOWS\system32\tcmsetup.exe
2006-12-09 12:34 12288 --a------ C:\WINDOWS\system32\rdsaddin.exe
2006-12-09 12:34 118784 --a------ C:\WINDOWS\system32\Prounstl.exe
2006-12-09 12:34 11776 --a------ C:\WINDOWS\system32\rexec.exe
2006-12-09 12:34 11776 --a------ C:\WINDOWS\system32\rasautou.exe
2006-12-09 12:34 11264 --a------ C:\WINDOWS\system32\rasdial.exe
2006-12-09 12:34 103936 --a------ C:\WINDOWS\system32\sysocmgr.exe
2006-12-09 12:33 99840 --a------ C:\WINDOWS\system32\iexpress.exe
2006-12-09 12:33 9728 --a------ C:\WINDOWS\system32\mstinit.exe
2006-12-09 12:33 9728 --a------ C:\WINDOWS\system32\label.exe
2006-12-09 12:33 82944 --a------ C:\WINDOWS\system32\netsh.exe
2006-12-09 12:33 8192 --a------ C:\WINDOWS\system32\mountvol.exe
2006-12-09 12:33 8192 --a------ C:\WINDOWS\system32\lpr.exe
2006-12-09 12:33 79360 --a------ C:\WINDOWS\system32\makecab.exe
2006-12-09 12:33 774144 --a------ C:\WINDOWS\system32\mmc.exe
2006-12-09 12:33 7680 --a------ C:\WINDOWS\system32\hostname.exe
2006-12-09 12:33 71680 --a------ C:\WINDOWS\system32\nslookup.exe
2006-12-09 12:33 68096 --a------ C:\WINDOWS\system32\locator.exe
2006-12-09 12:33 67584 --a------ C:\WINDOWS\system32\magnify.exe
2006-12-09 12:33 6656 --a------ C:\WINDOWS\system32\msswchx.exe
2006-12-09 12:33 64512 --a------ C:\WINDOWS\system32\msiexec.exe
2006-12-09 12:33 6144 --a------ C:\WINDOWS\system32\msdtc.exe
2006-12-09 12:33 6144 --a------ C:\WINDOWS\system32\lpq.exe
2006-12-09 12:33 60928 --a------ C:\WINDOWS\system32\ipv6.exe
2006-12-09 12:33 53248 --a------ C:\WINDOWS\system32\odbcconf.exe
2006-12-09 12:33 51712 --a------ C:\WINDOWS\system32\migpwd.exe
2006-12-09 12:33 51712 --a------ C:\WINDOWS\system32\ipconfig.exe
2006-12-09 12:33 51200 --a------ C:\WINDOWS\system32\narrator.exe
2006-12-09 12:33 5120 --a------ C:\WINDOWS\system32\lodctr.exe
2006-12-09 12:33 504320 --a------ C:\WINDOWS\system32\logonui.exe
2006-12-09 12:33 44032 --a------ C:\WINDOWS\system32\ipsec6.exe
2006-12-09 12:33 4096 --a------ C:\WINDOWS\system32\nddeapir.exe
2006-12-09 12:33 395776 --a------ C:\WINDOWS\system32\ntvdm.exe
2006-12-09 12:33 39424 --a------ C:\WINDOWS\system32\net.exe
2006-12-09 12:33 388608 --a------ C:\WINDOWS\system32\mstsc.exe
2006-12-09 12:33 34816 --a------ C:\WINDOWS\system32\msiregmv.exe
2006-12-09 12:33 339968 --a------ C:\WINDOWS\system32\mspaint.exe
2006-12-09 12:33 32768 --a------ C:\WINDOWS\system32\odbcad32.exe
2006-12-09 12:33 32768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2006-12-09 12:33 326656 --a------ C:\WINDOWS\system32\netsetup.exe
2006-12-09 12:33 31744 --a------ C:\WINDOWS\system32\ntsd.exe
2006-12-09 12:33 30720 --a------ C:\WINDOWS\system32\netstat.exe
2006-12-09 12:33 29696 --a------ C:\WINDOWS\system32\lights.exe
2006-12-09 12:33 28672 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-12-09 12:33 25088 --a------ C:\WINDOWS\system32\lnkstub.exe
2006-12-09 12:33 24576 --a------ C:\WINDOWS\system32\logagent.exe
2006-12-09 12:33 24064 --a------ C:\WINDOWS\system32\mshta.exe
2006-12-09 12:33 22016 --a------ C:\WINDOWS\system32\mpnotify.exe
2006-12-09 12:33 22016 --a------ C:\WINDOWS\system32\ipxroute.exe
2006-12-09 12:33 219648 --a------ C:\WINDOWS\system32\logon.scr
2006-12-09 12:33 20992 --a------ C:\WINDOWS\system32\msg.exe
2006-12-09 12:33 20480 --a------ C:\WINDOWS\system32\nbtstat.exe
2006-12-09 12:33 15360 --a------ C:\WINDOWS\system32\logoff.exe
2006-12-09 12:33 135680 --a------ C:\WINDOWS\system32\mobsync.exe
2006-12-09 12:33 12800 --a------ C:\WINDOWS\system32\mrinfo.exe
2006-12-09 12:33 126976 --a------ C:\WINDOWS\system32\mshearts.exe
2006-12-09 12:33 123904 --a------ C:\WINDOWS\system32\imapi.exe
2006-12-09 12:33 116736 --a------ C:\WINDOWS\system32\mplay32.exe
2006-12-09 12:33 115200 --a------ C:\WINDOWS\system32\net1.exe
2006-12-09 12:33 105984 --a------ C:\WINDOWS\system32\netdde.exe
2006-12-09 12:32 9216 --a------ C:\WINDOWS\system32\finger.exe
2006-12-09 12:32 9216 --a------ C:\WINDOWS\system32\find.exe
2006-12-09 12:32 9216 --a------ C:\WINDOWS\system32\dumprep.exe
2006-12-09 12:32 8704 --a------ C:\WINDOWS\system32\eventvwr.exe
2006-12-09 12:32 786432 --a------ C:\WINDOWS\system32\dxdiag.exe
2006-12-09 12:32 7168 --a------ C:\WINDOWS\system32\forcedos.exe
2006-12-09 12:32 58368 --a------ C:\WINDOWS\system32\dpvsetup.exe
2006-12-09 12:32 56320 --a------ C:\WINDOWS\system32\fsutil.exe
2006-12-09 12:32 55296 --a------ C:\WINDOWS\system32\freecell.exe
2006-12-09 12:32 55296 --a------ C:\WINDOWS\system32\dvdplay.exe
2006-12-09 12:32 4608 --a------ C:\WINDOWS\system32\dllhst3g.exe
2006-12-09 12:32 45568 --a------ C:\WINDOWS\system32\drwtsn32.exe
2006-12-09 12:32 40960 --a------ C:\WINDOWS\system32\extrac32.exe
2006-12-09 12:32 40448 --a------ C:\WINDOWS\system32\ftp.exe
2006-12-09 12:32 39424 --a------ C:\WINDOWS\system32\esentutl.exe
2006-12-09 12:32 37888 --a------ C:\WINDOWS\system32\grpconv.exe
2006-12-09 12:32 3072 --a------ C:\WINDOWS\system32\fixmapi.exe
2006-12-09 12:32 26112 --a------ C:\WINDOWS\system32\dplaysvr.exe
2006-12-09 12:32 25088 --a------ C:\WINDOWS\system32\findstr.exe
2006-12-09 12:32 204800 --a------ C:\WINDOWS\system32\dmadmin.exe
2006-12-09 12:32 19456 --a------ C:\WINDOWS\system32\fontview.exe
2006-12-09 12:32 18944 --a------ C:\WINDOWS\system32\dpnsvr.exe
2006-12-09 12:32 180224 --a------ C:\WINDOWS\system32\dwwin.exe
2006-12-09 12:32 178688 --a------ C:\WINDOWS\system32\eudcedit.exe
2006-12-09 12:32 15872 --a------ C:\WINDOWS\system32\expand.exe
2006-12-09 12:32 15872 --a------ C:\WINDOWS\system32\dvdupgrd.exe
2006-12-09 12:32 14848 --a------ C:\WINDOWS\system32\help.exe
2006-12-09 12:32 14848 --a------ C:\WINDOWS\system32\fc.exe
2006-12-09 12:32 14336 --a------ C:\WINDOWS\system32\dmremote.exe
2006-12-09 12:32 10752 --a------ C:\WINDOWS\system32\doskey.exe
2006-12-09 12:28 98816 --a------ C:\WINDOWS\system32\clipbrd.exe
2006-12-09 12:28 8192 --a------ C:\WINDOWS\system32\control.exe
2006-12-09 12:28 8192 --a------ C:\WINDOWS\system32\cidaemon.exe
2006-12-09 12:28 80384 --a------ C:\WINDOWS\system32\charmap.exe
2006-12-09 12:28 79360 --a------ C:\WINDOWS\system32\diantz.exe
2006-12-09 12:28 7680 --a------ C:\WINDOWS\system32\ckcnv.exe
2006-12-09 12:28 76288 --a------ C:\WINDOWS\system32\dfrgfat.exe
2006-12-09 12:28 70656 --a------ C:\WINDOWS\system32\defrag.exe
2006-12-09 12:28 61440 --a------ C:\WINDOWS\system32\cleanmgr.exe
2006-12-09 12:28 54784 --a------ C:\WINDOWS\system32\cmstp.exe
2006-12-09 12:28 5120 --a------ C:\WINDOWS\system32\dcomcnfg.exe
2006-12-09 12:28 5120 --a------ C:\WINDOWS\system32\cisvc.exe
2006-12-09 12:28 5120 --a------ C:\WINDOWS\system32\bootvrfy.exe
2006-12-09 12:28 4608 --a------ C:\WINDOWS\system32\bootok.exe
2006-12-09 12:28 45056 --a------ C:\WINDOWS\system32\cliconfg.exe
2006-12-09 12:28 41472 --a------ C:\WINDOWS\system32\cmdl32.exe
2006-12-09 12:28 375808 --a------ C:\WINDOWS\system32\cmd.exe
2006-12-09 12:28 35840 --a------ C:\WINDOWS\system32\cmmon32.exe
2006-12-09 12:28 30720 --a------ C:\WINDOWS\system32\clipsrv.exe
2006-12-09 12:28 27136 --a------ C:\WINDOWS\system32\ddeshare.exe
2006-12-09 12:28 24576 --a------ C:\WINDOWS\system32\conime.exe
2006-12-09 12:28 18432 --a------ C:\WINDOWS\system32\cacls.exe
2006-12-09 12:28 17920 --a------ C:\WINDOWS\system32\diskperf.exe
2006-12-09 12:28 17408 --a------ C:\WINDOWS\system32\compact.exe
2006-12-09 12:28 15872 --a------ C:\WINDOWS\system32\comp.exe
2006-12-09 12:28 145920 --a------ C:\WINDOWS\system32\diskpart.exe
2006-12-09 12:28 13824 --a------ C:\WINDOWS\system32\convert.exe
2006-12-09 12:28 11776 --a------ C:\WINDOWS\system32\chkdsk.exe
2006-12-09 12:28 114688 --a------ C:\WINDOWS\system32\calc.exe
2006-12-09 12:28 11264 --a------ C:\WINDOWS\system32\chkntfs.exe
2006-12-09 12:28 102400 --a------ C:\WINDOWS\system32\cscript.exe
2006-12-09 12:27 91648 --a------ C:\WINDOWS\system32\ahui.exe
2006-12-09 12:27 41984 --a------ C:\WINDOWS\system32\alg.exe
2006-12-09 12:27 4096 --a------ C:\WINDOWS\system32\actmovie.exe
2006-12-09 12:27 22528 --a------ C:\WINDOWS\system32\at.exe
2006-12-09 12:27 19456 --a------ C:\WINDOWS\system32\arp.exe
2006-12-09 12:27 179200 --a------ C:\WINDOWS\system32\accwiz.exe
2006-12-09 12:27 11264 --a------ C:\WINDOWS\system32\attrib.exe
2006-12-09 12:27 10240 --a------ C:\WINDOWS\system32\atmadm.exe
2006-12-09 12:26 134144 --a------ C:\WINDOWS\regedit.exe
2006-12-09 12:24 10752 --a------ C:\WINDOWS\hh.exe
2006-12-09 12:23 98304 --a------ C:\WINDOWS\dla.exe
2006-12-09 12:22 700416 --a------ C:\StubInstaller.exe
2006-12-09 12:15 66048 --a------ C:\WINDOWS\notepad.exe
2006-12-09 11:31 0 --a------ C:\WINDOWS\system32\ftpupd.exe
2006-12-06 19:01 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-12-01 19:16 -------- d-------- C:\Program Files\SpyBot
2006-11-30 19:47 -------- d--h----- C:\Program Files\WindowsUpdate
2006-11-30 18:42 -------- d-------- C:\Program Files\EA SPORTS
2006-11-30 07:50 504320 --a------ C:\WINDOWS\system32\logonui(2).exe
2006-11-25 14:18 -------- d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2006-11-15 22:04 -------- d-------- C:\Program Files\Common Files\Logitech
2006-11-15 22:03 -------- d-------- C:\Program Files\Logitech
2006-11-15 22:02 -------- d-------- C:\Program Files\Windows Media Components
2006-11-15 22:02 -------- d-------- C:\Program Files\Real
2006-11-04 18:25 -------- d-------- C:\Program Files\Windows Media Player
2006-11-03 18:26 -------- d-------- C:\Program Files\Outlook Express
2006-11-03 18:26 -------- d-------- C:\Program Files\Common Files\System
2006-11-03 18:25 -------- d-------- C:\Program Files\NetMeeting
2006-11-02 20:13 -------- d-------- C:\Program Files\Norton AntiVirus
2006-11-02 20:12 -------- d-------- C:\Program Files\Symantec
2006-11-02 18:55 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-11-02 11:56 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-11-02 11:55 -------- d-------- C:\Program Files\MSN Messenger
2006-11-01 23:15 -------- d-------- C:\Documents and Settings\Owner\Application Data\GTek
2006-11-01 23:02 -------- d-------- C:\Program Files\AIM
2006-11-01 20:58 -------- d-------- C:\Documents and Settings\Owner\Application Data\vlc
2006-11-01 20:26 -------- d-------- C:\Program Files\TVUPlayer
2006-11-01 20:25 -------- d-------- C:\Program Files\TVU
2006-11-01 20:08 -------- d-------- C:\Documents and Settings\Owner\Application Data\Sun
2006-11-01 20:04 -------- d-------- C:\Documents and Settings\Owner\Application Data\HP
2006-11-01 20:01 -------- d-------- C:\Documents and Settings\Owner\Application Data\acccore
2006-11-01 20:00 -------- d-------- C:\Program Files\Java
2006-11-01 20:00 -------- d-------- C:\Program Files\Common Files\Nullsoft
2006-11-01 20:00 -------- d-------- C:\Program Files\Common Files\aolshare
2006-11-01 20:00 -------- d-------- C:\Program Files\AOL
2006-11-01 20:00 -------- d-------- C:\Program Files\AOD
2006-11-01 19:57 8464 --a------ C:\WINDOWS\system32\sporder.dll
2006-11-01 19:52 -------- d-------- C:\Program Files\SymNetDrv
2006-11-01 19:50 -------- d-------- C:\Documents and Settings\Owner\Application Data\Help
2006-11-01 19:48 -------- d-------- C:\Program Files\TrendMicro
2006-11-01 19:41 -------- d-------- C:\Program Files\Common Files\Java
2006-11-01 19:22 -------- d-------- C:\Program Files\Hewlett-Packard
2006-11-01 18:35 -------- d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2006-11-01 18:31 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-01 18:28 -------- d-------- C:\Program Files\Microsoft Office
2006-11-01 18:28 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-11-01 18:28 -------- d-------- C:\Program Files\Common Files\DESIGNER
2006-11-01 18:26 -------- d-------- C:\Program Files\Common Files\Sonic
2006-11-01 18:25 -------- d-------- C:\Program Files\Sonic
2006-11-01 18:25 -------- d-------- C:\Program Files\Common Files\SureThing Shared
2006-11-01 18:25 -------- d-------- C:\Program Files\Common Files\Roxio Shared
2006-11-01 18:22 -------- d-------- C:\Documents and Settings\Owner\Application Data\Roxio
2006-11-01 18:21 -------- d-------- C:\Program Files\directx
2006-11-01 18:18 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-11-01 18:06 -------- d-------- C:\Program Files\HP
2006-11-01 18:06 -------- d-------- C:\Program Files\Common Files\HP
2006-11-01 17:53 -------- d--h----- C:\Program Files\Uninstall Information
2006-11-01 17:53 -------- d-------- C:\Documents and Settings\Owner\Application Data\Identities
2006-11-01 17:51 -------- d-------- C:\Program Files\xerox
2006-11-01 17:51 -------- d-------- C:\Program Files\microsoft frontpage
2006-11-01 17:47 0 -rahs---- C:\MSDOS.SYS
2006-11-01 17:47 0 -rahs---- C:\IO.SYS
2006-11-01 17:47 0 --a------ C:\CONFIG.SYS
2006-11-01 17:47 0 --a------ C:\AUTOEXEC.BAT
2006-11-01 17:46 -------- d-------- C:\Program Files\Online Services
2006-11-01 17:46 -------- d-------- C:\Program Files\Internet Explorer
2006-11-01 17:45 -------- d-------- C:\Program Files\Movie Maker
2006-11-01 17:45 -------- d-------- C:\Program Files\Common Files\Services
2006-11-01 17:45 -------- d-------- C:\Program Files\Common Files\MSSoap
2006-11-01 17:44 -------- d-------- C:\Program Files\Windows NT
2006-11-01 17:44 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-11-01 17:44 -------- d-------- C:\Program Files\MSN
2006-11-01 17:44 -------- d-------- C:\Program Files\Messenger
2006-11-01 17:44 -------- d-------- C:\Program Files\ComPlus Applications
2006-11-01 11:39 -------- d-------- C:\Program Files\Common Files\SpeechEngines
2006-11-01 11:39 -------- d-------- C:\Program Files\Common Files\ODBC
2006-11-01 11:38 62 --ahs---- C:\Documents and Settings\Owner\Application Data\desktop.ini


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLLaunch"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tfswctrl"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FrameWork 2.5]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="FrameWork"
"hkey"="HKLM"
"command"="FrameWork.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSoftware"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1162432813\\ee\\AOLSoftware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd2"
"hkey"="HKLM"
"command"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IPHSend"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RelevantKnowledge]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="rlvknlg"
"hkey"="HKLM"
"command"="C:\\windows\\system32\\rlvknlg.exe -boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sgtray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SNDMon"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-12-17 14:51:03.50
C:\ComboFix.txt ... 06-12-17 14:51

~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 3:01:41 PM, on 12/17/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?b438b86f4ad44a4383dd3cb94cfa5756
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?b438b86f4ad44a4383dd3cb94cfa5756
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162444138843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162444124859
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab53083.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#7 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:11:07 AM

Posted 17 December 2006 - 04:23 PM

Hello there,

The Hijackthis log is looking much better, but the Combofix log shows a lot of leftovers.
Hopefully the PC is running better, but we still have a few things to do. :thumbsup:

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A printout of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll (file missing)


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Please open Notepad and copy and paste the next bold text into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FrameWork 2.5]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RelevantKnowledge]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc]

Save this as "fix.reg", choosing "All Files" as the file type, and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.

Paste the following bold part into the Suspicious File Packer window:

C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll


Allow SFP to pack the file. This will generate a CAB archive on your desktop.
Go to this page.
Enter the url of this thread in the first field.
Where it says "browse to the file that you want to submit", click the browse button next to the second field and browse to the CAB archive that was created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.
Please let me know when you have submitted the files.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\Documents and Settings\Owner\W6I58BI.exe
C:\Documents and Settings\Owner\d03J0VW.exe
C:\Documents and Settings\Owner\gi7SGHt.exe
C:\Documents and Settings\Owner\dmuHKMH.exe
C:\Documents and Settings\Owner\uN3w0he.exe
C:\Program Files\Ultimate Cleaner
C:\oaciow.exe
C:\ragjo.exe
C:\Documents and Settings\Owner\t0UPWK8.exe
C:\Documents and Settings\Owner\Jc2ML2O.exe
C:\Documents and Settings\Owner\P35.exe
C:\Documents and Settings\Owner\fp8ghxX.exe
C:\WINDOWS\system32\z2731.exe
C:\WINDOWS\system32\Fw7Q1hl.exe
C:\WINDOWS\system32\z2834.exe
C:\WINDOWS\system32\IlO0j7w.exe
C:\WINDOWS\system32\z2385.exe
C:\WINDOWS\system32\z2670.exe
C:\WINDOWS\system32\install.exe
C:\WINDOWS\system32\lzx32.sys
C:\Documents and Settings\Owner\wpcem.exe
C:\WINDOWS\system32\qfyqakn.dll
C:\WINDOWS\system32\z2724.exe
C:\WINDOWS\system32\google.png.exe
C:\WINDOWS\system32\z2883.exe
C:\WINDOWS\system32\w.exe
C:\WINDOWS\system32\xgiz.bat
C:\WINDOWS\system32\comj.bat
C:\WINDOWS\system32\emvkkbp.bat
C:\vubes.exe
C:\Documents and Settings\All Users\Application Data\PopCap
C:\WINDOWS\system32\hjkkj.bak1
C:\WINDOWS\system32\jkkjh.dll
C:\windows\system32\rlvknlg.exe


Open 'file' in the killboxmenu on top and choose Paste from clipboard
You must use the File menu; pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, and let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Please download Ad-Aware SE Personal and install it.
If you already have Ad-Aware SE, please configure it as indicated below.
If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.

Run Ad-Aware, and click Check for updates now.
Select Configurations (click the Gear wheel at the top) as follows:
General Button > Safety & Settings > Check (Green) all three.
Tweak Button > Cleaning Engine > uncheck "Always try to unload modules before deletion".
Click Proceed.

To start the scan, Click > "Scan Now" at left.
Select "Search for low-risk threats".
Select "Perform full system scan".
Click "Next".

When the scan has completed, select Next.
In the Scanning Results window, select the "Critical Objects" tab.
Right-click on the screen and choose "Select all objects".
Click Next to remove the infections found, and click OK to the prompt.
Restart the computer.

Run HijackThis.
On the first menu, click Open the Misc Tools Section
Click Open Uninstall Manager
Click Save List - Save it anywhere.
A notepad will pop-up after it's saved, please copy everything in that Notepad and paste it here.
Also post a new Hijackthis log.
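The manual review David performs above (picking out the "(file missing)" Winlogon Notify entry, the third-party O16 download, and autorun entries pointing at executables dropped in a profile root) can be expressed as a small triage script. The following Python is an added example written for this thread; it is not HijackThis code and not something David posted. The sample log is constructed from entries quoted in this thread, with one assumed HKCU Run entry for W6I58BI.exe (that file appears only in David's Killbox list, never as an O4 line); the `TRUSTED_DPF_HOSTS` allow-list and the rule names are likewise assumptions, not anything HijackThis itself defines.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the HijackThis v1.99.1 lines quoted in this thread.
# The HKCU Run entry for W6I58BI.exe is an assumption added for illustration.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [W6I58BI] C:\Documents and Settings\Owner\W6I58BI.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162444138843
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# "O20 - <body>": section code, then the free-form body HijackThis prints.
ENTRY_RE = re.compile(r'^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$')
# First drive-letter path ending in a loadable/executable extension.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\.(?:exe|dll|sys|ocx|scr|bat|cab))', re.IGNORECASE)
HOST_RE = re.compile(r'https?://([^/\s]+)')
# Assumed allow-list: O16 controls fetched from these hosts are not reported.
TRUSTED_DPF_HOSTS = ('update.microsoft.com', 'windowsupdate.microsoft.com')


@dataclass
class Entry:
    section: str            # e.g. "O4", "O20"
    body: str               # everything after "O4 - "
    path: Optional[str]     # first on-disk path in the body, if any
    file_missing: bool      # HijackThis appended "(file missing)"
    host: Optional[str]     # host of the first URL in the body, if any


def parse_log(text: str) -> List[Entry]:
    """Parse the 'R'/'O' entries of a HijackThis log; other lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, running-process list, blank lines
        body = m.group('body')
        pm = PATH_RE.search(body)
        hm = HOST_RE.search(body)
        entries.append(Entry(
            section=m.group('section'),
            body=body,
            path=pm.group(1) if pm else None,
            file_missing='(file missing)' in body.lower(),
            host=hm.group(1).lower() if hm else None,
        ))
    return entries


def profile_root_executable(path: str) -> bool:
    """True for a file sitting directly in C:\\ or directly under a user profile,
    the two locations where the files in David's Killbox list above were dropped."""
    parts = path.split('\\')
    if len(parts) == 2:                      # C:\ragjo.exe
        return True
    return len(parts) == 4 and parts[1].lower() == 'documents and settings'


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map each suspicious entry body to the reasons a reviewer should look at it."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons: List[str] = []
        if e.file_missing:
            reasons.append('orphaned reference: the registry points at a file that no longer exists')
        if e.section == 'O20':
            reasons.append('O20 Winlogon Notify DLL loads into winlogon.exe; confirm a known publisher')
        if e.section == 'O16' and e.host and not e.host.endswith(TRUSTED_DPF_HOSTS):
            reasons.append(f'O16 ActiveX control downloaded from third-party host {e.host}')
        if e.section == 'O4' and e.path and profile_root_executable(e.path):
            reasons.append('O4 autorun points at an executable in a profile root or drive root')
        if reasons:
            findings[e.body] = reasons
    return findings


if __name__ == '__main__':
    for body, reasons in triage(parse_log(SAMPLE_LOG)).items():
        print(body)
        for r in reasons:
            print('   -', r)
```

On the constructed sample this reports three entries: the rpcc O20 line (both orphaned and a Winlogon Notify load point), the PopCap O16 download, and the assumed W6I58BI autorun. The legitimate `KernelFaultCheck` entry stays quiet because its `%systemroot%` path is not a drive-letter path and the script does not expand environment variables; anything you want flagged by location must be resolved to an absolute path first.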

#8 JagerBob13

JagerBob13
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:07 AM

Posted 17 December 2006 - 05:03 PM

I have followed the steps leading up to that point and have submitted the files you requested.

#9 JagerBob13

JagerBob13
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:07 AM

Posted 17 December 2006 - 05:37 PM

OK, so I have done all that you have asked. Question first: while doing those steps, my Norton continued to pop up saying it was finding viruses and either fixing them or ignoring them. Is this OK, or did Norton skew anything Ad-Aware and Killbox were doing?

Here are the 2 logs you wanted.

~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 4:30:02 PM, on 12/17/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?b438b86f4ad44a4383dd3cb94cfa5756
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?b438b86f4ad44a4383dd3cb94cfa5756
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162444138843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162444124859
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab53083.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

~~~~~~~~~~~~~~~~~~~~~~~

Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
AOL Uninstaller (Choose which Products to Remove)
AVG Anti-Spyware 7.5
Azureus
Dell ResourceCD
Hijackthis 1.99.1
HijackThis 1.99.1
HP Deskjet 3900 series
HP Extended Capabilities 5.0
HP Image Zone Express
HP Imaging Device Functions 5.0
HP Software Update
HP Solution Center & Imaging Support Tools 5.0
Intel® PRO Network Adapters and Drivers
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Microsoft Office Basic Edition 2003
Norton AntiVirus 2003
NVIDIA Windows 2000/XP Display Drivers
Rhapsody Player Engine
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Spybot - Search & Destroy 1.4
Tabbed Browsing (Windows Live Toolbar)
TVUPlayer 2.2.0
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Live Toolbar MSN Extension (Windows Live Toolbar)
ZoneAlarm

#10 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:11:07 AM

Posted 18 December 2006 - 04:42 AM

Hey there, before we continue, can you remember what the Norton alert was saying exactly?
It could have been flagging a leftover that we haven't got round to deleting yet.
I'd like to see a new Combofix log first to make sure the Killbox steps worked.

#11 JagerBob13

JagerBob13
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:07 AM

Posted 18 December 2006 - 06:09 PM

Hello, sorry about the wait for the reply. Norton was referring to "bloodhound.packed.8"; it found 132 infected files and quarantined 115 of them... something along those lines.


Anyway, here is the ComboFix log.

~~~~~~~~~~~~~~~~~~

Owner - 06-12-18 17:00:41.89 Service Pack 1
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Owner\Desktop\smit fraud stuff"

((((((((((((((((((((((((((((((( Files Created from 2006-11-17 to 2006-12-17 ))))))))))))))))))))))))))))))))))


2006-12-17 16:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2006-12-17 16:08 <DIR> d-------- C:\Program Files\Lavasoft
2006-12-17 14:32 <DIR> d-------- C:\!KillBox
2006-12-17 14:32 <DIR> d-------- C:\!KillBox
2006-12-17 14:32 <DIR> d-------- C:\!KillBox


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-18 11:28 -------- d-------- C:\Program Files\Common Files
2006-12-18 00:20 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-12-15 21:16 -------- d-------- C:\Documents and Settings\Owner\Application Data\Sonic
2006-12-13 21:35 -------- d-------- C:\Program Files\Windows Live Toolbar
2006-12-10 00:42 -------- d-------- C:\Program Files\Common Files\AOL
2006-12-10 00:16 -------- d-------- C:\Program Files\Trend Micro
2006-12-09 14:43 66048 --a------ C:\WINDOWS\system32\notepad.exe
2006-12-09 14:43 34304 --a------ C:\WINDOWS\system32\rcimlby.exe
2006-12-09 12:35 98304 --a------ C:\WINDOWS\system32\verifier.exe
2006-12-09 12:35 8192 --a------ C:\WINDOWS\system32\winhlp32.exe
2006-12-09 12:35 77824 --a------ C:\WINDOWS\system32\wmpstub.exe
2006-12-09 12:35 77824 --a------ C:\WINDOWS\system32\usrmlnka.exe
2006-12-09 12:35 69632 --a------ C:\WINDOWS\system32\usrshuta.exe
2006-12-09 12:35 61440 --a------ C:\WINDOWS\system32\usrprbda.exe
2006-12-09 12:35 60416 --a------ C:\WINDOWS\system32\wextract.exe
2006-12-09 12:35 5632 --a------ C:\WINDOWS\system32\write.exe
2006-12-09 12:35 49664 --a------ C:\WINDOWS\system32\w32tm.exe
2006-12-09 12:35 47616 --a------ C:\WINDOWS\system32\utilman.exe
2006-12-09 12:35 414720 --a------ C:\WINDOWS\system32\wiaacmgr.exe
2006-12-09 12:35 40960 --a------ C:\WINDOWS\system32\tscupgrd.exe
2006-12-09 12:35 4096 --a------ C:\WINDOWS\system32\winver.exe
2006-12-09 12:35 4096 --a------ C:\WINDOWS\system32\unlodctr.exe
2006-12-09 12:35 346624 --a------ C:\WINDOWS\system32\tourstart.exe
2006-12-09 12:35 33792 --a------ C:\WINDOWS\system32\vssadmin.exe
2006-12-09 12:35 32256 --a------ C:\WINDOWS\system32\wupdmgr.exe
2006-12-09 12:35 31744 --a------ C:\WINDOWS\system32\tracert6.exe
2006-12-09 12:35 31232 --a------ C:\WINDOWS\system32\wpabaln.exe
2006-12-09 12:35 29184 --a------ C:\WINDOWS\system32\wpnpinst.exe
2006-12-09 12:35 28160 --a------ C:\WINDOWS\system32\xcopy.exe
2006-12-09 12:35 275456 --a------ C:\WINDOWS\system32\vssvc.exe
2006-12-09 12:35 266752 --a------ C:\WINDOWS\winhlp32.exe
2006-12-09 12:35 26112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2006-12-09 12:35 25600 --a------ C:\WINDOWS\twunk_32.exe
2006-12-09 12:35 25600 --a------ C:\WINDOWS\system32\verclsid.exe
2006-12-09 12:35 22016 --a------ C:\WINDOWS\system32\userinit.exe
2006-12-09 12:35 16896 --a------ C:\WINDOWS\system32\tsshutdn.exe
2006-12-09 12:35 16896 --a------ C:\WINDOWS\system32\tftp.exe
2006-12-09 12:35 16384 --a------ C:\WINDOWS\system32\ups.exe
2006-12-09 12:35 16384 --a------ C:\WINDOWS\system32\tskill.exe
2006-12-09 12:35 15360 --a------ C:\WINDOWS\taskman.exe
2006-12-09 12:35 14848 --a------ C:\WINDOWS\system32\upnpcont.exe
2006-12-09 12:35 14848 --a------ C:\WINDOWS\system32\tsdiscon.exe
2006-12-09 12:35 14848 --a------ C:\WINDOWS\system32\tscon.exe
2006-12-09 12:35 119808 --a------ C:\WINDOWS\system32\winmine.exe
2006-12-09 12:35 118784 --a------ C:\WINDOWS\system32\wscript.exe
2006-12-09 12:35 11776 --a------ C:\WINDOWS\system32\winmsd.exe
2006-12-09 12:35 10752 --a------ C:\WINDOWS\system32\tracert.exe
2006-12-09 12:34 9728 --a------ C:\WINDOWS\system32\sfc.exe
2006-12-09 12:34 9728 --a------ C:\WINDOWS\system32\reset.exe
2006-12-09 12:34 9728 --a------ C:\WINDOWS\system32\regsvr32.exe
2006-12-09 12:34 93184 --a------ C:\WINDOWS\system32\scardsvr.exe
2006-12-09 12:34 9216 --a------ C:\WINDOWS\system32\subst.exe
2006-12-09 12:34 9216 --a------ C:\WINDOWS\system32\print.exe
2006-12-09 12:34 82944 --a------ C:\WINDOWS\system32\smlogsvc.exe
2006-12-09 12:34 8192 --a------ C:\WINDOWS\system32\scrnsave.scr
2006-12-09 12:34 74240 --a------ C:\WINDOWS\system32\rtcshare.exe
2006-12-09 12:34 7168 --a------ C:\WINDOWS\system32\recover.exe
2006-12-09 12:34 71168 --a------ C:\WINDOWS\system32\telnet.exe
2006-12-09 12:34 71168 --a------ C:\WINDOWS\system32\sdbinst.exe
2006-12-09 12:34 69632 --a------ C:\WINDOWS\system32\shrpubw.exe
2006-12-09 12:34 667648 --a------ C:\WINDOWS\system32\ss3dfo.scr
2006-12-09 12:34 66048 --a------ C:\WINDOWS\system32\sigverif.exe
2006-12-09 12:34 638976 --a------ C:\WINDOWS\system32\sstext3d.scr
2006-12-09 12:34 61952 --a------ C:\WINDOWS\system32\rdshost.exe
2006-12-09 12:34 569344 --a------ C:\WINDOWS\system32\sspipes.scr
2006-12-09 12:34 56832 --a------ C:\WINDOWS\system32\sol.exe
2006-12-09 12:34 54272 --a------ C:\WINDOWS\system32\rasphone.exe
2006-12-09 12:34 534016 --a------ C:\WINDOWS\system32\spider.exe
2006-12-09 12:34 53248 --a------ C:\WINDOWS\system32\packager.exe
2006-12-09 12:34 51200 --a------ C:\WINDOWS\system32\syncapp.exe
2006-12-09 12:34 49152 --a------ C:\WINDOWS\system32\rsmui.exe
2006-12-09 12:34 49152 --a------ C:\WINDOWS\system32\rsm.exe
2006-12-09 12:34 48128 --a------ C:\WINDOWS\system32\reg.exe
2006-12-09 12:34 4608 --a------ C:\WINDOWS\system32\regwiz.exe
2006-12-09 12:34 45056 --a------ C:\WINDOWS\system32\proquota.exe
2006-12-09 12:34 44032 --a------ C:\WINDOWS\system32\rdpclip.exe
2006-12-09 12:34 43008 --a------ C:\WINDOWS\system32\ssmypics.scr
2006-12-09 12:34 40448 --a------ C:\WINDOWS\system32\osuninst.exe
2006-12-09 12:34 36864 --a------ C:\WINDOWS\system32\syskey.exe
2006-12-09 12:34 364544 --a------ C:\WINDOWS\system32\ssflwbox.scr
2006-12-09 12:34 3584 --a------ C:\WINDOWS\system32\regedt32.exe
2006-12-09 12:34 33792 --a------ C:\WINDOWS\system32\regini.exe
2006-12-09 12:34 33280 --a------ C:\WINDOWS\system32\shmgrate.exe
2006-12-09 12:34 33280 --a------ C:\WINDOWS\system32\ping6.exe
2006-12-09 12:34 31744 --a------ C:\WINDOWS\system32\rundll32.exe
2006-12-09 12:34 31232 --a------ C:\WINDOWS\system32\sc.exe
2006-12-09 12:34 3072 --a------ C:\WINDOWS\system32\systray.exe
2006-12-09 12:34 28672 --a------ C:\WINDOWS\system32\sethc.exe
2006-12-09 12:34 25600 --a------ C:\WINDOWS\system32\routemon.exe
2006-12-09 12:34 24576 --a------ C:\WINDOWS\system32\rsmsink.exe
2006-12-09 12:34 24064 --a------ C:\WINDOWS\system32\skeys.exe
2006-12-09 12:34 23552 --a------ C:\WINDOWS\system32\sort.exe
2006-12-09 12:34 22016 --a------ C:\WINDOWS\system32\qwinsta.exe
2006-12-09 12:34 21504 --a------ C:\WINDOWS\system32\pathping.exe
2006-12-09 12:34 212480 --a------ C:\WINDOWS\system32\osk.exe
2006-12-09 12:34 20992 --a------ C:\WINDOWS\system32\setup.exe
2006-12-09 12:34 205824 --a------ C:\WINDOWS\system32\progman.exe
2006-12-09 12:34 20480 --a------ C:\WINDOWS\system32\stimon.exe
2006-12-09 12:34 19968 --a------ C:\WINDOWS\system32\route.exe
2006-12-09 12:34 19968 --a------ C:\WINDOWS\system32\rcp.exe
2006-12-09 12:34 19456 --a------ C:\WINDOWS\system32\tcpsvcs.exe
2006-12-09 12:34 19456 --a------ C:\WINDOWS\system32\ssmarque.scr
2006-12-09 12:34 19456 --a------ C:\WINDOWS\system32\savedump.exe
2006-12-09 12:34 18944 --a------ C:\WINDOWS\system32\ssbezier.scr
2006-12-09 12:34 18432 --a------ C:\WINDOWS\system32\qprocess.exe
2006-12-09 12:34 17920 --a------ C:\WINDOWS\system32\shutdown.exe
2006-12-09 12:34 17408 --a------ C:\WINDOWS\system32\ssmyst.scr
2006-12-09 12:34 16896 --a------ C:\WINDOWS\system32\qappsrv.exe
2006-12-09 12:34 16384 --a------ C:\WINDOWS\system32\runas.exe
2006-12-09 12:34 16384 --a------ C:\WINDOWS\system32\ping.exe
2006-12-09 12:34 15872 --a------ C:\WINDOWS\system32\rwinsta.exe
2006-12-09 12:34 15360 --a------ C:\WINDOWS\system32\taskman.exe
2006-12-09 12:34 15360 --a------ C:\WINDOWS\system32\pentnt.exe
2006-12-09 12:34 14848 --a------ C:\WINDOWS\system32\shadow.exe
2006-12-09 12:34 14336 --a------ C:\WINDOWS\system32\perfmon.exe
2006-12-09 12:34 138752 --a------ C:\WINDOWS\system32\sndvol32.exe
2006-12-09 12:34 13312 --a------ C:\WINDOWS\system32\ssstars.scr
2006-12-09 12:34 13312 --a------ C:\WINDOWS\system32\rsh.exe
2006-12-09 12:34 132608 --a------ C:\WINDOWS\system32\rsvp.exe
2006-12-09 12:34 129024 --a------ C:\WINDOWS\system32\sessmgr.exe
2006-12-09 12:34 128512 --a------ C:\WINDOWS\system32\taskmgr.exe
2006-12-09 12:34 12800 --a------ C:\WINDOWS\system32\runonce.exe
2006-12-09 12:34 12800 --a------ C:\WINDOWS\system32\replace.exe
2006-12-09 12:34 124416 --a------ C:\WINDOWS\system32\sndrec32.exe
2006-12-09 12:34 12288 --a------ C:\WINDOWS\system32\tcmsetup.exe
2006-12-09 12:34 12288 --a------ C:\WINDOWS\system32\rdsaddin.exe
2006-12-09 12:34 118784 --a------ C:\WINDOWS\system32\Prounstl.exe
2006-12-09 12:34 11776 --a------ C:\WINDOWS\system32\rexec.exe
2006-12-09 12:34 11776 --a------ C:\WINDOWS\system32\rasautou.exe
2006-12-09 12:34 11264 --a------ C:\WINDOWS\system32\rasdial.exe
2006-12-09 12:34 103936 --a------ C:\WINDOWS\system32\sysocmgr.exe
2006-12-09 12:33 99840 --a------ C:\WINDOWS\system32\iexpress.exe
2006-12-09 12:33 9728 --a------ C:\WINDOWS\system32\mstinit.exe
2006-12-09 12:33 9728 --a------ C:\WINDOWS\system32\label.exe
2006-12-09 12:33 82944 --a------ C:\WINDOWS\system32\netsh.exe
2006-12-09 12:33 8192 --a------ C:\WINDOWS\system32\mountvol.exe
2006-12-09 12:33 8192 --a------ C:\WINDOWS\system32\lpr.exe
2006-12-09 12:33 79360 --a------ C:\WINDOWS\system32\makecab.exe
2006-12-09 12:33 774144 --a------ C:\WINDOWS\system32\mmc.exe
2006-12-09 12:33 7680 --a------ C:\WINDOWS\system32\hostname.exe
2006-12-09 12:33 71680 --a------ C:\WINDOWS\system32\nslookup.exe
2006-12-09 12:33 68096 --a------ C:\WINDOWS\system32\locator.exe
2006-12-09 12:33 67584 --a------ C:\WINDOWS\system32\magnify.exe
2006-12-09 12:33 6656 --a------ C:\WINDOWS\system32\msswchx.exe
2006-12-09 12:33 64512 --a------ C:\WINDOWS\system32\msiexec.exe
2006-12-09 12:33 6144 --a------ C:\WINDOWS\system32\msdtc.exe
2006-12-09 12:33 6144 --a------ C:\WINDOWS\system32\lpq.exe
2006-12-09 12:33 60928 --a------ C:\WINDOWS\system32\ipv6.exe
2006-12-09 12:33 53248 --a------ C:\WINDOWS\system32\odbcconf.exe
2006-12-09 12:33 51712 --a------ C:\WINDOWS\system32\migpwd.exe
2006-12-09 12:33 51712 --a------ C:\WINDOWS\system32\ipconfig.exe
2006-12-09 12:33 51200 --a------ C:\WINDOWS\system32\narrator.exe
2006-12-09 12:33 5120 --a------ C:\WINDOWS\system32\lodctr.exe
2006-12-09 12:33 504320 --a------ C:\WINDOWS\system32\logonui.exe
2006-12-09 12:33 44032 --a------ C:\WINDOWS\system32\ipsec6.exe
2006-12-09 12:33 4096 --a------ C:\WINDOWS\system32\nddeapir.exe
2006-12-09 12:33 395776 --a------ C:\WINDOWS\system32\ntvdm.exe
2006-12-09 12:33 39424 --a------ C:\WINDOWS\system32\net.exe
2006-12-09 12:33 388608 --a------ C:\WINDOWS\system32\mstsc.exe
2006-12-09 12:33 34816 --a------ C:\WINDOWS\system32\msiregmv.exe
2006-12-09 12:33 339968 --a------ C:\WINDOWS\system32\mspaint.exe
2006-12-09 12:33 32768 --a------ C:\WINDOWS\system32\odbcad32.exe
2006-12-09 12:33 32768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2006-12-09 12:33 326656 --a------ C:\WINDOWS\system32\netsetup.exe
2006-12-09 12:33 31744 --a------ C:\WINDOWS\system32\ntsd.exe
2006-12-09 12:33 30720 --a------ C:\WINDOWS\system32\netstat.exe
2006-12-09 12:33 29696 --a------ C:\WINDOWS\system32\lights.exe
2006-12-09 12:33 28672 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-12-09 12:33 25088 --a------ C:\WINDOWS\system32\lnkstub.exe
2006-12-09 12:33 24576 --a------ C:\WINDOWS\system32\logagent.exe
2006-12-09 12:33 24064 --a------ C:\WINDOWS\system32\mshta.exe
2006-12-09 12:33 22016 --a------ C:\WINDOWS\system32\mpnotify.exe
2006-12-09 12:33 22016 --a------ C:\WINDOWS\system32\ipxroute.exe
2006-12-09 12:33 219648 --a------ C:\WINDOWS\system32\logon.scr
2006-12-09 12:33 20992 --a------ C:\WINDOWS\system32\msg.exe
2006-12-09 12:33 20480 --a------ C:\WINDOWS\system32\nbtstat.exe
2006-12-09 12:33 15360 --a------ C:\WINDOWS\system32\logoff.exe
2006-12-09 12:33 135680 --a------ C:\WINDOWS\system32\mobsync.exe
2006-12-09 12:33 12800 --a------ C:\WINDOWS\system32\mrinfo.exe
2006-12-09 12:33 126976 --a------ C:\WINDOWS\system32\mshearts.exe
2006-12-09 12:33 123904 --a------ C:\WINDOWS\system32\imapi.exe
2006-12-09 12:33 116736 --a------ C:\WINDOWS\system32\mplay32.exe
2006-12-09 12:33 115200 --a------ C:\WINDOWS\system32\net1.exe
2006-12-09 12:33 105984 --a------ C:\WINDOWS\system32\netdde.exe
2006-12-09 12:32 9216 --a------ C:\WINDOWS\system32\finger.exe
2006-12-09 12:32 9216 --a------ C:\WINDOWS\system32\find.exe
2006-12-09 12:32 9216 --a------ C:\WINDOWS\system32\dumprep.exe
2006-12-09 12:32 8704 --a------ C:\WINDOWS\system32\eventvwr.exe
2006-12-09 12:32 786432 --a------ C:\WINDOWS\system32\dxdiag.exe
2006-12-09 12:32 7168 --a------ C:\WINDOWS\system32\forcedos.exe
2006-12-09 12:32 58368 --a------ C:\WINDOWS\system32\dpvsetup.exe
2006-12-09 12:32 56320 --a------ C:\WINDOWS\system32\fsutil.exe
2006-12-09 12:32 55296 --a------ C:\WINDOWS\system32\freecell.exe
2006-12-09 12:32 55296 --a------ C:\WINDOWS\system32\dvdplay.exe
2006-12-09 12:32 4608 --a------ C:\WINDOWS\system32\dllhst3g.exe
2006-12-09 12:32 45568 --a------ C:\WINDOWS\system32\drwtsn32.exe
2006-12-09 12:32 40960 --a------ C:\WINDOWS\system32\extrac32.exe
2006-12-09 12:32 40448 --a------ C:\WINDOWS\system32\ftp.exe
2006-12-09 12:32 39424 --a------ C:\WINDOWS\system32\esentutl.exe
2006-12-09 12:32 37888 --a------ C:\WINDOWS\system32\grpconv.exe
2006-12-09 12:32 3072 --a------ C:\WINDOWS\system32\fixmapi.exe
2006-12-09 12:32 26112 --a------ C:\WINDOWS\system32\dplaysvr.exe
2006-12-09 12:32 204800 --a------ C:\WINDOWS\system32\dmadmin.exe
2006-12-09 12:32 19456 --a------ C:\WINDOWS\system32\fontview.exe
2006-12-09 12:32 18944 --a------ C:\WINDOWS\system32\dpnsvr.exe
2006-12-09 12:32 180224 --a------ C:\WINDOWS\system32\dwwin.exe
2006-12-09 12:32 178688 --a------ C:\WINDOWS\system32\eudcedit.exe
2006-12-09 12:32 15872 --a------ C:\WINDOWS\system32\expand.exe
2006-12-09 12:32 15872 --a------ C:\WINDOWS\system32\dvdupgrd.exe
2006-12-09 12:32 14848 --a------ C:\WINDOWS\system32\help.exe
2006-12-09 12:32 14848 --a------ C:\WINDOWS\system32\fc.exe
2006-12-09 12:32 14336 --a------ C:\WINDOWS\system32\dmremote.exe
2006-12-09 12:32 10752 --a------ C:\WINDOWS\system32\doskey.exe
2006-12-09 12:28 98816 --a------ C:\WINDOWS\system32\clipbrd.exe
2006-12-09 12:28 8192 --a------ C:\WINDOWS\system32\control.exe
2006-12-09 12:28 8192 --a------ C:\WINDOWS\system32\cidaemon.exe
2006-12-09 12:28 80384 --a------ C:\WINDOWS\system32\charmap.exe
2006-12-09 12:28 79360 --a------ C:\WINDOWS\system32\diantz.exe
2006-12-09 12:28 7680 --a------ C:\WINDOWS\system32\ckcnv.exe
2006-12-09 12:28 76288 --a------ C:\WINDOWS\system32\dfrgfat.exe
2006-12-09 12:28 70656 --a------ C:\WINDOWS\system32\defrag.exe
2006-12-09 12:28 61440 --a------ C:\WINDOWS\system32\cleanmgr.exe
2006-12-09 12:28 54784 --a------ C:\WINDOWS\system32\cmstp.exe
2006-12-09 12:28 5120 --a------ C:\WINDOWS\system32\dcomcnfg.exe
2006-12-09 12:28 5120 --a------ C:\WINDOWS\system32\cisvc.exe
2006-12-09 12:28 5120 --a------ C:\WINDOWS\system32\bootvrfy.exe
2006-12-09 12:28 4608 --a------ C:\WINDOWS\system32\bootok.exe
2006-12-09 12:28 45056 --a------ C:\WINDOWS\system32\cliconfg.exe
2006-12-09 12:28 41472 --a------ C:\WINDOWS\system32\cmdl32.exe
2006-12-09 12:28 375808 --a------ C:\WINDOWS\system32\cmd.exe
2006-12-09 12:28 35840 --a------ C:\WINDOWS\system32\cmmon32.exe
2006-12-09 12:28 30720 --a------ C:\WINDOWS\system32\clipsrv.exe
2006-12-09 12:28 27136 --a------ C:\WINDOWS\system32\ddeshare.exe
2006-12-09 12:28 24576 --a------ C:\WINDOWS\system32\conime.exe
2006-12-09 12:28 18432 --a------ C:\WINDOWS\system32\cacls.exe
2006-12-09 12:28 17920 --a------ C:\WINDOWS\system32\diskperf.exe
2006-12-09 12:28 17408 --a------ C:\WINDOWS\system32\compact.exe
2006-12-09 12:28 15872 --a------ C:\WINDOWS\system32\comp.exe
2006-12-09 12:28 145920 --a------ C:\WINDOWS\system32\diskpart.exe
2006-12-09 12:28 13824 --a------ C:\WINDOWS\system32\convert.exe
2006-12-09 12:28 11776 --a------ C:\WINDOWS\system32\chkdsk.exe
2006-12-09 12:28 114688 --a------ C:\WINDOWS\system32\calc.exe
2006-12-09 12:28 11264 --a------ C:\WINDOWS\system32\chkntfs.exe
2006-12-09 12:28 102400 --a------ C:\WINDOWS\system32\cscript.exe
2006-12-09 12:27 91648 --a------ C:\WINDOWS\system32\ahui.exe
2006-12-09 12:27 41984 --a------ C:\WINDOWS\system32\alg.exe
2006-12-09 12:27 4096 --a------ C:\WINDOWS\system32\actmovie.exe
2006-12-09 12:27 22528 --a------ C:\WINDOWS\system32\at.exe
2006-12-09 12:27 19456 --a------ C:\WINDOWS\system32\arp.exe
2006-12-09 12:27 179200 --a------ C:\WINDOWS\system32\accwiz.exe
2006-12-09 12:27 11264 --a------ C:\WINDOWS\system32\attrib.exe
2006-12-09 12:27 10240 --a------ C:\WINDOWS\system32\atmadm.exe
2006-12-09 12:26 134144 --a------ C:\WINDOWS\regedit.exe
2006-12-09 12:24 10752 --a------ C:\WINDOWS\hh.exe
2006-12-09 12:23 98304 --a------ C:\WINDOWS\dla.exe
2006-12-09 12:22 700416 --a------ C:\StubInstaller.exe
2006-12-09 12:15 66048 --a------ C:\WINDOWS\notepad.exe
2006-12-09 11:31 0 --a------ C:\WINDOWS\system32\ftpupd.exe
2006-12-06 19:01 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-12-01 19:16 -------- d-------- C:\Program Files\SpyBot
2006-11-30 19:47 -------- d--h----- C:\Program Files\WindowsUpdate
2006-11-30 18:42 -------- d-------- C:\Program Files\EA SPORTS
2006-11-30 07:50 504320 --a------ C:\WINDOWS\system32\logonui(2).exe
2006-11-25 14:18 -------- d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2006-11-15 22:04 -------- d-------- C:\Program Files\Common Files\Logitech
2006-11-15 22:03 -------- d-------- C:\Program Files\Logitech
2006-11-15 22:02 -------- d-------- C:\Program Files\Windows Media Components
2006-11-15 22:02 -------- d-------- C:\Program Files\Real
2006-11-04 18:25 -------- d-------- C:\Program Files\Windows Media Player
2006-11-03 18:26 -------- d-------- C:\Program Files\Outlook Express
2006-11-03 18:26 -------- d-------- C:\Program Files\Common Files\System
2006-11-03 18:25 -------- d-------- C:\Program Files\NetMeeting
2006-11-02 20:13 -------- d-------- C:\Program Files\Norton AntiVirus
2006-11-02 20:12 -------- d-------- C:\Program Files\Symantec
2006-11-02 18:55 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-11-02 11:56 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-11-02 11:55 -------- d-------- C:\Program Files\MSN Messenger
2006-11-01 23:15 -------- d-------- C:\Documents and Settings\Owner\Application Data\GTek
2006-11-01 23:02 -------- d-------- C:\Program Files\AIM
2006-11-01 20:58 -------- d-------- C:\Documents and Settings\Owner\Application Data\vlc
2006-11-01 20:26 -------- d-------- C:\Program Files\TVUPlayer
2006-11-01 20:25 -------- d-------- C:\Program Files\TVU
2006-11-01 20:08 -------- d-------- C:\Documents and Settings\Owner\Application Data\Sun
2006-11-01 20:04 -------- d-------- C:\Documents and Settings\Owner\Application Data\HP
2006-11-01 20:01 -------- d-------- C:\Documents and Settings\Owner\Application Data\acccore
2006-11-01 20:00 -------- d-------- C:\Program Files\Java
2006-11-01 20:00 -------- d-------- C:\Program Files\Common Files\Nullsoft
2006-11-01 20:00 -------- d-------- C:\Program Files\Common Files\aolshare
2006-11-01 20:00 -------- d-------- C:\Program Files\AOL
2006-11-01 20:00 -------- d-------- C:\Program Files\AOD
2006-11-01 19:57 8464 --a------ C:\WINDOWS\system32\sporder.dll
2006-11-01 19:52 -------- d-------- C:\Program Files\SymNetDrv
2006-11-01 19:50 -------- d-------- C:\Documents and Settings\Owner\Application Data\Help
2006-11-01 19:48 -------- d-------- C:\Program Files\TrendMicro
2006-11-01 19:41 -------- d-------- C:\Program Files\Common Files\Java
2006-11-01 19:22 -------- d-------- C:\Program Files\Hewlett-Packard
2006-11-01 18:35 -------- d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2006-11-01 18:31 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-01 18:28 -------- d-------- C:\Program Files\Microsoft Office
2006-11-01 18:28 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-11-01 18:28 -------- d-------- C:\Program Files\Common Files\DESIGNER
2006-11-01 18:26 -------- d-------- C:\Program Files\Common Files\Sonic
2006-11-01 18:25 -------- d-------- C:\Program Files\Sonic
2006-11-01 18:25 -------- d-------- C:\Program Files\Common Files\SureThing Shared
2006-11-01 18:25 -------- d-------- C:\Program Files\Common Files\Roxio Shared
2006-11-01 18:22 -------- d-------- C:\Documents and Settings\Owner\Application Data\Roxio
2006-11-01 18:21 -------- d-------- C:\Program Files\directx
2006-11-01 18:18 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-11-01 18:06 -------- d-------- C:\Program Files\HP
2006-11-01 18:06 -------- d-------- C:\Program Files\Common Files\HP
2006-11-01 17:53 -------- d--h----- C:\Program Files\Uninstall Information
2006-11-01 17:53 -------- d-------- C:\Documents and Settings\Owner\Application Data\Identities
2006-11-01 17:51 -------- d-------- C:\Program Files\xerox
2006-11-01 17:51 -------- d-------- C:\Program Files\microsoft frontpage
2006-11-01 17:47 0 -rahs---- C:\MSDOS.SYS
2006-11-01 17:47 0 -rahs---- C:\IO.SYS
2006-11-01 17:47 0 --a------ C:\CONFIG.SYS
2006-11-01 17:47 0 --a------ C:\AUTOEXEC.BAT
2006-11-01 17:46 -------- d-------- C:\Program Files\Online Services
2006-11-01 17:46 -------- d-------- C:\Program Files\Internet Explorer
2006-11-01 17:45 -------- d-------- C:\Program Files\Movie Maker
2006-11-01 17:45 -------- d-------- C:\Program Files\Common Files\Services
2006-11-01 17:45 -------- d-------- C:\Program Files\Common Files\MSSoap
2006-11-01 17:44 -------- d-------- C:\Program Files\Windows NT
2006-11-01 17:44 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-11-01 17:44 -------- d-------- C:\Program Files\MSN
2006-11-01 17:44 -------- d-------- C:\Program Files\Messenger
2006-11-01 17:44 -------- d-------- C:\Program Files\ComPlus Applications
2006-11-01 11:39 -------- d-------- C:\Program Files\Common Files\SpeechEngines
2006-11-01 11:39 -------- d-------- C:\Program Files\Common Files\ODBC
2006-11-01 11:38 62 --ahs---- C:\Documents and Settings\Owner\Application Data\desktop.ini


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLLaunch"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tfswctrl"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSoftware"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1162432813\\ee\\AOLSoftware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd2"
"hkey"="HKLM"
"command"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IPHSend"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sgtray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SNDMon"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-12-18 17:02:11.93
C:\ComboFix.txt ... 06-12-18 17:02
C:\ComboFix2.txt ... 06-12-17 14:57
C:\ComboFix3.txt ... 06-12-17 14:51
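
Two things in the ComboFix output above are worth automating when triaging a log like this: the long run of system32 executables all stamped 2006-12-09 between 12:27 and 12:34, and the `KernelFaultCheck` value dumped as raw `hex(2)` bytes (HijackThis shows the same value decoded as `%systemroot%\system32\dumprep 0 -k`). The script below is an added example written for this page, not ComboFix's or the forum's own code. It parses a constructed excerpt of the listing (rows copied from the log above), reports bursts of executables modified within a few minutes of each other, flags zero-byte executables such as `ftpupd.exe`, and decodes a `hex(2)` REG_EXPAND_SZ value. The burst thresholds (five files, five-minute gap) and the assumption that ComboFix writes one byte per character are mine; a service pack or Windows Update also rewrites many binaries at once, so a burst is a lead to check against patch history, not a verdict.

```python
"""Triage helpers for a ComboFix file listing and 'Reg Loading Points' dump.
Added example for this page; not ComboFix's or the forum's own code."""
from __future__ import annotations

import re
from collections import namedtuple
from datetime import datetime

Entry = namedtuple("Entry", "when size attrs path")

# One listing row: "YYYY-MM-DD HH:MM  <size or dashes>  <attribute flags>  <path>"
LISTING_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+|-+)\s+([-a-z]+)\s+(.+?)\s*$"
)
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".com")

# Constructed excerpt: rows copied from the log above, with a directory and
# MSDOS.SYS included to show that non-executables are ignored.
SAMPLE_LISTING = r"""
2006-12-09 12:34 12288 --a------ C:\WINDOWS\system32\rdsaddin.exe
2006-12-09 12:33 774144 --a------ C:\WINDOWS\system32\mmc.exe
2006-12-09 12:33 24064 --a------ C:\WINDOWS\system32\mshta.exe
2006-12-09 12:32 40448 --a------ C:\WINDOWS\system32\ftp.exe
2006-12-09 12:28 375808 --a------ C:\WINDOWS\system32\cmd.exe
2006-12-09 12:27 22528 --a------ C:\WINDOWS\system32\at.exe
2006-12-09 12:26 134144 --a------ C:\WINDOWS\regedit.exe
2006-12-09 12:15 66048 --a------ C:\WINDOWS\notepad.exe
2006-12-09 11:31 0 --a------ C:\WINDOWS\system32\ftpupd.exe
2006-12-01 19:16 -------- d-------- C:\Program Files\SpyBot
2006-11-01 19:57 8464 --a------ C:\WINDOWS\system32\sporder.dll
2006-11-01 17:47 0 -rahs---- C:\MSDOS.SYS
"""

# The Run value exactly as dumped above, including the backslash continuation.
KERNEL_FAULT_CHECK = (
    '"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\\\n'
    "65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00"
)


def parse_listing(text: str) -> list[Entry]:
    """Parse listing rows; headings, blank lines and other text are skipped."""
    entries = []
    for line in text.splitlines():
        m = LISTING_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        size = None if m.group(2).startswith("-") else int(m.group(2))
        entries.append(Entry(when, size, m.group(3), m.group(4)))
    return entries


def is_executable(e: Entry) -> bool:
    return e.size is not None and e.path.lower().endswith(EXECUTABLE_EXT)


def find_bursts(entries, max_gap_minutes=5, min_count=5):
    """Runs of executables whose consecutive timestamps are at most
    max_gap_minutes apart and that contain at least min_count files.
    Thresholds are assumptions for this example; tune them per log."""
    execs = sorted((e for e in entries if is_executable(e)), key=lambda e: e.when)
    bursts, run = [], []
    for e in execs:
        if run and (e.when - run[-1].when).total_seconds() > max_gap_minutes * 60:
            if len(run) >= min_count:
                bursts.append(run)
            run = []
        run.append(e)
    if len(run) >= min_count:
        bursts.append(run)
    return bursts


def zero_byte_executables(entries) -> list[str]:
    """Executables listed with size 0: truncated, or a placeholder to look at."""
    return [e.path for e in entries if is_executable(e) and e.size == 0]


def decode_reg_hex(value: str) -> str:
    """Decode a .reg-style hex(N) value (hex(2) = REG_EXPAND_SZ) back to text.
    Accepts an optional "name"=hex(2): prefix and backslash continuation lines.
    Assumption: ComboFix writes one byte per character (as above); a regedit
    export is UTF-16LE, which is recognised by the zero high bytes."""
    m = re.search(r"hex(?:\(\d+\))?:(.*)", value, re.S)
    if not m:
        raise ValueError("not a hex(N) value")
    body = re.sub(r"[\\\s]", "", m.group(1))
    raw = bytes(int(tok, 16) for tok in body.split(",") if tok)
    if len(raw) >= 2 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    return text.rstrip("\x00")


if __name__ == "__main__":
    rows = parse_listing(SAMPLE_LISTING)
    for run in find_bursts(rows):
        print(f"{len(run)} executables modified {run[0].when:%Y-%m-%d %H:%M}"
              f" to {run[-1].when:%H:%M}")
        for e in run:
            print("   ", e.path)
    print("zero-byte executables:", zero_byte_executables(rows))
    print("KernelFaultCheck ->", decode_reg_hex(KERNEL_FAULT_CHECK))
```

On the excerpt this reports one burst of seven binaries between 12:26 and 12:34 and flags `ftpupd.exe`; run against the full listing above it would pick up the whole 12:27 to 12:34 run. Whether that run is an infection or a patch rollout still has to be settled by checking the files' signatures and version resources against a clean copy of the same service pack.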

#12 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:11:07 AM

Posted 19 December 2006 - 06:05 AM

Ok, you've got quite a nasty infection that is targeting the .exe (executable) files on your PC.
You've most likely got a lot of leftovers on the PC, but the first aim is to disinfect those .exe's.
I want to run two scanners, and I want you to post the logs back to me.
It may be that the logs are too long; if that's the case, submit them here:
http://www.bleepingcomputer.com/submit-malware.php?channel=5

Right Click the Desktop and Select New--> Folder--> Name it SysClean
Download the Sysclean Package to the folder you made.

Next, download the Virus Pattern Files (Official Pattern Release) and Spyware Pattern Files (Official Pattern Release) to your desktop from Here
Right Click each and Select Extract All to unzip the 2 folders.
Now, from the unzipped folders, move lpt$vpn.XXX and tmaptn.XXX files to the SysClean folder.

Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Open the SysClean Folder and doubleclick sysclean.com
Be sure Automatically clean or delete detected files is checked.
Click the Scan button to begin; please be patient, it will take a little bit to finish.

Once complete, verify the log from the scan (sysclean.log) is in the SysClean folder and restart back to Normal Mode.

Please download Dr Web-Cureit!
Save the folder to your desktop.
Don't run it yet.

Now go back into safe mode.

Run Dr Web-Cureit!
Double-click the "drweb-cureit.exe" and click "ok" in the prompt window that will open, asking "start the express scan now".
It will first make a quick scan of your system, let it clean what it finds, and when it says "done" in the lower left corner click on all your drives.

A red dot will mark the selected drive(s). Then hit the pedestrian, who has now turned green.
Click on the green man in the right corner, it will scan ALL your drives; hit yes to all.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv

Close Dr.Web Cureit.
Reboot your computer back to normal mode.

Post those two logs back here along with a new Hijackthis log.
Hopefully we can save this PC..

Edited by D-Trojanator, 19 December 2006 - 06:05 AM.


#13 JagerBob13

JagerBob13
  • Topic Starter

  • Members
  • 11 posts
  • Local time:04:07 AM

Posted 21 December 2006 - 12:19 AM

Hello, I tried to reboot back into normal mode but I cannot use the internet in that mode, only in safe mode right now :thumbsup:

I posted the csv file in the link you provided, here are the others

~~~~~~~~~~~~~



/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2006-12-20, 13:08:03, Auto-clean mode specified.
2006-12-20, 13:08:03, Running scanner "C:\Documents and Settings\Owner\Desktop\sysclean\TSC.BIN"...
2006-12-20, 13:08:09, Scanner "C:\Documents and Settings\Owner\Desktop\sysclean\TSC.BIN" has finished running.
2006-12-20, 13:08:09, TSC Log:

Damage Cleanup Engine (DCE) 3.98(Build 1012)
Windows XP(Build 2600: Service Pack 1)

Start time : Wed Dec 20 2006 13:08:03

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Owner\Desktop\sysclean\tsc.ptn" (version 818) [success]

Complete time : Wed Dec 20 2006 13:08:09
Execute pattern count(3024), Virus found count(0), Virus clean count(0), Clean failed count(0)

2006-12-20, 13:09:08, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2006-12-20, 13:27:03, Files Detected:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 13:09:29
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 125 (145636 Patterns) (2006/12/19) (412500)
Command Line: C:\Documents and Settings\Owner\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Owner\Desktop\sysclean

C:\!KillBox\install.exe [BKDR_RUSTOCK.AV]
C:\!KillBox\oaciow.exe [TROJ_AGENT.IFN]
C:\!KillBox\z2883.exe [TROJ_DLOADER.GXP]
33649 files have been read.
33649 files have been checked.
30999 files have been scanned.
74796 files have been scanned. (including files in archived)
3 files containing viruses.
Found 3 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/20/2006 13:27:03
---------*---------*---------*---------*---------*---------*---------*---------*
2006-12-20, 13:27:03, Files Clean:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 13:09:29
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 125 (145636 Patterns) (2006/12/19) (412500)
Command Line: C:\Documents and Settings\Owner\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Owner\Desktop\sysclean

Success Clean [ BKDR_RUSTOCK.AV]( 1) from C:\!KillBox\install.exe
Success Clean [ TROJ_AGENT.IFN]( 1) from C:\!KillBox\oaciow.exe
Success Clean [TROJ_DLOADER.GXP]( 1) from C:\!KillBox\z2883.exe
33649 files have been read.
33649 files have been checked.
30999 files have been scanned.
74796 files have been scanned. (including files in archived)
3 files containing viruses.
Found 3 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/20/2006 13:27:03 17 minutes 34 seconds (1053.89 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-12-20, 13:27:03, Clean Fail:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 13:09:29
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 125 (145636 Patterns) (2006/12/19) (412500)
Command Line: C:\Documents and Settings\Owner\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Owner\Desktop\sysclean

33649 files have been read.
33649 files have been checked.
30999 files have been scanned.
74796 files have been scanned. (including files in archived)
3 files containing viruses.
Found 3 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/20/2006 13:27:03 17 minutes 34 seconds (1053.89 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-12-20, 13:27:03, Scanner "C:\Documents and Settings\Owner\Desktop\sysclean\VSCANTM.BIN" has finished running.

~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 11:15:06 PM, on 12/20/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?b438b86f4ad44a4383dd3cb94cfa5756
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?b438b86f4ad44a4383dd3cb94cfa5756
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162444138843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162444124859
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab53083.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#14 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:11:07 AM

Posted 21 December 2006 - 11:50 AM

Ok, as you might have already noticed, this infection is starting to take over your PC.
I need to know whether you have your XP installation CD, we need to repair the system.
Please let me know as soon as possible.

#15 JagerBob13

JagerBob13
  • Topic Starter

  • Members
  • 11 posts
  • Local time:04:07 AM

Posted 22 December 2006 - 12:14 AM

Ok, as you might have already noticed, this infection is starting to take over your PC.
I need to know whether you have your XP installation CD, we need to repair the system.
Please let me know as soon as possible.


Sorry for the late reply again, I have the install CD which came with my Dell



