Anti-spyware & Anti-virus Disabled, Keylogger, Hijack, Worms


This topic is locked
54 replies to this topic

#1 marlajm

Posted 18 March 2007 - 07:48 PM

I have just finished with my original support and probably have to reformat. However, I would like to find out what is going on, or at least in some way contribute to helping someone in the future, so I have come here.

Despite good computer hygiene, Ad-Aware, Spybot, McAfee (now Kaspersky), CCleaner, HijackThis, updating (wondering if this might have brought in some problems), and the ZoneAlarm firewall, I have problems which I first noticed when I was hijacked from PayPal. This showed on my first HJT scan but disappeared without treatment shortly thereafter.

My antivirus, etc., have been disabled although they LOOK as if they are working but don't so much as find a cookie anymore--except for CCleaner. Spybot doesn't find About:Blank but it showed up on the browser scan. I tried to delete it and it doesn't show on any scans but I still see it fly by the bottom of my screen as IE pages are loaded. When I go to my history or temporary files, when I can see them, they are mostly ad pages. I have tried all the usual CWShredder, etc., and they don't find anything.

MWAV is the only scan that has shown much. When I submit some suspicious files from ComboScan to either VirusScan or Jotti, more often than not they jam VirusScan and I get error messages from Jotti that it is either the wrong stream or the file is empty. Sometimes the folders are empty. I have tried to rename them but many times I am not allowed. Sometimes when I explore I can see the folders have information, but when I go to submit them I get the message they are empty. Recently, after submitting a file to Jotti, I got a page that said, "Prepare to Die!" It also had a photo of a man dressed like a woman leaning over a desk with a big shot facing another man in a suit.

When I try to repair or update some of my anti-spyware I often get a navigational error page.

Also, I have noticed that many of my file dates say that they were created and modified on June 6, 2005. This includes some files I know I had recently accessed, installed, or tried to delete.

I am not hopeful, but I want to find out what is doing this. I know I need to reinstall, but I want a good detective to have at it first. I ran a newer HijackThis but will include a ComboScan with an older version because HijackThis recommended that I try an older version. I was careful while doing the ComboScan not to let it access any HijackThis that I already had, and not to access the internet for one. The scan was quite different.

I recently also tried IceSword and found many more entries in the startup than have been revealed before. It also found items in the drivers and registry but I wasn't sure how to proceed. I can't save a log from it but things looked quite different.

Thanks for the help. I don't want to reformat and then find that this thing is in my memory, my peripherals, and my saved files on CD and reinfect myself again. So I do need some urgent help.

Many thanks & Happy Hunting!!!!

Logfile of HijackThis v1.99.1
Scan saved at 7:26:14 PM, on 3/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\Common Files\AOL\1127327071\ee\AOLSoftware.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\system32\devldr32.exe
c:\program files\common files\aol\1127327071\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1127327071\ee\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\HijackThis\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1127327071\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DLPSP] "C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE"
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1118153487515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1122422829054
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/share...,20/McGDMgr.cab
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Here is the comboscan. Please let me know if it proved helpful or not.

ComboScan v20070306.20 run by Marla on 2007-03-18 at 18:59:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-03-18 18:59:55
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.0.5730.11)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlsdbnt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpwdnt.exe
C:\Program Files\Common Files\AOL\1127327071\ee\aolsoftware.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpsp.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\AOL\1127327071\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1127327071\ee\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Marla\Desktop\comboscan.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft.com/isapi/redir.dll?p...mp;plcid=0x0409
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1127327071\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DLPSP] "C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE"
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - CmdMapping - (file missing)
O9 - Extra 'Tools' menuitem: (no name) - CmdMapping - (file missing)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} () - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} () - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://download.microsoft.com/download/6/7.../OGAControl.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} () - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} () - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shock...or/sw_promo.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/0/5...heckControl.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc3.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} () - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} () - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} () - https://objects.aol.com/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1118153487515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1122422829054
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} () - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} () - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} () - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} () - https://objects.aol.com/mcafee/molbin/share...,20/McGDMgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shock...ash/swflash.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} () - http://download.microsoft.com/download/7/E...04/clearadj.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\system32\WgaLogon.dll
O23 - Service: Alerter - C:\WINDOWS\System32\svchost.exe -k LocalService
O23 - Service: Application Layer Gateway Service (ALG) - C:\WINDOWS\system32\alg.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Application Management (AppMgmt) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: ASP.NET State Service (aspnet_state) - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
O23 - Service: Windows Audio (AudioSrv) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Active Virus Shield (AVP) - "C:\Program Files\AOL\Active Virus Shield\avp.exe" -r
O23 - Service: Background Intelligent Transfer Service (BITS) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Computer Browser (Browser) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Indexing Service (cisvc) - C:\WINDOWS\system32\cisvc.exe
O23 - Service: ClipBook (ClipSrv) - C:\WINDOWS\system32\clipsrv.exe
O23 - Service: COM+ System Application (COMSysApp) - C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
O23 - Service: Cryptographic Services (CryptSvc) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: DCOM Server Process Launcher (DcomLaunch) - C:\WINDOWS\system32\svchost -k DcomLaunch
O23 - Service: DHCP Client (Dhcp) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Dell Printer Status Watcher (DLPWD) - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpwdnt.exe
O23 - Service: Dell Printer Status Database (DLSDB) - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlsdbnt.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - C:\WINDOWS\System32\dmadmin.exe /com
O23 - Service: Logical Disk Manager (dmserver) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: DNS Client (Dnscache) - C:\WINDOWS\System32\svchost.exe -k NetworkService
O23 - Service: Error Reporting Service (ERSvc) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Event Log (Eventlog) - C:\WINDOWS\system32\services.exe
O23 - Service: COM+ Event System (EventSystem) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Help and Support (helpsvc) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Human Interface Device Access (HidServ) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: HTTP SSL (HTTPFilter) - C:\WINDOWS\System32\svchost.exe -k HTTPFilter
O23 - Service: InstallDriver Table Manager (IDriverT) - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - C:\WINDOWS\system32\imapi.exe
O23 - Service: iPodService - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Server (lanmanserver) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Workstation (lanmanworkstation) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - C:\WINDOWS\System32\svchost.exe -k LocalService
O23 - Service: Messenger - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - C:\WINDOWS\system32\msdtc.exe
O23 - Service: Windows Installer (MSIServer) - C:\WINDOWS\system32\msiexec.exe /V
O23 - Service: Network DDE (NetDDE) - C:\WINDOWS\system32\netdde.exe
O23 - Service: Network DDE DSDM (NetDDEdsdm) - C:\WINDOWS\system32\netdde.exe
O23 - Service: Net Logon (Netlogon) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Network Connections (Netman) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Network Location Awareness (NLA) (Nla) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: NT LM Security Support Provider (NtLmSsp) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Removable Storage (NtmsSvc) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Plug and Play (PlugPlay) - C:\WINDOWS\system32\services.exe
O23 - Service: Pml Driver HPZ12 - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IPSEC Services (PolicyAgent) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Protected Storage (ProtectedStorage) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Remote Access Connection Manager (RasMan) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Routing and Remote Access (RemoteAccess) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - C:\WINDOWS\system32\locator.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - C:\WINDOWS\system32\svchost -k rpcss
O23 - Service: QoS RSVP (RSVP) - C:\WINDOWS\system32\rsvp.exe
O23 - Service: Security Accounts Manager (SamSs) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Smart Card (SCardSvr) - C:\WINDOWS\system32\scardsvr.exe
O23 - Service: Task Scheduler (Schedule) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Secondary Logon (seclogon) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: System Event Notification (SENS) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Shell Hardware Detection (ShellHWDetection) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Print Spooler (Spooler) - C:\WINDOWS\system32\spoolsv.exe
O23 - Service: System Restore Service (srservice) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: SSDP Discovery Service (SSDPSRV) - C:\WINDOWS\System32\svchost.exe -k LocalService
O23 - Service: Windows Image Acquisition (WIA) (stisvc) - C:\WINDOWS\System32\svchost.exe -k imgsvc
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - C:\WINDOWS\System32\dllhost.exe /Processid:{3F559694-250B-447D-9D7E-E6E5FB5BC220}
O23 - Service: Performance Logs and Alerts (SysmonLog) - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telephony (TapiSrv) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Terminal Services (TermService) - C:\WINDOWS\System32\svchost -k DComLaunch
O23 - Service: Themes - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Distributed Link Tracking Client (TrkWks) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Universal Plug and Play Device Host (upnphost) - C:\WINDOWS\System32\svchost.exe -k LocalService
O23 - Service: Uninterruptible Power Supply (UPS) - C:\WINDOWS\system32\ups.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
O23 - Service: Volume Shadow Copy (VSS) - C:\WINDOWS\system32\vssvc.exe
O23 - Service: Windows Time (W32Time) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - "C:\WINDOWS\wanmpsvc.exe"
O23 - Service: WebClient - C:\WINDOWS\System32\svchost.exe -k LocalService
O23 - Service: Windows Management Instrumentation (winmgmt) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: WMI Performance Adapter (WmiApSrv) - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Security Center (wscsvc) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Automatic Updates (wuauserv) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Wireless Zero Configuration (WZCSVC) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Network Provisioning Service (xmlprov) - C:\WINDOWS\System32\svchost.exe -k netsvcs


-- Files created between 2007-02-18 and 2007-03-18 -----------------------------

2007-03-17 23:56:50 0 d-------- C:\IceSword120_en<ICESWO~1>
2007-03-17 22:45:53 306720 --a------ C:\DNLDSSC.exe
2007-03-17 22:24:28 377856 --a------ C:\ariesremoverinst.exe<ARIESR~1.EXE>
2007-03-17 01:10:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-03-17 01:04:49 21822168 --a------ C:\AdbeRdr80_en_US.exe<ADBERD~1.EXE>
2007-03-16 23:17:50 0 d-------- C:\WINDOWS\SxsCaPendDel<SXSCAP~1>
2007-03-16 22:56:38 0 d-------- C:\Scanner1982<SCANNE~1>
2007-03-16 03:46:44 2685104 --a------ C:\ccsetup138.exe<CCSETU~1.EXE>
2007-03-15 20:03:05 0 d-------- C:\Documents and Settings\Marla\.housecall6.6<HOUSEC~1.6>
2007-03-15 17:41:41 0 d-------- C:\Trendscan<TRENDS~1>
2007-03-15 16:41:16 1144839 --a------ C:\stng260.exe
2007-03-15 14:25:22 0 d-------- C:\tsc
2007-03-13 17:44:46 0 d-a------ C:\WINDOWS\zts2.exe
2007-03-13 17:44:46 0 d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2007-03-13 17:44:46 0 d-a------ C:\WINDOWS\system32\iifgfgf.dll
2007-03-13 17:44:46 0 d-a------ C:\WINDOWS\rundll16.exe
2007-03-13 17:44:46 0 d-a------ C:\WINDOWS\rundl132.dll
2007-03-13 17:44:46 0 d-a------ C:\WINDOWS\logo1_.exe
2007-03-13 17:19:29 135680 --a------ C:\WINDOWS\system32\TASKMGR.COM
2007-03-13 17:19:29 146432 --a------ C:\WINDOWS\REGEDIT.COM
2007-03-12 20:02:44 531744 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-03-12 20:02:44 4741664 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-03-12 19:30:43 0 d-------- C:\!KillBox
2007-03-10 01:07:24 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-03-05 18:01:48 0 d-------- C:\Documents and Settings\LocalService\Application Data\HP
2007-03-05 17:57:40 0 d-------- C:\Documents and Settings\All Users\Application Data\HP
2007-03-05 17:40:48 5389 -----n--- C:\WINDOWS\hpomdl06.dat
2007-03-05 17:40:48 89277 --a------ C:\WINDOWS\hpoins06.dat
2007-03-05 03:35:32 0 d-------- C:\Program Files\IrfanView<IRFANV~1>
2007-02-27 21:37:27 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2007-02-27 17:51:06 0 d-------- C:\Documents and Settings\Administrator\DoctorWeb<DOCTOR~1>
2007-02-27 11:18:31 0 d-------- C:\fixwareout<FIXWAR~1>
2007-02-26 18:15:32 135680 --a------ C:\WINDOWS\system32\T.COM
2007-02-26 18:15:32 146432 --a------ C:\WINDOWS\R.COM
2007-02-24 01:37:00 737431 --a------ C:\Program Files\SDFix.exe
2007-02-23 21:48:30 80 --a------ C:\WINDOWS\gmer_uninstall.cmd<GMER_U~1.CMD>
2007-02-23 21:45:42 0 d-------- C:\Program Files\Checker
2007-02-23 20:26:05 0 d-------- C:\Program Files\Grisoft
2007-02-23 20:22:12 0 d-------- C:\WINDOWS\ERDNT
2007-02-23 17:00:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com<SUPERA~1.COM>
2007-02-22 15:00:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\ScanSoft
2007-02-21 16:45:20 0 d--h----- C:\WINDOWS\PIF
2007-02-20 21:05:09 0 d-------- C:\Program Files\Viewpoint<VIEWPO~1>
2007-02-20 19:45:49 0 d-------- C:\WINDOWS\system32\Kaspersky Lab<KASPER~1>
2007-02-20 13:13:02 2354 --a------ C:\WINDOWS\system32\tmp.reg
2007-02-20 10:10:10 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~1>
2007-02-20 04:08:34 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>


-- Find3M Report ---------------------------------------------------------------

2007-03-17 01:11:09 0 d-------- C:\Program Files\Common Files\Adobe
2007-03-15 11:56:37 0 d-------- C:\Program Files\Microsoft Picture It! PhotoPub<MIEE00~1>
2007-03-13 17:21:39 0 d-------- C:\Program Files\America Online 9.0<AMERIC~1.0>
2007-03-13 17:21:36 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-03-13 17:21:34 0 d-------- C:\Program Files\Movie Maker<MOVIEM~1>
2007-03-13 17:21:34 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-03-12 20:02:44 0 d-------- C:\Program Files\AOL
2007-03-08 22:25:17 0 d-------- C:\Program Files\PhoneTreeMVPu<PHONET~1>
2007-03-07 20:26:17 0 d-------- C:\Program Files\CCleaner
2007-03-01 21:30:51 0 d-------- C:\Program Files\Common Files\Ahead
2007-02-24 19:35:42 0 d-------- C:\Program Files\Google
2007-02-24 19:35:02 0 d-------- C:\Program Files\Common Files\Scanner
2007-02-21 23:29:53 0 d-------- C:\Program Files\Common Files\Xerox Shared<XEROXS~1>
2007-02-20 09:00:20 0 d-------- C:\Program Files\Common Files\AOL
2007-02-17 15:44:21 0 d-------- C:\Program Files\Dell Printers<DELLPR~1>
2007-02-17 15:44:09 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2007-02-08 00:52:18 0 d-------- C:\Documents and Settings\Marla\Application Data\Viewpoint<VIEWPO~1>
2007-01-29 03:58:06 60416 -----n--- C:\WINDOWS\system32\tzchange.exe
2007-01-12 10:27:42 232960 --a------ C:\WINDOWS\system32\webcheck.dll
2007-01-12 10:27:42 51712 -----n--- C:\WINDOWS\system32\msfeedsbs.dll<MSFEED~1.DLL>
2007-01-12 10:27:42 458752 -----n--- C:\WINDOWS\system32\msfeeds.dll
2007-01-12 10:27:42 6054400 -----n--- C:\WINDOWS\system32\ieframe.dll
2007-01-08 20:04:54 105984 --a------ C:\WINDOWS\system32\url.dll
2007-01-08 20:04:08 102400 --a------ C:\WINDOWS\system32\occache.dll
2007-01-08 20:02:04 266752 --a------ C:\WINDOWS\system32\iertutil.dll
2007-01-08 20:02:04 44544 --a------ C:\WINDOWS\system32\iernonce.dll
2007-01-08 20:02:02 384000 --a------ C:\WINDOWS\system32\iedkcs32.dll
2007-01-08 20:02:02 383488 -----n--- C:\WINDOWS\system32\ieapfltr.dll
2007-01-08 20:02:02 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2007-01-08 20:02:02 230400 --a------ C:\WINDOWS\system32\ieaksie.dll
2007-01-08 20:02:02 153088 --a------ C:\WINDOWS\system32\ieakeng.dll
2007-01-08 20:01:14 17408 --a------ C:\WINDOWS\system32\corpol.dll
2007-01-08 20:00:48 124928 --a------ C:\WINDOWS\system32\advpack.dll
2007-01-08 19:08:14 56832 --a------ C:\WINDOWS\system32\ie4uinit.exe
2007-01-08 19:08:10 13824 --a------ C:\WINDOWS\system32\ieudinit.exe
2007-01-03 23:17:01 774144 --a------ C:\Program Files\RngInterstitial.dll<RNGINT~1.DLL>
2006-12-19 16:52:18 134656 --a------ C:\WINDOWS\system32\shsvcs.dll
2006-12-19 13:16:47 333824 --a------ C:\WINDOWS\system32\wiaservc.dll


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"HostManager"="\"C:\\Program Files\\Common Files\\AOL\\1127327071\\ee\\AOLSoftware.exe\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"DLPSP"="\"C:\\Program Files\\Dell Printers\\Additional Color Laser Software\\Status Monitor\\DLPSP.EXE\""
"aol"="\"C:\\Program Files\\AOL\\Active Virus Shield\\avp.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"InstantAccess"="C:\\PROGRA~1\\TEXTBR~1.0\\Bin\\INSTAN~1.EXE /h"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON SMART PANEL for Scanner.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\EPSON SMART PANEL for Scanner.lnk"
"backup"="C:\\WINDOWS\\pss\\EPSON SMART PANEL for Scanner.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\EPSON\\EPSONS~1\\ESPMAIN.EXE /h"
"item"="EPSON SMART PANEL for Scanner"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Image Zone Fast Start.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Image Zone Fast Start.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqthb08.exe -s"
"item"="HP Image Zone Fast Start"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~3\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Works Calendar Reminders.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Works Calendar Reminders.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WORKSS~1\\wkcalrem.exe "
"item"="Microsoft Works Calendar Reminders"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Picture Package Menu.lnk"
"backup"="C:\\WINDOWS\\pss\\Picture Package Menu.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\SONYCO~1\\PICTUR~1\\PICTUR~3\\SonyTray.exe "
"item"="Picture Package Menu"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Picture Package VCD Maker.lnk"
"backup"="C:\\WINDOWS\\pss\\Picture Package VCD Maker.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\SONYCO~1\\PICTUR~1\\PICTUR~1\\RESIDE~1.EXE -h"
"item"="Picture Package VCD Maker"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Marla^Start Menu^Programs^Startup^reminder-ScanSoft Product Registration.lnk]
"path"="C:\\Documents and Settings\\Marla\\Start Menu\\Programs\\Startup\\reminder-ScanSoft Product Registration.lnk"
"backup"="C:\\WINDOWS\\pss\\reminder-ScanSoft Product Registration.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\TEXTBR~1.0\\Ereg\\REMIND32.EXE "
"item"="reminder-ScanSoft Product Registration"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLDial"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd2"
"hkey"="HKLM"
"command"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WkDetect"
"hkey"="HKCU"
"command"="???\\WkDetect.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PortAOL"
"hkey"="HKLM"
"command"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpySweeper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"
"inimapping"="0"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{986cc518-7818-11db-95cb-00038a000015}]
Shell\AutoRun\command F:\LaunchU3.exe -a


-- End of ComboScan: finished at 2007-03-18 at 19:00:33 ------------------------
Past help: http://www.techsupportforum.com/security-c...installing.html

Edited by marlajm, 18 March 2007 - 08:14 PM.



#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,388 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:21 AM

Posted 19 March 2007 - 04:52 PM

Download this program:

submit files packer

Highlight the files listed below in bold, then right-click and select Copy.


C:\WINDOWS\zts2.exe
C:\WINDOWS\system32\vcmgcd32.dll
C:\WINDOWS\system32\iifgfgf.dll
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundl132.dll
C:\WINDOWS\logo1_.exe
C:\WINDOWS\system32\TASKMGR.COM
C:\WINDOWS\REGEDIT.COM
C:\WINDOWS\system32\T.COM
C:\WINDOWS\R.COM
C:\WINDOWS\system32\tmp.reg


Then start the file packer program, right-click in the white box and select Paste to paste the copied file names into the field.

Then press the Continue button.

It will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to yourmembername.cab (for example grinler.cab).

Then go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.
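The collect-and-submit step above, as an added example written for this page: it is not Grinler's "submit files packer" and does not produce its .cab output. It packs the requested paths into a zip, records the size and SHA-256 of each file in a manifest inside the archive so the analyst can tell the samples apart, and lists paths that no longer exist instead of aborting (a cleanup tool may already have deleted some). Function names, the manifest layout and the files that demo() builds in a temp directory are my own.

```python
"""Pack a list of suspect files into an archive together with a manifest.

Added example for this thread, not the forum's "submit files packer":
same collect-and-log idea in Python, with a zip instead of a .cab.
"""
import hashlib
import os
import tempfile
import zipfile
from datetime import datetime, timezone


def sha256_of(path):
    """Hex SHA-256 of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_samples(paths, out_zip):
    """Copy every existing path into out_zip and add requested-files.log.

    Returns {"collected": [(path, size, sha256), ...], "missing": [path, ...]}.
    """
    collected, missing = [], []
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in paths:
            if not os.path.isfile(p):
                missing.append(p)          # already removed, or never existed
                continue
            size = os.path.getsize(p)
            digest = sha256_of(p)
            # Flatten the full path into the member name so that files with
            # the same basename in different directories (e.g. C:\WINDOWS\R.COM
            # next to C:\WINDOWS\system32\T.COM) do not collide in the archive.
            arcname = p.replace(":", "").replace("\\", "_").replace("/", "_")
            zf.write(p, arcname)
            collected.append((p, size, digest))
        lines = ["collected %s" % datetime.now(timezone.utc).isoformat()]
        lines += ["OK %d %s %s" % (size, digest, p) for p, size, digest in collected]
        lines += ["MISSING %s" % p for p in missing]
        zf.writestr("requested-files.log", "\n".join(lines) + "\n")
    return {"collected": collected, "missing": missing}


def demo():
    """Constructed run in a temp dir: two stand-in files plus one missing path."""
    d = tempfile.mkdtemp()
    exe = os.path.join(d, "zts2.exe")
    with open(exe, "wb") as f:
        f.write(b"MZ" + b"\x00" * 30)      # constructed bytes, not a real sample
    reg = os.path.join(d, "tmp.reg")
    with open(reg, "wb") as f:
        f.write(b"hello")
    out = os.path.join(d, "requested-files.zip")
    result = collect_samples([exe, reg, os.path.join(d, "gone.exe")], out)
    with zipfile.ZipFile(out) as zf:
        names = zf.namelist()
        log = zf.read("requested-files.log").decode()
    return result, names, log


if __name__ == "__main__":
    res, names, log = demo()
    print(log)
```

The hashes in the manifest are what a receiving analyst compares against a scanner verdict or a vendor hash list; the archive itself is not password-protected here, since the standard library's zipfile cannot encrypt, so use a tool that does before mailing real samples.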

#3 marlajm (Topic Starter)

Posted 19 March 2007 - 08:35 PM

I sent along the files as you instructed. Should I submit a couple of the files that showed data, but came back as having none when I submitted them to virus scan & Jotti?

I wasn't able to save the IceSword log like this. It found 45 errors, mostly the Kaspersky drivers but also some of the vsdatant type. I can note the others, the vsdatant type, if you want. I don't know why it won't let me save that log.

Do you want the autostart logs from HJT or GMER?

I assume you want the regular HijackThis log, or do you want the ComboScan variety? I will send the regular one for now.

Blacklight didn't reveal anything.

Here are the other logs you wanted to see:

GMER:
GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-03-19 17:14:33
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwClose
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateSymbolicLinkObject
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDeleteKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwEnumerateKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwEnumerateValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwFlushKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwInitializeRegistry
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwLoadKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwLoadKey2
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwNotifyChangeKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenSection
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryMultipleValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQuerySystemInformation
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwRestoreKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwResumeThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSaveKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetContextThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetSecurityObject
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSuspendThread
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwUnloadKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwWriteVirtualMemory
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[284]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[285]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[286]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[287]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[288]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[289]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[290]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[291]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[292]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[293]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[294]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[295]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[296]

Code \??\C:\WINDOWS\system32\drivers\klif.sys FsRtlCheckLockForReadAccess
Code \??\C:\WINDOWS\system32\drivers\klif.sys IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!KiDispatchInterrupt + BA 804DB92E 7 Bytes JMP F2B2D120 \??\C:\WINDOWS\system32\drivers\klif.sys
.text ntoskrnl.exe!IoIsOperationSynchronous 804E8752 5 Bytes JMP F2B2A2A0 \??\C:\WINDOWS\system32\drivers\klif.sys
.text ntoskrnl.exe!FsRtlCheckLockForReadAccess 80503C29 5 Bytes JMP F2B29E10 \??\C:\WINDOWS\system32\drivers\klif.sys
? srescan.sys The system cannot find the file specified.
.text ntoskrnl.exe!KiDispatchInterrupt + BA 804DB92E 7 Bytes JMP F2B2D120 \??\C:\WINDOWS\system32\drivers\klif.sys
.text ntoskrnl.exe!IoIsOperationSynchronous 804E8752 5 Bytes JMP F2B2A2A0 \??\C:\WINDOWS\system32\drivers\klif.sys
.text ntoskrnl.exe!FsRtlCheckLockForReadAccess 80503C29 5 Bytes JMP F2B29E10 \??\C:\WINDOWS\system32\drivers\klif.sys

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F2D302A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F2D302A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F2D302A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F2D302A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F2D302A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F2D302A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F2D302A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F2D302A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F2D302A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F2D302A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F2D302A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F2D302A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F2D302A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F2D302A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F2D302A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F2D302A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F2D302A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F2D302A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F2D302A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F2D302A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F2D302A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [F2D302A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F2D302A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F2D302A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F2D302A0] vsdatant.sys

---- Threads - GMER 1.0.12 ----

Thread 4:116 822838E0
Thread 4:120 822838E0
Thread 4:124 8225C8D0
Thread 4:128 8225C8D0
Thread 4:132 8225C8D0
Thread 4:332 822838E0
Thread 4:396 822838E0

---- EOF - GMER 1.0.12 ----


Logfile of HijackThis v1.99.1
Scan saved at 8:02:59 PM, on 3/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\Common Files\AOL\1127327071\ee\AOLSoftware.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0\aoltray.exe
c:\program files\common files\aol\1127327071\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1127327071\ee\aolsoftware.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Marla\Desktop\scanner2\Marla.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1127327071\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DLPSP] "C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE"
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1118153487515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1122422829054
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/share...,20/McGDMgr.cab
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

I will send the others along if you like... the ComboScan and startups.

Many thanks,
Marla

#4 marlajm (Topic Starter)

Posted 20 March 2007 - 11:53 AM

PS. When I went to paste the Blacklight scan, the copy wasn't in the folder. I searched and it was gone. So, I redownloaded the command version and it scanned for a while and then, poof, it shut down and disappeared with no report or anything.

Also, my computer makes these screeching grinding sounds from time to time.

#5 Grinler (Lawrence Abrams, Admin)

Posted 20 March 2007 - 12:18 PM

Sure, send me some samples of the files that Jotti and VT are having problems with. I still have not had a chance to look at the files you sent me. I will today though. As for what's been shown so far in this thread, there is nothing bad here. Go ahead and post a ComboScan log.

#6 Grinler (Lawrence Abrams, Admin)

Posted 20 March 2007 - 01:26 PM

Screeching/grinding noises are always bad. Is there any way you can pinpoint what hardware is making that noise?

Typically, when people describe grinding noises it's the hard drives, which could be the cause of all your issues.

#7 Grinler (Lawrence Abrams, Admin)

Posted 21 March 2007 - 04:26 PM

Marla,

I looked at the files and they all appear to be the normal .exe files renamed .com. For example, T.com is actually tskmgr.exe.

It is really strange that you would have these files, and I am concerned that even though you may have removed any infections, who knows what was done on your system when you were infected.
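A way to back up the finding above with evidence rather than by eye, as an added example that is not Grinler's own method: hash each suspect .COM file, check for the "MZ" header every PE executable starts with, and look the hash up against a set of known-good binaries (the .exe files the .COM names imitate, or a vendor hash list). A byte-for-byte match confirms "renamed copy"; no match means the file needs a closer look. Function names are my own, and the files demo() builds in a temp directory are constructed stand-ins, not Windows binaries.

```python
"""Check whether suspect .COM files are byte-for-byte copies of known binaries.

Added example for this thread, not the forum's own method: hash comparison
against trusted references, plus a PE-header check, for each suspect path.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hex SHA-256 of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_pe(path):
    """True if the file starts with the 'MZ' DOS stub header of a PE image."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def match_suspects(suspects, references):
    """Map each suspect to the known-good file with identical content, if any.

    references: paths of trusted binaries. Returns
    {suspect: {"sha256": ..., "pe": bool, "same_as": path_or_None}};
    a suspect that no longer exists gets sha256 None.
    """
    by_hash = {}
    for ref in references:
        if os.path.isfile(ref):
            by_hash.setdefault(sha256_of(ref), ref)
    report = {}
    for s in suspects:
        if not os.path.isfile(s):
            report[s] = {"sha256": None, "pe": False, "same_as": None}
            continue
        digest = sha256_of(s)
        report[s] = {"sha256": digest, "pe": is_pe(s), "same_as": by_hash.get(digest)}
    return report


def demo():
    """Constructed case: T.COM equals a stand-in taskmgr.exe, R.COM does not."""
    d = tempfile.mkdtemp()
    fake_pe = b"MZ" + b"\x90" * 64          # constructed; only the header is PE-like
    taskmgr = os.path.join(d, "taskmgr.exe")
    with open(taskmgr, "wb") as f:
        f.write(fake_pe)
    tcom = os.path.join(d, "T.COM")
    with open(tcom, "wb") as f:
        f.write(fake_pe)                     # identical bytes under a .COM name
    rcom = os.path.join(d, "R.COM")
    with open(rcom, "wb") as f:
        f.write(b"not an executable at all")
    gone = os.path.join(d, "gone.com")       # path that no longer exists
    return match_suspects([tcom, rcom, gone], [taskmgr]), taskmgr


if __name__ == "__main__":
    report, ref = demo()
    for path, info in report.items():
        print(os.path.basename(path), "pe=%s" % info["pe"], "same_as=%s" % info["same_as"])
```

On a real machine the references would be the system32 originals (and, better, a hash list from the vendor), because a copy that matches a local binary only proves the two files are identical, not that either is clean.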

#8 marlajm (Topic Starter)

Posted 22 March 2007 - 01:42 PM

Yes, I have a number of files like those, with "forbidding" names, but they are empty folders. It is strange.

Here is the latest HijackThis log. I ran the new version of ComboScan, by the way, and it removed about:blank even though it hasn't been revealing itself in the logs. And, so far I haven't seen it loading. I still have ATWOLA, however. I tried to click on the temporary internet file for Tribalfusion and it disappeared!


Logfile of HijackThis v1.99.1
Scan saved at 1:32:37 PM, on 3/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\Common Files\AOL\1127327071\ee\AOLSoftware.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\system32\devldr32.exe
c:\program files\common files\aol\1127327071\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1127327071\ee\aolsoftware.exe
C:\Program Files\HijackThis\HijackThis.exe

O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1127327071\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DLPSP] "C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE"
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1118153487515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1122422829054
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/share...,20/McGDMgr.cab
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

I will run another of the new Combos and post it. I am also going to submit some of the other files that were found to be problematic by either Jotti or VirusScan.

Many thanks,
Marla

Edited by marlajm, 22 March 2007 - 01:43 PM.


#9 marlajm (Topic Starter)

Posted 23 March 2007 - 03:31 PM

I submitted the other files. Most were found suspicious or to be trojans or worms by one or more sources in Jotti and/or Virus Scan, even Svchost.exe.....I hope you get the "right" one. In the registry I found that svchost.exe had 35 associations with it, is that normal?

About:blank is back and I found these AppInit_DLLs in the registry. I tried Gmer and IceSword and couldn't find a value for the second one. Gmer's startup list shows it there but with no value. It doesn't show up on HijackThis or any other scan. See attachment for registry entry and Gmer startup list. (Attached files: startupGmer2.txt, registry_questions.txt)

I also don't know how to get Gmer or Icesword to save a complete log and I can't cut and paste. In services, for example: Services, there are many that are disabled.

Abiosdsk DISABLED
abp480n5 Disabled
Alerter Disabled

I looked at the dates when those first group of files were created and they were all within a minute of my first use of Superantispy which MWAV still finds as a trojan or worm.

I cannot access my temporary internet files to submit. Sometimes I can see them and sometimes I can't. Tribalfusion is on that list, by the way.

Do Dell and HP HAVE to be on startup? Also, Textbridge Pro Instant Access, which does not run with the file it is supposed to?

Here is a Hijack Log. I accidentally did a combofix instead of a comboscan and about:blank popped up on the HijackThis scan. I am also attaching some registry entries. (Attached files: Deckardcombo.txt, AboutBlank_in_registry.txt)

Thanks again. Am I clean? paranoid? or should I reinstall?
Marla

Edited by marlajm, 24 March 2007 - 12:07 AM.


#10 marlajm (Topic Starter)

Posted 23 March 2007 - 05:44 PM

NTDVM.exe....just accessed the internet. This app didn't ask. I was working on something in the room and heard the sound of a finished scan or something. Nothing on the screen, nothing on the bottom bar, so I opened Zone Alarm and this file had accessed or tried to access the internet. Deckard/combo shows nothing....no files created,nothing.

By the way, I ran your services scan (attached file: getservice.txt) but the second one, psssservice, didn't work. I saw things on the black screen and then it closed but no log saved or anything. (I found it while researching registry entries and came across your article!)

Thoughts?


NOTE: I did this before the last two scans....the Deckard and the about entries!!! Sorry, I meant to amend this one.

Edited by marlajm, 24 March 2007 - 12:09 AM.


#11 marlajm (Topic Starter)

Posted 24 March 2007 - 01:56 PM

Ok, so I tried the A-squared Hijackfree. Oh my gosh. How do I proceed?
I will attach some of the logs. Some I hand copied because I kept getting phoney error messages, out of memory, access violation 2 address. I wrote down the numbers by hand because it froze my system. There are still some blocked or hidden items but some more were revealed.

The Access Violation error messages were about:

7C932158 in module ntdll.dll read of address EACF8E74

7714CA1E in module oleaut32.dll read of address 00256000

7C9118D0 in module ntdll.dll read of 00020000

I got the out of memory error when I was exploring autoexec mscdexnt.exe, redir. and dosx

Here are these entries in more detail:
autoexec.bat
%PATH%;C:\PROGRA~1\COMMON~1\MUVEET~1\030625

Name:PATH
File Name: 030625
File path: C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\ProgramFiles\
QuickTime\QTSystem\;;C:\Progra~1\COMMON~1\MUVEET~1\030625;C:\PROGRA~1\COMMON~1\MUVEET~1\
%PATH%;C:\PROGRA~1\COMMON~1\MUVEET~1\030625

Description: info not available

Company: info not available

Version: info not available

Copyright: info not available


Autoexec.nt

lh
%SystemRoot%\system32\mscdexnt.exe
mscdexnt.exe
C:\WINDOWS\system32

lh
%SystemRoot%\system32\redir
redir
C:\WINDOWS\system32\

lh
%SystemRoot%\system32\dosx
File Name: dosx
C:\WINDOWS\system32\

SET BLASTER [Sound blaster?]
A220 I5 D1 P330 T3

Config.nt
error message--out of memory

device %SystemRoot%\system32\himem.sys
C:\WINDOWS\system32\himem.sys
file name: himem.sys
no other info available

dos high, umb
location high, umb

files 40
no other info available

AutoStart Menu
SA c:\WINDOWS\tasks
file name: SA.DAT
File path: C:\WINDOWS\tasks
no other info available


WINLogon
Name: Shell
Location: Explorer.exe HKEY_LOCAL_MACHINE
file path not available

ACTIVE SETUP
(many!)

SHELL OPEN COMMAND
Application *%1%*
Location *%1%*
no other information available

I will attach the other reports.

Here is the HijackFree log:

Logfile of HiJackFree v2.1
Scan saved at 2:44:02 AM, on 3/24/2007
Platform: Windows XP Service Pack 2 (Windows NT 5.1.2600)
MSIE: Internet Explorer v 7.0 Service Pack 2 (7.0.5730.11)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\AOL\1127327071\ee\AOLSoftware.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\system32\devldr32.exe
c:\program files\common files\aol\1127327071\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1127327071\ee\aolsoftware.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\a-squared Daddyo\a2hijackfree.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1127327071\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [DLPSP] "C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE"
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O23 - Service: Alerter - C:\WINDOWS\System32\svchost.exe
O23 - Service: Application Layer Gateway Service - C:\WINDOWS\System32\alg.exe
O23 - Service: AOL Connectivity Service - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Application Management - C:\WINDOWS\system32\svchost.exe
O23 - Service: ASP.NET State Service - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
O23 - Service: Windows Audio - C:\WINDOWS\System32\svchost.exe
O23 - Service: Active Virus Shield - C:\Program Files\AOL\Active Virus Shield\avp.exe
O23 - Service: Background Intelligent Transfer Service - C:\WINDOWS\System32\svchost.exe
O23 - Service: Computer Browser - C:\WINDOWS\System32\svchost.exe
O23 - Service: Indexing Service - C:\WINDOWS\system32\cisvc.exe
O23 - Service: ClipBook - C:\WINDOWS\system32\clipsrv.exe
O23 - Service: COM+ System Application - C:\WINDOWS\System32\dllhost.exe
O23 - Service: Cryptographic Services - C:\WINDOWS\system32\svchost.exe
O23 - Service: DCOM Server Process Launcher - C:\WINDOWS\system32\svchost
O23 - Service: DHCP Client - C:\WINDOWS\System32\svchost.exe
O23 - Service: Dell Printer Status Watcher - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: Logical Disk Manager Administrative Service - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Logical Disk Manager - C:\WINDOWS\System32\svchost.exe
O23 - Service: DNS Client - C:\WINDOWS\System32\svchost.exe
O23 - Service: Error Reporting Service - C:\WINDOWS\System32\svchost.exe
O23 - Service: Event Log - C:\WINDOWS\system32\services.exe
O23 - Service: COM+ Event System - C:\WINDOWS\System32\svchost.exe
O23 - Service: Fast User Switching Compatibility - C:\WINDOWS\System32\svchost.exe
O23 - Service: Help and Support - C:\WINDOWS\System32\svchost.exe
O23 - Service: Human Interface Device Access - C:\WINDOWS\System32\svchost.exe
O23 - Service: HTTP SSL - C:\WINDOWS\System32\svchost.exe
O23 - Service: InstallDriver Table Manager - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service - C:\WINDOWS\System32\imapi.exe
O23 - Service: iPodService - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Server - C:\WINDOWS\System32\svchost.exe
O23 - Service: Workstation - C:\WINDOWS\System32\svchost.exe
O23 - Service: TCP/IP NetBIOS Helper - C:\WINDOWS\System32\svchost.exe
O23 - Service: Messenger - C:\WINDOWS\System32\svchost.exe
O23 - Service: NetMeeting Remote Desktop Sharing - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: Distributed Transaction Coordinator - C:\WINDOWS\System32\msdtc.exe
O23 - Service: Windows Installer - C:\WINDOWS\system32\msiexec.exe
O23 - Service: Network DDE - C:\WINDOWS\system32\netdde.exe
O23 - Service: Network DDE DSDM - C:\WINDOWS\system32\netdde.exe
O23 - Service: Net Logon - C:\WINDOWS\System32\lsass.exe
O23 - Service: Network Connections - C:\WINDOWS\System32\svchost.exe
O23 - Service: Network Location Awareness (NLA) - C:\WINDOWS\System32\svchost.exe
O23 - Service: NT LM Security Support Provider - C:\WINDOWS\System32\lsass.exe
O23 - Service: Removable Storage - C:\WINDOWS\system32\svchost.exe
O23 - Service: NVIDIA Driver Helper Service - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Plug and Play - C:\WINDOWS\system32\services.exe
O23 - Service: Pml Driver HPZ12 - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IPSEC Services - C:\WINDOWS\System32\lsass.exe
O23 - Service: Protected Storage - C:\WINDOWS\system32\lsass.exe
O23 - Service: Remote Access Auto Connection Manager - C:\WINDOWS\System32\svchost.exe
O23 - Service: Remote Access Connection Manager - C:\WINDOWS\System32\svchost.exe
O23 - Service: Remote Desktop Help Session Manager - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Routing and Remote Access - C:\WINDOWS\System32\svchost.exe
O23 - Service: Remote Procedure Call (RPC) Locator - C:\WINDOWS\System32\locator.exe
O23 - Service: Remote Procedure Call (RPC) - C:\WINDOWS\system32\svchost
O23 - Service: QoS RSVP - C:\WINDOWS\System32\rsvp.exe
O23 - Service: Security Accounts Manager - C:\WINDOWS\system32\lsass.exe
O23 - Service: Smart Card - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Task Scheduler - C:\WINDOWS\System32\svchost.exe
O23 - Service: Secondary Logon - C:\WINDOWS\System32\svchost.exe
O23 - Service: System Event Notification - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) - C:\WINDOWS\system32\svchost.exe
O23 - Service: Shell Hardware Detection - C:\WINDOWS\System32\svchost.exe
O23 - Service: Print Spooler - C:\WINDOWS\system32\spoolsv.exe
O23 - Service: System Restore Service - C:\WINDOWS\System32\svchost.exe
O23 - Service: SSDP Discovery Service - C:\WINDOWS\System32\svchost.exe
O23 - Service: Windows Image Acquisition (WIA) - C:\WINDOWS\System32\svchost.exe
O23 - Service: MS Software Shadow Copy Provider - C:\WINDOWS\System32\dllhost.exe
O23 - Service: Performance Logs and Alerts - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telephony - C:\WINDOWS\System32\svchost.exe
O23 - Service: Terminal Services - C:\WINDOWS\System32\svchost
O23 - Service: Themes - C:\WINDOWS\System32\svchost.exe
O23 - Service: Distributed Link Tracking Client - C:\WINDOWS\system32\svchost.exe
O23 - Service: Universal Plug and Play Device Host - C:\WINDOWS\System32\svchost.exe
O23 - Service: Uninterruptible Power Supply - C:\WINDOWS\System32\ups.exe
O23 - Service: TrueVector Internet Monitor - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Volume Shadow Copy - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Windows Time - C:\WINDOWS\System32\svchost.exe
O23 - Service: WAN Miniport (ATW) Service - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WebClient - C:\WINDOWS\System32\svchost.exe
O23 - Service: Windows Management Instrumentation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Portable Media Serial Number Service - C:\WINDOWS\System32\svchost.exe
O23 - Service: WMI Performance Adapter - C:\WINDOWS\System32\wbem\wmiapsrv.exe
O23 - Service: Security Center - C:\WINDOWS\System32\svchost.exe
O23 - Service: Automatic Updates - C:\WINDOWS\system32\svchost.exe
O23 - Service: Wireless Zero Configuration - C:\WINDOWS\System32\svchost.exe
O23 - Service: Network Provisioning Service - C:\WINDOWS\System32\svchost.exe

This host entry redirects all web requests for localhost to 127.0.0.1.

The details, which are numerous, show that many of the processes aren't what they say they are.
Attached are some of the logs. (Attached files: shell_extension.txt, explorer_active_X_extensions.txt, Wndows_logon.htm)


Edited by marlajm, 24 March 2007 - 02:09 PM.


#12 marlajm (Topic Starter)

Posted 26 March 2007 - 02:14 AM

I have 97 copies of desktop.ini, down from the over 120 of last week, up from the 4 I had this morning.
Do you think the AsquaredHijackfree online analysis has a lot of false positives?

Edited by marlajm, 26 March 2007 - 02:20 AM.


#13 Grinler (Lawrence Abrams, Admin)

Posted 26 March 2007 - 11:58 AM

You have a lot of questions, so I am going to answer all of them.

[quote]I submitted the other files. Most were found suspicious or to be trojans or worms by one or more sources in Jotti and/or Virus Scan, even Svchost.exe.....I hope you get the "right" one. In the registry I found that svchost.exe had 35 associations with it, is that normal?[/quote]

The files did not get submitted properly. The cab file you submitted did not contain anything unfortunately.

Also it is perfectly normal for there to be a ton of services running under svchost processes. You are saying you have 35 svchost processes running or 35 different services running under svchost? If it's the former, that is weird. If it is the latter, it is normal. From your logs it does not appear that you have 35 svchost processes running though. If you mean all the services in the gmer.log starting from svchost.exe, that is normal. You can read more about svchost.exe here:

http://www.bleepingcomputer.com/tutorials/list-services-running-under-svchost.exe-process/

[quote]About:blank is back and I found these AppInit_DLLs in the registry.[/quote]

What appinit_dlls entries? Gmer shows it as blank which is perfectly valid. The appinit_dlls value always exists, even if it has no data. What file were you seeing in other scans?

[quote]I also don't know how to get Gmer or Icesword to save a complete log and I can't cut and paste. In services, for example: Services, there are many that are disabled.[/quote]

It is perfectly normal for services to be disabled by default when you install Windows. I cannot give you the technical reason, but it is normal.

[quote]I looked at the dates when those first group of files were created and they were all within a minute of my first use of Superantispy which MWAV still finds as a trojan or worm.[/quote]

Is it possible these files were installed by SuperAntispyware? This is a legitimate program btw.

[quote]I cannot access my temporary internet files to submit. Sometimes I can see them and sometimes I can't. Tribalfusion is on that list, by the way.[/quote]

That I find strange but have no explanation for it. If you have it disabled to see hidden files, then you will not be able to see it.

[quote]Do Dell land HP HAVE to be on startup? Also, Textbridge Pro Instant Access, which does not run with the file it is supposed to?[/quote]

Not sure to be honest. Disable them via msconfig and see if anything is not working. It probably just won't load the status monitor for that printer so you won't get alerts if there is low ink or problems.

[quote]Here is a Hijack Log. I accidentally did a combofix instead of a comboscan and about:blank popped up on the HijackThis scan. I am also attaching some registry entries. (Attached file: Deckardcombo.txt)[/quote]

Do you have Internet Explorer set to open to a blank page? If so, that's the about:blank.

Feel free to delete these files:

C:\WINDOWS\zts2.exe
C:\WINDOWS\system32\vcmgcd32.dll
C:\WINDOWS\system32\iifgfgf.dll
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundl132.dll
C:\WINDOWS\system32\CMMGR32.EXE


They are 0 byte and not affecting you but they do look like they were an attempt to infect you that did not work.

[quote]NTDVM.exe....just accessed the internet. This app didn't ask. I was working on something in the room and heard the sound of a finished scan or something. Nothing on the screen, nothing on the bottom bar, so I opened Zone Alarm and this file had accessed or tried to access the internet. Deckard/combo shows nothing....no files created,nothing.[/quote]

NTDVM or ntvdm.exe? Spelling is important.

[quote]The details, which are numerous, show that many of the processes aren't what they say they are.
attached are some of the logs.[/quote]

I am not sure where you are seeing this?


[quote]I have 97 copies of desktop.ini, down from the over 120 of last week, up from the 4 I had this morning.[/quote]

Desktop.ini's are normal to see when you can see hidden files. Ignore this .. not even sure why they are reporting it.

[quote]Thanks again. Am I clean? paranoid? or should I reinstall?[/quote]

Hehe..I think a bit paranoid :thumbsup: Paranoia is a good thing, though, when dealing with computers. As for ASquare HijackFree...I am not really familiar with it.

I personally think you are coming down with a bad case of Security Overload. Too many tools are starting to muddy the picture. I honestly do not see anything wrong here.
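As an added example (not a tool from the thread or from the HijackThis project), here is a small Python parser for the log format posted above that separates what the svchost question mixes up: svchost.exe entries in the "Running processes" list versus O23 services whose host binary is svchost.exe, and it also lists the O20/O23 entries flagged "(file missing)", like the WgaLogon and AOL entries in the earlier log. The sample log inside it is a constructed excerpt in the same format.

```python
"""Triage helper for HijackThis/HijackFree-style logs (added example, not a
tool from the thread or from HijackThis). It separates svchost.exe *processes*
listed under "Running processes" from *services* (O23 lines) hosted by
svchost.exe, and lists O20/O23 autostart entries flagged "(file missing)"."""
import re

# Constructed excerpt in the format of the logs posted in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: Alerter - C:\WINDOWS\System32\svchost.exe
O23 - Service: DHCP Client - C:\WINDOWS\System32\svchost.exe
O23 - Service: Remote Procedure Call (RPC) - C:\WINDOWS\system32\svchost
O23 - Service: Event Log - C:\WINDOWS\system32\services.exe
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: TrueVector Internet Monitor - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^([ROF]\d+)\s+-\s+(.*)$")   # "O23 - Service: ..."
MISSING = "(file missing)"


def image_name(path):
    """Lowercase file name of a Windows path; a trailing '" -args' and any
    .exe suffix are dropped so 'svchost' and 'svchost.exe' compare equal."""
    name = path.strip().split('"')[0].rstrip("\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def parse_log(text):
    """Return (running process paths, [(code, entry text), ...])."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:                       # first R/O line ends the process list
            in_processes = False
            entries.append((match.group(1), match.group(2)))
        elif in_processes:
            processes.append(line)
    return processes, entries


def host_image(entry):
    """Host binary of an O20/O23 entry: its last ' - ' field, minus the flag."""
    return image_name(entry.rsplit(" - ", 1)[-1].replace(MISSING, ""))


def svchost_summary(text):
    """(svchost.exe processes running, services whose host is svchost.exe)."""
    processes, entries = parse_log(text)
    procs = sum(1 for p in processes if image_name(p) == "svchost")
    services = sum(1 for code, e in entries
                   if code == "O23" and host_image(e) == "svchost")
    return procs, services


def missing_files(text):
    """O20/O23 entries whose binary the scanner reports as missing."""
    return [f"{code} - {e}" for code, e in parse_log(text)[1]
            if code in ("O20", "O23") and MISSING in e]


if __name__ == "__main__":
    procs, services = svchost_summary(SAMPLE_LOG)
    print(f"svchost.exe processes: {procs}; services hosted by svchost: {services}")
    for entry in missing_files(SAMPLE_LOG):
        print("dangling autostart entry:", entry)
```

On the sample, three svchost.exe processes host three of the listed services, which is the normal many-services-per-process picture Grinler describes; a service count far above the process count is expected, not a sign of 35 rogue processes.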

#14 marlajm (Topic Starter)

Posted 27 March 2007 - 12:18 AM

Thanks so much for answering. Here are some answers and some questions! : )

Regarding the second batch of files you requested I send to you:

[quote]The files did not get submitted properly. The cab file you submitted did not contain anything unfortunately.[/quote]


What did I do wrong and how can I correct it? I would like to try again.

[quote]NTDVM.exe....just accessed the internet. This app didn't ask. I was working on something in the room and heard the sound of a finished scan or something. Nothing on the screen, nothing on the bottom bar, so I opened Zone Alarm and this file had accessed or tried to access the internet. Deckard/combo shows nothing....no files created,nothing.[/quote]

[quote]NTDVM or ntvdm.exe? Spelling is important.[/quote]


NTVDM.exe...you are correct. Sorry

[quote]Do you have Internet Explorer set to open to a blank page? If so, that's the about:blank.[/quote]


No, my home page is supposed to be MSN.com

[quote]Feel free to delete these files:

C:\WINDOWS\zts2.exe
C:\WINDOWS\system32\vcmgcd32.dll
C:\WINDOWS\system32\iifgfgf.dll
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundl132.dll
C:\WINDOWS\system32\CMMGR32.EXE[/quote]


I have tried to delete most of these, if not all, but they came back. I think I used killbox, if I remember correctly. I also tried to delete viewpoint media player and it reinstalls as well.

I am still having trouble, navigational errors, etc. Also, anything on the Prepare to Die message, 404 error when I tried scanning files at Jotti?

Thanks again,
Marla

Edited by marlajm, 27 March 2007 - 12:27 AM.


#15 Grinler (Lawrence Abrams, Admin)

Posted 27 March 2007 - 08:47 AM

[quote]What did I do wrong and how can I correct it? I would like to try again.[/quote]


I am not sure to be honest. What you can try doing is submitting the files individually one at a time instead of using the file packer.

[quote]NTVDM.exe...you are correct. Sorry[/quote]


This is a legit file and you do not have to worry about it.


[quote]I am still having trouble, navigational errors, etc. Also, anything on the Prepare to Die message, 404 error when I tried scanning files at Jotti?[/quote]


No, that's a new one to me and I can't find any info on that.

I honestly am not sure what to tell you. Let's try this last thing:

Run HijackThis.
Click on Open the Misc Tools Section.
Then press Generate StartupList log, making sure that both boxes next to it are checked.
Select Yes at the prompt.
A Notepad file will open, and will automatically be saved in your HijackThis folder.
Paste this log in your next reply.
More information, with a screenshot, can be found here.

If we do not see anything here, then my next suggestion is to back up your data and reinstall to be safe.



