Assistance With Spyware Removal


3 replies to this topic

#1 fasxt2000


  • Members
  • 2 posts

Posted 23 April 2007 - 05:34 PM

Thanks in advance for any help getting this resolved. My problem started today when I mistyped a domain name and went to a bogus site; I don't even think I clicked anything. All of a sudden ZoneAlarm alerts me to a bunch of suspicious programs trying to access the internet, and MS Outlook keeps trying to open. I closed all my windows, deleted everything in my Temp folders and rebooted, but now I get a bunch of pop-ups whenever I run Internet Explorer.

I read the "Preparation Guide" before posting and completed all the steps requested. Adaware and Spybot found a few minor items, but didn't solve my problem with the IE pop-ups.

I saw all the how-to guides on removing specific spyware. I'd be comfortable following those instructions myself, but the one topic I couldn't find was how to identify the specific type of infection. So hopefully you can help me with that. Here's my log:

Scan saved at 5:00:19 PM, on 4/23/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Max Action\Desktop\del_it\hijack\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {0454EC0A-D842-4CD3-80BC-7D132B526617} - C:\WINNT\system32\urqno.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINNT\system32\sdyjfxys.dll
O2 - BHO: (no name) - {3F9D0C61-737D-44D1-BD80-91AF857061CC} - C:\WINNT\system32\mljkjgg.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\XEROX_XD\ENGSS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O16 - DPF: {08882277-D04C-4A9D-845A-A28FE8CD0773} (xpreload.xpreloader) - ms-its:mhtml:file://c:\\nores.mht!http://adxgate.net/zscript/pre.chm::/xpreload.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/10fffc4e043178...ip/RdxIE601.cab
O20 - Winlogon Notify: mljkjgg - C:\WINNT\SYSTEM32\mljkjgg.dll
O20 - Winlogon Notify: urqno - C:\WINNT\system32\urqno.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Freenet 0.7 darknet-8888 (freenet-darknet-8888) - Unknown owner - C:\Program Files\Freenet\bin\wrapper-windows-x86-32.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 4517 bytes



#2 RichieUK


    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 23 April 2007 - 06:07 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum fasxt2000 :thumbsup:

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "OK".
Please post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

******************************

Please download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Restart your pc.
Post the C:\vundofix.txt, the C:\ComboFix.txt, and a new HijackThis log into your next reply please.

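The original poster asked how to tell which infection a log shows, and the helper's reply goes straight to VundoFix. What singles this log out is a set of O2 Browser Helper Objects with no registered name loading randomly named DLLs from system32, two of which (urqno.dll and mljkjgg.dll) are also loaded as O20 Winlogon Notify packages; those are the same DLLs VundoFix later reports deleting. The script below is an added example, not code from the thread or from HijackThis or VundoFix, that parses the O2 and O20 lines copied from the first log above and flags entries matching those two heuristics. The heuristic names and thresholds are this example's own choices.

```python
"""Flag Vundo-style indicators in HijackThis log lines.

Added example (not from the thread or from HijackThis itself): it parses the
O2 (Browser Helper Object) and O20 (Winlogon Notify) entries and reports DLLs
that match two heuristics. Run it directly to see the flagged entries.
"""
import re
from collections import defaultdict

# Lines copied from the first HijackThis log in the thread. The other sections
# of that log are left out because this check only looks at O2 and O20 entries;
# the R0 and O4 lines are kept to show they are ignored.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {0454EC0A-D842-4CD3-80BC-7D132B526617} - C:\WINNT\system32\urqno.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINNT\system32\sdyjfxys.dll
O2 - BHO: (no name) - {3F9D0C61-737D-44D1-BD80-91AF857061CC} - C:\WINNT\system32\mljkjgg.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O20 - Winlogon Notify: mljkjgg - C:\WINNT\SYSTEM32\mljkjgg.dll
O20 - Winlogon Notify: urqno - C:\WINNT\system32\urqno.dll
"""

# "O2 - BHO: <name> - {<CLSID>} - <path>" with an optional "(file missing)" suffix,
# as seen in the second log in the thread.
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+?)"
    r"(?: \(file missing\))?$"
)
# "O20 - Winlogon Notify: <registry key> - <path>"
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+?)(?: \(file missing\))?$"
)


def parse_entries(log_text):
    """Return a list of (section, display_name, path) for O2 and O20 lines only."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            entries.append(("O2", m.group("name"), m.group("path")))
            continue
        m = O20_RE.match(line)
        if m:
            entries.append(("O20", m.group("key"), m.group("path")))
    return entries


def dll_basename(path):
    """Case-folded file name: 'C:\\WINNT\\SYSTEM32\\mljkjgg.dll' -> 'mljkjgg.dll'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_system32(path):
    return "\\system32\\" in path.lower()


def flag_vundo_indicators(log_text):
    """Map suspicious DLL name -> sorted list of reasons it was flagged.

    Heuristic 1: a BHO registered with no name whose DLL lives in system32.
    Legitimate add-ons can also show "(no name)" (Spybot's SDHelper.dll does
    in this log), so the location, not the missing name alone, is the signal.
    Heuristic 2: the same DLL is loaded both as a BHO and as a Winlogon Notify
    package, which gives the component a second way to stay resident.
    """
    reasons = defaultdict(set)
    sections_by_dll = defaultdict(set)
    for section, name, path in parse_entries(log_text):
        dll = dll_basename(path)
        sections_by_dll[dll].add(section)
        if section == "O2" and name == "(no name)" and in_system32(path):
            reasons[dll].add("unnamed BHO in system32")
    for dll, sections in sections_by_dll.items():
        if {"O2", "O20"} <= sections:
            reasons[dll].add("BHO and Winlogon Notify share a DLL")
    return {dll: sorted(why) for dll, why in reasons.items()}


if __name__ == "__main__":
    for dll, why in sorted(flag_vundo_indicators(SAMPLE_LOG).items()):
        print(f"{dll}: {'; '.join(why)}")
```

On the thread's log this flags urqno.dll and mljkjgg.dll under both heuristics and sdyjfxys.dll under the first only, while SDHelper.dll, ssv.dll and AcroIEHelper.dll pass. That matches the files VundoFix and ComboFix went on to remove, and it shows why a "(no name)" BHO by itself is not enough to condemn an entry.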

#3 fasxt2000

  • Topic Starter

  • Members
  • 2 posts

Posted 23 April 2007 - 07:07 PM

OK, I performed the recommended steps. So far I haven't noticed any pop-ups or other obvious signs of spyware. Here are my logs:

Logfile of HijackThis v1.99.1
Scan saved at 6:56:09 PM, on 4/23/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Documents and Settings\Max Action\Desktop\del_it\hijack\HijackThis2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {0454EC0A-D842-4CD3-80BC-7D132B526617} - C:\WINNT\system32\urqno.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINNT\system32\sdyjfxys.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\XEROX_XD\ENGSS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O16 - DPF: {08882277-D04C-4A9D-845A-A28FE8CD0773} (xpreload.xpreloader) - ms-its:mhtml:file://c:\\nores.mht!http://adxgate.net/zscript/pre.chm::/xpreload.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/10fffc4e043178...ip/RdxIE601.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Freenet 0.7 darknet-8888 (freenet-darknet-8888) - Unknown owner - C:\Program Files\Freenet\bin\wrapper-windows-x86-32.exe" -s "C:\Program Files\Freenet\wrapper.conf (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
*******************************************************

VundoFix V6.3.20

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 6:39:09 PM 4/23/2007

Listing files found while scanning....

C:\WINNT\system32\mljkjgg.dll
C:\WINNT\system32\onqru.bak1
C:\WINNT\system32\onqru.ini
C:\WINNT\system32\tvlbixgr.dll
C:\WINNT\system32\urqno.dll
C:\WINNT\system32\yayawuu.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\mljkjgg.dll
C:\WINNT\system32\mljkjgg.dll Has been deleted!

Attempting to delete C:\WINNT\system32\onqru.bak1
C:\WINNT\system32\onqru.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\onqru.ini
C:\WINNT\system32\onqru.ini Has been deleted!

Attempting to delete C:\WINNT\system32\tvlbixgr.dll
C:\WINNT\system32\tvlbixgr.dll Has been deleted!

Attempting to delete C:\WINNT\system32\urqno.dll
C:\WINNT\system32\urqno.dll Has been deleted!

Attempting to delete C:\WINNT\system32\yayawuu.dll
C:\WINNT\system32\yayawuu.dll Has been deleted!

Performing Repairs to the registry.
Done!
*****************************************************

"Computer" - Mon 04/23/2007 18:47:56 Service Pack 4
ComboFix 07-04-24.2V - Running from: "C:\Documents and Settings\User\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\tustt.dll
C:\WINNT\system32\sdyjfxys.dll
C:\WINNT\system32\ttsut.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe


((((((((((((((((((((((((((((((( Files Created from 2002-01-07 to 20/23/2007 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2012/07/99 07:00a 9680 --a------ C:\WINNT\system32\drivers\netdtect.sys
2012/07/99 07:00a 88816 --a------ C:\WINNT\system32\drivers\lvcam.sys
2012/07/99 07:00a 8016 --a------ C:\WINNT\system32\drivers\rasacd.sys
2012/07/99 07:00a 79120 --a------ C:\WINNT\system32\drivers\lvcodek.sys
2012/07/99 07:00a 6512 --a------ C:\WINNT\system32\drivers\parvdm.sys
2012/07/99 07:00a 6032 --a------ C:\WINNT\system32\drivers\rootmdm.sys
2012/07/99 07:00a 59280 --a------ C:\WINNT\system32\drivers\vdmindvd.sys
2012/07/99 07:00a 58480 --a------ C:\WINNT\system32\drivers\nwlnkspx.sys
2012/07/99 07:00a 57904 --a------ C:\WINNT\system32\drivers\atmarpc.sys
2012/07/99 07:00a 52048 --a------ C:\WINNT\system32\drivers\tosdvd.sys
2012/07/99 07:00a 4240 --a------ C:\WINNT\system32\drivers\wmilib.sys
2012/07/99 07:00a 4240 --a------ C:\WINNT\system32\drivers\mnmdd.sys
2012/07/99 07:00a 4080 --a------ C:\WINNT\system32\drivers\beep.sys
2012/07/99 07:00a 40432 --a------ C:\WINNT\system32\drivers\ndproxy.sys
2012/07/99 07:00a 3728 --a------ C:\WINNT\system32\drivers\swenum.sys
2012/07/99 07:00a 37040 --a------ C:\WINNT\system32\drivers\npfs.sys
2012/07/99 07:00a 35344 --a------ C:\WINNT\system32\drivers\nwlnkfwd.sys
2012/07/99 07:00a 35024 --a------ C:\WINNT\system32\drivers\rawwan.sys
2012/07/99 07:00a 34416 --a------ C:\WINNT\system32\drivers\ipfltdrv.sys
2012/07/99 07:00a 33456 --a------ C:\WINNT\system32\drivers\netbios.sys
2012/07/99 07:00a 2800 --a------ C:\WINNT\system32\drivers\null.sys
2012/07/99 07:00a 272496 --a------ C:\WINNT\system32\drivers\cinemst2.sys
2012/07/99 07:00a 23888 --a------ C:\WINNT\system32\drivers\usbcamd.sys
2012/07/99 07:00a 22000 --a------ C:\WINNT\system32\drivers\tsbvcap.sys
2012/07/99 07:00a 21712 --a------ C:\WINNT\system32\drivers\rca.sys
2012/07/99 07:00a 21328 --a------ C:\WINNT\system32\drivers\msfs.sys
2012/07/99 07:00a 19984 --a------ C:\WINNT\system32\drivers\ipinip.sys
2012/07/99 07:00a 19088 --a------ C:\WINNT\system32\drivers\cdaudio.sys
2012/07/99 07:00a 17424 --a------ C:\WINNT\system32\drivers\lvsound.sys
2012/07/99 07:00a 16880 --a------ C:\WINNT\system32\drivers\raspti.sys
2012/07/99 07:00a 15120 --a------ C:\WINNT\system32\drivers\usbintel.sys
2012/07/99 07:00a 14832 --a------ C:\WINNT\system32\drivers\smclib.sys
2012/07/99 07:00a 13968 --a------ C:\WINNT\system32\drivers\vga.sys
2012/07/99 07:00a 12880 --a------ C:\WINNT\system32\drivers\class2.sys
2012/07/99 07:00a 12560 --a------ C:\WINNT\system32\drivers\nwlnkflt.sys
2012/07/99 07:00a 12368 --a------ C:\WINNT\system32\drivers\fsvga.sys
2012/07/99 07:00a 12016 --a------ C:\WINNT\system32\drivers\ws2ifsl.sys
2012/07/99 07:00a 105840 --a------ C:\WINNT\system32\drivers\streams.sys
2012/07/99 07:00a 102160 --a------ C:\WINNT\system32\drivers\nbf.sys
2012/07/99 07:00a 10064 --a------ C:\WINNT\system32\drivers\dxapi.sys
2011/19/99 09:20a 168112 --a------ C:\WINNT\system32\drivers\s3m.sys
2010/28/99 04:24p 51152 --a------ C:\WINNT\system32\drivers\DMusic.sys
2010/22/06 12:22p 3994624 --a------ C:\WINNT\system32\drivers\nv4_mini.sys
2010/22/01 07:31p 29696 --a------ C:\WINNT\system32\drivers\fetnd5a.sys
2009/25/99 11:36a 6640 --a------ C:\WINNT\system32\drivers\MSKSSRV.sys
2009/25/99 11:36a 5008 --a------ C:\WINNT\system32\drivers\MSPCLOCK.sys
2009/25/99 11:36a 4816 --a------ C:\WINNT\system32\drivers\MSPQM.sys
2009/25/99 05:35a 2896 --a------ C:\WINNT\system32\drivers\audstub.sys
2009/24/99 08:17p 27408 --a------ C:\WINNT\system32\drivers\genan5.sys
2009/09/04 12:21p 43212 --a------ C:\WINNT\system32\drivers\ALABULKO.SYS
2007/30/02 04:42p 9038 --a------ C:\WINNT\system32\drivers\viausb.sys
2007/24/02 04:30a 32128 --a------ C:\WINNT\system32\drivers\VIAAGP1.SYS
2007/12/02 04:17p 655596 -ra------ C:\WINNT\system32\drivers\ALCXWDM.SYS
2006/19/03 02:05p 93360 --a------ C:\WINNT\system32\drivers\ndiswan.sys
2006/19/03 02:05p 9200 --a------ C:\WINNT\system32\drivers\ndistapi.sys
2006/19/03 02:05p 91408 --a------ C:\WINNT\system32\drivers\NWLNKIPX.SYS
2006/19/03 02:05p 87888 --a------ C:\WINNT\system32\drivers\mup.sys
2006/19/03 02:05p 86672 --a------ C:\WINNT\system32\drivers\atapi.sys
2006/19/03 02:05p 7728 --a------ C:\WINNT\system32\drivers\diskperf.sys
2006/19/03 02:05p 7600 --a------ C:\WINNT\system32\drivers\fs_rec.sys
2006/19/03 02:05p 74192 --a------ C:\WINNT\system32\drivers\SCSIPORT.SYS
2006/19/03 02:05p 73872 --a------ C:\WINNT\system32\drivers\wdmaud.sys
2006/19/03 02:05p 7312 --a------ C:\WINNT\system32\drivers\dmload.sys
2006/19/03 02:05p 71888 --a------ C:\WINNT\system32\drivers\ksecdd.sys
2006/19/03 02:05p 67120 --a------ C:\WINNT\system32\drivers\ipnat.sys
2006/19/03 02:05p 65520 --a------ C:\WINNT\system32\drivers\nwlnknb.sys
2006/19/03 02:05p 64304 --a------ C:\WINNT\system32\drivers\ipsec.sys
2006/19/03 02:05p 62736 --a------ C:\WINNT\system32\drivers\serial.sys
2006/19/03 02:05p 62672 --a------ C:\WINNT\system32\drivers\udfs.sys
2006/19/03 02:05p 61680 --a------ C:\WINNT\system32\drivers\cdfs.sys
2006/19/03 02:05p 60496 --a------ C:\WINNT\system32\drivers\psched.sys
2006/19/03 02:05p 60208 --a------ C:\WINNT\system32\drivers\parallel.sys
2006/19/03 02:05p 59312 --a------ C:\WINNT\system32\drivers\pci.sys
2006/19/03 02:05p 57296 --a------ C:\WINNT\system32\drivers\irda.sys
2006/19/03 02:05p 57264 --a------ C:\WINNT\system32\drivers\mf.sys
2006/19/03 02:05p 56112 --a------ C:\WINNT\system32\drivers\DLC.SYS
2006/19/03 02:05p 53552 --a------ C:\WINNT\system32\drivers\swmidi.sys
2006/19/03 02:05p 534192 --a------ C:\WINNT\system32\drivers\ntfs.sys
2006/19/03 02:05p 52112 --a------ C:\WINNT\system32\drivers\rasl2tp.sys
2006/19/03 02:05p 50640 --a------ C:\WINNT\system32\drivers\videoprt.sys
2006/19/03 02:05p 49776 --------- C:\WINNT\system32\drivers\usbhub20.sys
2006/19/03 02:05p 48496 --a------ C:\WINNT\system32\drivers\atmlane.sys
2006/19/03 02:05p 48464 --a------ C:\WINNT\system32\drivers\raspptp.sys
2006/19/03 02:05p 47568 --a------ C:\WINNT\system32\drivers\sysaudio.sys
2006/19/03 02:05p 46992 --a------ C:\WINNT\system32\drivers\isapnp.sys
2006/19/03 02:05p 46992 --a------ C:\WINNT\system32\drivers\i8042prt.sys
2006/19/03 02:05p 42000 --a------ C:\WINNT\system32\drivers\stream.sys
2006/19/03 02:05p 418640 --a------ C:\WINNT\system32\drivers\mrxsmb.sys
2006/19/03 02:05p 40176 --a------ C:\WINNT\system32\drivers\usbhub.sys
2006/19/03 02:05p 37552 --a------ C:\WINNT\system32\drivers\nmnt.sys
2006/19/03 02:05p 369104 --a------ C:\WINNT\system32\drivers\dmboot.sys
2006/19/03 02:05p 35344 --a------ C:\WINNT\system32\drivers\redbook.sys
2006/19/03 02:05p 34832 --a------ C:\WINNT\system32\drivers\classpnp.sys
2006/19/03 02:05p 34704 --a------ C:\WINNT\system32\drivers\msgpc.sys
2006/19/03 02:05p 33616 --------- C:\WINNT\system32\drivers\fips.sys
2006/19/03 02:05p 332144 --a------ C:\WINNT\system32\drivers\tcpip.sys
2006/19/03 02:05p 331088 --a------ C:\WINNT\system32\drivers\atmuni.sys
2006/19/03 02:05p 32848 --a------ C:\WINNT\system32\drivers\uhcd.sys
2006/19/03 02:05p 32272 --a------ C:\WINNT\system32\drivers\wanarp.sys
2006/19/03 02:05p 3088 --a------ C:\WINNT\system32\drivers\pciide.sys
2006/19/03 02:05p 30768 --a------ C:\WINNT\system32\drivers\DISK.SYS
2006/19/03 02:05p 29264 --a------ C:\WINNT\system32\drivers\mountmgr.sys
2006/19/03 02:05p 29168 --a------ C:\WINNT\system32\drivers\modem.sys
2006/19/03 02:05p 27984 --a------ C:\WINNT\system32\drivers\cdrom.sys
2006/19/03 02:05p 27440 --a------ C:\WINNT\system32\drivers\efs.sys
2006/19/03 02:05p 26256 --a------ C:\WINNT\system32\drivers\fdc.sys
2006/19/03 02:05p 25104 --a------ C:\WINNT\system32\drivers\parport.sys
2006/19/03 02:05p 24752 --a------ C:\WINNT\system32\drivers\hidclass.sys
2006/19/03 02:05p 24528 --a------ C:\WINNT\system32\drivers\kbdclass.sys
2006/19/03 02:05p 244944 --a------ C:\WINNT\system32\drivers\SRV.SYS
2006/19/03 02:05p 23056 --a------ C:\WINNT\system32\drivers\hidparse.sys
2006/19/03 02:05p 22064 --a------ C:\WINNT\system32\drivers\sonydcam.sys
2006/19/03 02:05p 22064 --a------ C:\WINNT\system32\drivers\pciidex.sys
2006/19/03 02:05p 21776 --a------ C:\WINNT\system32\drivers\mouclass.sys
2006/19/03 02:05p 20688 --a------ C:\WINNT\system32\drivers\usbd.sys
2006/19/03 02:05p 20208 --------- C:\WINNT\system32\drivers\msircomm.sys
2006/19/03 02:05p 19952 --a------ C:\WINNT\system32\drivers\irsir.sys
2006/19/03 02:05p 19920 --a------ C:\WINNT\system32\drivers\rasirda.sys
2006/19/03 02:05p 19728 --------- C:\WINNT\system32\drivers\usbehci.sys
2006/19/03 02:05p 19312 --a------ C:\WINNT\system32\drivers\flpydisk.sys
2006/19/03 02:05p 17840 --a------ C:\WINNT\system32\drivers\asyncmac.sys
2006/19/03 02:05p 17680 --a------ C:\WINNT\system32\drivers\ptilink.sys
2006/19/03 02:05p 174800 --a------ C:\WINNT\system32\drivers\rdbss.sys
2006/19/03 02:05p 173232 --a------ C:\WINNT\system32\drivers\UPDATE.SYS
2006/19/03 02:05p 170928 --a------ C:\WINNT\system32\drivers\ndis.sys
2006/19/03 02:05p 168624 --a------ C:\WINNT\system32\drivers\netbt.sys
2006/19/03 02:05p 163120 --a------ C:\WINNT\system32\drivers\acpi.sys
2006/19/03 02:05p 16240 --a------ C:\WINNT\system32\drivers\tdi.sys
2006/19/03 02:05p 161072 --a------ C:\WINNT\system32\drivers\nwrdr.sys
2006/19/03 02:05p 148400 --a------ C:\WINNT\system32\drivers\sfmatalk.sys
2006/19/03 02:05p 148304 --a------ C:\WINNT\system32\drivers\kmixer.sys
2006/19/03 02:05p 148208 --a------ C:\WINNT\system32\drivers\portcls.sys
2006/19/03 02:05p 14288 --a------ C:\WINNT\system32\drivers\diskdump.sys
2006/19/03 02:05p 14160 --a------ C:\WINNT\system32\drivers\serenum.sys
2006/19/03 02:05p 140496 --a------ C:\WINNT\system32\drivers\fastfat.sys
2006/19/03 02:05p 138288 --------- C:\WINNT\system32\drivers\usbport.sys
2006/19/03 02:05p 137936 --a------ C:\WINNT\system32\drivers\dmio.sys
2006/19/03 02:05p 120240 --a------ C:\WINNT\system32\drivers\AFD.SYS
2006/19/03 02:05p 11984 --------- C:\WINNT\system32\drivers\ndisuio.sys
2006/19/03 02:05p 11792 --a------ C:\WINNT\system32\drivers\partmgr.sys
2006/19/03 02:05p 115504 --a------ C:\WINNT\system32\drivers\ftdisk.sys
2006/19/03 02:05p 11536 --a------ C:\WINNT\system32\drivers\acpiec.sys
2006/19/03 02:05p 113744 --a------ C:\WINNT\system32\drivers\ks.sys
2006/19/03 02:05p 109584 --a------ C:\WINNT\system32\drivers\pcmcia.sys
2006/19/03 02:05p 10928 --a------ C:\WINNT\system32\drivers\tape.sys
2006/19/03 02:05p 10384 --a------ C:\WINNT\system32\drivers\sfloppy.sys
2006/19/03 02:05p 10288 --------- C:\WINNT\system32\drivers\irenum.sys
2003/01/02 05:22p 42752 -ra------ C:\WINNT\system32\drivers\ousb2hub.sys
2003/01/02 05:22p 29568 -ra------ C:\WINNT\system32\drivers\ousbehci.sys
2002/24/05 07:19p 36740 --a------ C:\WINNT\system32\drivers\ALABLK2O.SYS


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{0454EC0A-D842-4CD3-80BC-7D132B526617} C:\WINNT\system32\urqno.dll [x]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
{1557B435-8242-4686-9AA3-9265BF7525A4} C:\WINNT\system32\sdyjfxys.dll [x]
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"SoundMan"="SOUNDMAN.EXE"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINNT\\system32\\NvMcTray.dll,NvTaskbarInit"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
WmdmPmSN


********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-23 18:49:09
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: Mon 04/23/2007 18:49:11
C:\ComboFix-quarantined-files.txt ... 04/23/07 06:49p

#4 RichieUK


    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 24 April 2007 - 04:11 AM

Please disable Spybot S&D's protection, or it will interfere.
You can enable it after you're clean.
Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
Reboot the computer.

*******************************

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {0454EC0A-D842-4CD3-80BC-7D132B526617} - C:\WINNT\system32\urqno.dll (file missing)
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINNT\system32\sdyjfxys.dll (file missing)


Fix the following entry if you don't recognise it:
O16 - DPF: {08882277-D04C-4A9D-845A-A28FE8CD0773} (xpreload.xpreloader) - ms-its:mhtml:file://c:\\nores.mht!http://adxgate.net/zscript/pre.chm::/xpreload.cab
Exit HijackThis.

*******************************

Your log is clean :thumbsup:
If all's OK, please do the following:

Re-enable Spybot's protection.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html



