Outerinfo/smitfraud/torpig/probably A Lot Of Others


16 replies to this topic

#1 belh

belh

  • Members
  • 10 posts

Posted 24 April 2007 - 02:15 PM

I came home from university before exams and my family throws this at me expecting me to remove everything :thumbsup: I go back on Friday for my first exam on Saturday, so any help before then would be greatly appreciated. I've gone through all of the steps in your guide to posting a HijackThis log, but that is all so far.

Logfile of HijackThis v1.99.1
Scan saved at 2:52:29 PM, on 24/04/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
F:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINNT\System32\WgaTray.exe
F:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
F:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
G:\iTunes\iTunesHelper.exe
C:\winnt\system32\drivers\uzcx.exe
C:\WINNT\System32\regscan.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [zBrowser Launcher] F:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "G:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iut75] c:\winnt\system32\drivers\uzcx.exe
O4 - HKCU\..\Run: [MessengerPlus2] "F:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Yahoo! Pager] F:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Registry Booster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Regscan] C:\WINNT\System32\regscan.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Background Monitor.lnk = F:\Program Files\esm2\STMS.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = F:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://G:\Smashing Pumpkins\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://G:\Smashing Pumpkins\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://G:\Smashing Pumpkins\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://G:\Smashing Pumpkins\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O15 - Trusted Zone: *.winantivirus.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products/Activ...ldsDownload.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://italianstallion15chico.spaces.live....ad/MsnPUpld.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.com:88/renderer/mab....2006.11.16.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares.netgame.com/download/MusaLauncherNew.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857D} - http://beaserver.internal.customeroperatio...e.WebLaunch.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = +s
O17 - HKLM\Software\..\Telephony: DomainName = +s
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - F:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe


I never understand how they can get it this bad :s


#2 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male

Posted 24 April 2007 - 03:26 PM

Rename HijackThis.exe to random.exe

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Post the vundofix log, the smitfraudfix log and a new HijackThis log

#3 belh

belh
  • Topic Starter

  • Members
  • 10 posts

Posted 24 April 2007 - 04:04 PM

SmitFraudFix v2.171

Scan done at 16:58:19.28, 24/04/2007
Run from C:\Documents and Settings\matt\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
F:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WgaTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
F:\Program Files\Logitech\iTouch\iTouch.exe
F:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
F:\Program Files\Logitech\MouseWare\system\em_exec.exe
F:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
G:\iTunes\iTunesHelper.exe
C:\winnt\system32\drivers\uzcx.exe
C:\WINNT\System32\regscan.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
F:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\wuauclt.exe
C:\WINNT\system32\cmd.exe

hosts


C:\


C:\WINNT


C:\WINNT\system


C:\WINNT\Web


C:\WINNT\system32


C:\Documents and Settings\matt


C:\Documents and Settings\matt\Application Data


Start Menu


C:\DOCUME~1\matt\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


pe386-msguard-lzx32-huy32



DNS

Description: Marvell Yukon Gigabit Ethernet 10/100/1000Base-T Adapter, Copper RJ-45
DNS Server Search Order: 64.71.255.198

HKLM\SYSTEM\CCS\Services\Tcpip\..\{B973FF8A-91D0-45A0-91A7-8CD2D4DA9C14}: DhcpNameServer=64.71.255.198
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B973FF8A-91D0-45A0-91A7-8CD2D4DA9C14}: DhcpNameServer=24.153.23.66 24.153.22.195
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B973FF8A-91D0-45A0-91A7-8CD2D4DA9C14}: DhcpNameServer=64.71.255.198
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=64.71.255.198
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.153.23.66 24.153.22.195
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=64.71.255.198


Scanning for wininet.dll infection


End

VundoFix V6.3.20

Checking Java version...

Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.

Scan started at 4:43:28 PM 24/04/2007

Listing files found while scanning....

C:\WINNT\system32\egwwnaax.dll
C:\WINNT\System32\gjkkj.bak2
C:\WINNT\System32\gjkkj.ini
C:\WINNT\system32\gssinkiy.dll
C:\WINNT\System32\jkkjg.dll
C:\WINNT\system32\ssqopmk.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\egwwnaax.dll
C:\WINNT\system32\egwwnaax.dll Has been deleted!

Attempting to delete C:\WINNT\System32\gjkkj.bak2
C:\WINNT\System32\gjkkj.bak2 Has been deleted!

Attempting to delete C:\WINNT\System32\gjkkj.ini
C:\WINNT\System32\gjkkj.ini Has been deleted!

Attempting to delete C:\WINNT\system32\gssinkiy.dll
C:\WINNT\system32\gssinkiy.dll Has been deleted!

Attempting to delete C:\WINNT\System32\jkkjg.dll
C:\WINNT\System32\jkkjg.dll Has been deleted!

Attempting to delete C:\WINNT\system32\ssqopmk.dll
C:\WINNT\system32\ssqopmk.dll Has been deleted!

Performing Repairs to the registry.
Done!

Logfile of HijackThis v1.99.1
Scan saved at 5:01:04 PM, on 24/04/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
F:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WgaTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
F:\Program Files\Logitech\iTouch\iTouch.exe
F:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
F:\Program Files\Logitech\MouseWare\system\em_exec.exe
F:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
G:\iTunes\iTunesHelper.exe
C:\winnt\system32\drivers\uzcx.exe
C:\WINNT\System32\regscan.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
F:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\wuauclt.exe
C:\hijackthis\random.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINNT\System32\myengqso.dll (file missing)
O2 - BHO: (no name) - {339D69C1-5AB9-46CD-9F18-E3AC96E4E6A6} - C:\WINNT\System32\jkkjg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [zBrowser Launcher] F:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "G:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iut75] c:\winnt\system32\drivers\uzcx.exe
O4 - HKCU\..\Run: [MessengerPlus2] "F:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Yahoo! Pager] F:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Registry Booster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Regscan] C:\WINNT\System32\regscan.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Background Monitor.lnk = F:\Program Files\esm2\STMS.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://G:\Smashing Pumpkins\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://G:\Smashing Pumpkins\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://G:\Smashing Pumpkins\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://G:\Smashing Pumpkins\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O15 - Trusted Zone: *.winantivirus.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products/Activ...ldsDownload.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://italianstallion15chico.spaces.live....ad/MsnPUpld.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.com:88/renderer/mab....2006.11.16.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares.netgame.com/download/MusaLauncherNew.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857D} - http://beaserver.internal.customeroperatio...e.WebLaunch.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = +s
O17 - HKLM\Software\..\Telephony: DomainName = +s
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - F:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Thank you for the help :thumbsup:

#4 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male

Posted 25 April 2007 - 01:33 PM

  • Go to Start > My Computer
  • Go to Tools > Folder Options
  • Click on the View tab
  • Untick the following:
    • Hide extensions for known file types
    • Hide protected operating system files (Recommended)
  • You will get a message warning you about showing protected operating system files, click Yes
  • Make sure this option is selected:
    • Show hidden files and folders
  • Click Apply and then click OK
Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines (if still present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINNT\System32\myengqso.dll (file missing)
O2 - BHO: (no name) - {339D69C1-5AB9-46CD-9F18-E3AC96E4E6A6} - C:\WINNT\System32\jkkjg.dll (file missing)
O4 - HKLM\..\Run: [iut75] c:\winnt\system32\drivers\uzcx.exe
O4 - HKCU\..\Run: [Regscan] C:\WINNT\System32\regscan.exe
O15 - Trusted Zone: *.winantivirus.com

Then close all windows except HijackThis and click Fix Checked

Restart

Use windows explorer to find and delete these files:

c:\winnt\system32\drivers\uzcx.exe
C:\WINNT\System32\regscan.exe

Go here to run an online scanner from Kaspersky.
  • Click on "Kaspersky Online Scanner"
  • A new smaller window will pop up. Press "Accept" after reading the contents.
  • Now Kaspersky will update the anti-virus database. Let it run.
  • Click on "Next">"Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
  • Then click on "My Computer", and the scan will start.
  • Once finished, save the log as "KAV.txt" to the desktop.
Post back with the Kaspersky log and a new HijackThis log

Edited by random/random, 25 April 2007 - 01:34 PM.
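The post above picks a handful of lines out of a several-hundred-line HijackThis log: a site in the IE Trusted Zone, BHOs whose DLL is already gone, and Run entries pointing at executables in odd places. The following Python script is an added example, not part of this thread and not a tool the Malware Response Team uses; it parses HijackThis-style lines into their section codes and applies three generic defender heuristics (an O15 Trusted Zone entry, an O2 BHO marked "(file missing)", an O4 autostart whose executable sits under system32\drivers) plus an analyst-supplied watchlist of paths. The sample lines are copied from the logs posted in this thread; the names parse_hjt, flag_entries, triage, RULES and WATCHLIST are my own.

```python
import re
from dataclasses import dataclass

# Added example, not from the thread: parses HijackThis-style log lines
# and flags the kinds of entries the helper asked the poster to fix.


@dataclass
class Entry:
    section: str   # e.g. "O4", "O15", "R0"
    body: str      # everything after "Oxx - "
    raw: str       # the original line


LINE_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")


def parse_hjt(text: str) -> list:
    """Keep only lines that look like HijackThis entries; skip headers and process lists."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if m:
            entries.append(Entry(m.group("section"), m.group("body"), raw))
    return entries


# Generic heuristics mirroring what the helper flagged in this thread.
# Each rule: (section code, predicate over the body, reason text).
RULES = [
    ("O15", lambda b: b.startswith("Trusted Zone:"),
     "site added to the IE Trusted Zone (weakens browser security for that site)"),
    ("O2", lambda b: b.endswith("(file missing)"),
     "BHO still registered but its DLL is gone (leftover of a removed component)"),
    ("O4", lambda b: re.search(r"\\drivers\\[^\\\s]+\.exe\b", b, re.I) is not None,
     "autostart executable placed in system32\\drivers (drivers are .sys files, not .exe)"),
]


def flag_entries(entries, watchlist=()):
    """Return (entry, [reasons]) for every entry hit by a rule or by the watchlist."""
    wl = [w.lower() for w in watchlist]
    results = []
    for e in entries:
        reasons = [why for sec, test, why in RULES if e.section == sec and test(e.body)]
        if any(w in e.body.lower() for w in wl):
            reasons.append("path is on the watchlist supplied by the analyst")
        if reasons:
            results.append((e, reasons))
    return results


def triage(text, watchlist=()):
    """Convenience wrapper: raw log text in, list of {'raw', 'reasons'} dicts out."""
    return [{"raw": e.raw, "reasons": r} for e, r in flag_entries(parse_hjt(text), watchlist)]


# Constructed sample: a few lines copied from the logs posted in this thread.
SAMPLE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\System32\smss.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {339D69C1-5AB9-46CD-9F18-E3AC96E4E6A6} - C:\WINNT\System32\jkkjg.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iut75] c:\winnt\system32\drivers\uzcx.exe
O4 - HKCU\..\Run: [Regscan] C:\WINNT\System32\regscan.exe
O15 - Trusted Zone: *.winantivirus.com
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

# Paths the helper told the poster to delete by hand (from the post above).
WATCHLIST = (r"c:\winnt\system32\drivers\uzcx.exe", r"C:\WINNT\System32\regscan.exe")

if __name__ == "__main__":
    for hit in triage(SAMPLE, WATCHLIST):
        print(hit["raw"])
        for why in hit["reasons"]:
            print("    ->", why)
```

Run as-is it prints the four entries the helper selected and leaves the Java, SoundMan and ZoneAlarm lines alone. The heuristics are deliberately narrow: a Trusted Zone entry or a missing-file BHO is not proof of infection, only a reason for a human to look, which is why each hit carries its reason text rather than a verdict.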


#5 belh

belh
  • Topic Starter

  • Members
  • 10 posts

Posted 25 April 2007 - 05:24 PM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 25, 2007 6:18:44 PM
Operating System: Microsoft Windows XP Professional, (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 25/04/2007
Kaspersky Anti-Virus database records: 302270
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 148639
Number of viruses found: 25
Number of infected objects: 49 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:52:07

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\56bfbb13a359700ae38d837baae40d8e_78b73fd4-33fd-47b5-b2aa-fdc8ad7e860f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\c74c6f795ada87022536668c055d2c0e_78b73fd4-33fd-47b5-b2aa-fdc8ad7e860f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\d6db39dc95f8de6ca01fe393d03427fe_78b73fd4-33fd-47b5-b2aa-fdc8ad7e860f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\da7d480703c31671cd042937d3e93bb2_78b73fd4-33fd-47b5-b2aa-fdc8ad7e860f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\511a0f3f9e960fa97de3d0b74adfc574_78b73fd4-33fd-47b5-b2aa-fdc8ad7e860f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20070425_Time-150947921_EnterceptExceptions.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20070425_Time-150947921_EnterceptRules.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_CR727519-A.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_CR727519-A.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\dan\Application Data\xynrlywo.exe Infected: Trojan-Downloader.Win32.Swizzor.cu skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\matt\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\matt\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\matt\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\matt\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\matt\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\matt\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\matt\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\matt\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\matt\Local Settings\History\History.IE5\MSHist012007042520070426\index.dat Object is locked skipped
C:\Documents and Settings\matt\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\matt\ntuser.dat Object is locked skipped
C:\Documents and Settings\matt\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Downloads\KudosSetup-dm[1].exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\Downloads\LetsRideSetup-dm[1].exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\Downloads\PuppyLuv-dm[1].exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\Downloads\TimeToRideSetup-dm[1].exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll Infected: Trojan-PSW.Win32.Agent.lk skipped
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll Infected: Trojan-PSW.Win32.Sinowal.cp skipped
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\quarantine\tmp000ae052.Vir Object is locked skipped
C:\System Volume Information\_restore{6831EB81-6FF7-4C79-94FA-34D5E346BA0E}\RP105\change.log Object is locked skipped
C:\sysvepv.exe Infected: Trojan-Downloader.Win32.Small.cul skipped
C:\VundoFix Backups\egwwnaax.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\gssinkiy.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\jkkjg.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.iu skipped
C:\VundoFix Backups\ssqopmk.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.il skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\gy.exe Infected: Trojan-Downloader.Win32.Small.ems skipped
C:\WINNT\Internet Logs\CR727519-A.ldb Object is locked skipped
C:\WINNT\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINNT\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\actskn43.ocx Object is locked skipped
C:\WINNT\system32\advanced.ico Object is locked skipped
C:\WINNT\system32\atl71.dll Object is locked skipped
C:\WINNT\system32\Blumaroo Bounce.msf Object is locked skipped
C:\WINNT\system32\Blumaroo Bounce.scr Object is locked skipped
C:\WINNT\system32\Blumaroo Bounce.sx1 Object is locked skipped
C:\WINNT\system32\Blumaroo Bounce.sx2 Object is locked skipped
C:\WINNT\system32\BuzzingBee.wav Object is locked skipped
C:\WINNT\system32\capicom.dll Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\system.LOG Object is locked skipped
C:\WINNT\system32\demoover.exe Object is locked skipped
C:\WINNT\system32\drmclien.dll Object is locked skipped
C:\WINNT\system32\EPPICLocal_BP.cfg Object is locked skipped
C:\WINNT\system32\EPPICLocal_CF.cfg Object is locked skipped
C:\WINNT\system32\EPPICLocal_EN.cfg Object is locked skipped
C:\WINNT\system32\EPPICLocal_ES.cfg Object is locked skipped
C:\WINNT\system32\EPPICLocal_FR.cfg Object is locked skipped
C:\WINNT\system32\EPPICLocal_PT.cfg Object is locked skipped
C:\WINNT\system32\EpPicMgr.dll Object is locked skipped
C:\WINNT\system32\EPPICPattern1.dat Object is locked skipped
C:\WINNT\system32\EPPICPattern2.dat Object is locked skipped
C:\WINNT\system32\EPPICPattern3.dat Object is locked skipped
C:\WINNT\system32\EPPICPattern4.dat Object is locked skipped
C:\WINNT\system32\EPPICPattern5.dat Object is locked skipped
C:\WINNT\system32\EPPICPattern6.dat Object is locked skipped
C:\WINNT\system32\EPPICPresetData_BP.dat Object is locked skipped
C:\WINNT\system32\EPPICPresetData_CF.dat Object is locked skipped
C:\WINNT\system32\EPPICPresetData_EN.dat Object is locked skipped
C:\WINNT\system32\EPPICPresetData_ES.dat Object is locked skipped
C:\WINNT\system32\EPPICPresetData_FR.dat Object is locked skipped
C:\WINNT\system32\EPPICPresetData_PT.dat Object is locked skipped
C:\WINNT\system32\EPPICPrinterDB.dat Object is locked skipped
C:\WINNT\system32\EpPicPrt.dll Object is locked skipped
C:\WINNT\system32\esccmd.dll Object is locked skipped
C:\WINNT\system32\escimgd.dll Object is locked skipped
C:\WINNT\system32\escwiad.dll Object is locked skipped
C:\WINNT\system32\Fish Tycoon.scr Object is locked skipped
C:\WINNT\system32\Flying Scorchio.msf Object is locked skipped
C:\WINNT\system32\Flying Scorchio.scr Object is locked skipped
C:\WINNT\system32\Flying Scorchio.sx1 Object is locked skipped
C:\WINNT\system32\Flying Scorchio.sx2 Object is locked skipped
C:\WINNT\system32\h323log.txt Object is locked skipped
C:\WINNT\system32\KickCom2.dll Object is locked skipped
C:\WINNT\system32\Lang\Danish.txt Object is locked skipped
C:\WINNT\system32\Lang\Dutch.txt Object is locked skipped
C:\WINNT\system32\Lang\English.txt Object is locked skipped
C:\WINNT\system32\Lang\French.txt Object is locked skipped
C:\WINNT\system32\Lang\German.txt Object is locked skipped
C:\WINNT\system32\Lang\Italian.txt Object is locked skipped
C:\WINNT\system32\Lang\Japanese.txt Object is locked skipped
C:\WINNT\system32\Lang\Korean.txt Object is locked skipped
C:\WINNT\system32\Lang\Portuguese.txt Object is locked skipped
C:\WINNT\system32\Lang\Russian.txt Object is locked skipped
C:\WINNT\system32\Lang\SimChin.txt Object is locked skipped
C:\WINNT\system32\Lang\Spanish.txt Object is locked skipped
C:\WINNT\system32\Lang\SWEDISH.TXT Object is locked skipped
C:\WINNT\system32\Lang\TradChin.txt Object is locked skipped
C:\WINNT\system32\LegitCheckControl.dll Object is locked skipped
C:\WINNT\system32\LoopyMusic.wav Object is locked skipped
C:\WINNT\system32\mfc70.dll Object is locked skipped
C:\WINNT\system32\mfc71.dll Object is locked skipped
C:\WINNT\system32\MRT.exe Object is locked skipped
C:\WINNT\system32\msvcr70.dll Object is locked skipped
C:\WINNT\system32\nppt9x.vxd Object is locked skipped
C:\WINNT\system32\npptNT2.sys Object is locked skipped
C:\WINNT\system32\nscE.dll Object is locked skipped
C:\WINNT\system32\objsafe.tlb Object is locked skipped
C:\WINNT\system32\PICSDK.dll Object is locked skipped
C:\WINNT\system32\PICSDK.ini Object is locked skipped
C:\WINNT\system32\pncrt.dll Object is locked skipped
C:\WINNT\system32\pndx5016.dll Object is locked skipped
C:\WINNT\system32\pndx5032.dll Object is locked skipped
C:\WINNT\system32\px.dll Object is locked skipped
C:\WINNT\system32\pxdrv.dll Object is locked skipped
C:\WINNT\system32\pxhpinst.exe Object is locked skipped
C:\WINNT\system32\pxmas.dll Object is locked skipped
C:\WINNT\system32\pxwave.dll Object is locked skipped
C:\WINNT\system32\rd1t1027.dat Object is locked skipped
C:\WINNT\system32\rdcp1027.cpl Object is locked skipped
C:\WINNT\system32\rddp1027.dat Object is locked skipped
C:\WINNT\system32\rddv1027.dll Object is locked skipped
C:\WINNT\system32\rmoc3260.dll Object is locked skipped
C:\WINNT\system32\RoseCo2.dll Object is locked skipped
C:\WINNT\system32\rosewaste.ico Object is locked skipped
C:\WINNT\system32\setb0.tmp Object is locked skipped
C:\WINNT\system32\setb1.tmp Object is locked skipped
C:\WINNT\system32\setb2.tmp Object is locked skipped
C:\WINNT\system32\sizelimit.ocx Object is locked skipped
C:\WINNT\system32\spmsg.dll Object is locked skipped
C:\WINNT\system32\SpoonUninstall-dBpowerAMP Music Converter.bmp Object is locked skipped
C:\WINNT\system32\SpoonUninstall-dBpowerAMP Music Converter.dat Object is locked skipped
C:\WINNT\system32\SpoonUninstall-dBpowerAMP Ogg Vorbis Codec.bmp Object is locked skipped
C:\WINNT\system32\SpoonUninstall-dBpowerAMP Ogg Vorbis Codec.dat Object is locked skipped
C:\WINNT\system32\SpoonUninstall-dBpowerAMP WMA V8 Codec.bmp Object is locked skipped
C:\WINNT\system32\SpoonUninstall-dBpowerAMP WMA V8 Codec.dat Object is locked skipped
C:\WINNT\system32\SpoonUninstall-dBpowerAMP WMA V9.1 Codec.bmp Object is locked skipped
C:\WINNT\system32\SpoonUninstall-dBpowerAMP WMA V9.1 Codec.dat Object is locked skipped
C:\WINNT\system32\SpOrder.dll Object is locked skipped
C:\WINNT\system32\sstunst2.exe Object is locked skipped
C:\WINNT\system32\stera.job Object is locked skipped
C:\WINNT\system32\SupportBridge.WebLaunch.ocx Object is locked skipped
C:\WINNT\system32\tmp05FF8.FOT Object is locked skipped
C:\WINNT\system32\tmp0CFD4.FOT Object is locked skipped
C:\WINNT\system32\tmp0E51A.FOT Object is locked skipped
C:\WINNT\system32\tmp0EC6D.FOT Object is locked skipped
C:\WINNT\system32\tmp12A56.FOT Object is locked skipped
C:\WINNT\system32\tmp15AB2.FOT Object is locked skipped
C:\WINNT\system32\tmp17411.FOT Object is locked skipped
C:\WINNT\system32\tmp18CE5.FOT Object is locked skipped
C:\WINNT\system32\tmp1A15D.FOT Object is locked skipped
C:\WINNT\system32\tmp1AD89.FOT Object is locked skipped
C:\WINNT\system32\tmp1AF09.FOT Object is locked skipped
C:\WINNT\system32\tmp1EBD6.FOT Object is locked skipped
C:\WINNT\system32\tmp255A2.FOT Object is locked skipped
C:\WINNT\system32\tmp25612.FOT Object is locked skipped
C:\WINNT\system32\tmp28CE0.FOT Object is locked skipped
C:\WINNT\system32\tmp2FC0A.FOT Object is locked skipped
C:\WINNT\system32\tmp31165.FOT Object is locked skipped
C:\WINNT\system32\tmp34EC0.FOT Object is locked skipped
C:\WINNT\system32\tmp3D42C.FOT Object is locked skipped
C:\WINNT\system32\tmp3E349.FOT Object is locked skipped
C:\WINNT\system32\tmp3FC14.FOT Object is locked skipped
C:\WINNT\system32\tmp434DB.FOT Object is locked skipped
C:\WINNT\system32\tmp43F0A.FOT Object is locked skipped
C:\WINNT\system32\tmp46312.FOT Object is locked skipped
C:\WINNT\system32\tmp47576.FOT Object is locked skipped
C:\WINNT\system32\tmp4A21A.FOT Object is locked skipped
C:\WINNT\system32\tmp4B3E5.FOT Object is locked skipped
C:\WINNT\system32\tmp5263B.FOT Object is locked skipped
C:\WINNT\system32\tmp5735D.FOT Object is locked skipped
C:\WINNT\system32\tmp60BD6.FOT Object is locked skipped
C:\WINNT\system32\tmp629E8.FOT Object is locked skipped
C:\WINNT\system32\tmp62BBC.FOT Object is locked skipped
C:\WINNT\system32\tmp62BE8.FOT Object is locked skipped
C:\WINNT\system32\tmp63D34.FOT Object is locked skipped
C:\WINNT\system32\tmp6842E.FOT Object is locked skipped
C:\WINNT\system32\tmp699B2.FOT Object is locked skipped
C:\WINNT\system32\tmp6CF8A.FOT Object is locked skipped
C:\WINNT\system32\tmp6EB56.FOT Object is locked skipped
C:\WINNT\system32\tmp6FE07.FOT Object is locked skipped
C:\WINNT\system32\tmp721E4.FOT Object is locked skipped
C:\WINNT\system32\tmp727A2.FOT Object is locked skipped
C:\WINNT\system32\tmp75117.FOT Object is locked skipped
C:\WINNT\system32\tmp77E6D.FOT Object is locked skipped
C:\WINNT\system32\tmp7AB7F.FOT Object is locked skipped
C:\WINNT\system32\tmp7E11C.FOT Object is locked skipped
C:\WINNT\system32\tmp80EF8.FOT Object is locked skipped
C:\WINNT\system32\tmp8168D.FOT Object is locked skipped
C:\WINNT\system32\tmp84BE5.FOT Object is locked skipped
C:\WINNT\system32\tmp86929.FOT Object is locked skipped
C:\WINNT\system32\tmp8962C.FOT Object is locked skipped
C:\WINNT\system32\tmp8AC5A.FOT Object is locked skipped
C:\WINNT\system32\tmp968F5.FOT Object is locked skipped
C:\WINNT\system32\tmp9C95A.FOT Object is locked skipped
C:\WINNT\system32\tmp9F85A.FOT Object is locked skipped
C:\WINNT\system32\tmp9FE89.FOT Object is locked skipped
C:\WINNT\system32\tmpA6E14.FOT Object is locked skipped
C:\WINNT\system32\tmpB0EEC.FOT Object is locked skipped
C:\WINNT\system32\tmpBDCC0.FOT Object is locked skipped
C:\WINNT\system32\tmpBDD48.FOT Object is locked skipped
C:\WINNT\system32\tmpBEF58.FOT Object is locked skipped
C:\WINNT\system32\tmpBF0B3.FOT Object is locked skipped
C:\WINNT\system32\tmpBFCE8.FOT Object is locked skipped
C:\WINNT\system32\tmpBFE34.FOT Object is locked skipped
C:\WINNT\system32\tmpC2ABC.FOT Object is locked skipped
C:\WINNT\system32\tmpCB73B.FOT Object is locked skipped
C:\WINNT\system32\tmpCDAE0.FOT Object is locked skipped
C:\WINNT\system32\tmpD0058.FOT Object is locked skipped
C:\WINNT\system32\tmpD432E.FOT Object is locked skipped
C:\WINNT\system32\tmpD43B3.FOT Object is locked skipped
C:\WINNT\system32\tmpD6211.FOT Object is locked skipped
C:\WINNT\system32\tmpDB2DB.FOT Object is locked skipped
C:\WINNT\system32\tmpDFC58.FOT Object is locked skipped
C:\WINNT\system32\tmpE1249.FOT Object is locked skipped
C:\WINNT\system32\tmpE158D.FOT Object is locked skipped
C:\WINNT\system32\tmpE4F55.FOT Object is locked skipped
C:\WINNT\system32\tmpE7A7F.FOT Object is locked skipped
C:\WINNT\system32\tmpE7AE8.FOT Object is locked skipped
C:\WINNT\system32\tmpE7E8A.FOT Object is locked skipped
C:\WINNT\system32\tmpE9D09.FOT Object is locked skipped
C:\WINNT\system32\tmpEA915.FOT Object is locked skipped
C:\WINNT\system32\tmpF0AF5.FOT Object is locked skipped
C:\WINNT\system32\tmpF1676.FOT Object is locked skipped
C:\WINNT\system32\tmpF185A.FOT Object is locked skipped
C:\WINNT\system32\tmpF231C.FOT Object is locked skipped
C:\WINNT\system32\tmpF3C15.FOT Object is locked skipped
C:\WINNT\system32\tmpF4DEC.FOT Object is locked skipped
C:\WINNT\system32\tmpF74E5.FOT Object is locked skipped
C:\WINNT\system32\tmpFBA29.FOT Object is locked skipped
C:\WINNT\system32\vxblock.dll Object is locked skipped
C:\WINNT\system32\WBCustomizer.dll Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINNT\system32\WgaLogon.dll Object is locked skipped
C:\WINNT\system32\WgaTray.exe Object is locked skipped
C:\WINNT\system32\WINHTTP5.DLL Object is locked skipped
C:\WINNT\system32\wmpns.dll Object is locked skipped
C:\WINNT\Temp\$_2341233.TMP Object is locked skipped
C:\WINNT\Temp\$_2341234.TMP Object is locked skipped
C:\WINNT\wiadebug.log Object is locked skipped
C:\WINNT\wiaservc.log Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
E:\TEMP\ZLT04c3a.TMP Object is locked skipped
E:\TEMP\ZLT04c47.TMP Object is locked skipped
F:\Program Files\VNC\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
F:\Program Files\VNC\WinVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
F:\Program Files\VNC\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
G:\DivX\DivXPro511Adware.exe/stream/data0019 Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
G:\DivX\DivXPro511Adware.exe/stream Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
G:\DivX\DivXPro511Adware.exe NSIS: infected - 2 skipped
I:\WINDOWS\SYSTEM\Popular Screensavers.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
I:\WINDOWS\Start Menu\Programs\StartUp\PowerReg Scheduler V3.exe Object is locked skipped
I:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.al skipped
I:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
I:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
I:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
I:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
I:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.v skipped
I:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
I:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
I:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
I:\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
I:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
I:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.w skipped
I:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
I:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
I:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
I:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
I:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
I:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
I:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ab skipped
I:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
I:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
I:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
I:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
I:\Program Files\MSN Messenger\riched20.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

Scan process completed.


Logfile of HijackThis v1.99.1
Scan saved at 6:21:00 PM, on 25/04/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
F:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WgaTray.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
F:\Program Files\Logitech\iTouch\iTouch.exe
F:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
F:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
G:\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
F:\Program Files\Logitech\MouseWare\system\em_exec.exe
F:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\wuauclt.exe
C:\hijackthis\random.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [zBrowser Launcher] F:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "G:\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MessengerPlus2] "F:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Yahoo! Pager] F:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Registry Booster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Background Monitor.lnk = F:\Program Files\esm2\STMS.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://G:\Smashing Pumpkins\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://G:\Smashing Pumpkins\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://G:\Smashing Pumpkins\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://G:\Smashing Pumpkins\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products/Activ...ldsDownload.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://italianstallion15chico.spaces.live....ad/MsnPUpld.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.com:88/renderer/mab....2006.11.16.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares.netgame.com/download/MusaLauncherNew.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857D} - http://beaserver.internal.customeroperatio...e.WebLaunch.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = +s
O17 - HKLM\Software\..\Telephony: DomainName = +s
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - F:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

#6 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male
  • Local time:11:51 PM

Posted 26 April 2007 - 12:53 PM

  • Download GMER by GMER from here
  • Unzip it to a folder on your desktop
  • Double click on gmer.exe to launch GMER
  • If asked, allow the gmer.sys driver to load
  • If it warns you about rootkit activity and asks if you want to run a scan, click OK
  • If you don't get a warning then
    • Click the rootkit tab
    • Click Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerrk.txt
  • Click on the >>> tab
  • This will open up the rest of the tabs for you
  • Click on the Autostart tab
  • Click on Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerautos.txt
  • Copy and paste the contents of gmerautos.txt and gmerrk.txt as a reply to this topic


#7 belh

belh
  • Topic Starter

  • Members
  • 10 posts

Posted 26 April 2007 - 01:59 PM

GMER 1.0.12.12244 - http://www.gmer.net
Autostart scan 2007-04-26 14:51:41
Windows 5.1.2600


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows =
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows
SharedSection=1024,3072,512 Windows=On SubSystemType=Windows
ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3
ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off
MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit =
C:\WINNT\SYSTEM32\Userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
WgaLogon@DLLName = WgaLogon.dll
wzcnotif@DLLName = wzcdlg.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Ati HotKey Poller@ = %SystemRoot%\System32\Ati2evxx.exe
ATI Smart /*ATI Smart*/@ = C:\WINNT\system32\ati2sgag.exe
Diskeeper /*Diskeeper*/@ = F:\Program Files\Executive
Software\DiskeeperWorkstation\DKService.exe
Fax /*Fax*/@ = %systemroot%\system32\fxssvc.exe
McAfeeFramework /*McAfee Framework Service*/@ = C:\Program Files\Network
Associates\Common Framework\FrameworkService.exe /ServiceStart /*file not
found*/
McShield /*Network Associates McShield*/@ = "C:\Program Files\Network
Associates\VirusScan\mcshield.exe"
McTaskManager /*Network Associates Task Manager*/@ = "C:\Program
Files\Network Associates\VirusScan\vstskmgr.exe"
Spooler /*Print Spooler*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINNT\System32\wdfmgr.exe
viaagp@ = System32\DRIVERS\viaagp1.sys /*file not found*/
vsmon /*TrueVector Internet Monitor*/@ =
C:\WINNT\system32\ZoneLabs\vsmon.exe -service

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@Synchronization Managermobsync.exe /logon = mobsync.exe /logon
@Tweak UIRUNDLL32.EXE TWEAKUI.CPL,TweakMeUp = RUNDLL32.EXE
TWEAKUI.CPL,TweakMeUp
@NvCplDaemonRUNDLL32.EXE NvQTwk,NvCplDaemon initialize = RUNDLL32.EXE
NvQTwk,NvCplDaemon initialize
@LoadQMloadqm.exe = loadqm.exe
@NeroCheckC:\WINNT\system32\NeroCheck.exe = C:\WINNT\system32\NeroCheck.exe
@Logitech UtilityLogi_MwX.Exe = Logi_MwX.Exe
@ATIPTAC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe =
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
@SoundManSOUNDMAN.EXE = SOUNDMAN.EXE
@McAfeeUpdaterUI"C:\Program Files\Network Associates\Common
Framework\UpdaterUI.exe" /StartedFromRunKey = "C:\Program Files\Network
Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
@zBrowser LauncherF:\Program Files\Logitech\iTouch\iTouch.exe = F:\Program
Files\Logitech\iTouch\iTouch.exe
@QuickTime Task"F:\Program Files\QuickTime\qttask.exe" -atboottime =
"F:\Program Files\QuickTime\qttask.exe" -atboottime
@TkBellExe"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
-osboot = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
-osboot
@Zone Labs Client"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" =
"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
@ShStatEXE"C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE"
/STANDALONE = "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE"
/STANDALONE
@Network Associates Error Reporting Service"C:\Program Files\Common
Files\Network Associates\TalkBack\tbmon.exe" = "C:\Program Files\Common
Files\Network Associates\TalkBack\tbmon.exe"
@SunJavaUpdateSched"F:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" =
"F:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
@iTunesHelper"G:\iTunes\iTunesHelper.exe" = "G:\iTunes\iTunesHelper.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@MessengerPlus2"F:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
/*file not found*/ = "F:\Program Files\Messenger Plus! 2\MsgPlus.exe"
/WinStart /*file not found*/
@Yahoo! PagerF:\Program Files\Yahoo!\Messenger\ypager.exe -quiet /*file not
found*/ = F:\Program Files\Yahoo!\Messenger\ypager.exe -quiet /*file not
found*/
@Uniblue Registry BoosterC:\Program Files\Registry
Booster\RegistryBooster.exe /S /*file not found*/ = C:\Program
Files\Registry Booster\RegistryBooster.exe /S /*file not found*/
@swgC:\Program
Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe =
C:\Program
Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{3F9D0C61-737D-44D1-BD80-91AF857061CC}
=

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL
Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}
/*Thumbnails*/C:\WINNT\System32\thumbvw.dll /*file not found*/ =
C:\WINNT\System32\thumbvw.dll /*file not found*/
@{1AEB1360-5AFC-11D0-B806-00C04FD706EC} /*Office Graphics Filters Thumbnail
Extractor*/C:\WINNT\System32\thumbvw.dll /*file not found*/ =
C:\WINNT\System32\thumbvw.dll /*file not found*/
@{500202A0-731E-11D0-B829-00C04FD706EC} /*LNK file thumbnail interface
delegator*/(null) =
@{fe1290f0-cfbd-11cf-a330-00aa00c16e65} /*Directory Namespace*/(null) =
@{E0D79304-84BE-11CE-9641-444553540000}
/*WinZip*/F:\PROGRA~1\WinZip\WZSHLSTB.DLL = F:\PROGRA~1\WinZip\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000}
/*WinZip*/F:\PROGRA~1\WinZip\WZSHLSTB.DLL = F:\PROGRA~1\WinZip\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000}
/*WinZip*/F:\PROGRA~1\WinZip\WZSHLSTB.DLL = F:\PROGRA~1\WinZip\WZSHLSTB.DLL
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Program
Files\WinRAR\rarext.dll = C:\Program Files\WinRAR\rarext.dll
@{8FF88D21-7BD0-11D1-BFB7-00AA00262A11} /*WinAce Archiver 2.02 Context Menu
Shell Extension*/F:\Program Files\WinAce\arcext.dll = F:\Program
Files\WinAce\arcext.dll
@{8FF88D25-7BD0-11D1-BFB7-00AA00262A11} /*WinAce Archiver 2.02 DragDrop
Shell Extension*/F:\Program Files\WinAce\arcext.dll = F:\Program
Files\WinAce\arcext.dll
@{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} /*WinAce Archiver 2.02 Context Menu
Shell Extension*/F:\Program Files\WinAce\arcext.dll = F:\Program
Files\WinAce\arcext.dll
@{8FF88D23-7BD0-11D1-BFB7-00AA00262A11} /*WinAce Archiver 2.02 Property
Sheet Shell Extension*/F:\Program Files\WinAce\arcext.dll = F:\Program
Files\WinAce\arcext.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web
Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL =
C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon
Handler*/F:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL =
F:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon
Handler*/F:\Program Files\Microsoft Office\Office10\msohev.dll = F:\Program
Files\Microsoft Office\Office10\msohev.dll
@{c2c1d8a0-016a-11d1-a7fa-444553540000} /*Shell Extension Sample*/(null) =
@{f802f260-519b-11d1-bb5d-0060974c6013} /*ICQ Shell Extension*/(null) =
@{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD} /*CorelDRAW Shell Extension
Component*/F:\Program Files\Corel\Graphics10\Draw\CdrViewer\CrlShell100.dll
= F:\Program Files\Corel\Graphics10\Draw\CdrViewer\CrlShell100.dll
@{FED7043D-346A-414D-ACD7-550D052499A7} /*dBpowerAMP Music Converter
1*/f:\Program Files\Illustrate\dBpowerAMP\dBShell.dll = f:\Program
Files\Illustrate\dBpowerAMP\dBShell.dll
@{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5} /*dBpowerAMP Music
Converter*/f:\Program Files\Illustrate\dBpowerAMP\dMCShell.dll = f:\Program
Files\Illustrate\dBpowerAMP\dMCShell.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne
Player*/F:\Program Files\Real\RealPlayer\rpshell.dll = F:\Program
Files\Real\RealPlayer\rpshell.dll
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}
/*iTunes*/G:\iTunes\iTunesMiniPlayer.dll = G:\iTunes\iTunesMiniPlayer.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing
Folders*/C:\Program Files\MSN Messenger\fsshext.8.0.0792.00.dll = C:\Program
Files\MSN Messenger\fsshext.8.0.0792.00.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
VirusScan@{cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program Files\Network
Associates\VirusScan\shext.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program
Files\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} =
F:\PROGRA~1\WinZip\WZSHLSTB.DLL
ZFAdd@{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = F:\Program
Files\WinAce\arcext.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
VirusScan@{cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program Files\Network
Associates\VirusScan\shext.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program
Files\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} =
F:\PROGRA~1\WinZip\WZSHLSTB.DLL
ZFAdd@{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = F:\Program
Files\WinAce\arcext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
VirusScan@{cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program Files\Network
Associates\VirusScan\shext.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program
Files\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} =
F:\PROGRA~1\WinZip\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}F:\Program Files\Adobe\Acrobat
6.0\Reader\ActiveX\AcroIEHelper.dll = F:\Program Files\Adobe\Acrobat
6.0\Reader\ActiveX\AcroIEHelper.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}F:\Program
Files\Java\jre1.5.0_11\bin\ssv.dll = F:\Program
Files\Java\jre1.5.0_11\bin\ssv.dll
@{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\program
files\google\googletoolbar4.dll = c:\program files\google\googletoolbar4.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINNT\System32\logon.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
= http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
@Start
Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
=
http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
@Local PageC:\WINNT\SYSTEM32\blank.htm = C:\WINNT\SYSTEM32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
= http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
@Local PageC:\WINNT\SYSTEM32\blank.htm = C:\WINNT\SYSTEM32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Program Files\Common Files\Microsoft Shared\Web
Folders\PKMCDO.DLL
dvd@CLSID = C:\WINNT\System32\msvidctl.dll
its@CLSID = C:\WINNT\System32\itss.dll
lid@CLSID = C:\WINNT\System32\msvidctl.dll
livecall@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINNT\System32\itss.dll
msnim@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mso-offdap@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
tv@CLSID = C:\WINNT\System32\msvidctl.dll
vnd.ms.radio@CLSID = C:\WINNT\System32\msdxm.ocx
wia@CLSID = C:\WINNT\System32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters@Domain = +s

C:\Documents and Settings\matt\Start Menu\Programs\Startup = Adobe Gamma.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>
Adobe Gamma Loader.lnk = Adobe Gamma Loader.lnk
EPSON Background Monitor.lnk = EPSON Background Monitor.lnk
Microsoft Office.lnk = Microsoft Office.lnk

---- EOF - GMER 1.0.12 ----

Edited by belh, 26 April 2007 - 02:29 PM.


#8 belh

belh
  • Topic Starter

  • Members
  • 10 posts

Posted 26 April 2007 - 02:02 PM

GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-04-26 14:49:13
Windows 5.1.2600


---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\vsdatant.sys



ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys



ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys



ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys



ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys



ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys



ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys



ZwCreateSection
SSDT 819D5109



ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys




ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys



ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys



ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys



ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys



ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys



ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys



ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys



ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys



ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys



ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys




ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys



ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys




ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys




ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys



ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys




ZwTerminateProcess

---- Kernel code sections - GMER 1.0.12 ----

? srescan.sys



The system cannot
find the file specified.

---- User code sections - GMER 1.0.12 ----

..text C:\WINNT\explorer.exe[144] kernel32.dll!VirtualProtectEx



77E8B0A3 5 Bytes
JMP 3700737C C:\WINNT\System32\EntApi.dll
..text C:\WINNT\explorer.exe[144] kernel32.dll!VirtualProtect



77E8B461 5 Bytes
JMP 3700733E C:\WINNT\System32\EntApi.dll
..text C:\WINNT\explorer.exe[144] kernel32.dll!GetProcAddress



77E8D2D3 5 Bytes
JMP 370074B2 C:\WINNT\System32\EntApi.dll
..text C:\WINNT\explorer.exe[144] kernel32.dll!LoadLibraryA



77E8DF64 5 Bytes
JMP 370074F0 C:\WINNT\System32\EntApi.dll
..text C:\WINNT\explorer.exe[144] kernel32.dll!PeekNamedPipe



77E8E2F7 5 Bytes
JMP 370073BA C:\WINNT\System32\EntApi.dll
..text C:\WINNT\explorer.exe[144] kernel32.dll!CreatePipe



77E90F98 5 Bytes
JMP 370073F8 C:\WINNT\System32\EntApi.dll
..text C:\WINNT\explorer.exe[144] kernel32.dll!GetStartupInfoA



77E9185C 5 Bytes
JMP 37007436 C:\WINNT\System32\EntApi.dll
..text C:\WINNT\explorer.exe[144] kernel32.dll!WinExec



77E95A1B 5 Bytes
JMP 37007474 C:\WINNT\System32\EntApi.dll
..text C:\WINNT\explorer.exe[144] ADVAPI32.dll!RegOpenKeyA



77DD5ECC 5 Bytes
JMP 3700752E C:\WINNT\System32\EntApi.dll
..text C:\WINNT\explorer.exe[144] WS2_32.dll!select



71AB1890 5 Bytes
JMP 37007626 C:\WINNT\System32\EntApi.dll
..text C:\WINNT\explorer.exe[144] WS2_32.dll!send



71AB1AF4 5 Bytes
JMP 370075AA C:\WINNT\System32\EntApi.dll
..text C:\WINNT\explorer.exe[144] WS2_32.dll!socket



71AB3C22 5 Bytes
JMP 3700756C C:\WINNT\System32\EntApi.dll
..text C:\WINNT\explorer.exe[144] WS2_32.dll!bind



71AB3ECE 5 Bytes
JMP 370075E8 C:\WINNT\System32\EntApi.dll
..text C:\WINNT\explorer.exe[144] WS2_32.dll!recv



71AB5690 5 Bytes
JMP 37007664 C:\WINNT\System32\EntApi.dll
..text C:\WINNT\explorer.exe[144] WININET.dll!InternetReadFile



6301469B 5 Bytes
JMP 3700779A C:\WINNT\System32\EntApi.dll
..text C:\WINNT\explorer.exe[144] WININET.dll!InternetOpenA



63018E63 5 Bytes
JMP 37007816 C:\WINNT\System32\EntApi.dll
..text C:\WINNT\explorer.exe[144] WININET.dll!InternetOpenUrlA



6302055B 5 Bytes
JMP 370077D8 C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\winlogon.exe[548] ADVAPI32.dll!CryptDestroyKey



77DE0AF0 7 Bytes
JMP 100027E2 c:\program files\common files\microsoft shared\web
folders\ibm00002.dll
..text C:\WINNT\system32\winlogon.exe[548] ADVAPI32.dll!CryptImportKey



77DE0BB2 7 Bytes
JMP 100026BD c:\program files\common files\microsoft shared\web
folders\ibm00002.dll
..text C:\WINNT\system32\winlogon.exe[548] ADVAPI32.dll!CryptDecrypt



77DE18B1 7 Bytes
JMP 1000275C c:\program files\common files\microsoft shared\web
folders\ibm00002.dll
..text C:\WINNT\system32\winlogon.exe[548] ADVAPI32.dll!CryptDeriveKey



77DE1961 7 Bytes
JMP 10002660 c:\program files\common files\microsoft shared\web
folders\ibm00002.dll
..text C:\WINNT\system32\winlogon.exe[548] ADVAPI32.dll!CryptEncrypt



77DE1A78 7 Bytes
JMP 100026F1 c:\program files\common files\microsoft shared\web
folders\ibm00002.dll
..text C:\WINNT\system32\winlogon.exe[548] ADVAPI32.dll!CryptGetUserKey



77DE264D 7 Bytes
JMP 10002693 c:\program files\common files\microsoft shared\web
folders\ibm00002.dll
..text C:\WINNT\system32\winlogon.exe[548] ADVAPI32.dll!CryptGenKey



77E0D0A5 7 Bytes
JMP 10002630 c:\program files\common files\microsoft shared\web
folders\ibm00002.dll
..text C:\WINNT\system32\winlogon.exe[548] WS2_32.dll!WSARecv



71AB19A0 5 Bytes
JMP 100024DD c:\program files\common files\microsoft shared\web
folders\ibm00002.dll
..text C:\WINNT\system32\winlogon.exe[548] WS2_32.dll!closesocket



71AB1A6D 14 Bytes
JMP 10002598 c:\program files\common files\microsoft shared\web
folders\ibm00002.dll
..text C:\WINNT\system32\winlogon.exe[548] WS2_32.dll!send



71AB1AF4 6 Bytes
JMP 10002334 c:\program files\common files\microsoft shared\web
folders\ibm00002.dll
..text C:\WINNT\system32\winlogon.exe[548] WS2_32.dll!connect



71AB3E5D 6 Bytes
JMP 1000227F c:\program files\common files\microsoft shared\web
folders\ibm00002.dll
..text C:\WINNT\system32\winlogon.exe[548] WS2_32.dll!recv



71AB5690 6 Bytes
JMP 100023AB c:\program files\common files\microsoft shared\web
folders\ibm00002.dll
..text C:\WINNT\system32\winlogon.exe[548] WS2_32.dll!WSASend



71AB5722 5 Bytes
JMP 10002422 c:\program files\common files\microsoft shared\web
folders\ibm00002.dll
..text C:\WINNT\system32\services.exe[592] kernel32.dll!VirtualProtectEx



77E8B0A3 5 Bytes
JMP 3700737C C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\services.exe[592] kernel32.dll!VirtualProtect



77E8B461 5 Bytes
JMP 3700733E C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\services.exe[592] kernel32.dll!GetProcAddress



77E8D2D3 5 Bytes
JMP 370074B2 C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\services.exe[592] kernel32.dll!LoadLibraryA



77E8DF64 5 Bytes
JMP 370074F0 C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\services.exe[592] kernel32.dll!PeekNamedPipe



77E8E2F7 5 Bytes
JMP 370073BA C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\services.exe[592] kernel32.dll!CreatePipe



77E90F98 5 Bytes
JMP 370073F8 C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\services.exe[592] kernel32.dll!GetStartupInfoA



77E9185C 5 Bytes
JMP 37007436 C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\services.exe[592] kernel32.dll!WinExec



77E95A1B 5 Bytes
JMP 37007474 C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\services.exe[592] ADVAPI32.dll!RegOpenKeyA



77DD5ECC 5 Bytes
JMP 3700752E C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\services.exe[592] WS2_32.dll!select



71AB1890 5 Bytes
JMP 37007626 C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\services.exe[592] WS2_32.dll!send



71AB1AF4 5 Bytes
JMP 370075AA C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\services.exe[592] WS2_32.dll!socket



71AB3C22 5 Bytes
JMP 3700756C C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\services.exe[592] WS2_32.dll!bind



71AB3ECE 5 Bytes
JMP 370075E8 C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\services.exe[592] WS2_32.dll!recv



71AB5690 5 Bytes
JMP 37007664 C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\services.exe[592] WININET.dll!InternetReadFile



6301469B 5 Bytes
JMP 3700779A C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\services.exe[592] WININET.dll!InternetOpenA



63018E63 5 Bytes
JMP 37007816 C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\services.exe[592] WININET.dll!InternetOpenUrlA



6302055B 5 Bytes
JMP 370077D8 C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\lsass.exe[604] kernel32.dll!VirtualProtectEx



77E8B0A3 5 Bytes
JMP 3700737C C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\lsass.exe[604] kernel32.dll!VirtualProtect



77E8B461 5 Bytes
JMP 3700733E C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\lsass.exe[604] kernel32.dll!GetProcAddress



77E8D2D3 5 Bytes
JMP 370074B2 C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\lsass.exe[604] kernel32.dll!LoadLibraryA



77E8DF64 5 Bytes
JMP 370074F0 C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\lsass.exe[604] kernel32.dll!PeekNamedPipe



77E8E2F7 5 Bytes
JMP 370073BA C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\lsass.exe[604] kernel32.dll!CreatePipe



77E90F98 5 Bytes
JMP 370073F8 C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\lsass.exe[604] kernel32.dll!GetStartupInfoA



77E9185C 5 Bytes
JMP 37007436 C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\lsass.exe[604] kernel32.dll!WinExec



77E95A1B 5 Bytes
JMP 37007474 C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\lsass.exe[604] ADVAPI32.dll!RegOpenKeyA



77DD5ECC 5 Bytes
JMP 3700752E C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\lsass.exe[604] WS2_32.dll!select



71AB1890 5 Bytes
JMP 37007626 C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\lsass.exe[604] WS2_32.dll!send



71AB1AF4 5 Bytes
JMP 370075AA C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\lsass.exe[604] WS2_32.dll!socket



71AB3C22 5 Bytes
JMP 3700756C C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\lsass.exe[604] WS2_32.dll!bind



71AB3ECE 5 Bytes
JMP 370075E8 C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\lsass.exe[604] WS2_32.dll!recv



71AB5690 5 Bytes
JMP 37007664 C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\lsass.exe[604] WININET.dll!InternetReadFile



6301469B 5 Bytes
JMP 3700779A C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\lsass.exe[604] WININET.dll!InternetOpenA



63018E63 5 Bytes
JMP 37007816 C:\WINNT\System32\EntApi.dll
..text C:\WINNT\system32\lsass.exe[604] WININET.dll!InternetOpenUrlA



6302055B 5 Bytes
JMP 370077D8 C:\WINNT\System32\EntApi.dll
..text C:\Program Files\Internet Explorer\IEXPLORE.EXE[652]
kernel32.dll!VirtualProtectEx



77E8B0A3 5 Bytes JMP 3700737C C:\WINNT\System32\EntApi.dll
..text C:\Program Files\Internet Explorer\IEXPLORE.EXE[652]
kernel32.dll!VirtualProtect



77E8B461 5 Bytes JMP 3700733E C:\WINNT\System32\EntApi.dll
..text C:\Program Files\Internet Explorer\IEXPLORE.EXE[652]
kernel32.dll!GetProcAddress



77E8D2D3 5 Bytes JMP 370074B2 C:\WINNT\System32\EntApi.dll
..text C:\Program Files\Internet Explorer\IEXPLORE.EXE[652]
kernel32.dll!LoadLibraryA



77E8DF64 5 Bytes JMP 370074F0 C:\WINNT\System32\EntApi.dll
..text C:\Program Files\Internet Explorer\IEXPLORE.EXE[652]
kernel32.dll!PeekNamedPipe



77E8E2F7 5 Bytes JMP 370073BA C:\WINNT\System32\EntApi.dll
..text C:\Program Files\Internet Explorer\IEXPLORE.EXE[652]
kernel32.dll!CreatePipe



77E90F98 5 Bytes JMP 370073F8 C:\WINNT\System32\EntApi.dll
..text C:\Program Files\Internet Explorer\IEXPLORE.EXE[652]
kernel32.dll!GetStartupInfoA



77E9185C 5 Bytes JMP 37007436 C:\WINNT\System32\EntApi.dll
..text C:\Program Files\Internet Explorer\IEXPLORE.EXE[652]
kernel32.dll!WinExec



77E95A1B 5 Bytes JMP 37007474 C:\WINNT\System32\EntApi.dll
..text C:\Program Files\Internet Explorer\IEXPLORE.EXE[652]
ADVAPI32.dll!RegOpenKeyA



77DD5ECC 5 Bytes JMP 3700752E C:\WINNT\System32\EntApi.dll
..text C:\Program Files\Internet Explorer\IEXPLORE.EXE[652]
ADVAPI32.dll!CryptDestroyKey



77DE0AF0 7 Bytes JMP 025B27E2 c:\program files\common files\microsoft
shared\web folders\ibm00002.dll
..text C:\Program Files\Internet Explorer\IEXPLORE.EXE[652]
ADVAPI32.dll!CryptImportKey



77DE0BB2 7 Bytes JMP 025B26BD c:\program files\common files\microsoft
shared\web folders\ibm00002.dll
..text C:\Program Files\Internet Explorer\IEXPLORE.EXE[652]
ADVAPI32.dll!CryptDecrypt



77DE18B1 7 Bytes JMP 025B275C c:\program files\common files\microsoft
shared\web folders\ibm00002.dll
..text C:\Program Files\Internet Explorer\IEXPLORE.EXE[652]
ADVAPI32.dll!CryptDeriveKey



77DE1961 7 Bytes JMP 025B2660 c:\program files\common files\microsoft
shared\web folders\ibm00002.dll
..text C:\Program Files\Internet Explorer\IEXPLORE.EXE[652]
ADVAPI32.dll!CryptEncrypt



77DE1A78 7 Bytes JMP 025B26F1 c:\program files\common files\microsoft
shared\web folders\ibm00002.dll
..text C:\Program Files\Internet Explorer\IEXPLORE.EXE[652]
ADVAPI32.dll!CryptGetUserKey



77DE264D 7 Bytes JMP 025B2693 c:\program files\common files\microsoft
shared\web folders\ibm00002.dll
..text C:\Program Files\Internet Explorer\IEXPLORE.EXE[652]
ADVAPI32.dll!CryptGenKey



77E0D0A5 7 Bytes JMP 025B2630 c:\program files\common files\microsoft
shared\web folders\ibm00002.dll
..text C:\Program Files\Internet Explorer\IEXPLORE.EXE[652]
WS2_32.dll!select



71AB1890 5 Bytes JMP 37007626 C:\WINNT\System32\EntApi.dll
..text C:\Program Files\Internet Explorer\IEXPLORE.EXE[652] WS2_32.dll!send



71AB1AF4 5 Bytes
JMP 370075AA C:\WINNT\System32\EntApi.dll
..text C:\Program Files\Internet Explorer\IEXPLORE.EXE[652]
WS2_32.dll!socket



71AB3C22 5 Bytes JMP 3700756C C:\WINNT\System32\EntApi.dll
..text C:\Program Files\Internet Explorer\IEXPLORE.EXE[652] WS2_32.dll!bind



71AB3ECE 5 Bytes
JMP 370075E8 C:\WINNT\System32\EntApi.dll
..text C:\Program Files\Internet Explorer\IEXPLORE.EXE[652] WS2_32.dll!recv



71AB5690 5 Bytes
JMP 37007664 C:\WINNT\System32\EntApi.dll
..text C:\Program Files\Internet Explorer\IEXPLORE.EXE[652]
WININET.dll!InternetCloseHandle



63007DCB 5 Bytes JMP 025B3455 c:\program files\common files\microsoft
shared\web folders\ibm00002.dll
..text C:\Program Files\Internet Explorer\IEXPLORE.EXE[652]
WININET.dll!HttpSendRequestA



6300CF78 5 Bytes JMP 025B32A8 c:\program files\common files\microsoft
shared\web folders\ibm00002.dll
..text C:\Program Files\Internet Explorer\IEXPLORE.EXE[652]
WININET.dll!HttpOpenRequestA



6300D491 6 Bytes JMP 025B2F0D c:\program files\common files\microsoft
shared\web folders\ibm00002.dll
..text C:\Program Files\Internet Explorer\IEXPLORE.EXE[652]
WININET.dll!InternetConnectA



6300D836 5 Bytes JMP 025B289B c:\program files\common files\microsoft
shared\web folders\ibm00002.dll
..text C:\Program Files\Internet Explorer\IEXPLORE.EXE[652]
WININET.dll!InternetReadFile



6301469B 2 Bytes JMP 025B3363 c:\program files\common files\microsoft
shared\web folders\ibm00002.dll
..text C:\Program Files\Internet Explorer\IEXPLORE.EXE[652]
WININET.dll!InternetReadFile + 3



6301469E 3 Bytes [ 59, 9F, CC ]
..text C:\Program Files\Internet Explorer\IEXPLORE.EXE[652]
WININET.dll!InternetOpenA



63018E63 5 Bytes JMP 37007816 C:\WINNT\System32\EntApi.dll
..text C:\Program Files\Internet Explorer\IEXPLORE.EXE[652]
WININET.dll!InternetOpenUrlA



6302055B 5 Bytes JMP 370077D8 C:\WINNT\System32\EntApi.dll
..text C:\Program Files\Internet Explorer\IEXPLORE.EXE[652]
WININET.dll!HttpSendRequestW



63056FF9 6 Bytes JMP 025B4D65 c:\program files\common files\microsoft
shared\web folders\ibm00002.dll
..text C:\Program Files\Internet Explorer\IEXPLORE.EXE[652]
CRYPT32.dll!CertVerifyCertificateChainPolicy



762E1B72 5 Bytes JMP 025B4808 c:\program files\common files\microsoft
shared\web folders\ibm00002.dll
..text C:\Program Files\Internet Explorer\IEXPLORE.EXE[652]
CRYPT32.dll!CertGetCertificateChain



76321BD3 7 Bytes JMP 025B47FF c:\program files\common files\microsoft
shared\web folders\ibm00002.dll
..text C:\WINNT\system32\ati2evxx.exe[768] ADVAPI32.dll!CryptDestroyKey



77DE0AF0 7 Bytes
JMP 100027E2 c:\program files\common files\microsoft shared\web
folders\ibm00002.dll
..text C:\WINNT\system32\ati2evxx.exe[768] ADVAPI32.dll!CryptImportKey



77DE0BB2 7 Bytes
JMP 100026BD c:\program files\common files\microsoft shared\web
folders\ibm00002.dll
..text C:\WINNT\system32\ati2evxx.exe[768] ADVAPI32.dll!CryptDecrypt



77DE18B1 7 Bytes
JMP 1000275C c:\program files\common files\microsoft shared\web
folders\ibm00002.dll
..text C:\WINNT\system32\ati2evxx.exe[768] ADVAPI32.dll!CryptDeriveKey



77DE1961 7 Bytes
JMP 10002660 c:\program files\common files\microsoft shared\web
folders\ibm00002.dll
..text C:\WINNT\system32\ati2evxx.exe[768] ADVAPI32.dll!CryptEncrypt



77DE1A78 7 Bytes
JMP 100026F1 c:\program files\common files\microsoft shared\web
folders\ibm00002.dll
..text C:\WINNT\system32\ati2evxx.exe[768] ADVAPI32.dll!CryptGetUserKey



77DE264D 7 Bytes
JMP 10002693 c:\program files\common files\microsoft shared\web
folders\ibm00002.dll
..text C:\WINNT\system32\ati2evxx.exe[768] ADVAPI32.dll!CryptGenKey



77E0D0A5 7 Bytes
JMP 10002630 c:\program files\common files\microsoft shared\web
folders\ibm00002.dll
..text C:\WINNT\system32\ati2evxx.exe[768] WS2_32.dll!WSARecv



71AB19A0 5 Bytes
JMP 100024DD c:\program files\common files\microsoft shared\web
folders\ibm00002.dll
..text C:\WINNT\system32\ati2evxx.exe[768] WS2_32.dll!closesocket



71AB1A6D 14 Bytes
JMP 10002598 c:\program files\common files\microsoft shared\web
folders\ibm00002.dll
..text C:\WINNT\system32\ati2evxx.exe[768] WS2_32.dll!send

Edited by belh, 26 April 2007 - 02:32 PM.


#9 belh

belh
  • Topic Starter

  • Members
  • 10 posts

Posted 26 April 2007 - 02:04 PM

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE



[EDBCEA80]
vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE



[EDBCEA80]
vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL



[EDBCEA80]
vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL



[EDBCEA80]
vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP



[EDBCEA80]
vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE



[EDBCEA80]
vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE



[EDBCEA80]
vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL



[EDBCEA80]
vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL



[EDBCEA80]
vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP



[EDBCEA80]
vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE



[EDBCEA80]
vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE



[EDBCEA80]
vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL



[EDBCEA80]
vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL



[EDBCEA80]
vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP



[EDBCEA80]
vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE



[EDBCEA80]
vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE



[EDBCEA80]
vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL



[EDBCEA80]
vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL



[EDBCEA80]
vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP



[EDBCEA80]
vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE



[EDBCEA80]
vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE



[EDBCEA80]
vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL



[EDBCEA80]
vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL



[EDBCEA80]
vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP



[EDBCEA80]
vsdatant.sys


---- EOF - GMER 1.0.12 ----

Edited by belh, 26 April 2007 - 07:57 PM.


#10 random/random

random/random

  • Malware Response Team
  • 2,704 posts

Posted 26 April 2007 - 04:05 PM

  • You have word wrap turned on; this is making your logs difficult to read
  • Run Notepad
  • Go to Format and untick Word Wrap
Run GMER again and post the logs

#11 belh

belh
  • Topic Starter

  • Members
  • 10 posts

Posted 26 April 2007 - 04:19 PM

It wasn't checked when I opened notepad?

Edit: The reply box changes the format automatically

Attached Files


Edited by belh, 26 April 2007 - 04:35 PM.


#12 random/random

random/random

  • Malware Response Team
  • 2,704 posts

Posted 26 April 2007 - 04:35 PM

Upload the logs here.

#13 belh

belh
  • Topic Starter

  • Members
  • 10 posts

Posted 26 April 2007 - 04:40 PM

K, I think the format probably changed when I sent them to my laptop (since explorer wasn't letting me edit my posts on the actual computer). I'll upload them once more on that one :thumbsup:

#14 random/random

random/random

  • Malware Response Team
  • 2,704 posts

Posted 27 April 2007 - 04:22 PM

  • Double click on gmer.exe to launch GMER
  • If asked, allow the gmer.sys driver to load
  • If it warns you about rootkit activity and asks if you want to run scan, click NO
  • Click on the >>> tab
  • This will open up the rest of the tabs for you
  • Click on the CMD tab
  • Make sure CMD.EXE not REGEDIT.EXE is selected
  • Copy and paste the contents of the below codebox into the top box
    gmer.exe -del file "c:\program files\common files\microsoft shared\web folders\ibm00002.dll"
  • Click run
  • Copy and paste the contents of the box marked log as a reply to this topic
Restart

Rerun GMER and post the logs, along with a new HijackThis log
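As an added example (not code from GMER, the helper, or the original posts), here is the triage logic that singles out ibm00002.dll in the rootkit scan above: it re-joins each "User code sections" entry onto one line, groups hooks by the DLL that owns the JMP target, and flags a DLL when at least two independent indicators line up (outside System32, hooks crypto or certificate-validation APIs, sits inside winlogon.exe). The sample entries are copied from this thread's log and assume the unwrapped layout GMER produces with word wrap off; a System32 location alone is not treated as proof that a hooking DLL is legitimate, only as the absence of one indicator.

```python
"""Triage the "User code sections" of a GMER rootkit log.

Added example for this thread (not GMER's code). Hook entries are parsed one
per line and grouped by the DLL that owns the JMP target, so a DLL hooking
crypto, certificate or HTTP APIs from an unusual place stands out.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: a few entries from the rootkit scan posted in this
# thread, unwrapped onto single lines as GMER writes them with word wrap off.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.12 ----

.text  C:\WINNT\explorer.exe[144] kernel32.dll!VirtualProtectEx  77E8B0A3 5 Bytes  JMP 3700737C C:\WINNT\System32\EntApi.dll
.text  C:\WINNT\explorer.exe[144] WS2_32.dll!send  71AB1AF4 5 Bytes  JMP 370075AA C:\WINNT\System32\EntApi.dll
.text  C:\WINNT\system32\winlogon.exe[548] ADVAPI32.dll!CryptEncrypt  77DE1A78 7 Bytes  JMP 100026F1 c:\program files\common files\microsoft shared\web folders\ibm00002.dll
.text  C:\WINNT\system32\winlogon.exe[548] WS2_32.dll!send  71AB1AF4 6 Bytes  JMP 10002334 c:\program files\common files\microsoft shared\web folders\ibm00002.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[652] WININET.dll!HttpSendRequestA  6300CF78 5 Bytes  JMP 025B32A8 c:\program files\common files\microsoft shared\web folders\ibm00002.dll
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[652] WININET.dll!InternetReadFile + 3  6301469E 3 Bytes  [ 59, 9F, CC ]
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[652] CRYPT32.dll!CertVerifyCertificateChainPolicy  762E1B72 5 Bytes  JMP 025B4808 c:\program files\common files\microsoft shared\web folders\ibm00002.dll
"""

# One hook entry: section, process[pid], module!function, address, patch size,
# then either a JMP to a target inside a DLL or a raw byte list.
HOOK_RE = re.compile(
    r"^\.{1,2}text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+(?: \+ \d+)?)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]+)\s+(?P<dll>.+?)|\[(?P<raw>[^\]]*)\])\s*$"
)

# API families whose hooking is security-relevant for a credential stealer.
SENSITIVE = {
    "crypto": re.compile(r"^Crypt", re.I),
    "certificate": re.compile(r"^Cert(Verify|Get)Certificate", re.I),
    "http": re.compile(r"^(HttpSendRequest|HttpOpenRequest|InternetConnect|InternetReadFile)", re.I),
    "socket": re.compile(r"^(send|recv|connect|closesocket|WSASend|WSARecv|socket|bind|select)$", re.I),
}


def parse_hooks(log_text):
    """Return one dict per '.text' hook line; non-matching lines are skipped."""
    hooks = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append(m.groupdict())
    return hooks


def categorise(func):
    """Map a hooked export (e.g. 'InternetReadFile + 3') to its API families."""
    base = func.split(" ")[0]
    return {cat for cat, rx in SENSITIVE.items() if rx.search(base)}


def in_system_dir(dll_path):
    """True if the DLL sits directly in <drive>\\WINNT|Windows\\System32."""
    parts = [p.lower() for p in PureWindowsPath(dll_path).parts]
    return len(parts) >= 3 and parts[1] in ("winnt", "windows") and parts[2] == "system32"


def analyse(log_text):
    """Group hooks by owning DLL and score each DLL; returns {dll_lower: summary}."""
    by_dll = defaultdict(lambda: {"hooks": 0, "processes": set(), "categories": set()})
    for h in parse_hooks(log_text):
        if h["dll"] is None:
            continue  # inline byte patch with no JMP target (the '+ 3' tail above)
        e = by_dll[h["dll"].lower()]
        e["hooks"] += 1
        e["processes"].add(PureWindowsPath(h["proc"]).name.lower())
        e["categories"] |= categorise(h["func"])
    report = {}
    for dll, e in by_dll.items():
        reasons = []
        if not in_system_dir(dll):
            reasons.append("hooking DLL lives outside System32")
        if e["categories"] & {"crypto", "certificate"}:
            reasons.append("hooks crypto or certificate-validation APIs")
        if "winlogon.exe" in e["processes"]:
            reasons.append("hooks inside winlogon.exe")
        report[dll] = {
            "hooks": e["hooks"],
            "processes": sorted(e["processes"]),
            "categories": sorted(e["categories"]),
            "reasons": reasons,
            "suspicious": len(reasons) >= 2,  # two independent indicators required
        }
    return report


if __name__ == "__main__":
    for dll, r in analyse(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {dll}  ({r['hooks']} hooks in {', '.join(r['processes'])})")
        for reason in r["reasons"]:
            print(f"           - {reason}")
```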

#15 belh

belh
  • Topic Starter

  • Members
  • 10 posts

Posted 27 April 2007 - 05:02 PM

Command was successfully executed.



