Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Tried To Remove Smitfraud-c Infection, But Comp Still Not Not Working Properly


  • Please log in to reply
27 replies to this topic

#1 Bengy909

Bengy909

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:11:22 AM

Posted 03 May 2007 - 11:28 AM

Hello, any help on this would be great. I apologize if I sound completely computer illiterate...

My computer has been acting up for at least a month now with various problems: freezing and restarting at random, Internet webpages not loading even though I'm connected to the internet, etc.

Last week it got even worse - I would no longer start up in Normal Mode. It just freezes up when loading Windows XP. The only way it works is if I unplug it and boot into Safe Mode.

I ran SpyBot S&D (both on Normal Mode when it was still working and on Safe Mode when it no longer booted into Normal Mode) and it found several infections(?), all of which were fixed except for this evil evil thing called Smitfraud-c. Listed as:

c:\WINDOWS\system32\rpcc.dll

I found some instructions on a different website (using my roomate's computer) and followed them. They told me to do the following:

1. Boot to Windows Safe Mode
2. Run HijackThis
3. Click "open the Misc Tools section", then "Delete a file in reboot...", select the dll file that SpyBotyb has been complaining about and close HijackThis.
4. Reboot Windows to Normal Mode
5. Run SpyBot S&D. It will again detect smitfraud-c, but this time around it will be able to remove it.

I followed all the instructions except that I had to do the last step (step#5) on Safe Mode because the computer continued to freeze while loading Windows XP on Normal Mode.

SpyBot did indeed find the smitfraud file and was able to delete it. However, I am still unable to boot the computer into Normal Mode (same problem as before - it continues to freeze up).

I went back to Safe Mode and ran HijackThis once again. I would really appreciate if someone could look at the log and help fix any additional problems. Thanks.

Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 7:03:06 AM, on 5/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
D:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [CreateCD_Reminder] C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146108193\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [vtmesys] seclbwbd.exe
O4 - HKLM\..\Run: [tymsetvc] C:\WINDOWS\system32\osskhbd.exe
O4 - HKLM\..\Run: [cvmsyslpd] C:\WINDOWS\system32\sdservss.exe
O4 - HKLM\..\Run: [winsplog] C:\WINDOWS\system32\wsmmlog.exe
O4 - HKLM\..\Run: [p2snetis] C:\WINDOWS\system32\umcefomk.exe
O4 - HKLM\..\Run: [dpmdllep] C:\WINDOWS\system32\umcefomk.exe
O4 - HKLM\..\Run: [dstiosys] C:\WINDOWS\system32\plsitctl.exe
O4 - HKLM\..\Run: [sacmemds] C:\WINDOWS\system32\smcntlwio.exe
O4 - HKLM\..\Run: [vbmsession] C:\WINDOWS\system32\umcefomk.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [autolemd] drvpqimf.exe
O4 - HKLM\..\Run: [statlcmi] C:\WINDOWS\system32\umcefomk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\qyohd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qyohd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qyohd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qyohd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qyohd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qyohd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qyohd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qyohd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qyohd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qyohd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qyohd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qyohd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qyohd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qyohd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qyohd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qyohd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qyohd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qyohd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qyohd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qyohd.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O20 - Winlogon Notify: pngfmsne - C:\WINDOWS\system32\pngfmsne.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wmadmsst - C:\WINDOWS\
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

If you need, I also saved the log from the first time I ran HijackThis.
Thanks. Hope someone can help!

BC AdBot (Login to Remove)

 


#2 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:11:22 AM

Posted 03 May 2007 - 08:10 PM

First, make sure HijackThis is run from its own folder. This will ensure we have back ups made, and they are kept securely. Backups allow the restoring of fixed entries when necessary.

On the Desktop, right click an empty area, select New > Folder, and name the folder Hijack This. place the HijackThis.exe file in it, and then run the program from its own folder from now on...

~~~~
Looks a if you don't use an AntiVirus scanner or your scanner is not active!!
Big mistake!!

~~~~
Let’s take care of some of the malware first, and then take further actions.

The HijackThis log shows a malicious .dll file (qyohd.dll) disrupting the Layered Service Provider (LSP) chain on your computer, and we need to get rid of it.

Start the computer in Safe Mode with Networking:
-When the machine first starts again, tap the F8 key before Windows starts
-You are presented with a Windows XP Advanced Options menu.
-Select the option for Safe Mode with Networking using the arrow keys.
-Press Enter to boot into Safe Mode with Networking

Next, please download LSPFix:
http://www.bleepingcomputer.com/files/lspfix.php
Place it in its own folder.
-Unzip and run LSPFix
-Disconnect from the Internet and close all Internet Explorer Windows
-Check: I know what I'm doing
-Select all traces of: qyohd.dll on the left window
-Click the right-pointing arrows and move all instances of qyohd.dll from the Keep to the Remove panel.
Be sure to move nothing other than qyohd.dll!
-Click: Finished for the program to remove references to the file and restore the LSP chain.

~~~
Now, run HijackThis, Scan
Check box for:

O4 - HKLM\..\Run: [vtmesys] seclbwbd.exe
O4 - HKLM\..\Run: [tymsetvc] C:\WINDOWS\system32\osskhbd.exe
O4 - HKLM\..\Run: [cvmsyslpd] C:\WINDOWS\system32\sdservss.exe
O4 - HKLM\..\Run: [winsplog] C:\WINDOWS\system32\wsmmlog.exe
O4 - HKLM\..\Run: [p2snetis] C:\WINDOWS\system32\umcefomk.exe
O4 - HKLM\..\Run: [dpmdllep] C:\WINDOWS\system32\umcefomk.exe
O4 - HKLM\..\Run: [dstiosys] C:\WINDOWS\system32\plsitctl.exe
O4 - HKLM\..\Run: [sacmemds] C:\WINDOWS\system32\smcntlwio.exe
O4 - HKLM\..\Run: [vbmsession] C:\WINDOWS\system32\umcefomk.exe
O4 - HKLM\..\Run: [autolemd] drvpqimf.exe
O4 - HKLM\..\Run: [statlcmi] C:\WINDOWS\system32\umcefomk.exe

O20 - Winlogon Notify: pngfmsne - C:\WINDOWS\system32\pngfmsne.dll (file missing)
O20 - Winlogon Notify: wmadmsst - C:\WINDOWS\


Select: Fix checked

~~~~
Next, enable the viewing of Hidden Files and Folders as follows:
-At your Desktop, go to Start>My Computer
-Select the Tools menu and then Folder Options
-After the new window appears select the View tab
-Select: Display the contents of system folders
-Under the Hidden files and folders section select: Show hidden files and folders
-Remove the checkmark from Hide file extensions for known file types
-Remove the checkmark from Hide protected operating system files (Recommended)
-Press the Apply button
Click OK

~~~~
Search for and remove the following files (bold):
C:\Windows\system32\qyohd.dll
C:\WINDOWS\system32\seclbwbd.exe
C:\WINDOWS\system32\osskhbd.exe
C:\WINDOWS\system32\sdservss.exe
C:\WINDOWS\system32\wsmmlog.exe
C:\WINDOWS\system32\plsitctl.exe
C:\WINDOWS\system32\smcntlwio.exe
C:\WINDOWS\system32\umcefomk.exe
C:\WINDOWS\system32\drvpqimf.exe

~~~~
Go to Start > Control Panel > Internet Options
In the General tab, Temporary Internet Files, click: Delete Files
When prompted, check: Delete all offline content
You can also check: Delete Cookies
(You will have to re-enter passwords at websites that require them.)
Click OK

Then, go to Start >Run and enter: cleanmgr
Select the drive to clean: C:\
Check the following boxes and then press OK to remove:
Temporary Files
Temporary Internet Files
RecycleBin

Agree to the prompt to perform the action...

~~~~
Restart the computer in normal Windows, if possible. If not, go back to Safe Mode with Networking.

~~~~
Download SuperAntiSpyware Home Edition Free Version
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE
Install the program

Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log to post in your reply, as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

~~~~
Run HijackThis once again, and Scan.

~~~~
Please provide the following in your reply:
The SuperAntiSpyware log
A new HijackThis log

Old duck...


#3 Bengy909

Bengy909
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:11:22 AM

Posted 04 May 2007 - 10:01 AM

First off... thank you, thank you, thank you, thank you, thank you, thank you...

I purchased the McAfee Internet Security Suite - I should be getting it in the mail next week. Does that also work as an anti-virus scanner?

I followed your instructions last night and finally got into Normal Mode. However, the internet there only worked for a brief amount of time. It's still not working this morning. It keeps saying that "Internet Explorer Cannot Open Search Page."

Another issue that came up last night was when I went to manually delete the qyohd.dll file in its folder. It wouldn't let me and a window kept popping up with the following message:

"Error deleting file or folder. Cannot delete qyohd: Access is denied. Make sure the disk is not full or write-protected and that the file is currently not in use."

I deleted the other files and continued following your instructions. At one point I went back to try to remove the qyohd.dll file again, but it was no longer there. I'm not sure if this observation is relevant or not, but I thought I should mention it just in case.

Last but not least, here are the logs you asked to see:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/04/2007 at 01:13 AM

Application Version : 3.7.1018

Core Rules Database Version : 3231
Trace Rules Database Version: 1242

Scan type : Complete Scan
Total Scan Time : 01:02:40

Memory items scanned : 493
Memory threats detected : 2
Registry items scanned : 5270
Registry threats detected : 0
File items scanned : 34990
File threats detected : 29

Trojan.Downloader-MSNETAX
C:\WINDOWS\SYSTEM32\TEEAUACNTIL.DLL
C:\WINDOWS\SYSTEM32\TEEAUACNTIL.DLL
C:\WINDOWS\SYSTEM32\QYOHD.DLL

Trojan.Spam-RUCrzy
C:\CP1041.NLS
C:\CP1041.NLS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{14AB0BD9-ED23-4445-98C1-95FB6C64B155}\RP456\A0022513.EXE

Adware.Tracking Cookie
C:\Documents and Settings\Lea Esther Benguigui\Cookies\lea esther benguigui@ads.pointroll[2].txt
C:\Documents and Settings\Lea Esther Benguigui\Cookies\lea esther benguigui@edge.ru4[1].txt
C:\Documents and Settings\Lea Esther Benguigui\Cookies\lea esther benguigui@atwola[1].txt
C:\Documents and Settings\Lea Esther Benguigui\Cookies\lea esther benguigui@2o7[1].txt
C:\Documents and Settings\Lea Esther Benguigui\Local Settings\Temp\Cookies\lea esther benguigui@2o7[2].txt
C:\Documents and Settings\Lea Esther Benguigui\Local Settings\Temp\Cookies\lea esther benguigui@ads.web.aol[2].txt
C:\Documents and Settings\Lea Esther Benguigui\Local Settings\Temp\Cookies\lea esther benguigui@anad.tacoda[1].txt
C:\Documents and Settings\Lea Esther Benguigui\Local Settings\Temp\Cookies\lea esther benguigui@atwola[1].txt
C:\Documents and Settings\Lea Esther Benguigui\Local Settings\Temp\Cookies\lea esther benguigui@burstnet[2].txt
C:\Documents and Settings\Lea Esther Benguigui\Local Settings\Temp\Cookies\lea esther benguigui@dealnews.122.2o7[1].txt
C:\Documents and Settings\Lea Esther Benguigui\Local Settings\Temp\Cookies\lea esther benguigui@edge.ru4[1].txt
C:\Documents and Settings\Lea Esther Benguigui\Local Settings\Temp\Cookies\lea esther benguigui@msnportal.112.2o7[1].txt
C:\Documents and Settings\Lea Esther Benguigui\Local Settings\Temp\Cookies\lea esther benguigui@msnservices.112.2o7[1].txt
C:\Documents and Settings\Lea Esther Benguigui\Local Settings\Temp\Cookies\lea esther benguigui@overture[1].txt
C:\Documents and Settings\Lea Esther Benguigui\Local Settings\Temp\Cookies\lea esther benguigui@pt.crossmediaservices[1].txt
C:\Documents and Settings\Lea Esther Benguigui\Local Settings\Temp\Cookies\lea esther benguigui@revsci[2].txt
C:\Documents and Settings\Lea Esther Benguigui\Local Settings\Temp\Cookies\lea esther benguigui@tacoda[2].txt
C:\Documents and Settings\Lea Esther Benguigui\Local Settings\Temp\Cookies\lea esther benguigui@tribalfusion[1].txt
C:\Documents and Settings\Lea Esther Benguigui\Local Settings\Temp\Cookies\lea esther benguigui@vitacost.122.2o7[1].txt
C:\Documents and Settings\Lea Esther Benguigui\Local Settings\Temp\Cookies\lea esther benguigui@www.burstbeacon[2].txt
C:\Documents and Settings\Lea Esther Benguigui\Local Settings\Temp\Cookies\lea esther benguigui@www.burstnet[2].txt
C:\Documents and Settings\Lea Esther Benguigui\Local Settings\Temp\Cookies\lea esther benguigui@www.smartadserver[1].txt
C:\Documents and Settings\Lea Esther Benguigui\Local Settings\Temp\Cookies\lea esther benguigui@xiti[1].txt
C:\WINDOWS\Temp\Cookies\lea esther benguigui@counter_20070125a[1].txt

Trojan.Rustock/LZX32
C:\WINDOWS\system32:lzx32.sys



Logfile of HijackThis v1.99.1
Scan saved at 6:40:44 AM, on 5/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\AOL\1146108193\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
c:\program files\common files\aol\1146108193\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Documents and Settings\Lea Esther Benguigui\Desktop\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [CreateCD_Reminder] C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146108193\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\teeauacntil.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Once again, thank you so much!

#4 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:11:22 AM

Posted 04 May 2007 - 11:55 AM

Thank you for your patience, and performing the procedures requested! :thumbsup:

Please use LSPFix once again, and this time follow the same routine to get rid of: teeauacntil.dll

~~~~
Next, download RustBFix by ejvindh:
http://www.uploads.ejvindh.net/rustbfix.exe
Save it to the Desktop.

Double click on rustbfix.exe to run the tool.
If a Rustock.b-infection is found, you are asked to reboot the computer.
The reboot will probably take a while, and perhaps 2 reboots will be needed, but this will happen automatically.

After the reboot(s) 2 logfiles open: Avenger.txt and a Pelog.txt
You will need to post these in your reply.

~~~~
Also download SDFix and save it to the Desktop.

Right click the SDFix.zip folder
Select: Extract All to extract it to its own folder on the Desktop.

~~~~
Start the computer in Safe Mode :
-When the machine first starts again, tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
-Select the option for Safe Mode using the arrow keys.
-Press Enter to boot into Safe Mode.

~~~~
Open the SDFix folder on the Desktop, and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
The process removes any Trojan Services or Registry Entries found, and then prompts you to press any key to Reboot.

Press any key to restart the PC.
When the PC restarts the SDFix will run again and complete the removal process
It then displays Finished
Press any key to end the script and load the Desktop icons.

Once the Desktop icons load, the SDFix report opens on screen and saves itself in the SDFix folder as Report.txt.

~~~~
Next, download ComboFix (by sUBs):
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

Save it to the Desktop.
Double-click combofix.exe and follow the prompts.

CAUTION: Do not mouse-click ComboFix's window while it is running!!

When finished, it produces a log: combofix.txt

~~~~
Run HijackThis once again, and Scan.

~~~~
Please provide the following:
The contents of the RustBFix Avenger.txt and a Pelog.txt
The SDFix Report.txt
The ComboFix.txt
A new HijackThis log

Old duck...


#5 Bengy909

Bengy909
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:11:22 AM

Posted 04 May 2007 - 06:46 PM

Hi, thank you soooooooooooooooooooooo much once again!

Here are the logs you asked for (except for the Pelog.txt which I cannot find!):

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gmrlmywu

*******************

Script file located at: \??\C:\urqufceu.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gmrlmywu

*******************

Script file located at: \??\C:\urqufceu.txt

Script file not found! Error

Could not open script file! Status: 0xc0000034 Abort!
//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gmrlmywu

*******************

Script file located at: \??\C:\urqufceu.txt

Script file not found! Error

Could not open script file! Status: 0xc0000034 Abort!


SDFix: Version 1.82

Run by Lea Esther Benguigui - Fri 05/04/2007 - 18:53:59.70

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\LEAEST~1\Desktop\SDFix

Safe Mode:
Checking Services:

Name:
ntldr.sys

ImagePath:
\??\C:\ntldr.sys

ntldr.sys - Deleted


ndis.sys Infected!

Patched File copied to Backups Folder
Attempting to replace ndis.sys with original version...

Original ndis.sys Restored


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\CP1041.NLS - Deleted
C:\WINDOWS\system32\C.tmp - Deleted
C:\WINDOWS\system32\16B.tmp - Deleted
C:\WINDOWS\wpcjmd.log - Deleted



Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"="C:\\Program Files\\support.com\\client\\bin\\tgcmd.exe:*:Disabled:tgcmd Module"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\Shareaza\\Shareaza.exe"="C:\\Program Files\\Shareaza\\Shareaza.exe:*:Enabled:Shareaza Ultimate File Sharing"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1146108193\\EE\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1146108193\\EE\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL Connectivity Service Dialer"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL Connectivity Service"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\system32\\umcefomk.exe"="C:\\WINDOWS\\system32\\umcefomk.exe:*:Enabled:Server"
"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:Explorer"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\WINDOWS\\system32\\umcefomk.exe"="C:\\WINDOWS\\system32\\umcefomk.exe:*:Enabled:Server"


Remaining Files:
---------------
C:\WINDOWS\SYSTEM32\ANAPUN~1.DLL Found - Check LSP chain!

Backups Folder: - C:\DOCUME~1\LEAEST~1\Desktop\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Program Files\BitComet\Downloads\2006-09-03_fri_argentina-brazil_full_highlights_fbtz.com-zlatan\Thumbs.db
C:\WINDOWS\system32\appprf32.dll
C:\Program Files\America Online 8.0\aolphx.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\America Online 8.0\RBM.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\COMIT\cswitch.exe
C:\Program Files\America Online 9.0\AOLphx.exe
C:\Program Files\America Online 9.0\rbm.exe
C:\WINDOWS\system32\ialssrgc.exe

Finished



"Lea Esther Benguigui" - 07-05-04 19:29:42 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\Lea Esther Benguigui\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-04 to 2007-05-04 ))))))))))))))))))))))))))))))))))


2007-05-04 18:46 21,504 --a------ C:\WINDOWS\system32\anapunkidopli.dll
2007-05-04 18:08 <DIR> d-------- C:\avenger
2007-05-04 17:56 16 --a------ C:\chdir.bat
2007-05-04 17:56 <DIR> d-------- C:\Rustbfix
2007-05-04 00:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-04 00:07 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-05-04 00:07 <DIR> d-------- C:\DOCUME~1\LEAEST~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-03 06:59 <DIR> d--h----- C:\WINDOWS\PIF
2007-05-03 06:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-02 00:20 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-05-02 00:07 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-04-29 20:16 75,302 --a------ C:\WINDOWS\rtfybgtrvfcgtr.exe
2007-04-27 06:44 <DIR> d-------- C:\{000044D6-0000-0000-4B6F-CC2FCB353A92}
2007-04-27 04:13 0 --a------ C:\WINDOWS\tgrftgrf.exe
2007-04-27 03:50 15,360 --a------ C:\WINDOWS\system32\nvstatld.dll
2007-04-26 23:59 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-04-26 23:49 89,730 --a------ C:\WINDOWS\system32\pngfmsne.exe
2007-04-26 23:43 72,957 --a------ C:\WINDOWS\nybtyhrtg.exe
2007-04-26 23:43 72,844 --a------ C:\WINDOWS\esgfsefrf.exe
2007-04-26 23:43 44,804 --a------ C:\WINDOWS\ntyrebgrtvfcd.exe
2007-04-26 07:12 71,420 --a------ C:\WINDOWS\wrefergghtr.exe
2007-04-26 07:12 71,004 --a------ C:\WINDOWS\cxbrtewfgtre.exe
2007-04-25 20:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-23 05:26 82,432 --a------ C:\WINDOWS\ins32.exe
2007-04-19 00:34 16 --a------ C:\WINDOWS\hpsys.dat


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-29 08:56 -------- d-------- C:\Program Files\america online 9.0
2007-04-26 07:12 4 --a------ C:\WINDOWS\system32\pngfmsne.dat
2007-04-18 02:15 -------- d-------- C:\Program Files\messenger
2007-03-29 02:27 0 --a------ C:\WINDOWS\x0h7bh.reg
2007-03-27 08:33 -------- d-------- C:\Program Files\itunes
2007-03-27 08:32 -------- d-------- C:\Program Files\ipod
2007-03-17 09:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-15 12:23 497496 --a------ C:\WINDOWS\system32\xceedzip.dll
2007-03-15 12:19 526184 --a------ C:\WINDOWS\system32\xceedcry.dll
2007-03-15 04:55 0 --a------ C:\WINDOWS\adc.dat
2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-05 23:37 -------- d-------- C:\Program Files\quicktime
2007-03-05 23:33 -------- d-------- C:\Program Files\apple software update
2007-03-05 15:22 51 --a------ C:\WINDOWS\fwall32.exe
2007-02-27 07:53 0 --a------ C:\WINDOWS\odfvf.dat
2007-02-22 22:49 16 --a------ C:\WINDOWS\npad32.dat
2007-02-20 18:30 0 --a------ C:\WINDOWS\np8dbq.exe
2007-02-13 23:29 16 --a------ C:\WINDOWS\sqhos32.dat
2007-02-13 02:14 186880 --a------ C:\WINDOWS\vdisk.exe
2007-02-05 16:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{7C554162-8CB7-45A4-B8F4-8EA1C75885F9} C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"ATIModeChange"="Ati2mdxx.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ezShieldProtector for Px"="C:\\WINDOWS\\System32\\ezSP_Px.exe"
"ZTgServerSwitch"="c:\\program files\\support.com\\client\\lserver\\server.vbs"
"HKSERV.EXE"="C:\\Program Files\\Sony\\HotKey Utility\\HKserv.exe"
"CreateCD_Reminder"="C:\\WINDOWS\\Sonysys\\VAIO Recovery\\reminder.exe"
"VAIO Recovery"="C:\\Windows\\Sonysys\\VAIO Recovery\\PartSeal.exe"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1146108193\\ee\\AOLSoftware.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"SSBkgdUpdate"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"
"PaperPort PTD"="C:\\Program Files\\ScanSoft\\PaperPort\\pptd40nt.exe"
"IndexSearch"="C:\\Program Files\\ScanSoft\\PaperPort\\IndexSearch.exe"
"SetDefPrt"="C:\\Program Files\\Brother\\Brmfl04b\\BrStDvPt.exe"
"ControlCenter2.0"="C:\\Program Files\\Brother\\ControlCenter2\\brctrcen.exe /autorun"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Aim6"="\"C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{C7F76815-E647-4BCE-B21A-600CE626E5D8}"="System Registry Hook"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-04 19:32:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-05-04 19:32:09
C:\ComboFix-quarantined-files.txt ... 07-05-04 19:32


Logfile of HijackThis v1.99.1
Scan saved at 7:38:40 PM, on 5/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\AOL\1146108193\ee\AOLSoftware.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
c:\program files\common files\aol\1146108193\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Documents and Settings\Lea Esther Benguigui\Desktop\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [CreateCD_Reminder] C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146108193\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

I've been raving about you guys to my friends, family, co-workers, strangers on the subway - just about anyone I come in contact with! Thank you so much for helping the helpless!

#6 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:11:22 AM

Posted 04 May 2007 - 08:52 PM

We are not out of the woods yet!! The HijackThis log looks OK, however, there are some strange files in that ComboFix log…

~~~~
Please launch Notepad, (Start > Run, type in: notepad)
Copy/paste all the blue REGEDIT below to it:

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\umcefomk.exe"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\umcefomk.exe"=-


In Notepad, go to File (upper menu bar), and select: Save as
In the Save as prompt:
Save in: Desktop
File Name: delete.reg
Save as Type: All files
Click: Save
Exit out of Notepad.

Back on the Desktop, double-click on the delete.reg file just saved and click on Yes

~~~~
Next, download The Avenger by Swandog46 to the Desktop.
Click on Avenger.zip to open the file
Then, extract avenger.exe to the Desktop

Copy all the blue text below by highlighting it and pressing Ctrl+C:

Files to delete:
C:\WINDOWS\system32\umcefomk.exe
C:\WINDOWS\system32\anapunkidopli.dll
C:\WINDOWS\system32\ialssrgc.exe
C:\WINDOWS\rtfybgtrvfcgtr.exe
C:\WINDOWS\tgrftgrf.exe
C:\WINDOWS\system32\nvstatld.dll
C:\WINDOWS\system32\pngfmsne.exe
C:\WINDOWS\nybtyhrtg.exe
C:\WINDOWS\esgfsefrf.exe
C:\WINDOWS\ntyrebgrtvfcd.exe
C:\WINDOWS\wrefergghtr.exe
C:\WINDOWS\cxbrtewfgtre.exe
C:\WINDOWS\x0h7bh.reg
C:\WINDOWS\fwall32.exe
C:\WINDOWS\odfvf.dat
C:\WINDOWS\npad32.dat
C:\WINDOWS\np8dbq.exe
C:\WINDOWS\sqhos32.dat


Folders to delete:
C:\{000044D6-0000-0000-4B6F-CC2FCB353A92}


Start The Avenger program by clicking on its icon on the Desktop.
Under: Script file to execute, select: Input Script Manually
Now click on the Magnifying Glass icon
It opens a new window titled: View/edit script
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done

Now click on the Green Light to begin the execution of the script
Answer Yes twice when prompted.

The Avenger will automatically do the following:
Restart the computer.
On reboot, it will briefly open a black command window on the Desktop, and this is normal.

After the restart, it creates a log file that opens with the results of Avenger’s actions.
This log file will be located at C:\avenger.txt

~~~~
Please download Dr.Web CureIt to the Desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Do not use it yet.

~~~~
Start the computer in Safe Mode :
-When the machine starts again, just before the Windows icon appears, tap the F8 key
-You are presented with a Windows XP Advanced Options menu.
-Select the option for Safe Mode using the keyboard arrow keys.
-Press Enter to boot into Safe Mode.
-Select your usual account

~~~~
Double-click the drweb-cureit.exe file and allow the express scan to run
  • A short scan checks the files currently running in memory
  • If something is found, click the yes button when asked if you want to cure it.
  • Once the short scan has finished, Select Object for Scanning appears at the bottom.
  • Mark the drives to scan by clicking on each drive.
    (Select all drives. A red dot shows which drives have been chosen.)
  • Click the green arrow at the right, and the scan starts.
  • Click 'Yes to all' if asked to cure/move any files.
  • When the scan is finished, click the first icon to the left of Object: Posted Image
  • Then click the next icon right below and select Move Incurable as you'll see in next image:
    Posted Image
    This moves a file to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured.
  • Next, in the Dr.Web CureIt menu on top, click File and choose Save report list
  • Save the report to the Desktop. The report is called DrWeb.csv
  • Close Dr.Web Cureit.
  • Next, reboot the computer!! (Files in use are moved/deleted during reboot.)
~~~~
Run ComboFix once again.

~~~~
Please post the contents of the Dr.Web CureIt log, the C:\avenger.txt , and a new ComboFix.txt.

Old duck...


#7 Bengy909

Bengy909
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:11:22 AM

Posted 06 May 2007 - 06:33 AM

Hi - I'm finishing up the scans you asked me to do...

In the meantime, I wanted to ask you about a certain error message that pops up everytime my computer is restarted. It reads:

"Windows Defender
Application failed to initialize: 0x800106ba. A problem caused Windows Defender Service to stop. To start the service, restart you computer or search Help and Support on how to start a service manually."

Needless to say, I have restarted the computer numerous times and it still keeps coming back. I also went to Help and Support, but no luck there either.

I meant to post about this before, but that darn little message has been popping up for the longest time now that I have come to think of it as part of the startup process... how sad...

Thanks!

Edited by Bengy909, 06 May 2007 - 07:17 AM.


#8 Bengy909

Bengy909
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:11:22 AM

Posted 06 May 2007 - 07:28 AM

Hi Aaflac,

Here are the logs you asked for:

inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.1;Probably BACKDOOR.Trojan;Incurable.Moved.;
HPFix.reg;C:\Documents and Settings\Lea Esther Benguigui\Desktop\SDFix\apps;Trojan.StartPage.1505;Deleted.;
Process.exe;C:\Documents and Settings\Lea Esther Benguigui\Desktop\SDFix\apps;Tool.Prockill;Incurable.Moved.;
aolsetup.exe;C:\Program Files\AIM6\services\softwareUpdate\ver2_13_13_7;Probably BACKDOOR.Trojan;Incurable.Moved.;
setup.exe;C:\Program Files\AOL\Installers\ASP 2.0;Probably BACKDOOR.Trojan;Incurable.Moved.;
setup.exe;C:\Program Files\Common Files\AOL\Backup\ACS\Current\Suite;Probably BACKDOOR.Trojan;Incurable.Moved.;
GTDownAO_106.ocx;C:\Program Files\Common Files\AolCoach\en_en;Adware.Gdown;Incurable.Moved.;
ycomp4 0 2 2.dll;C:\Program Files\Yahoo!\Installs;Probably DLOADER.Trojan;Incurable.Moved.;
A0018586.exe;C:\System Volume Information\_restore{14AB0BD9-ED23-4445-98C1-95FB6C64B155}\RP428;Win32.HLLM.Limar;Deleted.;
A0018612.exe;C:\System Volume Information\_restore{14AB0BD9-ED23-4445-98C1-95FB6C64B155}\RP428;Win32.HLLM.Limar;Deleted.;
A0018886.exe;C:\System Volume Information\_restore{14AB0BD9-ED23-4445-98C1-95FB6C64B155}\RP431;Win32.HLLM.Limar;Deleted.;
A0019421.exe;C:\System Volume Information\_restore{14AB0BD9-ED23-4445-98C1-95FB6C64B155}\RP441;Win32.HLLM.Limar;Deleted.;
A0019422.exe;C:\System Volume Information\_restore{14AB0BD9-ED23-4445-98C1-95FB6C64B155}\RP441;Win32.HLLM.Limar;Deleted.;
A0021137.exe;C:\System Volume Information\_restore{14AB0BD9-ED23-4445-98C1-95FB6C64B155}\RP451;Win32.HLLM.Limar;Deleted.;
A0021138.exe;C:\System Volume Information\_restore{14AB0BD9-ED23-4445-98C1-95FB6C64B155}\RP451;Win32.HLLM.Limar;Deleted.;
A0022207.exe;C:\System Volume Information\_restore{14AB0BD9-ED23-4445-98C1-95FB6C64B155}\RP454;Win32.HLLM.Limar;Deleted.;
A0034977.exe;C:\System Volume Information\_restore{14AB0BD9-ED23-4445-98C1-95FB6C64B155}\RP460;BackDoor.Mailbot;Deleted.;
A0035031.exe;C:\System Volume Information\_restore{14AB0BD9-ED23-4445-98C1-95FB6C64B155}\RP461;BackDoor.Mailbot;Deleted.;
A0056197.exe;C:\System Volume Information\_restore{14AB0BD9-ED23-4445-98C1-95FB6C64B155}\RP461;BackDoor.IRC.Sdbot.1337;Deleted.;
A0056198.exe;C:\System Volume Information\_restore{14AB0BD9-ED23-4445-98C1-95FB6C64B155}\RP461;BackDoor.Mailbot;Deleted.;
A0057229.dll;C:\System Volume Information\_restore{14AB0BD9-ED23-4445-98C1-95FB6C64B155}\RP462;Trojan.Vqten;Deleted.;
A0057237.dll;C:\System Volume Information\_restore{14AB0BD9-ED23-4445-98C1-95FB6C64B155}\RP462;Trojan.Vqten;Deleted.;
A0057516.sys;C:\System Volume Information\_restore{14AB0BD9-ED23-4445-98C1-95FB6C64B155}\RP464;Trojan.Spambot;Deleted.;
A0057523.sys;C:\System Volume Information\_restore{14AB0BD9-ED23-4445-98C1-95FB6C64B155}\RP464;Trojan.Spambot;Deleted.;
A0057624.dll;C:\System Volume Information\_restore{14AB0BD9-ED23-4445-98C1-95FB6C64B155}\RP464;Trojan.Vqten;Deleted.;
A0057626.exe;C:\System Volume Information\_restore{14AB0BD9-ED23-4445-98C1-95FB6C64B155}\RP464;BackDoor.Mailbot;Deleted.;
A0057632.dll;C:\System Volume Information\_restore{14AB0BD9-ED23-4445-98C1-95FB6C64B155}\RP464;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0057647.reg;C:\System Volume Information\_restore{14AB0BD9-ED23-4445-98C1-95FB6C64B155}\RP464;Trojan.StartPage.1505;Deleted.;
appprf32.dll;C:\WINDOWS\system32;Win32.HLLM.Limar;Deleted.;



Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\rslgjgmg

*******************

Script file located at: \??\C:\Program Files\glsbqxbt.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\umcefomk.exe not found!
Deletion of file C:\WINDOWS\system32\umcefomk.exe failed!

Could not process line:
C:\WINDOWS\system32\umcefomk.exe
Status: 0xc0000034

File C:\WINDOWS\system32\anapunkidopli.dll deleted successfully.
File C:\WINDOWS\system32\ialssrgc.exe deleted successfully.
File C:\WINDOWS\rtfybgtrvfcgtr.exe deleted successfully.
File C:\WINDOWS\tgrftgrf.exe deleted successfully.
File C:\WINDOWS\system32\nvstatld.dll deleted successfully.
File C:\WINDOWS\system32\pngfmsne.exe deleted successfully.
File C:\WINDOWS\nybtyhrtg.exe deleted successfully.
File C:\WINDOWS\esgfsefrf.exe deleted successfully.
File C:\WINDOWS\ntyrebgrtvfcd.exe deleted successfully.
File C:\WINDOWS\wrefergghtr.exe deleted successfully.
File C:\WINDOWS\cxbrtewfgtre.exe deleted successfully.
File C:\WINDOWS\x0h7bh.reg deleted successfully.
File C:\WINDOWS\fwall32.exe deleted successfully.
File C:\WINDOWS\odfvf.dat deleted successfully.
File C:\WINDOWS\npad32.dat deleted successfully.
File C:\WINDOWS\np8dbq.exe deleted successfully.
File C:\WINDOWS\sqhos32.dat deleted successfully.
Folder C:\{000044D6-0000-0000-4B6F-CC2FCB353A92} deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



"Lea Esther Benguigui" - 07-05-06 7:15:11 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\Lea Esther Benguigui\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-06 to 2007-05-06 ))))))))))))))))))))))))))))))))))


2007-05-05 21:22 <DIR> d-------- C:\DOCUME~1\LEAEST~1\DoctorWeb
2007-05-05 21:15 <DIR> d-------- C:\avenger
2007-05-04 19:32 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-04 17:56 16 --a------ C:\chdir.bat
2007-05-04 17:56 <DIR> d-------- C:\Rustbfix
2007-05-04 00:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-04 00:07 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-05-04 00:07 <DIR> d-------- C:\DOCUME~1\LEAEST~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-03 06:59 <DIR> d--h----- C:\WINDOWS\PIF
2007-05-03 06:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-02 00:20 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-05-02 00:07 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-04-26 23:59 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-04-25 20:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-23 05:26 82,432 --a------ C:\WINDOWS\ins32.exe
2007-04-19 00:34 16 --a------ C:\WINDOWS\hpsys.dat


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-29 08:56 -------- d-------- C:\Program Files\america online 9.0
2007-04-26 07:12 4 --a------ C:\WINDOWS\system32\pngfmsne.dat
2007-04-18 02:15 -------- d-------- C:\Program Files\messenger
2007-03-27 08:33 -------- d-------- C:\Program Files\itunes
2007-03-27 08:32 -------- d-------- C:\Program Files\ipod
2007-03-17 09:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-15 12:23 497496 --a------ C:\WINDOWS\system32\xceedzip.dll
2007-03-15 12:19 526184 --a------ C:\WINDOWS\system32\xceedcry.dll
2007-03-15 04:55 0 --a------ C:\WINDOWS\adc.dat
2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-13 02:14 186880 --a------ C:\WINDOWS\vdisk.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{7C554162-8CB7-45A4-B8F4-8EA1C75885F9} C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"ATIModeChange"="Ati2mdxx.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ezShieldProtector for Px"="C:\\WINDOWS\\System32\\ezSP_Px.exe"
"ZTgServerSwitch"="c:\\program files\\support.com\\client\\lserver\\server.vbs"
"HKSERV.EXE"="C:\\Program Files\\Sony\\HotKey Utility\\HKserv.exe"
"CreateCD_Reminder"="C:\\WINDOWS\\Sonysys\\VAIO Recovery\\reminder.exe"
"VAIO Recovery"="C:\\Windows\\Sonysys\\VAIO Recovery\\PartSeal.exe"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1146108193\\ee\\AOLSoftware.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"SSBkgdUpdate"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"
"PaperPort PTD"="C:\\Program Files\\ScanSoft\\PaperPort\\pptd40nt.exe"
"IndexSearch"="C:\\Program Files\\ScanSoft\\PaperPort\\IndexSearch.exe"
"SetDefPrt"="C:\\Program Files\\Brother\\Brmfl04b\\BrStDvPt.exe"
"ControlCenter2.0"="C:\\Program Files\\Brother\\ControlCenter2\\brctrcen.exe /autorun"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Aim6"="\"C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{C7F76815-E647-4BCE-B21A-600CE626E5D8}"="System Registry Hook"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-06 07:26:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-05-06 7:27:14
C:\ComboFix-quarantined-files.txt ... 07-05-06 07:27
C:\ComboFix2.txt ... 07-05-04 19:32



Since I really have no clue what's going on, any reassurances that my computer "will live" would be greatly appreciated. Unless things are pretty bad... like terminally ill bad... then maybe you should sugar coat the diagnosis for me... :thumbsup:

Once again, thank you for all your help.

#9 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:11:22 AM

Posted 06 May 2007 - 07:03 PM

Looking better. I would not throw the computer out the window!!

On the Windows Defender problem, try un-installing it, and installing the latest version: http://www.microsoft.com/downloads/details...;displaylang=en

~~~~
A couple of items to get rid of yet…

Copy all the blue text below by highlighting it and pressing Ctrl+C:

Files to delete:
C:\WINDOWS\ins32.exe
C:\WINDOWS\hpsys.dat
C:\WINDOWS\system32\pngfmsne.dat


Start The Avenger program by clicking on its icon on the Desktop.
Under: Script file to execute, select: Input Script Manually
Now click on the Magnifying Glass icon
It opens a new window titled: View/edit script
Paste the text above into this window by pressing (Ctrl+V).
Click Done

Now click on the Green Light to begin the execution of the script
Answer Yes twice when prompted.

After the restart, copy the C:\avenger.txt to post in your reply.


~~~~
Last, run a Panda online ActiveScan
http://www.pandasoftware.com/products/activescan.htm

On the top right go to: Free online virus scan
Follow the prompts, provide the required info, select: Scan Now!
Allow the ActiveX download.

Select a device to scan: Local Disks

Next, select: See Report
Then select: Save Report and post it in your reply.

~~~~
Run HijackThis, and Scan.

~~~~
Please provide the following:
The Avenger report
The Panda ActiveScan report
A new HijackThis log

Old duck...


#10 Bengy909

Bengy909
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:11:22 AM

Posted 07 May 2007 - 06:28 AM

Hi Aaflac,

Thank you. I had no idea these clean up jobs could take so long and I really appreciate your patience and persistence in helping a total stranger!

Here are the logs:



Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\fdwysuuf

*******************

Script file located at: \??\C:\WINDOWS\system32\ywucpyra.txt
Script file opened successfully.
Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\ins32.exe deleted successfully.
File C:\WINDOWS\hpsys.dat deleted successfully.
File C:\WINDOWS\system32\pngfmsne.dat deleted successfully.

Completed script processing.

*******************

Finished! Terminate.





Incident Status Location

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Lea Esther Benguigui\Cookies\lea esther benguigui@2o7[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Lea Esther Benguigui\Cookies\lea esther benguigui@atwola[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Lea Esther Benguigui\Desktop\ComboFix.exe[ComboFixT\nircmd.cfexe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Lea Esther Benguigui\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Lea Esther Benguigui\DoctorWeb\Quarantine\Process.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe






Logfile of HijackThis v1.99.1
Scan saved at 7:00:34 AM, on 5/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\AOL\1146108193\ee\AOLSoftware.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
c:\program files\common files\aol\1146108193\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Lea Esther Benguigui\Desktop\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [CreateCD_Reminder] C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146108193\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


I had planned on posting this information last night, but my wireless connection has been acting up. When I first start the computer it's working fine. Then it will start disconnecting and reconnecting again. Finally, it will simply stop working - and it can't even pick up a wireless signal! I know that can't be right because there are at least two other computers connected to the same wireless signal without any problems. Any idea if this is related to the nasty infections we're trying to get rid of or if it's totaly unrelated?

Thanks again.

#11 Bengy909

Bengy909
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:11:22 AM

Posted 07 May 2007 - 08:09 AM

Hi Aaflac,

I ran Spybot S&D and it found a couple problems:

Microsoft.WindowsSecurityCenter.FirewallBypass
Win23.PE

Both were fixed without an issue. I hope that in my eagerness to help I didn't mess up any of the problems you already fixed!

Thanks.

#12 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:11:22 AM

Posted 07 May 2007 - 03:32 PM

Let's see if anything is hiding from view.

Please download RustBFix by ejvindh:
http://www.uploads.ejvindh.net/rustbfix.exe
Save it to the Desktop.

Double click on rustbfix.exe to run the tool.
If a Rustock.b-infection is found, you are asked to reboot the computer.
The reboot takes a while, and perhaps 2 reboots are needed, but this will happen automatically.

After the reboot(s) 2 log-files are created: C:\Avenger.txt and a C:\RustBFix\Pelog.txt

~~~~
Next, download SilentRunners:
http://www.silentrunners.org/Silent%20Runners.zip
Unzip it to the Desktop and double-click on SilentRunners.vbs

There is malware that hides, and SilentRunners may show its Registry keys, if HijackThis does not.

If an alert about scripting appears from your anti-virus, choose to allow the script to run.
When the scan is done, Notepad opens with a log which is saved in the SilentRunners folder.

~~~~
Please post the content of the RustBFix C:\Avenger.txt and C:\RustBFix\Pelog.txt in your reply, along with a SilentRunners log.

Old duck...


#13 Bengy909

Bengy909
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:11:22 AM

Posted 07 May 2007 - 10:24 PM

Hi Aaflac,

Here it comes...




Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\fdwysuuf

*******************

Script file located at: \??\C:\WINDOWS\system32\ywucpyra.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\ins32.exe deleted successfully.
File C:\WINDOWS\hpsys.dat deleted successfully.
File C:\WINDOWS\system32\pngfmsne.dat deleted successfully.

Completed script processing.





************************* Rustock.b-fix -- By ejvindh *************************
Mon 05/07/2007 23:00:56.92

No Rustock.b-rootkits found

******************************* End of Logfile ********************************






"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Aim6" = ""C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp" ["AOL LLC"]
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" ["Google Inc."]
"SUPERAntiSpyware" = "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]
"AOL Fast Start" = ""C:\Program Files\America Online 9.0\AOL.EXE" -b" ["America Online, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Apoint" = "C:\Program Files\Apoint\Apoint.exe" ["Alps Electric Co., Ltd."]
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"ezShieldProtector for Px" = "C:\WINDOWS\System32\ezSP_Px.exe" ["Easy Systems Japan Ltd."]
"ZTgServerSwitch" = "c:\program files\support.com\client\lserver\server.vbs" [null data]
"HKSERV.EXE" = "C:\Program Files\Sony\HotKey Utility\HKserv.exe" ["Sony Corporation"]
"CreateCD_Reminder" = "C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe" ["Sony Electronics, Inc"]
"VAIO Recovery" = "C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe" ["Sony Electronics Inc"]
"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
"HostManager" = "C:\Program Files\Common Files\AOL\1146108193\ee\AOLSoftware.exe" ["America Online, Inc."]
"AOLDialer" = "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" ["AOL LLC"]
"Microsoft Works Update Detection" = "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" ["Microsoft® Corporation"]
"SSBkgdUpdate" = ""C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot" ["Scansoft, Inc."]
"PaperPort PTD" = "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" ["ScanSoft, Inc."]
"IndexSearch" = "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" ["ScanSoft, Inc."]
"SetDefPrt" = "C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe" ["Brother Industories, Ltd."]
"ControlCenter2.0" = "C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun" ["Brother Industries, Ltd."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Inc."]
"Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}\(Default) = "AOL Toolbar Launcher"
-> {HKLM...CLSID} = "AOL Toolbar Launcher"
\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealOne Player\rpshellext.dll" ["RealNetworks"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{C7F76815-E647-4BCE-B21A-600CE626E5D8}" = "System Registry Hook"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvstatld.dll" [file not found]
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WINDOW~4\MpShHook.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Microsoft\Internet Explorer\Toadstool.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Lea Esther Benguigui\Application Data\Microsoft\Internet Explorer\Toadstool.bmp"


Startup items in "Lea Esther Benguigui" & "All Users" startup folders:
----------------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"PowerPanel" -> shortcut to: "C:\Program Files\PowerPanel\Program\PcfMgr.exe /launch" ["Phoenix Technologies Ltd."]
"Status Monitor" -> shortcut to: "C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe Brother MFC-3240C /STARTUP" ["Brother Industries, Ltd."]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]
"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
"{DE9C389F-3316-41A7-809B-AA305ED9D922}"
-> {HKLM...CLSID} = "AOL Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{DE9C389F-3316-41A7-809B-AA305ED9D922}" = "AOL Toolbar"
-> {HKLM...CLSID} = "AOL Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{3369AF0D-62E9-4BDA-8103-B4C75499B578}\
"ButtonText" = "AOL Toolbar"
"CLSIDExtension" = "{DE9C389F-3316-41A7-809B-AA305ED9D922}"
-> {HKLM...CLSID} = "AOL Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.sony.com/vaiopeople

Missing lines (compared with English-language version):
[Strings]: 1 line

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{EA756889-2338-43DB-8F07-D1CA6FB9C90D}" = "AOL Search"
-> {HKLM...CLSID} = "AOLTBSearch Class"
\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AOL Connectivity Service, AOL ACS, ""C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe"" ["AOL LLC"]
AOL TopSpeed Monitor, AOL TopSpeedMonitor, "C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe" ["America Online, Inc"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
Brother Popup Suspend service for Resource manager, brmfrmps, ""C:\WINDOWS\system32\Brmfrmps.exe" -service " ["Brother Industries, Ltd."]
BrSplService, Brother XP spl Service, "C:\WINDOWS\system32\brsvc01a.exe" ["brother Industries Ltd"]
iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Inc."]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]
Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 306 seconds, including 8 seconds for message boxes)




Thanks!

#14 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:11:22 AM

Posted 07 May 2007 - 11:00 PM

Please launch Notepad, (Start > Run, type in: notepad)
Copy/paste all the blue REGEDIT below to it

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C7F76815-E647-4BCE-B21A-600CE626E5D8}"=-


In Notepad, go to File (upper menu bar), and select: Save as
In the Save as prompt:
Save in: Desktop
File Name: delete.reg
Save as Type: All files
Click: Save
Exit out of Notepad.

Back on the Desktop, double-click on the delete.reg file just saved and click on Yes when asked to merge the information into the Registry.

~~~~
Please post a new SilentRunners log.

Old duck...


#15 Bengy909

Bengy909
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:11:22 AM

Posted 08 May 2007 - 06:17 AM

Hi Aaflac,

Here's the log you asked for:




"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Aim6" = ""C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp" ["AOL LLC"]
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" ["Google Inc."]
"SUPERAntiSpyware" = "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]
"AOL Fast Start" = ""C:\Program Files\America Online 9.0\AOL.EXE" -b" ["America Online, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Apoint" = "C:\Program Files\Apoint\Apoint.exe" ["Alps Electric Co., Ltd."]
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"ezShieldProtector for Px" = "C:\WINDOWS\System32\ezSP_Px.exe" ["Easy Systems Japan Ltd."]
"ZTgServerSwitch" = "c:\program files\support.com\client\lserver\server.vbs" [null data]
"HKSERV.EXE" = "C:\Program Files\Sony\HotKey Utility\HKserv.exe" ["Sony Corporation"]
"CreateCD_Reminder" = "C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe" ["Sony Electronics, Inc"]
"VAIO Recovery" = "C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe" ["Sony Electronics Inc"]
"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
"HostManager" = "C:\Program Files\Common Files\AOL\1146108193\ee\AOLSoftware.exe" ["America Online, Inc."]
"AOLDialer" = "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" ["AOL LLC"]
"Microsoft Works Update Detection" = "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" ["Microsoft® Corporation"]
"SSBkgdUpdate" = ""C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot" ["Scansoft, Inc."]
"PaperPort PTD" = "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" ["ScanSoft, Inc."]
"IndexSearch" = "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" ["ScanSoft, Inc."]
"SetDefPrt" = "C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe" ["Brother Industories, Ltd."]
"ControlCenter2.0" = "C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun" ["Brother Industries, Ltd."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Inc."]
"Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}\(Default) = "AOL Toolbar Launcher"
-> {HKLM...CLSID} = "AOL Toolbar Launcher"
\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealOne Player\rpshellext.dll" ["RealNetworks"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WINDOW~4\MpShHook.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Microsoft\Internet Explorer\Toadstool.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Lea Esther Benguigui\Application Data\Microsoft\Internet Explorer\Toadstool.bmp"


Startup items in "Lea Esther Benguigui" & "All Users" startup folders:
----------------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"PowerPanel" -> shortcut to: "C:\Program Files\PowerPanel\Program\PcfMgr.exe /launch" ["Phoenix Technologies Ltd."]
"Status Monitor" -> shortcut to: "C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe Brother MFC-3240C /STARTUP" ["Brother Industries, Ltd."]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]
"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
"{DE9C389F-3316-41A7-809B-AA305ED9D922}"
-> {HKLM...CLSID} = "AOL Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{DE9C389F-3316-41A7-809B-AA305ED9D922}" = "AOL Toolbar"
-> {HKLM...CLSID} = "AOL Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{3369AF0D-62E9-4BDA-8103-B4C75499B578}\
"ButtonText" = "AOL Toolbar"
"CLSIDExtension" = "{DE9C389F-3316-41A7-809B-AA305ED9D922}"
-> {HKLM...CLSID} = "AOL Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.sony.com/vaiopeople

Missing lines (compared with English-language version):
[Strings]: 1 line

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{EA756889-2338-43DB-8F07-D1CA6FB9C90D}" = "AOL Search"
-> {HKLM...CLSID} = "AOLTBSearch Class"
\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AOL Connectivity Service, AOL ACS, ""C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe"" ["AOL LLC"]
AOL TopSpeed Monitor, AOL TopSpeedMonitor, "C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe" ["America Online, Inc"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
Brother Popup Suspend service for Resource manager, brmfrmps, ""C:\WINDOWS\system32\Brmfrmps.exe" -service " ["Brother Industries, Ltd."]
BrSplService, Brother XP spl Service, "C:\WINDOWS\system32\brsvc01a.exe" ["brother Industries Ltd"]
iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Inc."]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]
Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 60 seconds, including 18 seconds for message boxes)




Thanks.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users