
Malware Invasion. Been Battling For A Week.


25 replies to this topic

#1 noobalicious

noobalicious

  • Members
  • 69 posts

Posted 15 May 2007 - 06:16 PM

The guys at Techguys.org would not answer my thread, and it's been 5 days. I thought I was being patient, but I guess not. I provided a link to that thread where I posted to myself for the better part of a week.

http://forums.techguy.org/security/572093-...over-stuff.html

- It started with a Smitfraud-C variant. I ran SmitfraudFix to no avail. It probably removed something, but whatever. I finally took care of it by deleting the DLL associated with it, which allowed Spybot to remove it. So no more of the usual false security notification popups or fake anti-malware associated with Smitfraud. I determined the DLL by looking at the Spybot "recovery" log, I think.

- But my homepage was still being changed and my searches were still redirected, so I had HJT fix some bad BHOs and a DNS hijack O17 entry, and I ran VundoFix. It seemed to fix my browser and remove the Vundo byxxuvv.dll. The BHOs I think were CWS components, and I still need to run CWShredder. I also did the usual disable System Restore, then re-enable, etc.

BUT: Some things still don't seem right. Boot-ups are taking longer than normal, and I'm still hearing the same quiet "beep" while Windows loads up that I began hearing when the Smitfraud stuff was going off the hook (not the POST beep). I associated this beep with the malware starting up, and I continue to do so.

Basically, I did all I could by myself. Some of the specialized removal and scanning tools that you guys use, such as ComboFix or WinPFind3U, have virtually no public guides or information. And having HJT "fix" an entry doesn't always remove it.

I just wanna make sure it's all gone.

Sorry about the obnoxiously long post.

Here is the first HJT log I posted.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Alan\Desktop\Cleanup tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {180EBAE1-DA24-47AB-A0DB-32F555220101} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {8E4469CA-0012-4291-8975-4767172E5193} - (no file)
O2 - BHO: (no name) - {9A072AA0-A30B-4717-A573-4511BB05F6AC} - C:\WINDOWS\system32\byxxuvv.dll
O2 - BHO: (no name) - {BBA860A5-BA95-4942-B4C7-56C7A0CE92F2} - (no file)
O2 - BHO: (no name) - {C47A9554-195A-4769-9B13-04F15B450A39} - (no file)
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - (no file)
O2 - BHO: 0 - {E7D9F3FE-4C1F-4865-D8A8-CBD19B3626F9} - (no file)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1172860450321
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1172860850999
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxx.dll (file missing)
O20 - Winlogon Notify: byxxuvv - C:\WINDOWS\SYSTEM32\byxxuvv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: wEvDqKbnkl - {D06B5F9D-7AC1-F537-99D1-A8CAB1CBB2A0} - (no file)
O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dszsf.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1\RpcSandraSrv.exe

The O17 NS entries aren't there, so I must have gotten them along the way. My last log is below. I think there are one or two logs in between in the Techguys.org thread.


#2 noobalicious

noobalicious
  • Topic Starter

  • Members
  • 69 posts

Posted 15 May 2007 - 06:21 PM

This is my last HJT log


Logfile of HijackThis v1.99.1
Scan saved at 11:43:44 PM, on 5/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Alan\Desktop\Cleanup tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1172860450321
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1172860850999
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dszsf.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1\RpcSandraSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by noobalicious, 15 May 2007 - 06:56 PM.


#3 noobalicious

noobalicious
  • Topic Starter

  • Members
  • 69 posts

Posted 15 May 2007 - 06:30 PM

OH yeah I also had HJT "fix" this entry:

O21 - SSODL: wEvDqKbnkl - {D06B5F9D-7AC1-F537-99D1-A8CAB1CBB2A0} - (no file)

And I tried to have it fix this one (below), but it says that it has to reboot to fix it. After the reboot it is still listed in the HJT log, and when I go to the folder it says that it can't be deleted because it's "in use".

What the heck is this thing?

O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dszsf.exe

thanks

Oh yeah. A Panda scan will not run to completion, but just before it stops there are 3 "hijacking objects or rootkits" listed.

Edited by noobalicious, 15 May 2007 - 06:32 PM.
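The entries noobalicious is asking about (an unnamed BHO loaded from system32, a non-empty AppInit_DLLs value, an SSODL CLSID with no file behind it, and a service with no vendor string running from system32) are exactly the structural signals a helper checks by eye in an HJT log. As an added example that is not part of this thread and not HijackThis's own code, here is a small Python triage script that applies those checks to HJT log lines. The sample lines are constructed in the shape of the logs posted above (the O17 line uses a placeholder GUID and a documentation-range IP address), and the Winlogon Notify allowlist is an assumption made for the example, not a vetted list.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of HijackThis v1.99.1 output; the O17 line
# uses a placeholder GUID and a documentation-range address (203.0.113.1).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9A072AA0-A30B-4717-A573-4511BB05F6AC} - C:\WINDOWS\system32\byxxuvv.dll
O2 - BHO: (no name) - {BBA860A5-BA95-4942-B4C7-56C7A0CE92F2} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{PLACEHOLDER-GUID}: NameServer = 203.0.113.1
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: wEvDqKbnkl - {D06B5F9D-7AC1-F537-99D1-A8CAB1CBB2A0} - (no file)
O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dszsf.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# Assumed allowlist (example only): Winlogon Notify packages that appear as
# legitimate in the thread. A real triage verifies each DLL rather than trusting names.
KNOWN_WINLOGON_NOTIFY = {"wgalogon", "!saswinlogon"}

# Every HJT entry starts with a section code such as R0, O2, O17, O23.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")


@dataclass
class Finding:
    code: str       # HJT section code the entry came from
    severity: str   # "high" = persistence mechanism worth checking first, "review" = verify
    reason: str
    line: str


def triage_hjt(log_text):
    """Return the HJT entries that match structural warning signs, with a reason each."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, process list, blank lines
        code, body = m.group("code"), m.group("body")
        lower = body.lower()

        if code in ("O2", "O21") and ("(no file)" in lower or "(file missing)" in lower):
            findings.append(Finding(code, "review",
                "orphaned COM registration: the CLSID points at a file that no longer exists", line))
        elif code == "O2" and "(no name)" in lower and "\\windows\\system32\\" in lower:
            findings.append(Finding(code, "review",
                "unnamed BHO loaded from system32: legitimate BHOs normally carry a name and live under Program Files", line))
        elif code == "O20" and lower.startswith("appinit_dlls:"):
            findings.append(Finding(code, "high",
                "AppInit_DLLs is set: the module is loaded into every process that links user32.dll", line))
        elif code == "O20" and lower.startswith("winlogon notify:"):
            package = body.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
            if package not in KNOWN_WINLOGON_NOTIFY:
                findings.append(Finding(code, "high",
                    "unrecognised Winlogon Notify package: its DLL runs inside winlogon.exe at every logon", line))
        elif code == "O23" and "unknown owner" in lower and "\\system32\\" in lower and lower.endswith(".exe"):
            findings.append(Finding(code, "high",
                "service with no vendor string whose executable sits directly in system32", line))
        elif code == "O17" and "nameserver" in lower:
            findings.append(Finding(code, "review",
                "per-adapter DNS override: confirm it is the ISP's or router's resolver", line))
    return findings


def severity_counts(findings):
    """Tally findings by severity so the first pass can be prioritised."""
    counts = {"high": 0, "review": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code}: {f.reason}\n         {f.line}")
    print(severity_counts(triage_hjt(SAMPLE_LOG)))
```

On the sample the script flags the byxxuvv.dll BHO, the two "(no file)" registrations, the O17 override and the AppInit_DLLs value, and the dszsf.exe service, while leaving the Adobe BHO, the allowlisted WgaLogon package and the AVG service alone. The checks are heuristics: "Unknown owner" only means the executable carries no company string in its version resource, so a flagged entry is a candidate to look up by file properties and hash, not a verdict, and the script never removes anything.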


#4 Jintan

Jintan

  • Malware Response Team
  • 531 posts

Posted 18 May 2007 - 09:33 AM

Howdy noobalicious,


Welcome to Bleeping Computer. Given the changes you were making all along and the few days that have passed since your last post here, before we go on with repairing the infection it's best if you update me on any recent changes you have made.


Also go Here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your AV queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify you when the scan is complete. Copy the log from the Startup Programs file back here, along with a new HijackThis scan, please. You can use separate posts here if needed.


It would be good to post in your open thread on the other forum that you have now started repairs here and that the thread can be closed. I am sure the folks there are as busy as we are here, so a simple statement would suffice.
Ad eundum quo no duck ante iit

#5 noobalicious

noobalicious
  • Topic Starter

  • Members
  • 69 posts

Posted 21 May 2007 - 05:38 PM

> Howdy noobalicious,
>
> Welcome to Bleeping Computer. Given the changes you were making all along and the few days that have passed since your last post here, before we go on with repairing the infection it's best if you update me on any recent changes you have made.
>
> Also go Here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your AV queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify you when the scan is complete. Copy the log from the Startup Programs file back here, along with a new HijackThis scan, please. You can use separate posts here if needed.
>
> It would be good to post in your open thread on the other forum that you have now started repairs here and that the thread can be closed. I am sure the folks there are as busy as we are here, so a simple statement would suffice.


Sorry about the delay. I've been out of town, and thanks soooo much for replying. I'm at work now, but when I get home I'll follow your instructions and post back.

Thanks

#6 Jintan

Jintan

  • Malware Response Team
  • 531 posts

Posted 21 May 2007 - 06:32 PM

Post here when you can and we'll take up any necessary repairs at that time.
Ad eundum quo no duck ante iit

#7 noobalicious

noobalicious
  • Topic Starter

  • Members
  • 69 posts

Posted 22 May 2007 - 10:42 AM

Here's the Silent Runners log



"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ZoneAlarm Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
-> {HKLM...CLSID} = "SpywareGuardDLBLOCK.CBrowserHelper"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\dlprotect.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{acb4a560-3606-11d3-aef4-00104bd0f92d}" = "KodakShellExtension"
-> {HKLM...CLSID} = "KodakShellExtension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Kodak\ifscore\KodakShX.dll" ["Eastman Kodak Company"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{A155339D-CCCD-4714-85EB-3754B804C9DF}" = "a-squared Free Context Menu Shell Extension"
-> {HKLM...CLSID} = "a-squared Free Context Menu"
\InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2FREE~1.DLL" ["Emsi Software GmbH"]
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = (no title provided)
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]
<<!>> "{81559C35-8464-49F7-BB0E-07A383BEF910}" = (no title provided)
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "C:\WINDOWS\system32\perfc000.dat" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
a2FreeContMenu\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"
-> {HKLM...CLSID} = "a-squared Free Context Menu"
\InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2FREE~1.DLL" ["Emsi Software GmbH"]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
a2FreeContMenu\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"
-> {HKLM...CLSID} = "a-squared Free Context Menu"
\InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2FREE~1.DLL" ["Emsi Software GmbH"]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper2.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Alan\Local Settings\Application Data\Microsoft\Wallpaper2.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\plusaqar.scr" [MS]


Startup items in "Alan" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\Alan\Start Menu\Programs\Startup
"SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SYSTEMROOT%\system32\nvappfilter.dll ["NVIDIA"], 01 - 03, 09
%SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 10 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_01"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_01"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll" ["Sun Microsystems, Inc."]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
ForceWare Intelligent Application Manager (IAM), ForceWare Intelligent Application Manager (IAM), "C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe" [empty string]
ForceWare IP service, nSvcIp, "C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe" ["NVIDIA Corporation"]
ForceWare user log service, nSvcLog, "C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe" ["NVIDIA Corporation"]
Forceware Web Interface, ForcewareWebInterface, ""C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice" ["Apache Software Foundation"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 34 seconds, including 17 seconds for message boxes)

#8 noobalicious

noobalicious
  • Topic Starter

  • Members
  • 69 posts

Posted 22 May 2007 - 10:44 AM

And the latest HJT log.

I haven't made any repairs since the ones I listed at the start of the thread. Thanks again.


Logfile of HijackThis v1.99.1
Scan saved at 8:43:01 AM, on 5/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Alan\Desktop\Cleanup tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1172860450321
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1172860850999
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dszsf.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1\RpcSandraSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#9 noobalicious

noobalicious
  • Topic Starter

  • Members
  • 69 posts

Posted 22 May 2007 - 10:55 AM

One more thing. When I updated Windows this morning, during the install it redirected me to what looked like a bogus "side install". My sixth sense kicked in and I didn't actually run the thing, although it was cleverly "Windows looking" (a-holes...). Windows seemed to update fine after I closed the bogus site. However, an .exe got downloaded to my desktop called legitchk, or something like that. I deleted it, and I don't think it did anything. The reason I caught this was because the site I was redirected to had a familiar name that I think was listed on an R0 (or R1-R3, whatever) on one of my HJT logs that I deleted. The site was www.go.microsoft......., and I don't remember the rest. So I don't know if there's a Windows update hijack, but I'm pretty sure that's what just happened. Take care.

Edited by noobalicious, 22 May 2007 - 10:57 AM.


#10 Jintan

Jintan

  • Malware Response Team
  • 531 posts

Posted 22 May 2007 - 04:21 PM

Passing info back and forth in the forum here isn't the optimum means of direct repairs, but it really would be best if you didn't attempt any other changes, like that update, unless we discuss it here first. There's still a serious enough infection showing there, so let's get to work on that now.


Please disable SpywareGuard, as it may interfere with the removal of some entries. You can re-enable it after you're clean.
To disable SpywareGuard:

Right-click the running icon of SpywareGuard; it will open the program.
Then go to Menu, File, Exit.
Then confirm the program is closed.



Then download ComboFix.exe from here to your desktop, and click the downloaded file to run the repair.

When the command window opens, select 1 (and Enter). Allow the scan to run. When it completes, a text window will appear; please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.



Disable your antivirus program and go here (be sure to re-enable it after the scan completes) and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and take a break for a while.

When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All. Then copy/paste that log back here.


Reboot afterwards, then run and post back a new HijackThis and Silent Runners log, along with the combofix.txt log and the BitDefender log, please.
Ad eundum quo no duck ante iit

#11 noobalicious

noobalicious
  • Topic Starter

  • Members
  • 69 posts

Posted 22 May 2007 - 05:04 PM

OK I'll be home from work in a couple hours. I will immediately run ComboFix right when I get home.

I won't try to repair anything else, no worries. The only reason I did is that you guys are so busy; I had to try something just to get my system functional, and it worked for the most part. I can browse the web, and I'm playing HL2 at maxed settings just fine. However, I am getting BSODs more frequently than is reasonable, and the other stuff I mentioned.

The crashes were worrying me so I'm relieved that you found something. I was starting to think MOBO problems.

Thanks again

#12 noobalicious

noobalicious
  • Topic Starter

  • Members
  • 69 posts

Posted 22 May 2007 - 07:29 PM

Here's the ComboFix log


"Alan" - 2007-05-22 17:22:52 Service Pack 2
ComboFix 07-05.21.6.V - Running from: "C:\Documents and Settings\Alan\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\59812.exe
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Temp\17O7\tmpTF.log
C:\DOCUME~1\Alan\Desktop.\internet explorer.lnk
C:\WINDOWS\system32\sony.exe
C:\Documents and Settings\All Users.\documents\settings
C:\WINDOWS\system32\smpi1
C:\Temp\17O7
C:\Temp\tn3
C:\WINDOWS\system32\windev-255e-302d.sys
C:\WINDOWS\system32\windev-peers.ini


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_DRIVER
-------\LEGACY_NEW_DRV
-------\LEGACY_WINCOM32
-------\ windbg48
-------\Driver
-------\RpcApi
-------\windev-255e-302d


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-22 ))))))))))))))))))))))))))))))))))


2007-05-18 23:20 1,165 --a------ C:\WINDOWS\mozver.dat
2007-05-15 07:44 <DIR> d-------- C:\DOCUME~1\Alan\.housecall6.6
2007-05-14 23:27 <DIR> d--h----- C:\WINDOWS\PIF
2007-05-14 21:40 <DIR> d-------- C:\Program Files\SpywareGuard
2007-05-13 13:43 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-05-13 13:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-13 13:43 <DIR> d-------- C:\DOCUME~1\Alan\APPLIC~1\SUPERAntiSpyware.com
2007-05-12 21:21 0 --a------ C:\WINDOWS\nsreg.dat
2007-05-12 15:35 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-05-12 13:58 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-05-12 13:58 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-05-12 13:57 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-05-12 13:57 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-05-12 13:57 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-05-12 13:36 <DIR> d-------- C:\VundoFix Backups
2007-05-10 08:03 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-05-09 20:21 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-05-09 20:21 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-05-09 17:41 1,118 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-09 17:40 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-05-09 17:26 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-09 07:36 <DIR> d-------- C:\DOCUME~1\Judy\APPLIC~1\Lavasoft
2007-05-09 07:18 <DIR> d-------- C:\Temp
2007-05-04 22:37 <DIR> d-------- C:\Program Files\Valve
2007-05-04 18:24 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-05-04 17:54 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-05-04 17:54 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-05-04 17:54 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-05-01 22:19 <DIR> d-------- C:\DOCUME~1\Alan\APPLIC~1\wsInspector
2007-05-01 22:11 <DIR> d-------- C:\Program Files\Startup Inspector for Windows
2007-05-01 07:31 262,144 --a------ C:\DOCUME~1\APPLIC~1\NTUSER.DAT
2007-04-30 21:42 <DIR> d-------- C:\Program Files\RegCleaner
2007-04-30 21:37 86,016 --a------ C:\WINDOWS\system32\OpenAL32.dll
2007-04-30 21:37 262,144 --a------ C:\WINDOWS\system32\wrap_oal.dll
2007-04-30 21:27 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-04-30 21:27 <DIR> d-------- C:\WINDOWS\system32\windows media
2007-04-30 21:27 <DIR> d-------- C:\Program Files\Windows Media Components
2007-04-30 21:20 5,632 --a------ C:\WINDOWS\system32\drivers\Entech64.sys
2007-04-30 21:20 3,972 --a------ C:\WINDOWS\system32\drivers\PciBus.sys
2007-04-30 21:20 21,664 --a------ C:\WINDOWS\system32\drivers\Entech.sys
2007-04-30 21:20 <DIR> d-------- C:\WINDOWS\system32\Futuremark
2007-04-30 21:20 <DIR> d-------- C:\Program Files\Futuremark
2007-04-30 21:10 <DIR> d-------- C:\DOCUME~1\Alan\APPLIC~1\Help
2007-04-30 21:03 <DIR> d-------- C:\Program Files\SiSoftware
2007-04-30 17:17 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-04-27 07:43 <DIR> d---s---- C:\DOCUME~1\Judy\UserData
2007-04-26 22:29 <DIR> d-------- C:\DOCUME~1\Judy\APPLIC~1\Help
2007-04-25 21:45 <DIR> d-------- C:\DOCUME~1\Judy\APPLIC~1\Pegasys Inc


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-15 04:51:38 -------- d-----w C:\Program Files\SpywareBlaster
2007-05-13 20:43:20 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-10 14:27:26 -------- d-----w C:\Program Files\Online Services
2007-05-10 08:22:51 -------- d-----w C:\Program Files\a-squared Free
2007-05-01 04:35:53 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-21 02:53:58 -------- d-----w C:\Program Files\Google
2007-04-20 01:53:34 -------- d-----w C:\DOCUME~1\Alan\APPLIC~1\RipIt4Me
2007-04-17 01:44:58 -------- d-----w C:\Program Files\Microsoft Bootvis
2007-04-09 21:30:13 7,680 ----a-w C:\WINDOWS\system32\drivers\RKL13.tmp.sys
2007-04-07 01:00:00 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-04-05 00:56:44 -------- d-----w C:\Program Files\The Creative Assembly
2007-03-30 03:25:33 -------- d-----w C:\DOCUME~1\Alan\APPLIC~1\LEAPS
2007-03-29 07:21:30 -------- d-----w C:\Program Files\Pegasys Inc
2007-03-29 06:24:22 -------- d-----w C:\Program Files\MSN Messenger
2007-03-28 06:41:59 -------- d-----w C:\Program Files\The KMPlayer
2007-03-28 05:54:33 -------- d-----w C:\Program Files\RipIt4Me
2007-03-28 05:02:32 -------- d-----w C:\Program Files\DVD Decrypter
2007-03-28 04:53:24 -------- d-----w C:\Program Files\DVD Shrink
2007-03-27 06:25:00 -------- d-----w C:\Program Files\LimeWire
2007-03-27 05:41:29 -------- d-----w C:\Program Files\ACE Mega CoDecS Pack
2007-03-27 03:40:50 -------- d-----w C:\Program Files\AutoGK
2007-03-27 03:40:43 43,602 ----a-w C:\WINDOWS\system32\xvid-uninstall.exe
2007-03-27 03:40:37 -------- d-----w C:\Program Files\AviSynth 2.5
2007-03-27 03:40:25 -------- d-----w C:\Program Files\Gabest
2007-03-27 02:03:44 -------- d-----w C:\Program Files\DVDFab Decrypter 3
2007-03-26 07:16:58 -------- d-----w C:\DOCUME~1\Alan\APPLIC~1\ImgBurn
2007-03-26 07:16:34 -------- d-----w C:\Program Files\ImgBurn
2007-03-26 07:04:01 -------- d-----w C:\Program Files\GUI for dvdauthor
2007-03-20 01:17:46 -------- d--h--r C:\DOCUME~1\Alan\APPLIC~1\SecuROM
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 19:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 19:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll
2007-03-15 00:08:40 0 ----a-w C:\WINDOWS\system32\awtqolj.dll
2007-03-14 03:46:17 1,144,288 --sh--w C:\WINDOWS\system32\ihhkj.bak2
2007-03-12 04:57:02 -------- d-----w C:\DOCUME~1\Alan\APPLIC~1\Logitech
2007-03-12 04:41:33 -------- d-----w C:\Program Files\MUSICMATCH
2007-03-12 04:41:33 -------- d-----w C:\DOCUME~1\Alan\APPLIC~1\Musicmatch
2007-03-12 04:40:33 -------- d-----w C:\Program Files\Common Files\Logitech
2007-03-12 04:40:28 -------- d-----w C:\Program Files\Logitech
2007-03-11 05:01:37 -------- d-----w C:\DOCUME~1\Alan\APPLIC~1\Elaborate Bytes
2007-03-11 04:45:46 -------- d-----w C:\DOCUME~1\Alan\APPLIC~1\SlySoft
2007-03-11 02:13:59 -------- d-----w C:\Program Files\Elaborate Bytes
2007-03-11 01:57:55 -------- d-----w C:\Program Files\DivX
2007-03-10 22:25:07 -------- d-----w C:\Program Files\MySpace
2007-03-10 22:16:42 -------- d-----w C:\DOCUME~1\Alan\APPLIC~1\AdobeUM
2007-03-10 22:15:14 -------- d-----w C:\Program Files\QuickTime
2007-03-09 04:36:35 -------- d-----w C:\DOCUME~1\Alan\APPLIC~1\DivX
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-07 14:08:04 -------- d-----w C:\Program Files\ASUS
2007-03-07 14:04:16 -------- d-----w C:\DOCUME~1\Alan\APPLIC~1\Command & Conquer 3 Tiberium Wars Demo
2007-03-07 14:03:32 -------- d-----w C:\Program Files\Electronic Arts
2007-03-07 06:01:52 -------- d-----w C:\Program Files\Startup Mechanic
2007-03-07 05:48:45 -------- d-----w C:\Program Files\SlySoft
2007-03-07 03:18:31 -------- d-----w C:\Program Files\CCleaner
2007-03-07 03:18:26 -------- d-----w C:\Program Files\Yahoo!
2007-03-07 01:57:20 1,182,374 --sh--w C:\WINDOWS\system32\ihhkj.bak1
2007-03-05 15:24:46 77,000 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-03-03 02:07:19 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-03-02 22:29:18 208,896 ------w C:\WINDOWS\system32\nvusmb.exe
2007-03-01 10:17:04 720,896 ----a-w C:\WINDOWS\iun6002.exe
2007-03-01 09:30:52 0 --sha-r C:\MSDOS.SYS
2007-03-01 09:30:52 0 --sha-r C:\IO.SYS
2007-03-01 09:30:52 0 ----a-w C:\CONFIG.SYS
2007-03-01 09:30:52 0 ----a-w C:\AUTOEXEC.BAT
2007-03-01 09:28:33 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-02-28 23:05:26 86,016 ----a-w C:\WINDOWS\system32\ElbyCDIO.dll
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}=C:\Program Files\SpywareGuard\dlprotect.dll [2003-08-02 23:24]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2669c8f4-c926-11db-a00d-001a9215b2e4}]
AutoRun\command- E:\LaunchU3.exe -a



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070514-232500-587
O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dszsf.exe

backup-20070514-232219-580
O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dszsf.exe

backup-20070514-230959-997
O21 - SSODL: wEvDqKbnkl - {D06B5F9D-7AC1-F537-99D1-A8CAB1CBB2A0} - (no file)

backup-20070514-191449-471
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

backup-20070514-191438-865
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

backup-20070514-191438-773
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

backup-20070514-191438-690
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

backup-20070514-191438-679
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast

backup-20070514-191438-470
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

backup-20070513-211304-905
O17 - HKLM\System\CCS\Services\Tcpip\..\{C043BC27-488F-473C-9A67-9C5225E9BF99}: NameServer = 194.54.90.226

backup-20070513-211304-823
O17 - HKLM\System\CCS\Services\Tcpip\..\{DA112572-708E-4DEB-8112-8E8781385BD7}: NameServer = 194.54.90.226

backup-20070512-215902-362
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Event"=dword:00000000
"EulaAccepted"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
"Data"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,\
00,00,24,21,5f,b2,05,f0,9c,46,ad,18,0d,e4,a9,ca,06,23,04,00,00,00,04,00,00,\
00,53,00,00,00,03,66,00,00,a8,00,00,00,10,00,00,00,fc,6e,29,f6,22,17,a4,96,\
95,5b,7c,7e,7b,c8,d2,bc,00,00,00,00,04,80,00,00,a0,00,00,00,10,00,00,00,f4,\
76,eb,d4,57,70,ed,02,c3,29,6d,21,d4,f3,8e,10,b0,01,00,00,32,fd,a5,8b,6a,f6,\
3b,c9,39,6c,66,8c,9d,31,96,f7,15,71,a9,ce,8f,43,46,ae,85,06,09,ad,d8,de,5e,\
8b,80,ce,4b,e2,28,60,3f,e3,33,bb,b3,35,53,9f,a6,a1,c1,3c,a0,b3,a3,1f,21,67,\
88,6b,01,2c,43,98,ba,1d,60,a8,f6,59,a7,1d,19,ba,25,7c,2b,02,67,ee,ba,2a,d1,\
a9,c5,15,3c,e1,a3,ef,84,1f,f0,e5,f3,2c,f0,5a,62,c8,1e,f9,49,82,9f,8f,c4,d5,\
ad,14,79,58,3e,3a,3f,4f,ac,ff,c1,8a,5b,70,af,01,4b,6e,75,35,1e,0d,6d,71,43,\
87,ec,1d,45,10,a1,3d,6b,44,57,81,7b,c5,0d,fc,21,18,d5,a4,18,ca,0b,12,2c,c0,\
ad,98,83,fc,25,59,d7,59,81,05,29,94,12,e8,d5,fc,d7,57,10,ba,20,f0,a8,bf,d1,\
bf,01,5d,cc,4f,6f,ca,19,57,31,0e,40,e4,83,7e,f3,2b,ef,2a,eb,91,98,7d,1e,18,\
16,e2,54,80,98,f0,a2,21,fe,81,00,bd,91,f5,66,e8,04,f3,42,13,12,a1,1b,03,33,\
c9,81,46,94,09,27,5e,60,0e,3f,12,ce,e3,e4,bf,e5,e9,3b,c8,cd,b4,ad,4c,44,05,\
bc,6a,1c,47,e8,6b,90,fe,84,f4,51,c6,01,cf,42,d2,63,61,bd,ae,1f,e3,a2,43,fb,\
79,37,94,fa,9f,04,68,da,86,12,4b,a5,2c,30,fa,e4,44,e2,df,6b,20,ed,86,e9,b6,\
ba,d9,90,67,eb,e1,a2,51,1f,14,88,2a,fc,75,28,13,db,de,36,63,59,c9,de,df,1d,\
96,b3,4c,74,49,a6,6c,24,fa,7a,bc,6b,00,bd,e2,53,51,1d,44,dd,f1,48,50,e8,3b,\
61,b4,94,42,9e,06,f1,bb,85,86,00,96,5e,4a,34,3c,a0,10,a5,9a,6a,88,a9,83,bf,\
2c,5a,58,c3,15,a2,77,57,5f,ae,16,56,71,d2,00,89,a9,77,14,89,d6,2d,b5,6f,d4,\
61,1e,bf,8d,55,f2,5f,d5,95,9c,b7,d6,77,19,8a,9f,fc,13,eb,88,0f,ba,a6,9c,85,\
e2,14,00,00,00,7d,04,29,19,32,0a,9c,3b,f7,f0,26,58,73,40,bd,92,c5,ce,31,c2



backup-20070512-215902-596
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxx.dll (file missing)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\A3dxq]
"DllName"="C:\\WINDOWS\\system32\\a3dxx.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Startup"="Startup"



backup-20070512-215831-243
O2 - BHO: 0 - {E7D9F3FE-4C1F-4865-D8A8-CBD19B3626F9} - (no file)

backup-20070512-215831-960
O2 - BHO: (no name) - {BBA860A5-BA95-4942-B4C7-56C7A0CE92F2} - (no file)

backup-20070512-215831-565
O2 - BHO: (no name) - {9A072AA0-A30B-4717-A573-4511BB05F6AC} - (no file)

backup-20070512-215831-785
O2 - BHO: (no name) - {8E4469CA-0012-4291-8975-4767172E5193} - (no file)

backup-20070512-215831-868
O2 - BHO: (no name) - {180EBAE1-DA24-47AB-A0DB-32F555220101} - (no file)

backup-20070512-162552-541
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll
********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-22 17:25:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-22 17:26:34 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-22 17:26

--- E O F ---

#13 Jintan

Jintan

  • Malware Response Team
  • 531 posts

Posted 22 May 2007 - 08:23 PM

Some previous changes you made with HijackThis look to have hidden some telltale signs, but ComboFix located and removed quite a bit of serious rootkit activity there. Post back the other information when available and we'll move forward from there.

Edited by Jintan, 22 May 2007 - 08:23 PM.

Ad eundum quo no duck ante iit
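The "telltale signs" referred to here are visible in the HijackThis backups that ComboFix listed above: an O17 NameServer pointing at an unfamiliar resolver (194.54.90.226), an O20 AppInit_DLLs entry loading a .dat file, a Winlogon Notify entry and an SSODL entry whose files are missing, a BHO sitting loose in system32, and a service with no publisher running a randomly named executable from system32. The Python script below is an added example, not something posted in this thread and not part of HijackThis or ComboFix: it applies those same heuristics to HijackThis-format lines so a reader can see which entries would have been worth questioning before fixing anything. The sample lines are copied from the logs in this thread (two benign ones are included for contrast), and EXPECTED_RESOLVERS is an assumed placeholder for the resolvers you expect the machine to use.

```python
"""Triage HijackThis-format log lines for the load-point indicators seen in this thread.

Added example (not part of HijackThis, ComboFix, or this forum post).
"""
import ipaddress
import re
from pathlib import PureWindowsPath

# Assumed placeholder: the DNS resolvers this machine is expected to use (home
# router, ISP, or a chosen public resolver). Any other non-private O17 NameServer
# is treated as a hijack candidate.
EXPECTED_RESOLVERS = {ipaddress.ip_address("192.168.1.1")}

SYSTEM32 = PureWindowsPath(r"C:\WINDOWS\system32")

# First drive-letter path in a line that ends in a loadable/executable extension.
FILE_RE = re.compile(r'([A-Za-z]:\\[^"\s][^"]*?\.(?:exe|dll|dat|sys|ocx))', re.I)
LINE_RE = re.compile(r"(O\d+|R\d)\s+-\s+(.*)")

# Constructed sample built from lines in the HijackThis logs and the ComboFix
# "Hijackthis Backups" section posted earlier in this thread, plus two benign lines.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll
O2 - BHO: (no name) - {BBA860A5-BA95-4942-B4C7-56C7A0CE92F2} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{C043BC27-488F-473C-9A67-9C5225E9BF99}: NameServer = 194.54.90.226
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxx.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: wEvDqKbnkl - {D06B5F9D-7AC1-F537-99D1-A8CAB1CBB2A0} - (no file)
O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dszsf.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


def _in_system32_root(path):
    """True when the file sits directly in system32 rather than in a vendor subfolder."""
    return PureWindowsPath(path).parent == SYSTEM32


def triage_line(line):
    """Return (severity, reason) for one HijackThis line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    missing = "(no file)" in body or "(file missing)" in body
    path_match = FILE_RE.search(body)
    path = path_match.group(1) if path_match else None

    if section == "O17":
        # Resolver entries: anything non-private and not on the allowlist is suspect.
        ns = re.search(r"NameServer\s*=\s*([\d.,]+)", body)
        if ns:
            for ip_text in ns.group(1).split(","):
                try:
                    ip = ipaddress.ip_address(ip_text)
                except ValueError:
                    continue
                if ip not in EXPECTED_RESOLVERS and not ip.is_private:
                    return ("high", f"DNS resolver {ip} is not a private or expected resolver (hijack candidate)")
    elif section == "O20" and body.startswith("AppInit_DLLs:"):
        # AppInit_DLLs is empty on a clean XP box; a non-.dll target there is doubly odd.
        note = "" if path and path.lower().endswith(".dll") else " and the target is not even a .dll"
        return ("high", "AppInit_DLLs is populated" + note)
    elif section in ("O2", "O20", "O21") and missing:
        return ("medium", f"{section} load point references a file that no longer exists (orphaned entry)")
    elif section == "O2" and path and _in_system32_root(path):
        return ("medium", "BHO loaded from the system32 root rather than a vendor folder")
    elif section == "O23" and "Unknown owner" in body and path and _in_system32_root(path):
        return ("high", "service with no publisher runs an executable dropped directly in system32")
    return None


def triage(log_text):
    """Run triage_line over a whole log and return the flagged entries, worst first."""
    rank = {"high": 0, "medium": 1}
    hits = []
    for line in log_text.splitlines():
        verdict = triage_line(line)
        if verdict:
            severity, reason = verdict
            hits.append({"severity": severity, "reason": reason, "line": line.strip()})
    hits.sort(key=lambda h: rank[h["severity"]])
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"[{hit['severity'].upper():6}] {hit['reason']}\n         {hit['line']}")
```

Run as a script it prints the ranked findings for the sample; imported, `triage()` takes any HijackThis log text. The heuristics are deliberately conservative: entries under a vendor folder with a named publisher pass, and sections the script does not examine (O10 LSPs, O16 scanner CABs) are left alone, since on this machine those belong to the NVIDIA firewall and the online scanners the thread itself requested.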

#14 noobalicious

noobalicious
  • Topic Starter

  • Members
  • 69 posts

Posted 22 May 2007 - 08:38 PM

And the BitDefender log

BitDefender Online Scanner

Scan report generated at: Tue, May 22, 2007 - 18:09:11
Scan path: A:\;C:\;D:\;E:\;

Statistics
Time: 00:26:53
Files: 235586
Folders: 4290
Boot Sectors: 2
Archives: 1302
Packed Files: 17646

Results
Identified Viruses: 5
Infected Files: 6
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 6

Engines Info
Virus Definitions: 507878
Engine build: AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File - Status
C:\$VAULT$.AVG\01783187.FIL - Infected with: Trojan.Peed.NS
C:\$VAULT$.AVG\01783187.FIL - Disinfection failed
C:\$VAULT$.AVG\01783187.FIL - Deleted
C:\$VAULT$.AVG\03321890.FIL - Infected with: Trojan.Peed.NK
C:\$VAULT$.AVG\03321890.FIL - Disinfection failed
C:\$VAULT$.AVG\03321890.FIL - Deleted
C:\$VAULT$.AVG\05268015.FIL - Infected with: Trojan.Spambot.BXB
C:\$VAULT$.AVG\05268015.FIL - Disinfection failed
C:\$VAULT$.AVG\05268015.FIL - Deleted
C:\$VAULT$.AVG\93045671.FIL - Infected with: Exploit.Img.Ani.K
C:\$VAULT$.AVG\93045671.FIL - Disinfection failed
C:\$VAULT$.AVG\93045671.FIL - Deleted
C:\QooBox\Quarantine\C\WINDOWS\system32\windev-255e-302d.sys.vir - Infected with: Trojan.Peed.NI
C:\QooBox\Quarantine\C\WINDOWS\system32\windev-255e-302d.sys.vir - Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\system32\windev-255e-302d.sys.vir - Deleted
C:\System Volume Information\_restore{9463EABB-6AF3-4BD4-85AD-90D72A51DBC0}\RP5\A0005615.sys - Infected with: Trojan.Peed.NI
C:\System Volume Information\_restore{9463EABB-6AF3-4BD4-85AD-90D72A51DBC0}\RP5\A0005615.sys - Disinfection failed
C:\System Volume Information\_restore{9463EABB-6AF3-4BD4-85AD-90D72A51DBC0}\RP5\A0005615.sys - Deleted

#15 noobalicious

noobalicious
  • Topic Starter

  • Members
  • 69 posts

Posted 22 May 2007 - 08:43 PM

HJT log



Logfile of HijackThis v1.99.1
Scan saved at 6:43:44 PM, on 5/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Alan\Desktop\Cleanup tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1172860450321
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1172860850999
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dszsf.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1\RpcSandraSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
