
Virus/rootkit/hardware ?


This topic is locked
20 replies to this topic

#1 goblue1 (Members, 21 posts)

Posted 31 May 2007 - 08:27 AM

Have a Dell Inspiron 6000 XPsp2. Everything working good. Previously upgraded factory 256MB RAM with 2 sticks, Patriot 1GB + 512MB. No problems.
Now this is not smart, but a month ago decided to try Dell Restore to get a clean new system. Copied my programs and files onto CD and did a CTL F11 at boot up.

Dell Restore was so g....ed up that I finally said to heck with it. Reformatted, recovered Dell partition space and did a clean new install of factory XPsp2. Reloaded my stuff. My stuff negligible, clocks, calendars/reminders, CPU/HD temp monitoring, POP peeper email handler. Don't game.
Protection: AVG, Spybot, Spyware Guard, XP firewall. Spyware Blaster

During the new install I am sure I was exposed to the internet at times without full protection since it took me several days to get everything up and running normally again.

Started noticing 30% CPU spikes of process services.exe with approx 1 minute intervals. Also some BSOD with STOP 0x00000050 and 0x0000008E.
Did a Windows Repair. No changes. Checked for Rootkit Rustb, not present.

Have tried EVERY combination of RAM from original factory 256MB on up to my current 1.5GB installed.
After messing with RAM I now have for services.exe 100% CPU RAM spikes, but still about 1 minute apart. No other processes spike or appear abnormal. Haven't had a recent BSOD but, did before with this configuration.

In Safe mode with networking connected to internet no CPU spikes.

In normal mode, I can kill the spikes by disabling internet and starting Task Manager. Monitoring with Process Explorer shows the services.exe CPU spikes, after a little time, suddenly become continuous, one spike after another, until after about 8 of these, services.exe CPU goes down to normal 0-2%. It's like something got overloaded and killed. Then it seems to be able to run like this forever but, no internet.
Then Enable network connection and after opening IE the services.exe CPU spikes start again. I can repeat this connecting/disconnecting/killing/connecting over and over again. Repeatable.

Gentlemen/ladies, I am at a loss.


Logfile of HijackThis v1.99.1
Scan saved at 5:21:21 am, on 5/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\tools\POP Peeper\POPPeeper.exe
C:\Tools\I8kfanGUI\I8kfanGUI.exe
C:\Program Files\Alarm++\Alarm.exe
C:\Tools\CLCL\CLCL.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Tools\Process Explorer\procexp.exe
C:\Tools\ZClock\ZClock.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Tools\Calender\Rainlendar.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - HKCU\..\Run: [POP Peeper] "C:\tools\POP Peeper\POPPeeper.exe" -min
O4 - HKCU\..\Run: [i8kfangui] C:\Tools\I8kfanGUI\I8kfanGUI.exe /startup
O4 - Startup: Alarm++.lnk = C:\Program Files\Alarm++\Alarm.exe
O4 - Startup: Calendar.lnk = C:\Tools\Calender\Rainlendar.exe
O4 - Startup: Clipboard CLCL.lnk = C:\Tools\CLCL\CLCL.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Taskbar Activate.lnk = C:\Tools\Taskbar Activate\TaskbarActivate.exe
O4 - Startup: ZClock.lnk = C:\Tools\ZClock\ZClock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by129fd.bay129.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: ADILMC - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Randy\LOCALS~1\Temp\ADILMC.exe
O23 - Service: ADRTD - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Randy\LOCALS~1\Temp\ADRTD.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: GMAGDIHSDRM - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Randy\LOCALS~1\Temp\GMAGDIHSDRM.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HNQHPZY - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Randy\LOCALS~1\Temp\HNQHPZY.exe
O23 - Service: MX - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Randy\LOCALS~1\Temp\MX.exe
O23 - Service: PQIEEBZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Randy\LOCALS~1\Temp\PQIEEBZ.exe

#2 DaveM59 (Bleepin' Grandpa; Members, 1,355 posts; TN USA)

Posted 04 June 2007 - 10:38 PM

Hi goblue1,

Welcome to Bleeping Computer HijackThis forum. Sorry for the delay, this forum is pretty busy.

Your HijackThis log is clean.

Question -- what tool did you use to check for Rustock-B? BTW, good research work on finding the connection between the 08E error and this rootkit.

> During the new install I am sure I was exposed to the internet at times without full protection

This is pretty much the universal experience, since you have to go online to re-download all the Windows updates, as well as updates to your AV and other security software. I have done it several times myself. My feeling is that as long as you are behind a firewall -- preferably a router, but the XPSP2 firewall is okay, and it is enabled by default -- you stand very little chance of getting infected while doing updates. If that's all you did, I doubt even more that you have an infection.

However, speaking of firewalls -- you would be better off with a two-way firewall, since the XP firewall only blocks incoming traffic. Malware that makes its way onto your computer can "dial out" and the one-way firewall does nothing to stop it. So I would recommend replacing the XP firewall with one of these:

Zone Alarm

Sygate

Outpost Firewall Free

Kerio personal firewall

For more information about firewalls, please read this tutorial.

End of canned speech, back to your problem.

If this were my computer, I would pursue two lines of investigation: first, check each RAM module, by itself, using either Memtest86+ or the Microsoft Windows Memory Diagnostic tool. Both these tools require you to create a boot disk.

If one of your RAM modules tests faulty, then the question is, was this module installed in the computer when you did your Windows installation? If so, then I would not trust the installation. Faulty memory means errors in file copying, and you never know when or how those copy errors will cause the machine to "play up." In such a case I would recommend discarding the bad RAM, and doing a reinstall of Windows.

If all your memory is okay, then the next line of investigation would be to try to pin down what is causing the spikes. One quick test you might try is to see if you have the same issues when using a different browser, such as Firefox.

> Then Enable network connection and after opening IE the services.exe CPU spikes start again.

It sounds like you must do both -- re-enable the network and start IE -- before the spiking pattern returns. Hence my suggestion to try Firefox. On the other hand,

> In Safe mode with networking connected to internet no CPU spikes.

This makes it sound like some service or startup program that is not running in safe mode is the source of the spiking. My wild guess would be some auto update or other misbehaving "feature" of a program, that is trying to phone home.

Please post back with your answer to my questions, and any further observations you may have about this problem. Depending on how much you did online before you got your AV and antispyware up and running, some further scanning for malware might be warranted.

Also, please post a fresh HJT log, since it has been several days.

Looking forward to your reply.

Dave

#3 goblue1 (Topic Starter; Members, 21 posts)

Posted 05 June 2007 - 01:37 AM

Hi Dave, thanks for your help.

I did 2 checks for Rustock-B. First I booted to Recovery Console and said disable pe386. It said something like service not there. Also, I downloaded rustbfix.exe (can't remember from where), ran and it says it's not there.

I took a quick look at Microsoft Windows Memory Diagnostic tool and plan to run it but, wanted to give you an update with what I know right now and answer your questions. Also, from your input, I take it that just putting in each stick of memory by itself in my computer and demonstrating the problem did not really prove anything? Is that right?

A new observation. My computer ran for a day with no spikes. I had cleaned the registry with RegSeeker and optimized with NT REG OPTIMIZE then, noticed no spikes for about a day. But the services.exe CPU spikes started again for no apparent reason.

Also, I downloaded SUPERAntiSpyware.exe. I tried 6 times to run this scanner and 6 times I got BSOD with alternating STOP 08E and 050 errors. The scan never got to files. It killed the computer scanning memory, registry, startup locations and never got to files or maybe just started before I saw the Blue Screen. Hope this means something to you?

As for firewalls, I recall using ZoneAlarm long ago and not being happy with it. Recently, I read that it slows down the internet experience. Which would you recommend for good protection with minimal impact on performance? Also, do you know if my Dell TrueMobile 2300 has a built in firewall? I don't see any setting to turn it on or off.

As for browser versus startup versus service program, I think service because there are no spikes networked in safe mode with IE. Actually, I did not previously have Spybot set to advanced mode with the resident shield, so I will stop the shield. But, gee it's hard to imagine this as the problem. Also, from the enclosed HiJackThis log you will see I've unloaded most of my pet startup programs and SpywareGuard.

I just recently, since starting this reply killed the spikes by disabling my wireless network connected to the wireless router with IE remaining open and after several minutes with no spikes re-enabled network connection. The spikes started back up again. What service associated with the network could be causing this? Is there a way I can output/post my services so you can see what is running?

Hope I answered all your questions.

Thank you,
Randy

Logfile of HijackThis v1.99.1
Scan saved at 11:21:35 PM, on 6/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\tools\POP Peeper\POPPeeper.exe
C:\Tools\I8kfanGUI\I8kfanGUI.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Tools\Process Explorer\procexp.exe
C:\Tools\CLCL\CLCL.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [POP Peeper] "C:\tools\POP Peeper\POPPeeper.exe" -min
O4 - HKCU\..\Run: [i8kfangui] C:\Tools\I8kfanGUI\I8kfanGUI.exe /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by129fd.bay129.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

#4 DaveM59 (Bleepin' Grandpa; Members, 1,355 posts; TN USA)

Posted 05 June 2007 - 11:38 AM

Hi again,

> Hope this means something to you?

Well, it means that the software hypothesis is looking better. Also that it's worthwhile doing a bit more checking for malware.

Just to be sure I understand you re: your experiments with the RAM modules -- you got BSODs with all combinations of memory modules, including each one individually?

If that's the case, I would say bad RAM is pretty well ruled out. No need to go forward with the RAM testing. The chances that all three of your memory sticks have gone bad is very small.

Please update your Superantispyware (hereafter SAS) and try to run a scan in safe mode. Print these instructions, or save them to a file, so that you can have them available. I want you to boot into safe mode without networking support. Here's a canned speech, does not cover safe mode, but it sounds like you are familiar with booting into safe mode already. Once you are in safe mode, proceed as follows.

1. Under "Configuration and Preferences", click the Preferences button.
2. Click the Scanning Control tab.
3. Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
4. Click the "Close" button to leave the control center screen.
5. Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
6. On the left, make sure you check C:\Fixed Drive.
7. On the right, under "Complete Scan", choose Perform Complete Scan.
8. Click "Next" to start the scan. Please be patient while it scans your computer.
9. After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
10. Make sure everything has a checkmark next to it and click "Next".
11. A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
12. If asked if you want to reboot, click "Yes".
13. To retrieve the removal information after reboot, launch SUPERAntispyware again.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Please copy and paste the Scan Log results in your next reply.
14. Click Close to exit the program.

Another thing I would like to see is an Uninstall List.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
More information with a screenshot, can be found here.

Post both logs with your next reply. Also, I want to see a regular HijackThis log, but I want you to make it under specific conditions. I would like you to reboot your computer in Normal mode and immediately run HijackThis. Do not open any other programs. Run the scan. Save the log as usual.

The reason I am interested in this, I see two instances of Internet Explorer running in both your previous logs. First one I thought, maybe you had started two copies of the program. Lots of people have their browsers set up so that clicking a link opens a second instance (a "new window"). But this one shows the same thing. So for the new scan, I want to make sure you have not launched IE since booting and there are no instances showing in your taskbar. If one shows up in your List of Running Processes in spite of these conditions, then some other program on your system is launching a copy of IE.

Looking forward to your reply.

Dave

Edit: Sorry I forgot to answer your questions. Your router uses Network Address Translation which makes it a basic firewall. That combined with the XP firewall is plenty to block unauthorized incoming traffic.

I know that Zone Alarm has lost a lot of fans recently. I don't have any strong preference among the others I listed. All of them are less resource-hungry than ZA.

Hope this helps.

Edited by DaveM59, 05 June 2007 - 12:09 PM.
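Two things in this thread are done by eye: reading the O23 service entries in the first log (several of which run from a user's Temp directory), and comparing the "Running processes" list between logs to spot the second IEXPLORE.EXE that Dave asks about. The script below is an added example from the editor, not HijackThis code or anything posted by the participants; it assumes the v1.99.1 log layout shown in the thread (a "Running processes:" list ended by a blank line, then R/F/O entries), and the two log excerpts in it are constructed from the first and third logs above.

```python
"""
Helper for reading HijackThis v1.99.1-style logs like the ones in this thread.
Added example, not part of HijackThis. It assumes the log layout shown above:
a "Running processes:" block terminated by a blank line, then lines such as
"O23 - Service: Name - Vendor - C:\\path\\file.exe".

It does three things a helper would otherwise do by eye:
  * parse the process list and the R/F/O entries,
  * flag entries worth a second look: O23 services launched from a user's
    Temp directory, and any entry marked "(file missing)",
  * compare the process lists of two logs, so an extra process (such as a
    second IEXPLORE.EXE nobody started) stands out.
"""
import re
from collections import Counter

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)  # e.g. ...\LOCALS~1\Temp\x.exe

# Constructed excerpts, trimmed from the first and third logs in this thread.
LOG_A = r"""Logfile of HijackThis v1.99.1
Scan saved at 5:21:21 am, on 5/31/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: ADILMC - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Randy\LOCALS~1\Temp\ADILMC.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""

LOG_B = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\HijackThis\HijackThis.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""


def parse_hjt_log(text):
    """Return {'processes': [paths], 'entries': [(kind, body), ...]}."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # blank line closes the process block
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return {"processes": processes, "entries": entries}


def flag_entries(parsed):
    """Entries worth a second look, as (kind, reason, original body)."""
    flagged = []
    for kind, body in parsed["entries"]:
        path = body.rsplit(" - ", 1)[-1]       # last " - " field is the file path
        if "(file missing)" in body:
            flagged.append((kind, "file missing", body))
        elif kind == "O23" and TEMP_RE.search(path):
            flagged.append((kind, "service runs from Temp", body))
    return flagged


def duplicate_processes(parsed):
    """Processes listed more than once (case-insensitive) -> count."""
    counts = Counter(p.lower() for p in parsed["processes"])
    return {p: n for p, n in counts.items() if n > 1}


def diff_processes(parsed_a, parsed_b):
    """(only in b, only in a), respecting multiplicity."""
    a = Counter(p.lower() for p in parsed_a["processes"])
    b = Counter(p.lower() for p in parsed_b["processes"])
    return sorted((b - a).elements()), sorted((a - b).elements())


def report(log_a, log_b):
    """Human-readable summary lines for two raw logs."""
    a, b = parse_hjt_log(log_a), parse_hjt_log(log_b)
    lines = [f"[{k}] {reason}: {body}" for k, reason, body in flag_entries(a)]
    lines += [f"{n}x running in first log: {p}" for p, n in duplicate_processes(a).items()]
    added, removed = diff_processes(a, b)
    lines += [f"only in second log: {p}" for p in added]
    lines += [f"only in first log: {p}" for p in removed]
    return lines


if __name__ == "__main__":
    print("\n".join(report(LOG_A, LOG_B)))
```

Run with two saved logs in place of the constructed excerpts. A service that runs from a Temp directory is not proof of anything on its own (some diagnostic tools install a temporary service), but it is exactly the kind of entry that deserves a question in a reply; the process diff is what Dave's "reboot, run nothing else, scan" request is designed to make possible.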


#5 goblue1 (Topic Starter; Members, 21 posts)

Posted 05 June 2007 - 05:15 PM

Hi Dave, thanks for all your help. I really appreciate it.

Regarding RAM: I have CPU spikes with all 3 modules individually installed. I limited individual module running times to just experiencing the CPU spikes then moved on to another configuration so I don't know about BSODs with individual modules. The latest and consistent BSODs were with my current config of 512MB + 1GB installed in my 2 laptop slots. The BSODs occurred 6 times in a row when running SAS in normal mode. I have not yet done the memory check on the individual modules. I wanted to get this latest info to you ASAP because of the rootkit discovery by SAS in safe mode.

Here is what you asked for:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/05/2007 at 02:39 PM

Application Version : 3.8.1002

Core Rules Database Version : 3249
Trace Rules Database Version: 1260

Scan type : Complete Scan
Total Scan Time : 00:33:36

Memory items scanned : 155
Memory threats detected : 0
Registry items scanned : 3788
Registry threats detected : 3
File items scanned : 16834
File threats detected : 15

Trojan.Rootkit-Windev/I
HKLM\System\ControlSet001\Services\windev-7473-4364
C:\WINDOWS\SYSTEM32\WINDEV-7473-4364.SYS
HKLM\System\ControlSet002\Services\windev-7473-4364
HKLM\System\CurrentControlSet\Services\windev-7473-4364

Adware.Tracking Cookie
C:\Documents and Settings\Randy\Cookies\randy@247realmedia[1].txt
C:\Documents and Settings\Randy\Cookies\randy@ehg-dig.hitbox[2].txt
C:\Documents and Settings\Randy\Cookies\randy@ehg-suite101.hitbox[1].txt
C:\Documents and Settings\Randy\Cookies\randy@questionmarket[1].txt
C:\Documents and Settings\Randy\Cookies\randy@hitbox[2].txt
C:\Documents and Settings\Randy\Cookies\randy@trafficmp[1].txt
C:\Documents and Settings\Randy\Cookies\randy@ads.addynamix[1].txt
C:\Documents and Settings\Randy\Cookies\randy@anat.tacoda[2].txt
C:\Documents and Settings\Randy\Cookies\randy@anad.tacoda[2].txt
C:\Documents and Settings\Randy\Cookies\randy@advertising[2].txt
C:\Documents and Settings\Randy\Cookies\randy@tacoda[1].txt
C:\Documents and Settings\Randy\Cookies\randy@revsci[1].txt
C:\Documents and Settings\Randy\Cookies\randy@meetupcom.122.2o7[1].txt
C:\Documents and Settings\Randy\Cookies\randy@interclick[1].txt


THE UNINSTALL LIST

Add/Remove Pro
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Alarm++
ALPS Touch Pad Driver
AVG 7.5
Broadcom 440x 10/100 Integrated Controller
Canon i250
C-Major Audio
Conexant D110 MDC V.92 Modem
Cookie Jar
CutePDF Writer 2.1
Dell TrueMobile 2300 Control Utility
ERUNT 1.1j
FreeZip
Google Toolbar for Internet Explorer
HijackThis 1.99.1
IconArt
Intel® Graphics Media Accelerator Driver for Mobile
Intel® PROSet/Wireless Software
Java™ SE Runtime Environment 6 Update 1
MDFolder
Microsoft Office Basic Edition 2003
Microsoft Office PowerPoint Viewer 2003
Modem Helper
POP Peeper
Send To Extensions PowerToy
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
SpywareGuard v2.2
SUPERAntiSpyware Free Edition
Tweak UI
ViceVersa FREE 1.0.3
Windows Resource Kit Tools
Windows Support Tools

Logfile of HijackThis v1.99.1
Scan saved at 3:05:37 PM, on 6/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Apoint\Apntex.exe
C:\tools\POP Peeper\POPPeeper.exe
C:\Program Files\Apoint\HidFind.exe
C:\Tools\I8kfanGUI\I8kfanGUI.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\Program Files\Alarm++\Alarm.exe
C:\Tools\Calender\Rainlendar.exe
C:\Tools\CLCL\CLCL.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Tools\ZClock\ZClock.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [POP Peeper] "C:\tools\POP Peeper\POPPeeper.exe" -min
O4 - HKCU\..\Run: [i8kfangui] C:\Tools\I8kfanGUI\I8kfanGUI.exe /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - Startup: Alarm++.lnk = C:\Program Files\Alarm++\Alarm.exe
O4 - Startup: Calendar.lnk = C:\Tools\Calender\Rainlendar.exe
O4 - Startup: Clipboard CLCL.lnk = C:\Tools\CLCL\CLCL.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: ZClock.lnk = C:\Tools\ZClock\ZClock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by129fd.bay129.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

Thanks.
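The SUPERAntiSpyware log above is the turning point of the thread, and the useful part of it is not the tracking cookies but the four lines under Trojan.Rootkit-Windev/I: a driver file in SYSTEM32 plus a service key under ControlSet001, ControlSet002 and CurrentControlSet. The parser below is an added example from the editor, not SUPERAntiSpyware's own code; it assumes the 3.x log layout posted above (a "key : value" summary, then each threat name followed by its items and a blank line), and the embedded log is constructed from that post.

```python
"""
Parser for a SUPERAntiSpyware 3.x-style scan log like the one posted above.
Added example, not SUPERAntiSpyware code. It groups detected items under
their threat name, tells registry keys from files, and lists the control
sets in which a detected driver service is registered, so the persistence
points of a detection such as Trojan.Rootkit-Windev/I are visible at a glance.
"""
import re

SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<value>\S.*)$")
REG_PREFIXES = ("HKLM\\", "HKCU\\", "HKU\\", "HKCR\\")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
SERVICE_KEY_RE = re.compile(
    r"^HKLM\\System\\(?P<set>ControlSet\d{3}|CurrentControlSet)\\Services\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)

# Constructed excerpt of the scan log posted in this thread.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/05/2007 at 02:39 PM

Application Version : 3.8.1002

Core Rules Database Version : 3249
Trace Rules Database Version: 1260

Scan type : Complete Scan
Total Scan Time : 00:33:36

Memory items scanned : 155
Memory threats detected : 0
Registry items scanned : 3788
Registry threats detected : 3
File items scanned : 16834
File threats detected : 15

Trojan.Rootkit-Windev/I
HKLM\System\ControlSet001\Services\windev-7473-4364
C:\WINDOWS\SYSTEM32\WINDEV-7473-4364.SYS
HKLM\System\ControlSet002\Services\windev-7473-4364
HKLM\System\CurrentControlSet\Services\windev-7473-4364

Adware.Tracking Cookie
C:\Documents and Settings\Randy\Cookies\randy@247realmedia[1].txt
C:\Documents and Settings\Randy\Cookies\randy@hitbox[2].txt
"""


def classify(item):
    """'registry' for a hive-rooted key, 'file' for a drive-rooted path."""
    if item.upper().startswith(REG_PREFIXES):
        return "registry"
    if DRIVE_RE.match(item):
        return "file"
    return "other"


def parse_sas_log(text):
    """Return {'summary': {key: value}, 'detections': {threat: [items]}}."""
    summary, detections = {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None            # a blank line ends a detection block
            continue
        if line.startswith("http"):
            continue                  # vendor URL under the title line
        if classify(line) != "other":
            detections.setdefault(current or "(unattributed)", []).append(line)
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("key").strip()] = m.group("value").strip()
        else:
            current = line            # a threat name introduces a block
            detections.setdefault(current, [])
    # The title and "Generated ..." lines never receive items; drop them.
    return {"summary": summary,
            "detections": {k: v for k, v in detections.items() if v}}


def service_persistence(parsed):
    """Map each detected service name to the control sets it is registered in."""
    found = {}
    for items in parsed["detections"].values():
        for item in items:
            m = SERVICE_KEY_RE.match(item)
            if m:
                found.setdefault(m.group("name"), set()).add(m.group("set"))
    return {name: sorted(sets) for name, sets in found.items()}


if __name__ == "__main__":
    result = parse_sas_log(SAMPLE_LOG)
    for threat, items in result["detections"].items():
        print(threat)
        for item in items:
            print(f"  {classify(item):8} {item}")
    print(service_persistence(result))
```

CurrentControlSet is a link to whichever numbered control set Windows booted from, so seeing the same service name under ControlSet001, ControlSet002 and CurrentControlSet means the driver was registered in both the active and the "last known good" configuration; that is why the later advice in this thread is to run the rootkit-specific tools rather than rely on a single registry cleanup.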

#6 DaveM59 (Bleepin' Grandpa; Members, 1,355 posts; TN USA)

Posted 05 June 2007 - 09:17 PM

Hi again,

Well, at last we are making some headway!

Let's not worry about the RAM right now. It is quite possible that your infection is the cause of all your blue screens. If, after we are sure you are clean, you continue to see them, then it would be worthwhile to test your RAM modules.

I checked a few topics about this rootkit, which is also known as Peacomm.B and Troj/Dropper-OT. There's a good writeup about it here. Looks like it often comes with other malware, so we need to run a few more tools.

First, disable TeaTimer as it may interfere with the action of some of these tools:

# Run Spybot-S&D in Advanced Mode.
# If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
# On the left hand side, Click on Tools
# Then click on the Resident Icon in the List
# Uncheck "Resident TeaTimer" and OK any prompts.
# Restart your computer.

You also should disable SpywareGuard. This is more trouble because, as the canned speech notes, it will automatically restart itself every time you reboot into normal mode, so you will have to do this several times.

Right click the running icon of Spywareguard in the system tray to open the program. Then go to Menu, File, and choose Exit. It will automatically restart at next boot.

Next, the Swiss Army Knife of malware fighters, Combofix:

Please download Combofix to your desktop.
Double-click combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

Next let's run a rootkit scan just to make sure there aren't any more of the little buggers lurking.

Download gmer.zip and save to your desktop.
alternate download site 1
alternate download site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure; Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on "Settings", then check the first five settings:
    *System Protection and Tracing
    *Processes
    *Save created processes to the log
    *Drivers
    *Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.

Post the Combofix and Gmer logs to your next reply. Also post a fresh HijackThis log. Tell me if you had any trouble running the scans, and how the computer is running now.

Good luck,

Dave

#7 goblue1

goblue1
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:10:21 AM

Posted 06 June 2007 - 05:32 PM

Hi Dave, thanks again for all your help.

Sorry for the delay getting back to you, my ISP was out for 17 hrs. What a scare, thought it was my computer for 2 hrs, was ready to reload Windows until I called the ISP and found out it was them.

Anyhow, my computer has been running good, no CPU spikes or BSOD.

Had to download Combofix from another BleepingComputer site, your link did not work for me, hope this is the right version for you:

"Randy" - 2007-06-06 14:42:12 Service Pack 2 NTFS
ComboFix 07-06-3B - Running from: "C:\Documents and Settings\Randy\Desktop\"


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\windev-peers.ini


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_WINCOM32


((((((((((((((((((((((((( Files Created from 2007-05-06 to 2007-06-06 )))))))))))))))))))))))))))))))


2007-06-05 06:05 <DIR> d-------- C:\Program Files\Resource KitTools
2007-06-04 13:10 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-06-04 13:10 <DIR> d-------- C:\DOCUME~1\Randy\APPLIC~1\SUPERAntiSpyware.com
2007-06-04 13:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-04 13:09 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-31 13:58 139,264 --a------ C:\WINDOWS\system32\igfxres.dll
2007-05-30 19:18 <DIR> d-------- C:\Program Files\Support Tools
2007-05-30 11:21 <DIR> d-------- C:\DOCUME~1\Randy\APPLIC~1\Help
2007-05-27 16:06 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-05-27 08:52 <DIR> d-------- C:\WINDOWS\Prefetch
2007-05-27 08:47 778,240 ---h----- C:\DOCUME~1\DEFAUL~1\NTUSER.DAT
2007-05-27 08:47 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-05-27 08:47 <DIR> d--h----- C:\Program Files\msn gaming zone
2007-05-27 08:43 <DIR> d--h----- C:\Program Files\Messenger
2007-05-27 08:33 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-05-27 08:33 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-05-26 17:46 <DIR> d-------- C:\WINDOWS\pss
2007-05-26 09:06 89,088 --a------ C:\WINDOWS\system32\ATL71.DLL
2007-05-26 09:06 86,016 --a------ C:\WINDOWS\system32\preflib.dll
2007-05-26 09:06 770,048 --a------ C:\WINDOWS\system32\BCMLogon.dll
2007-05-26 09:06 757,760 --a------ C:\WINDOWS\system32\bcm1xsup.dll
2007-05-26 09:06 69,632 --a------ C:\WINDOWS\system32\bcmwlpkt.dll
2007-05-26 09:06 44,032 --a------ C:\WINDOWS\system32\wltrynt.dll
2007-05-26 09:06 33,664 --a------ C:\WINDOWS\system32\drivers\BCMWLNPF.SYS
2007-05-26 09:06 253,952 --a------ C:\WINDOWS\system32\bcmwlu00.exe
2007-05-26 09:06 20,480 --a------ C:\WINDOWS\system32\WLTRYSVC.EXE
2007-05-26 09:06 2,129,920 --a------ C:\WINDOWS\system32\WLBCGCBPRO731.DLL
2007-05-26 09:06 1,392,640 --a------ C:\WINDOWS\system32\WLTRAY.EXE
2007-05-26 09:06 1,253,376 --a------ C:\WINDOWS\system32\BCMWLTRY.EXE
2007-05-26 09:06 1,060,864 --a------ C:\WINDOWS\system32\MFC71.DLL
2007-05-26 09:06 <DIR> d-------- C:\Program Files\Dell
2007-05-15 16:03 73,728 -ra------ C:\WINDOWS\system32\CNMCP50.exe
2007-05-15 16:03 5,632 --a------ C:\WINDOWS\system32\CNMVS50.DLL
2007-05-15 16:03 100,352 --a------ C:\WINDOWS\system32\CNMLM50.DLL
2007-05-15 16:03 <DIR> d--h----- C:\BJPrinter
2007-05-15 16:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-05-15 14:06 <DIR> d-------- C:\Program Files\CONEXANT
2007-05-15 14:05 86,016 --a------ C:\WINDOWS\system32\mdmxsdk.dll
2007-05-15 14:05 705,408 --a------ C:\WINDOWS\system32\drivers\HSF_CNXT.sys
2007-05-15 14:05 42,858 --a------ C:\WINDOWS\system32\hsfci014.dll
2007-05-15 14:05 208,384 --a------ C:\WINDOWS\system32\drivers\HSFHWICH.sys
2007-05-15 14:05 13,059 --a------ C:\WINDOWS\system32\drivers\mdmxsdk.sys
2007-05-15 14:05 1,033,728 --a------ C:\WINDOWS\system32\drivers\HSF_DPV.SYS
2007-05-15 14:02 4,272 --a------ C:\WINDOWS\system32\drivers\bvrp_pci.sys
2007-05-15 14:00 <DIR> d-------- C:\Program Files\Modem Helper
2007-05-15 13:44 <DIR> d-------- C:\DOCUME~1\Randy\MSFax
2007-05-15 13:34 81,920 --a------ C:\WINDOWS\system32\cpwmon2k.dll
2007-05-15 13:34 49,152 --a------ C:\WINDOWS\system32\uninscpw.exe
2007-05-15 13:34 221,184 --a------ C:\WINDOWS\system32\cpwsave.exe
2007-05-15 13:34 <DIR> d-------- C:\Program Files\Acro Software
2007-05-15 13:30 <DIR> dr------- C:\Program Files\GNUGS
2007-05-15 13:21 17,792 --a------ C:\WINDOWS\system32\drivers\fanio.sys
2007-05-15 10:12 28,672 --a------ C:\WINDOWS\MDFolder.exe
2007-05-14 16:33 25,992 --a------ C:\WINDOWS\system32\pgdfgsvc.exe
2007-05-14 13:51 <DIR> d-------- C:\Program Files\Cookie Jar
2007-05-14 13:42 <DIR> d--h----- C:\WINDOWS\PIF
2007-05-14 13:17 <DIR> d-------- C:\Program Files\SpywareGuard
2007-05-14 13:11 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2007-05-14 13:11 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-05-14 12:52 <DIR> d-------- C:\Program Files\Spybot
2007-05-14 12:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-14 12:46 <DIR> d-------- C:\DOCUME~1\Randy\APPLIC~1\Lavasoft
2007-05-14 12:37 499,712 --a------ C:\WINDOWS\system32\MSVCP71.DLL
2007-05-14 12:37 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DLL
2007-05-14 12:02 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2007-05-14 10:27 <DIR> d-------- C:\Program Files\Alarm++
2007-05-14 07:59 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-05-14 07:59 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-05-14 07:59 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-05-14 07:50 <DIR> dr-h----- C:\MSOCache
2007-05-14 07:33 <DIR> d-------- C:\WINDOWS\system32\unknown
2007-05-13 10:01 <DIR> d-------- C:\Program Files\Google
2007-05-13 10:01 <DIR> d-------- C:\DOCUME~1\Randy\APPLIC~1\Google
2007-05-13 10:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-05-13 09:47 <DIR> d---s---- C:\DOCUME~1\Randy\UserData
2007-05-07 00:51 <DIR> d-------- C:\DOCUME~1\Randy\APPLIC~1\Rainlendar
2007-05-06 07:59 95,511 -ra------ C:\WINDOWS\system32\Vxdif.dll
2007-05-06 07:59 113,847 -ra------ C:\WINDOWS\system32\drivers\Apfiltr.sys
2007-05-06 07:59 <DIR> d-------- C:\Program Files\Apoint
2007-05-06 07:51 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-05-06 07:51 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2007-05-06 07:51 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-05-06 07:51 273,168 --a------ C:\WINDOWS\system32\drivers\STAC97.sys
2007-05-06 07:51 192,512 --a------ C:\WINDOWS\system32\stac97co.dll
2007-05-06 07:51 <DIR> d-------- C:\Program Files\SigmaTel
2007-05-06 05:14 <DIR> dr------- C:\Tempp
2007-05-06 05:14 <DIR> d-------- C:\Teaching
2007-05-06 05:13 <DIR> dr------- C:\Storable Programs
2007-05-06 05:13 <DIR> d-------- C:\Insurance
2007-05-06 05:12 <DIR> dr------- C:\Hobbies
2007-05-06 05:12 <DIR> dr------- C:\Financial
2007-05-06 05:12 <DIR> d-------- C:\Boston Market
2007-05-06 05:12 <DIR> d-------- C:\Accounts
2007-05-06 05:09 <DIR> d-------- C:\Tools
2007-05-06 04:59 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2007-05-06 04:59 13,632 --a------ C:\WINDOWS\system32\drivers\omci.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-27 15:45:03 22,720 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-05-15 21:00:16 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-06 14:50:51 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-05-06 01:11:29 -------- d-----w C:\Program Files\Broadcom
2007-05-06 01:06:03 -------- d-----w C:\DOCUME~1\Randy\APPLIC~1\Intel
2007-05-06 01:04:54 -------- d-----w C:\Program Files\Intel
2007-05-05 17:23:54 -------- d-----w C:\Program Files\Dell TrueMobile 2300
2007-05-05 08:37:37 -------- d--h--w C:\Program Files\microsoft frontpage
2007-05-05 08:37:23 0 --sha-r C:\MSDOS.SYS
2007-05-05 08:37:23 0 --sha-r C:\IO.SYS
2007-05-05 08:37:23 0 ----a-w C:\CONFIG.SYS
2007-05-05 08:37:23 0 ----a-w C:\AUTOEXEC.BAT
2007-05-05 08:35:32 -------- d--h--w C:\Program Files\WindowsUpdate
2007-05-05 08:34:31 -------- d-----w C:\Program Files\Common Files\MSSoap
2007-05-05 08:34:20 -------- d--h--w C:\Program Files\Movie Maker
2007-05-05 08:32:29 -------- d-----w C:\Program Files\Windows NT
2007-05-04 19:50:01 -------- d-----w C:\Program Files\Common Files\ODBC
2007-05-04 19:49:57 -------- d-----w C:\Program Files\Common Files\SpeechEngines


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}=C:\Program Files\SpywareGuard\dlprotect.dll [2003-08-02 23:24]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\Spybot\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-19 23:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 14:13]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-05-14 12:37]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-05-13 10:02]
"POP Peeper"="C:\tools\POP Peeper\POPPeeper.exe" [2006-11-15 21:02]
"i8kfangui"="C:\Tools\I8kfanGUI\I8kfanGUI.exe" [2004-01-24 07:26]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=01000000
"NoWinKeys"=01000000
"NoSMMyDocs"=01000000
"NoSMMyPictures"=01000000
"NoNetworkConnections"=01000000
"NoTrayItemsDisplay"=00000000
"NoLowDiskSpaceChecks"=1 (0x1)
"NoSaveSettings"=01000000
"ClearRecentDocsOnExit"=00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Randy^Start Menu^Programs^Startup^Taskbar Activate.lnk]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-06-05 12:48:02 C:\WINDOWS\tasks\Spybot - S & D.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-06 14:44:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-06 14:45:08 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-06 14:44

--- E O F ---


Dave, it also produced this file name C:\ComboFix-quarantined-files.txt

2007-06-05 09:56	  93305	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\windev-peers.ini.vir
2007-06-06 14:42	  1044	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_WINCOM32.reg.cf


Folder PATH listing
Volume serial number is 04F6-59BD
C:\QOOBOX
\---Quarantine
	+---C
	|   +---avenger
	|   \---WINDOWS
	|	   \---system32
	|			   windev-peers.ini.vir
	|			   
	\---Registry_backups
			LEGACY_WINCOM32.reg.cf


Dave, with GMER I forgot to disconnect from the internet during setup and it restarted.
During the scan I was disconnected.

GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-06-06 15:04:12
Windows 5.1.2600 Service Pack 2


---- Kernel code sections - GMER 1.0.12 ----

? C:\WINDOWS\system32\DRIVERS\update.sys

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [BAE1085A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [BAE1085A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [BAE1085A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [BAE1085A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [BAE1085A] avgtdi.sys

---- EOF - GMER 1.0.12 ----

Dave, looks like AVG was running. Hope this is okay.

Logfile of HijackThis v1.99.1
Scan saved at 3:21:32 PM, on 6/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\tools\POP Peeper\POPPeeper.exe
C:\Tools\I8kfanGUI\I8kfanGUI.exe
C:\Program Files\Alarm++\Alarm.exe
C:\Tools\Calender\Rainlendar.exe
C:\Tools\CLCL\CLCL.exe
C:\Program Files\Apoint\HidFind.exe
C:\Tools\Taskbar Activate\TaskbarActivate.exe
C:\Program Files\Apoint\Apntex.exe
C:\Tools\ZClock\ZClock.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [POP Peeper] "C:\tools\POP Peeper\POPPeeper.exe" -min
O4 - HKCU\..\Run: [i8kfangui] C:\Tools\I8kfanGUI\I8kfanGUI.exe /startup
O4 - Startup: Alarm++.lnk = C:\Program Files\Alarm++\Alarm.exe
O4 - Startup: Calendar.lnk = C:\Tools\Calender\Rainlendar.exe
O4 - Startup: Clipboard CLCL.lnk = C:\Tools\CLCL\CLCL.exe
O4 - Startup: Taskbar Activate.lnk = C:\Tools\Taskbar Activate\TaskbarActivate.exe
O4 - Startup: ZClock.lnk = C:\Tools\ZClock\ZClock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by129fd.bay129.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

Did not have any trouble running the scans.

Again, the computer is running good, but for a few hours before doing the above the computer did not have spikes, just like before when I told you that for about a day a few days ago I did not have problems. It's like these bugs I have come and go. What do you think, are they gone for good?

THANK YOU SO MUCH.
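The two HijackThis logs in this thread are read by hand for orphaned load points (the "(no file)" BHO, the "(file missing)" button) and for what changed between scans. As an added example that is not part of the thread or of HijackThis itself, here is a small Python parser over constructed sample lines in the same format: it flags load points whose file HijackThis could not find and diffs two logs to list the entries that appeared or disappeared.

```python
import re
from dataclasses import dataclass

# HijackThis log lines start with a section code (R0, O2, O4, O9, O16, O20, O23 ...)
# followed by " - " and a description. Everything else (headers, process list) is skipped.
HJT_LINE = re.compile(r"^(?P<sec>[ROF]\d{1,2}) - (?P<body>.*)$")

# Markers HijackThis appends when the referenced file is not on disk: an orphaned
# load point, i.e. a registry entry that outlived the file it pointed to.
MISSING_MARKERS = ("(no file)", "(file missing)")

# Constructed sample logs (assumption: a handful of lines in the same shape as the
# logs posted in this thread, not the full logs), one before and one after clean-up.
HJT_BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\services.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

HJT_AFTER = r"""O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O2"
    line: str     # the full log line, used as the identity when diffing two logs
    target: str   # the file, URL or command the load point refers to


def _target_of(section: str, body: str) -> str:
    """Pull out the thing that actually gets loaded from an HJT description."""
    if section == "O4" and "] " in body:          # O4 - HKLM\..\Run: [Name] path args
        return body.split("] ", 1)[1].strip()
    if section == "O4" and " = " in body:         # O4 - Startup: Name.lnk = path
        return body.split(" = ", 1)[1].strip()
    if " - " in body:                             # O2/O3/O9/O16/O20/O23: last " - " field
        return body.rsplit(" - ", 1)[1].strip()
    return body.strip()


def parse_hjt(text: str) -> list[Entry]:
    """Parse every section line of a HijackThis log; non-entry lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        entries.append(Entry(sec, line, _target_of(sec, body)))
    return entries


def missing_targets(entries: list[Entry]) -> list[Entry]:
    """Load points whose file HijackThis could not find. These are worth a look:
    a leftover BHO or button entry usually means a cleaner removed the file but
    not the registry entry that loads it."""
    return [e for e in entries if e.target.endswith(MISSING_MARKERS)]


def diff_logs(before: str, after: str) -> tuple[list[str], list[str]]:
    """Return (added, removed) entry lines between two logs of the same machine."""
    old = {e.line for e in parse_hjt(before)}
    new = {e.line for e in parse_hjt(after)}
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    for e in missing_targets(parse_hjt(HJT_BEFORE)):
        print(f"[missing file] {e.section}: {e.target}")
    added, removed = diff_logs(HJT_BEFORE, HJT_AFTER)
    for line in added:
        print(f"[added]   {line}")
    for line in removed:
        print(f"[removed] {line}")
```

Run against the samples, the diff shows the orphaned BHO gone after clean-up and the TeaTimer and SpywareGuard startup entries back, which is exactly what the helper reads off the two posted logs.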

#8 goblue1

goblue1
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:10:21 AM

Posted 06 June 2007 - 05:59 PM

Dave,

After doing your scans and replying to you, I cleaned and optimized my registry. When I restarted, the SP2 firewall was disabled. I then started it and saw that the service Internet Connection Sharing was set to Manual. I put this to Automatic. Hopefully nothing bad infected/reinfected during this time, and when I restart/start the firewall will be there automatically. I'll restart again and let you know if this happens again.

Also, this is minor, but do you know why Windows Explorer does not remember being opened expanded to full screen. It used to be if I expanded Explorer to full screen and closed it, the next time I opened it, it would open full. It doesn't seem to remember. I'm not talking about the maximize button, just stretching the Explorer window to full screen.

#9 DaveM59

DaveM59

    Bleepin' Grandpa


  • Members
  • 1,355 posts
  • OFFLINE
  • Gender:Male
  • Location:TN USA
  • Local time:11:21 AM

Posted 06 June 2007 - 09:16 PM

Hi again goblue1,

Again, computer is running good but, for a few hours before doing the above the computer did not have spikes


Actually, I would have expected the spikes to stop once you had run Superantispyware. Combofix picked up a few leftovers, but SAS had already deleted the core file and registry entries.

Scans look good. That is the shortest Gmer log I have ever seen. Combofix log was pretty long, but that's because you installed the system less than a month ago.

Sorry about that broken link for Combofix. That was a canned speech from our Library here at BC, however, I should have checked it myself before posting, and I bear the ultimate responsibility.

Please be careful about using registry cleaners. Many times they do more harm than good. I used to run one every month, but since I went into training here at BC and began to learn a bit more about Windows, I no longer trust an automated tool to make decisions about what is superfluous or erroneous in the registry.

During the time when your XP firewall was disabled, was your computer connected to the internet through your Dell router? If so, probably your machine is fine. However, just to make sure, let's run an online scan.

First go to the Kaspersky online scanner. Accept the terms, let it install an ActiveX program (since you have XP SP2 this is blocked by default, you must allow it), then accept the terms again, let it download the files (about 8 MB total). Click Next, and select "My Computer" as the scan area. Kaspersky takes a long time but it is very thorough. When it is finished, save the report as a text file (easier to work with than an HTML file) to your desktop.

After you have run Kaspersky, run a fresh HijackThis scan and post that log, as well as the Kaspersky log, to a reply here.

I will do some research about your problem with Explorer.

Dave

#10 goblue1

goblue1
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:10:21 AM

Posted 06 June 2007 - 10:20 PM

Dave,

I fixed Explorer with a registry fix for Save User Settings. Actually, after running SAS in safe mode, I ran it again in normal mode because that was where it gave me 6 BSODs in a row. In normal mode it found and deleted Windev again. No BSOD. Do you think this was just leftovers also?

Will run the scans and post. Computer running good.

Thanks so much,
Randy

#11 goblue1

goblue1
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:10:21 AM

Posted 06 June 2007 - 11:01 PM

Dave, here are the scans:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, June 06, 2007 8:54:23 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 7/06/2007
Kaspersky Anti-Virus database records: 341051
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 20514
Number of viruses found: 1
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 00:24:18

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Randy\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\History\History.IE5\MSHist012007060620070607\index.dat Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Temp\fla2.tmp Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Temp\hsperfdata_Randy\3816 Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Temp\Temporary Internet Files\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Temp\~DF6CA3.tmp Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Temp\~DFCD3C.tmp Object is locked skipped
C:\Documents and Settings\Randy\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Randy\ntuser.dat.LOG Object is locked skipped
C:\Storable Programs\Tool's\Revelation.exe/WISE0012.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\Storable Programs\Tool's\Revelation.exe/WISE0013.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\Storable Programs\Tool's\Revelation.exe WiseSFX: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{9F54F0E9-404D-4C86-831A-B03C0BBF77F9}\RP16\A0024150.exe/WISE0012.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\System Volume Information\_restore{9F54F0E9-404D-4C86-831A-B03C0BBF77F9}\RP16\A0024150.exe/WISE0013.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\System Volume Information\_restore{9F54F0E9-404D-4C86-831A-B03C0BBF77F9}\RP16\A0024150.exe WiseSFX: infected - 2 skipped
C:\System Volume Information\_restore{9F54F0E9-404D-4C86-831A-B03C0BBF77F9}\RP18\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

Scan process completed.


Logfile of HijackThis v1.99.1
Scan saved at 8:56:47 PM, on 6/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\tools\POP Peeper\POPPeeper.exe
C:\Tools\I8kfanGUI\I8kfanGUI.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\Program Files\Alarm++\Alarm.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Tools\Calender\Rainlendar.exe
C:\Tools\CLCL\CLCL.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Tools\Taskbar Activate\TaskbarActivate.exe
C:\Tools\ZClock\ZClock.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [POP Peeper] "C:\tools\POP Peeper\POPPeeper.exe" -min
O4 - HKCU\..\Run: [i8kfangui] C:\Tools\I8kfanGUI\I8kfanGUI.exe /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - Startup: Alarm++.lnk = C:\Program Files\Alarm++\Alarm.exe
O4 - Startup: Calendar.lnk = C:\Tools\Calender\Rainlendar.exe
O4 - Startup: Clipboard CLCL.lnk = C:\Tools\CLCL\CLCL.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Taskbar Activate.lnk = C:\Tools\Taskbar Activate\TaskbarActivate.exe
O4 - Startup: ZClock.lnk = C:\Tools\ZClock\ZClock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by129fd.bay129.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
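
A HijackThis log like the one above is read by hand in this thread, but the same checks can be automated. The following is an added example, not part of the original post and not HijackThis code: it parses HJT entries and applies a few persistence-focused heuristics a helper would apply mentally (stale "(file missing)" registrations, O16 ActiveX controls from hosts not on an allow-list, O20 Winlogon Notify DLLs, unnamed BHOs, and autostart binaries outside the usual install roots). The sample lines are taken from the log posted above; the allow-list of scanner hosts and the set of "standard" install roots are assumptions for illustration.

```python
"""Triage a HijackThis v1.99 log with a few persistence-focused heuristics.

Added example; not part of the original forum post and not HijackThis code.
SAMPLE_LOG reuses lines from the log posted in this thread. The ActiveX host
allow-list and the "standard" install roots are assumptions for illustration.
"""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HJT entries posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [i8kfangui] C:\Tools\I8kfanGUI\I8kfanGUI.exe /startup
O4 - Startup: ZClock.lnk = C:\Tools\ZClock\ZClock.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

# Assumption: directories an installer on this XP box is expected to write to.
STANDARD_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\", "%windir%\\")
# Assumption: online-scanner vendors whose ActiveX CABs the user deliberately ran.
ALLOWED_DPF_HOSTS = {"www.kaspersky.com", "download.bitdefender.com"}

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# A local path rooted at a drive letter or %VAR%, up to the first binary extension.
PATH_RE = re.compile(r'(?i)(?:[a-z]:\\|%[a-z]+%\\)[^"\r\n]*?\.(?:exe|dll|ocx|sys)\b')
URL_RE = re.compile(r"https?://\S+", re.I)


def extract_path(entry):
    """Return the first local executable/DLL path in an HJT entry, or None."""
    m = PATH_RE.search(entry)
    return m.group(0) if m else None


def is_standard_root(path):
    """True if the path sits under one of the expected install roots."""
    return path.lower().startswith(STANDARD_ROOTS)


def triage(log_text):
    """Return a list of findings, one dict per heuristic hit."""
    findings = []

    def add(section, body, kind, note):
        findings.append({"kind": kind, "section": section, "entry": body, "note": note})

    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # headers, running-process list, blank lines
        section, body = m.groups()
        path = extract_path(body)

        if "(file missing)" in body:
            add(section, body, "orphaned",
                "registration points at a file that no longer exists; remove the stale entry")
        if section == "O16":
            u = URL_RE.search(body)
            host = urlparse(u.group(0)).hostname if u else None
            if host not in ALLOWED_DPF_HOSTS:
                add(section, body, "activex_host",
                    f"ActiveX control downloaded from {host}; remove unless still needed")
        if section == "O20":
            add(section, body, "winlogon_notify",
                "DLL loads into winlogon.exe at logon; confirm the publisher")
        if section == "O2" and "(no name)" in body:
            add(section, body, "unnamed_bho", "BHO without a display name; look up the CLSID")
        if path and not is_standard_root(path):
            add(section, body, "nonstandard_path",
                f"autostart binary outside the usual install roots: {path}")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['section']}: {f['note']}")
```

Every hit is a prompt to verify, not a verdict: on this log the C:\Tools entries are the user's own clock and fan utilities, SDHelper.dll is Spybot's own BHO, and the orphaned O9 entry is just the leftover BitDefender online-scanner uninstall button. The value of the script is that it surfaces the same handful of lines a helper would ask about, out of a log that is mostly noise.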

#12 DaveM59

DaveM59

    Bleepin' Grandpa


  • Members
  • 1,355 posts
  • Gender:Male
  • Location:TN USA
  • Local time:11:21 AM

Posted 07 June 2007 - 06:25 AM

Hi goblue1,

Kaspersky found Snadboy (revelation.exe) which is a hack tool to reveal passwords in fields which normally display asterisks instead of the actual characters. Potentially useful but it also carries the potential for abuse, which is why Kaspersky flagged it.

Did you download this tool deliberately? It does not appear to be installed.

Otherwise everything looks clean. How's the computer running?

Dave

#13 goblue1

goblue1
  • Topic Starter

  • Members
  • 21 posts
  • Local time:10:21 AM

Posted 07 June 2007 - 07:51 AM

Hi Dave,

I downloaded Revelation a few years ago, used it a few times, don't have it installed now, haven't needed it.

Machine is running good.

Is this topic going to be open for a few days in case something pops up?

THANK YOU SO MUCH
Randy

#14 goblue1

goblue1
  • Topic Starter

  • Members
  • 21 posts
  • Local time:10:21 AM

Posted 07 June 2007 - 08:09 AM

Dave,

I am looking at firewalls. Is Outpost FREE equal to Spygate?

Thanks,
Randy

#15 DaveM59

DaveM59

    Bleepin' Grandpa


  • Members
  • 1,355 posts
  • Gender:Male
  • Location:TN USA
  • Local time:11:21 AM

Posted 07 June 2007 - 09:22 AM

Hi Randy,

I have a slight preference for Outpost free, but it is really down to user preference. I suggest downloading Outpost and installing it; if you hate the interface or find it hard to set up, try one of the others on the list. BTW, in this topic there are links to a couple of others, recommended by longtime BC experts (Comodo and Jetico, neither of which I have tried).

I don't think you need to delete Revelation just because Kaspersky and other AVs flag it. If you know how to use it and know what it's for, then it's up to you. The scanners flag any suspicious program, so in our canned speeches we will sometimes say "If your AV warns you about xxx.exe, allow it to run." They don't know the difference between proper and improper use of these tools and techniques, which are used both by spyware and by antispyware tools.

I will leave this topic open for a while as you wish. Fact is, we're not quite finished -- there's some final cleanup I want you to do, but I can't post the instructions right now. I'm at work and I left my thumb drive with all my canned speeches at home this morning. So I'll have to post again this evening.

Cheers,

Dave

Edit: forgot to respond to your earlier post. Could you please post the SAS log from your most recent scan -- the one you did in normal mode?

Edited by DaveM59, 07 June 2007 - 09:34 AM.
