Please Help I Am Infected


  • This topic is locked
23 replies to this topic

#1 rc11982

rc11982

  • Members
  • 12 posts

Posted 03 June 2007 - 07:57 PM

I have scanned my computer and it finds nothing, but the pop-ups keep coming even when I am not online. Here is my HijackThis log.


Logfile of HijackThis v1.99.1
Scan saved at 5:46:08 PM, on 6/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Altiris\AClient\AClient.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\System32\alg.exe
c:\program files\softwin\bitdefender10\bdmcon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\dumprep.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {1A1D1FAD-CD3B-4639-A1BE-9F999B2A3525} - C:\WINDOWS\system32\pmnkh.dll (file missing)
O2 - BHO: (no name) - {34EAA210-4383-3D0B-A34A-1BE34891F2C8} - C:\WINDOWS\system32\kmfvt.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: 0 - {A6BFFBF9-5874-464E-38AD-EE2A69B33E28} - C:\Program Files\ComPlus Applications\wogu351.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O2 - BHO: (no name) - {b9bec770-1f56-4b88-bd2d-57de78969722} - C:\WINDOWS\system32\IPXcui.dll
O2 - BHO: (no name) - {DEBEB52F-CFA6-4647-971F-3EDB75B63AFA} - C:\DOCUME~1\Teacher\LOCALS~1\Temp\tmp5.tmp.dll
O2 - BHO: (no name) - {E75C436C-A4FD-892A-D90D-FFADAC9721C3} - C:\WINDOWS\system32\qcpi.dll (file missing)
O2 - BHO: (no name) - {F22DD09B-4C45-4FB2-B355-1FC830833D11} - C:\WINDOWS\system32\urspn.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\hgdayy.dll",realset
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.snipenet.net
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.snipenet.net (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://winantivirus.com/download/2007/down...g=en&cnt=us
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pesd.ad
O17 - HKLM\Software\..\Telephony: DomainName = pesd.ad
O17 - HKLM\System\CCS\Services\Tcpip\..\{B385A62F-D436-435B-8473-8EC04A06F93A}: NameServer = 86.64.145.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{E654E750-2A9C-481C-AEF4-8FAFAA134E45}: NameServer = 86.64.145.144
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pesd.ad
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IPXcui - C:\WINDOWS\SYSTEM32\IPXcui.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O20 - Winlogon Notify: pmnkh - C:\WINDOWS\system32\pmnkh.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winwem32 - winwem32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: zWmUVVm - {244D4C97-8EE7-E63D-517C-01DE5BBCA91D} - C:\WINDOWS\system32\uvv.dll (file missing)
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


#2 waterfalls

waterfalls

    Malware Exorcist


  • Staff Emeritus
  • 621 posts

Posted 03 June 2007 - 08:17 PM

Hi -

Welcome to BleepingComputer! I am currently reviewing your log and will post instructions for you shortly.
Take only memories, leave nothing but footprints.


#3 waterfalls

waterfalls

    Malware Exorcist


  • Staff Emeritus
  • 621 posts

Posted 03 June 2007 - 09:15 PM

Hi -

You have several backdoor infections on your system. Do NOT conduct any online transactions such as banking, purchases, etc. until we have finished. In the interim, I strongly suggest that you change your passwords at sensitive sites from a computer you know that is not infected.

Please follow the directions in the order stated.
You will need to print these instructions because you will be working in Safe Mode without an Internet connection.

• Go to Start > Run > type: sc delete Net Agent > click OK

• Please set your system to show all files.
- Go to Start > open My Computer
- Select the Tools menu and click Folder Options.
- Select the View tab and, under Hidden files and folders, select Show hidden files and folders
- Uncheck Hide file extensions for known file types
- Uncheck Hide protected operating system files (Recommended)
- Click Apply, then OK

• Open HijackThis, click Open the Misc Tools section, then click Delete a file on bootup
- a window will open
- Where it says "File Name" - copy and paste: C:\Windows\System32\winskt32.dll
- Click Open
- A prompt will appear advising you that the file will be deleted and asking if you want to reboot now
- Click Yes
- Your computer will now reboot.

• Reboot into SAFE MODE
To get into the Windows XP Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times. Choose Safe Mode from the menu that will appear and press Enter.

• Start HijackThis, click System Scan Only and place a checkmark next to the following items:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {1A1D1FAD-CD3B-4639-A1BE-9F999B2A3525} - C:\WINDOWS\system32\pmnkh.dll (file missing)
O2 - BHO: (no name) - {34EAA210-4383-3D0B-A34A-1BE34891F2C8} - C:\WINDOWS\system32\kmfvt.dll (file missing)
O2 - BHO: 0 - {A6BFFBF9-5874-464E-38AD-EE2A69B33E28} - C:\Program Files\ComPlus Applications\wogu351.dll (file missing)
O2 - BHO: (no name) - {E75C436C-A4FD-892A-D90D-FFADAC9721C3} - C:\WINDOWS\system32\qcpi.dll (file missing)
O2 - BHO: (no name) - {F22DD09B-4C45-4FB2-B355-1FC830833D11} - C:\WINDOWS\system32\urspn.dll (file missing)
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O15 - Trusted Zone: *.snipenet.net
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.snipenet.net (HKLM)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://winantivirus.com/download/2007/down...g=en&cnt=us
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pesd.ad
O17 - HKLM\Software\..\Telephony: DomainName = pesd.ad
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pesd.ad
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O20 - Winlogon Notify: pmnkh - C:\WINDOWS\system32\pmnkh.dll (file missing)
O20 - Winlogon Notify: winwem32 - winwem32.dll (file missing)
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)


Close ALL browsers and open windows/programs leaving just HijackThis and click 'Fix Checked'.

• Navigate to and delete the following folder if present:
C:\WINDOWS\system32\wsnpoem

• Navigate to and delete the following files if present:
C:\WINDOWS\dls0523pmw.exe
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\rjx.exe
C:\Documents and Settings\All Users\Documents\Settings\partnership.dll

• Reboot into NORMAL MODE

Please download Combofix from one of the following links:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
- and save to the Desktop.

1. Double click on combo.exe and follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouse-click combofix's window while it is running. That may cause your system to stall/hang.

• Post back with the ComboFix.txt log and a new HijackThis log.

Edited by waterfalls, 04 June 2007 - 01:37 PM.

Take only memories, leave nothing but footprints.

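The fix list in the post above is built by reading each HijackThis line for a handful of warning signs: an extra executable on the UserInit line, BHOs that have no name or whose DLL is gone, a Run value named userinit, sites added to the IE Trusted Zone, an ActiveX download (DPF) with no class name, Winlogon Notify DLLs that are missing or sit outside System32, and a service whose binary is gone. The script below is an added example written for this thread; it is not code from the thread, from HijackThis or from ComboFix. It encodes those checks as heuristics and runs them over a constructed sample made from lines of the log posted at the top of the thread. Two assumptions are built in: the BitDefender service lines show "(file missing)" only because of how HijackThis 1.99.1 prints a quoted ImagePath that carries arguments, so a stray quote in the path is treated as that artifact and skipped; and a rundll32 entry loading a DLL straight from the Windows root is treated as worth a look. Findings are pointers for research, not verdicts: a DLL under a plausible name in System32 passes the path checks.

```python
"""Heuristic triage of HijackThis v1.99 log lines.  Added example for this
thread, not code from the thread, HijackThis or ComboFix; every threshold
below is an assumption that mirrors a reason the helper ticks an entry."""
import re
from collections import namedtuple

# Constructed sample: a subset of the log posted at the top of this thread,
# with some legitimate entries left in so the checks can be seen skipping them.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {1A1D1FAD-CD3B-4639-A1BE-9F999B2A3525} - C:\WINDOWS\system32\pmnkh.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {DEBEB52F-CFA6-4647-971F-3EDB75B63AFA} - C:\DOCUME~1\Teacher\LOCALS~1\Temp\tmp5.tmp.dll
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\hgdayy.dll",realset
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://winantivirus.com/download/2007/down...g=en&cnt=us
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O20 - Winlogon Notify: winwem32 - winwem32.dll (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
MISSING = "(file missing)"
Finding = namedtuple("Finding", "kind reason line")  # section, why, raw line

def _basename(path):
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()

def _in_system32(path):
    return path.lower().startswith("c:\\windows\\system32\\")

def triage_line(line):
    """Findings for one log line; an empty list means nothing stood out."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return []
    kind, body, findings = m.group("kind"), m.group("body"), []
    flag = lambda reason: findings.append(Finding(kind, reason, line))
    if kind == "F2":  # Winlogon's UserInit should name userinit.exe and nothing else
        mm = re.match(r"REG:system\.ini: UserInit=(.*)$", body)
        extra = [e for e in mm.group(1).split(",") if e.strip() and _basename(e) != "userinit.exe"] if mm else []
        if extra:
            flag("UserInit launches an extra program: " + ", ".join(extra))
    elif kind == "O2":
        mm = re.match(r"BHO: (?P<name>.*?) - \{[^}]+\} - (?P<path>.*)$", body)
        if mm:
            if MISSING in mm.group("path"):
                flag("BHO registered but its DLL is gone (orphaned loader entry)")
            elif mm.group("name") == "(no name)":
                flag("unnamed BHO; research the DLL before trusting it")
            if "\\temp\\" in mm.group("path").lower():
                flag("BHO loaded from a Temp directory")
    elif kind == "O4":
        mm = re.match(r"HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$", body)
        if mm and mm.group("name").lower() == "userinit":
            flag("Run value named 'userinit': Windows starts userinit.exe via Winlogon, not via Run")
        # rundll32 loading a DLL that sits directly in C:\WINDOWS (heuristic)
        if mm and mm.group("cmd").lower().startswith("rundll32.exe") and re.search(r'"?c:\\windows\\[^\\]+\.dll', mm.group("cmd"), re.I):
            flag("rundll32 loads a DLL from the Windows root directory")
    elif kind == "O15":
        mm = re.match(r"Trusted Zone: (?P<site>\S+)", body)
        if mm:
            flag("site added to the IE Trusted Zone (relaxed security): " + mm.group("site"))
    elif kind == "O16":
        mm = re.match(r"DPF: \{[^}]+\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)", body)
        if mm and mm.group("name") is None:  # ActiveX download with no class name
            host = re.match(r"https?://([^/]+)", mm.group("url"))
            flag("unnamed ActiveX download from " + (host.group(1) if host else mm.group("url")))
    elif kind == "O20":
        mm = re.match(r"Winlogon Notify: \S+ - (?P<path>.*)$", body)
        if mm and MISSING in mm.group("path"):
            flag("Winlogon Notify DLL is missing")
        elif mm and not _in_system32(mm.group("path")):
            flag("Winlogon Notify DLL outside System32")
    elif kind == "O23":
        mm = re.match(r"Service: .*? - .*? - (?P<path>.*)$", body)
        # Assumption: a stray quote before '/service' is HijackThis 1.99.1's rendering
        # of a quoted ImagePath with arguments, not a genuinely missing binary.
        if mm and MISSING in mm.group("path") and '"' not in mm.group("path"):
            flag("service binary is missing: " + mm.group("path").replace(MISSING, "").strip())
    return findings

def triage_log(text):
    """Run triage_line over every line of a log and collect the findings."""
    return [f for line in text.splitlines() for f in triage_line(line)]

def flagged_kinds(text):
    """Sorted HijackThis sections that produced at least one finding."""
    return sorted({f.kind for f in triage_log(text)})

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

Run as a script it prints eleven findings for the sample, one per entry the helper ticked plus a second note for the BHO living under Temp, and stays silent on the Java BHO, the Dell ActiveX control, WgaLogon and the BitDefender service line. Pasting a full log into SAMPLE_LOG is all that is needed to triage another one.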

#4 rc11982

rc11982
  • Topic Starter

  • Members
  • 12 posts

Posted 04 June 2007 - 11:06 AM

Thank you. I will post my new log as soon as I get home, and thank you again.

#5 waterfalls

waterfalls

    Malware Exorcist


  • Staff Emeritus
  • 621 posts

Posted 04 June 2007 - 01:38 PM

Okay. :thumbsup:
Take only memories, leave nothing but footprints.


#6 rc11982

rc11982
  • Topic Starter

  • Members
  • 12 posts

Posted 06 June 2007 - 02:19 AM

Thanks for your help. Here is my ComboFix report and HijackThis log.



Start Time= Wed 06/06/2007 0:10:16.39

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-06-04 07:34:00 14390 ( A.... ) "C:\sysklid.exe"
2007-06-03 18:00:12 39124 ( A.... ) "C:\WINDOWS\SYSTEM32\tmp166F.tmp.dll"
2007-06-03 17:58:30 14390 ( A.... ) "C:\sysagni.exe"
2007-06-03 17:47:30 106611 ( A.... ) "C:\WINDOWS\qonoll.dll"
2007-06-03 01:41:04 913408 ( A.... ) "C:\WINDOWS\SYSTEM32\xreglib.dll"
2007-06-03 01:21:26 ( .D... ) "C:\Documents and Settings\Teacher\Application Data\Bitdefender"
2007-06-03 00:50:44 ( .D... ) "C:\Program Files\Softwin"
2007-06-03 00:50:12 ( .D... ) "C:\Program Files\Common Files\Softwin"
2007-06-02 18:25:38 18944 ( A.... ) "C:\WINDOWS\SYSTEM32\KB11505076.exe"
2007-06-02 18:03:30 77312 ( A.... ) "C:\WINDOWS\ua2.dll"
2007-06-02 17:23:42 39124 ( A.... ) "C:\WINDOWS\SYSTEM32\tmp5.tmp.dll"
2007-06-02 14:20:06 2198 ( A.... ) "C:\WINDOWS\SYSTEM32\tmp.reg"
2007-06-02 10:50:22 ( .D... ) "C:\Program Files\utorrent"
2007-06-02 10:50:22 ( .D... ) "C:\Documents and Settings\Teacher\Application Data\uTorrent"
2007-06-02 10:43:58 13369 ( A.... ) "C:\WINDOWS\SYSTEM32\a3dx8.dll"
2007-05-31 22:38:04 ( .D... ) "C:\Program Files\WebCyberCoach"
2007-05-31 18:14:42 39073 ( A.... ) "C:\WINDOWS\SYSTEM32\tmp3.tmp.dll"
2007-05-28 02:24:18 38115 ( A.... ) "C:\WINDOWS\SYSTEM32\tmp6.tmp.dll"
2007-05-28 02:21:10 36864 ( A.... ) "C:\WINDOWS\SYSTEM32\Explorer.exe"
2007-05-26 15:20:10 ( .D... ) "C:\Program Files\Hijackthis"
2007-05-26 10:16:24 ( .D... ) "C:\Program Files\GRISOFT"
2007-05-22 19:18:46 ( .D... ) "C:\Program Files\msn gaming zone"
2007-05-22 18:05:22 ( .D... ) "C:\Program Files\Common Files\s?curity"
2007-05-22 07:12:30 1488688 ( A.... ) "C:\WINDOWS\SYSTEM32\LegitCheckControl.dll"
2007-05-22 07:12:28 310784 ( A.... ) "C:\WINDOWS\SYSTEM32\WgaTray.exe"
2007-05-22 07:12:22 183808 ( A.... ) "C:\WINDOWS\SYSTEM32\WgaLogon.dll"
2007-05-18 23:11:36 930 ( A.... ) "C:\WINDOWS\SYSTEM32\winpfz32.sys"
2007-05-18 23:11:36 930 ( A.... ) "C:\WINDOWS\SYSTEM32\winpfz32.sys"
2007-05-18 22:34:16 8464 ( A.... ) "C:\WINDOWS\SYSTEM32\sporder.dll"
2007-05-18 22:34:04 16 ( A.... ) "C:\Documents and Settings\Teacher\Application Data\.rdr.ini"
2007-05-18 22:33:28 34816 ( A.... ) "C:\WINDOWS\rau001978.exe"
2007-05-18 22:32:48 14390 ( A.... ) "C:\sysselg.exe"
2007-05-18 00:27:04 ( .D... ) "C:\Program Files\CONEXANT"
2007-05-13 02:30:56 ( .D... ) "C:\Program Files\SUPERAntiSpyware"
2007-05-13 02:30:56 ( .D... ) "C:\Documents and Settings\Teacher\Application Data\SUPERAntiSpyware.com"
2007-05-13 02:24:00 ( .D... ) "C:\Program Files\Combined Community Codec Pack"
2007-05-12 15:40:26 ( .D... ) "C:\Program Files\Common Files\??crosoft.NET"
2007-05-12 00:41:24 ( .D... ) "C:\Documents and Settings\Teacher\Application Data\Lavasoft"
2007-05-12 00:40:34 ( .D... ) "C:\Program Files\Lavasoft"
2007-04-28 10:15:08 ( .D... ) "C:\Documents and Settings\Teacher\Application Data\Adobe"
2007-04-28 09:47:42 ( .D... ) "C:\Program Files\Common Files\Adobe"
2007-04-27 17:52:32 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2007-04-27 17:24:18 ( .D... ) "C:\Documents and Settings\Teacher\Application Data\SpywareBot"
2007-04-27 14:00:12 209526 ( A.... ) "C:\WINDOWS\SYSTEM32\dvvaquhf.exe"
2007-04-18 21:15:10 25905 ( A.... ) "C:\WINDOWS\SYSTEM32\fcyaa.exe"
2007-04-18 21:15:10 19098 ( A.... ) "C:\WINDOWS\SYSTEM32\IPXcui.dll"
2007-04-03 13:48:52 13511640 ( A.... ) "C:\WINDOWS\SYSTEM32\MRT.exe"
2007-03-09 03:02:32 115200 ( A.... ) "C:\WINDOWS\SYSTEM32\xpsp3res.dll"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"AClntUsr"="C:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE"
"Synchronization Manager"="%SystemRoot%\\system32\\mobsync.exe /logon"
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"BDMCon"="\"C:\\Program Files\\Softwin\\BitDefender10\\bdmcon.exe\" /reg"
"BDAgent"="\"C:\\Program Files\\Softwin\\BitDefender10\\bdagent.exe\""
"setup"="rundll32.exe \"C:\\WINDOWS\\qonoll.dll\",realset"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"svchost.exe"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"userinit"="C:\\WINDOWS\\system32\\ntos.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000
"DisableTaskMgr"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"userinit"="C:\\WINDOWS\\system32\\ntos.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"userinit"="C:\\WINDOWS\\system32\\ntos.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{0DF6591C-2E4D-47DE-B358-BDEFA79D7C55}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Service Pack 1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="vexg6ame4"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\vexg6ame4.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DefWatch"=dword:00000002


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job
C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job

Completion time: Wed 06/06/2007 0:11:31.75
ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt



Logfile of HijackThis v1.99.1
Scan saved at 12:14:12 AM, on 6/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O2 - BHO: (no name) - {b9bec770-1f56-4b88-bd2d-57de78969722} - C:\WINDOWS\system32\IPXcui.dll
O2 - BHO: (no name) - {DEBEB52F-CFA6-4647-971F-3EDB75B63AFA} - C:\WINDOWS\system32\tmp166F.tmp.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\qonoll.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pesd.ad
O17 - HKLM\Software\..\Telephony: DomainName = pesd.ad
O17 - HKLM\System\CCS\Services\Tcpip\..\{E654E750-2A9C-481C-AEF4-8FAFAA134E45}: NameServer = 86.64.145.144
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IPXcui - C:\WINDOWS\SYSTEM32\IPXcui.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: zWmUVVm - {244D4C97-8EE7-E63D-517C-01DE5BBCA91D} - C:\WINDOWS\system32\uvv.dll (file missing)
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Thank you again for everything.

#7 waterfalls

waterfalls

    Malware Exorcist


  • Staff Emeritus
  • 621 posts

Posted 06 June 2007 - 03:03 PM

Hi -

You're welcome, but we still have work to do. Please follow these instructions in the order stated.
You will need to print or copy these instructions because you will be working in Safe Mode without an Internet connection.

Uninstall the following programs if present
- Go to Start > Control Panel > Add/Remove Programs
- Select the following, one at a time, and click Remove for each one
Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
Cowabanga by OIN

- or anything similar with OIN in it.

If OIN is not listed, download and run this uninstaller
http://www.outerinfo.com/OiUninstaller.exe

Reboot when done! Really important!

Navigate to and delete the following folders if present:
C:\Program Files\Oin
C:\Program Files\Yazzle by Oin
C:\Program Files\Purityscan by Oin
C:\Program Files\Snowballwars by Oin
C:\Program Files\Cowabanga by OIN
- or any other folder in Program Files with Oin in it.

Please download VundoFix.exe and save it to your Desktop.
- Double-click VundoFix.exe to run it
- Click the Scan for Vundo button
- Once it is done scanning, click the Remove Vundo button
- You will receive a prompt asking if you want to remove the files
- Click YES
- Once you click YES, your Desktop will go blank as it starts removing Vundo
- When completed, it will prompt that it will reboot your computer
- Click OK

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, so simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

Once VundoFix has completed scanning, please do NOT run it again.
If you run it more than one time, you will overwrite the original log (vundofix.txt) generated when it was run the first time.

Download SDFix and save it to your Desktop.
Do NOT perform a scan yet.

Download and install AVG Anti-Spyware 7.5.
(This is Ewido 4.0 renamed. If you already have Ewido installed, please update to this version, which has a special "clean driver" for removing persistent malware.)
1. After download, double click on the file to launch the install process.
2. Choose a language, click "OK" and then click "Next".
3. Read the "License Agreement" and click "I Agree".
4. Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
5. After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
6. The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
7. Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
8. Go to Start > Run and type: services.msc
  • Press "OK".
  • Click the "Extended tab" and scroll down the list to find AVG Anti-Spyware guard.
  • When you find the guard service, double-click on it.
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Manual".
  • Now click "Apply", then "OK" and close the Services window.
9. Select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here. Exit AVG Anti-Spyware when done.
Do NOT perform a scan yet.

Reboot into SAFE MODE.
To get into the Windows XP Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times. Choose Safe Mode from the menu that will appear and press Enter.

Navigate to and delete the following folders:
C:\Program Files\Common Files\s?curity (this will look like security)
C:\Program Files\Common Files\??crosoft.NET (this will look like microsoft)

Scan with AVG Anti-Spyware as follows:
1. Launch AVG Anti-Spyware, click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?" check all (default).
  • Under "Possibly unwanted software" check all (default).
  • Under "What to Scan?" make sure "Scan every file" is selected (default).
  • Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
2. Click the "Scan" tab to return to scanning options.
3. Click "Complete System Scan" to start.
4. When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.

IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken" making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions?" button.

5. Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
6. Exit AVG Anti-Spyware when done, reboot normally and submit the log report in your next response.

Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. If Explorer or other programs are open during the scan that means certain files will also be in use. Some malware will insert itself and hide in areas that are "protected" by Windows when the files are being used. This can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

Run SDFix
- In Safe Mode, choose your usual account
- Right-click the SDFix.zip folder and choose Extract All
- Open the extracted folder and double click RunThis.bat to start the script.
- Type Y to begin the script.
- It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- Your system will take longer than normal to restart as the fixtool will be running and removing files.
- When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
- Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt in your next reply.

Post back with the Vundofix.txt, the AVG Antispyware log, the Report.txt and a new HijackThis log. You may have to break these up into two replies.

Edited by waterfalls, 06 June 2007 - 03:23 PM.

Take only memories, leave nothing but footprints.

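The two folders named in the Safe Mode step above ("s?curity" and "??crosoft.NET") are a look-alike trick: the malware names its folder with non-ASCII letters that render like "security" or "microsoft.NET" so it blends into Common Files. As an added example (not part of the post above and not code from SDFix, VundoFix or AVG Anti-Spyware), here is a Python check that flags directory names which are not plain ASCII but are visually indistinguishable from an expected legitimate name. The confusables table, the expected-name list and the sample directory listing are all constructed for this illustration; in real use you would feed it the names from os.listdir() of the folder you are inspecting.

```python
import unicodedata

# Legitimate names the post says the malware imitates (constructed list).
EXPECTED_NAMES = {"security", "microsoft.net"}

# Small hand-maintained map of look-alike letters to the ASCII letter they
# imitate. This is an illustrative subset, not a complete confusables table.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic а
    "\u0435": "e",  # Cyrillic е
    "\u043c": "m",  # Cyrillic м
    "\u043e": "o",  # Cyrillic о
    "\u0440": "p",  # Cyrillic р
    "\u0441": "c",  # Cyrillic с
    "\u0443": "y",  # Cyrillic у
    "\u0445": "x",  # Cyrillic х
    "\u0456": "i",  # Cyrillic і
    "\u0455": "s",  # Cyrillic ѕ
    "\u0458": "j",  # Cyrillic ј
}


def skeleton(name: str) -> str:
    """Map a folder name to the ASCII string it looks like.

    Cyrillic look-alikes come from CONFUSABLES; accented Latin letters are
    reduced to their base letter via NFKD; anything still non-ASCII becomes
    '?' (which is how Explorer rendered those characters in the post).
    """
    out = []
    for ch in name.lower():
        ch = CONFUSABLES.get(ch, ch)
        decomposed = unicodedata.normalize("NFKD", ch)
        base = "".join(c for c in decomposed if not unicodedata.combining(c))
        out.append(base if base.isascii() else "?")
    return "".join(out)


def is_ascii(name: str) -> bool:
    return all(ord(c) < 128 for c in name)


def find_lookalike_folders(names, expected=EXPECTED_NAMES):
    """Return (name, imitated_name) for each non-ASCII name whose skeleton
    equals one of the expected legitimate names."""
    hits = []
    for name in names:
        if is_ascii(name):
            continue  # a genuine ASCII name is not a look-alike
        sk = skeleton(name)
        if sk in expected:
            hits.append((name, sk))
    return hits


# Constructed sample listing of C:\Program Files\Common Files
SAMPLE_LISTING = [
    "security",                  # legitimate ASCII name
    "s\u0435curity",             # 'e' is Cyrillic е: shows as s?curity
    "\u043c\u0456crosoft.NET",   # 'm' and 'i' are Cyrillic: ??crosoft.NET
    "Microsoft Shared",          # legitimate
    "S\u00fcmmary",              # non-ASCII but imitates nothing expected
]

if __name__ == "__main__":
    for name, imitated in find_lookalike_folders(SAMPLE_LISTING):
        print(f"suspicious folder {name!r} looks like {imitated!r}")
```

The check deliberately skips pure-ASCII names, so a real "security" folder is never flagged, and an accented name that imitates nothing on the expected list ("Sümmary" in the sample) passes as well; only non-ASCII names whose visual skeleton collides with a legitimate name are reported.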

#8 rc11982


Posted 09 June 2007 - 01:49 AM

here are the logs


SDFix: Version 1.87

Run by Teacher - Fri 06/08/2007 - 23:25:11.15

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\Teacher\Desktop\SDFix

Safe Mode:
Checking Services:

Name:
Driver

ImagePath:
\??\C:\WINDOWS\system32\spoolsvv.sys


Killing PID 160 'smss.exe'
Killing PID 232 'winlogon.exe'


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\Documents and Settings\All Users\Documents\Settings\partnership.dll - Deleted
C:\WINDOWS\system32\explorer.exe - Deleted
C:\WINDOWS\system32\ntos.exe - Deleted
C:\WINDOWS\system32\RunOnce2.t__ - Deleted
C:\WINDOWS\system32\windev-peers.ini - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted
C:\WINDOWS\tcb.pmw - Deleted
C:\WINDOWS\wr.txt - Deleted


Folder C:\WINDOWS\system32\wsnpoem - Removed

Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
:lzx32.sys 71608
Total size: 71608 bytes.

system32: deleted 71608 bytes in 1 streams.

Checking for remaining Streams

C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking if ADS is attached to ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe"="C:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe:*:Enabled:Ad-Aware SE Personal"
"C:\\Program Files\\GRISOFT\\AVG Anti-Rootkit Free\\avgarkt.exe"="C:\\Program Files\\GRISOFT\\AVG Anti-Rootkit Free\\avgarkt.exe:*:Enabled:AVG Anti-Rootkit Free"
"C:\\Program Files\\GRISOFT\\AVG Anti-Spyware 7.5\\avgas.exe"="C:\\Program Files\\GRISOFT\\AVG Anti-Spyware 7.5\\avgas.exe:*:Enabled:AVG Anti-Spyware"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE"="C:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE:*:Enabled:AClntUsr - AClient Interactive User Service"
"C:\\WINDOWS\\Temp\\hd5.tmp"="C:\\WINDOWS\\Temp\\hd5.tmp:*:Enabled:enable"
"C:\\Program Files\\utorrent\\utorrent.exe"="C:\\Program Files\\utorrent\\utorrent.exe:*:Enabled:Torrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Backups Folder: - C:\DOCUME~1\Teacher\Desktop\SDFix\backups\backups.zip

Listing Files with Hidden Attributes:

C:\WINDOWS\Help\unole.dll
C:\Program Files\Ahead\Nero PhotoShow\data\Nero PhotoShow Elite.exe
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp
C:\WINDOWS\SYSTEM32\npsru.tmp
C:\WINDOWS\SYSTEM32\CONFIG\default.tmp.LOG
C:\WINDOWS\SYSTEM32\CONFIG\software.tmp.LOG
C:\WINDOWS\SYSTEM32\CONFIG\system.tmp.LOG

Listing User Accounts:

User accounts for \\TECHMENTOR5

Administrator Guest HelpAssistant
IUSR_TECHMENTOR5 IWAM_TECHMENTOR5 Student
SUPPORT_388945a0 SUPPORT_3f151ab9 Teacher


Finished


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:20:44 PM 6/8/2007

+ Scan result:



HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\Documents and Settings\Teacher\Cookies\teacher@marthastewart.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Teacher\Cookies\teacher@pch.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Teacher\Cookies\teacher@aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Teacher\Cookies\teacher@arn.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Teacher\Cookies\teacher@getmusicfree.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Teacher\Cookies\teacher@pan.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Teacher\Cookies\teacher@prizeamerica.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Teacher\Cookies\teacher@www.abcsearch[1].txt -> TrackingCookie.Abcsearch : Cleaned.
C:\Documents and Settings\Teacher\Cookies\teacher@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Teacher\Cookies\teacher@ads.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Teacher\Cookies\teacher@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\Teacher\Cookies\teacher@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Teacher\Cookies\teacher@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Teacher\Cookies\teacher@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Teacher\Cookies\teacher@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Teacher\Cookies\teacher@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Teacher\Cookies\teacher@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Teacher\Cookies\teacher@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Teacher\Cookies\teacher@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned.
C:\Documents and Settings\Teacher\Cookies\teacher@ehg-kasperskylab.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Teacher\Cookies\teacher@ehg-maniatv.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Teacher\Cookies\teacher@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Teacher\Cookies\teacher@linksynergy[2].txt -> TrackingCookie.Linksynergy : Cleaned.
C:\Documents and Settings\Teacher\Cookies\teacher@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Teacher\Cookies\teacher@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
C:\Documents and Settings\Teacher\Cookies\teacher@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Teacher\Cookies\teacher@data3.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Teacher\Cookies\teacher@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Teacher\Cookies\teacher@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Teacher\Cookies\teacher@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Teacher\Cookies\teacher@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Teacher\Cookies\teacher@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.


::Report end

#9 rc11982


Posted 09 June 2007 - 01:54 AM

Logfile of HijackThis v1.99.1
Scan saved at 11:49:01 PM, on 6/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Altiris\AClient\AClient.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O2 - BHO: (no name) - {b9bec770-1f56-4b88-bd2d-57de78969722} - C:\WINDOWS\system32\IPXcui.dll
O2 - BHO: (no name) - {DEBEB52F-CFA6-4647-971F-3EDB75B63AFA} - C:\WINDOWS\system32\tmp166F.tmp.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pesd.ad
O17 - HKLM\Software\..\Telephony: DomainName = pesd.ad
O17 - HKLM\System\CCS\Services\Tcpip\..\{E654E750-2A9C-481C-AEF4-8FAFAA134E45}: NameServer = 86.64.145.144
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IPXcui - C:\WINDOWS\SYSTEM32\IPXcui.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: zWmUVVm - {244D4C97-8EE7-E63D-517C-01DE5BBCA91D} - C:\WINDOWS\system32\uvv.dll (file missing)
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


VundoFix V6.4.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 2:09:13 PM 5/26/2007

Listing files found while scanning....

C:\WINDOWS\system32\hknmp.bak1
C:\WINDOWS\system32\hknmp.bak2
C:\WINDOWS\system32\hknmp.ini
C:\WINDOWS\system32\jpvjxhky.dll
C:\WINDOWS\SYSTEM32\mljhfde.dll
C:\WINDOWS\SYSTEM32\pbsfldxn.dll
C:\WINDOWS\system32\pmnkh.dll
C:\WINDOWS\system32\urspn.dll
C:\WINDOWS\SYSTEM32\utlwiebx.dll
C:\WINDOWS\SYSTEM32\ykhxjvpj.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\hknmp.bak1
C:\WINDOWS\system32\hknmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hknmp.bak2
C:\WINDOWS\system32\hknmp.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hknmp.ini
C:\WINDOWS\system32\hknmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jpvjxhky.dll
C:\WINDOWS\system32\jpvjxhky.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\mljhfde.dll
C:\WINDOWS\SYSTEM32\mljhfde.dll Could not be deleted.

Attempting to delete C:\WINDOWS\SYSTEM32\pbsfldxn.dll
C:\WINDOWS\SYSTEM32\pbsfldxn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\urspn.dll
C:\WINDOWS\system32\urspn.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\utlwiebx.dll
C:\WINDOWS\SYSTEM32\utlwiebx.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\ykhxjvpj.ini
C:\WINDOWS\SYSTEM32\ykhxjvpj.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\mljhfde.dll
C:\WINDOWS\SYSTEM32\mljhfde.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.4.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 11:48:20 PM 6/7/2007

Listing files found while scanning....

C:\WINDOWS\llonoq.ini
C:\WINDOWS\qonoll.dll

Beginning removal...

Attempting to delete C:\WINDOWS\llonoq.ini
C:\WINDOWS\llonoq.ini Has been deleted!

Attempting to delete C:\WINDOWS\qonoll.dll
C:\WINDOWS\qonoll.dll Has been deleted!

Performing Repairs to the registry.
Done!

#10 waterfalls


Posted 09 June 2007 - 03:52 PM

Hi -

The ComboFix version you ran is EXTREMELY outdated. Go ahead and delete it. Then, download the newest version of ComboFix from either:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
- and save it to the Desktop.

1. Double click on combo.exe and follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouse-click combofix's window while it is running. That may cause your system to stall/hang.

Post back with the ComboFix.txt log and a new HijackThis log.

Also, in two of your O17 entries, do you recognize the domain pesd.ad?
Take only memories, leave nothing but footprints.


#11 rc11982


Posted 12 June 2007 - 09:08 AM

ComboFix 07-06-11.3
"Teacher" - 2007-06-12 6:37:59 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dvvaquhf.exe
C:\WINDOWS\SYSTEM32\npsru.bak1
C:\WINDOWS\SYSTEM32\npsru.ini
C:\WINDOWS\SYSTEM32\npsru.ini2
C:\WINDOWS\SYSTEM32\npsru.tmp
C:\WINDOWS\SYSTEM32\npsru.bak1
C:\WINDOWS\SYSTEM32\npsru.ini
C:\WINDOWS\SYSTEM32\npsru.ini2
C:\WINDOWS\SYSTEM32\npsru.tmp
C:\WINDOWS\system32\IPXcui.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *




((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


((((((((((((((((((((((((( Files Created from 2007-05-12 to 2007-06-12 )))))))))))))))))))))))))))))))


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dvvaquhf.exe
C:\WINDOWS\SYSTEM32\npsru.bak1
C:\WINDOWS\SYSTEM32\npsru.ini
C:\WINDOWS\SYSTEM32\npsru.ini2
C:\WINDOWS\SYSTEM32\npsru.tmp
C:\WINDOWS\SYSTEM32\npsru.bak1
C:\WINDOWS\SYSTEM32\npsru.ini
C:\WINDOWS\SYSTEM32\npsru.ini2
C:\WINDOWS\SYSTEM32\npsru.tmp
C:\WINDOWS\system32\IPXcui.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *




((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Teacher\APPLIC~1.\.rdr.ini
C:\DOCUME~1\Teacher\APPLIC~1.\crosof~1.net
C:\DOCUME~1\Teacher\APPLIC~1\Microsoft\20509.dat
C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Program Files\Common Files\{244D4~1
C:\Program Files\Common Files\{344D4~1
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\Help\ntp2.ini
C:\WINDOWS\icroso~1
C:\WINDOWS\rau001978.exe
C:\WINDOWS\sembly~1
C:\WINDOWS\system32\a3dx8.dll
C:\WINDOWS\system32\KB11505076.exe
C:\WINDOWS\system32\smpi1
C:\WINDOWS\system32\tmp166F.tmp.dll
C:\WINDOWS\system32\tmp3.tmp.dll
C:\WINDOWS\system32\tmp5.tmp.dll
C:\WINDOWS\system32\tmp6.tmp.dll
C:\WINDOWS\system32\ystem~1
C:\WINDOWS\system32RunOnce2.t__
C:\WINDOWS\system32RunOnce2.tm_


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NET_AGENT
-------\Net Agent
-------\RpcApi


((((((((((((((((((((((((( Files Created from 2007-05-12 to 2007-06-12 )))))))))))))))))))))))))))))))


2007-06-12 06:37 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-12 06:37 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-08 22:11 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-06-08 22:11 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-06-04 07:33 14,390 --a------ C:\sysklid.exe
2007-06-04 07:33 14,390 --a------ C:\sysklid.exe
2007-06-03 17:58 14,390 --a------ C:\sysagni.exe
2007-06-03 17:58 14,390 --a------ C:\sysagni.exe
2007-06-03 17:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-06-03 17:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-06-03 01:25 81,984 --a------ C:\WINDOWS\SYSTEM32\bdod.bin
2007-06-03 01:25 81,984 --a------ C:\WINDOWS\SYSTEM32\bdod.bin
2007-06-03 01:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2007-06-03 01:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2007-06-03 01:21 <DIR> d-------- C:\DOCUME~1\Teacher\APPLIC~1\Bitdefender
2007-06-03 01:21 <DIR> d-------- C:\DOCUME~1\Teacher\APPLIC~1\Bitdefender
2007-06-03 00:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BitDefender
2007-06-03 00:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BitDefender
2007-06-02 21:11 <DIR> d-------- C:\spoolerlogs
2007-06-02 21:11 <DIR> d-------- C:\spoolerlogs
2007-06-02 21:05 512 --a------ C:\ScanSectorLog.dat
2007-06-02 21:05 512 --a------ C:\ScanSectorLog.dat
2007-06-02 20:58 6,688 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.dat
2007-06-02 20:58 6,688 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.dat
2007-06-02 20:58 1,707,808 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2007-06-02 20:58 1,707,808 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2007-06-02 20:49 4,212 ---h----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2007-06-02 20:49 4,212 ---h----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2007-06-02 20:47 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-06-02 11:58 2,198 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-06-02 11:58 2,198 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-06-02 10:50 <DIR> d-------- C:\Program Files\utorrent
2007-06-02 10:50 <DIR> d-------- C:\Program Files\utorrent
2007-06-02 10:50 <DIR> d-------- C:\DOCUME~1\Teacher\APPLIC~1\uTorrent
2007-06-02 10:50 <DIR> d-------- C:\DOCUME~1\Teacher\APPLIC~1\uTorrent
2007-05-31 23:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRVSTORE
2007-05-31 23:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRVSTORE
2007-05-31 22:38 <DIR> d-------- C:\Program Files\WebCyberCoach
2007-05-31 22:38 <DIR> d-------- C:\Program Files\WebCyberCoach
2007-05-31 22:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Dell
2007-05-31 22:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Dell
2007-05-31 17:58 <DIR> d-------- C:\WINDOWS\pss
2007-05-31 17:51 135,168 --a------ C:\WINDOWS\SYSTEM32\igfxres.dll
2007-05-31 17:51 135,168 --a------ C:\WINDOWS\SYSTEM32\igfxres.dll
2007-05-30 23:40 98,938 --------- C:\WINDOWS\SYSTEM32\ialmkchw.sys
2007-05-30 23:40 98,938 --------- C:\WINDOWS\SYSTEM32\ialmkchw.sys
2007-05-30 23:40 65,536 --------- C:\WINDOWS\SYSTEM32\ialmcoin.dll
2007-05-30 23:40 65,536 --------- C:\WINDOWS\SYSTEM32\ialmcoin.dll
2007-05-30 23:40 46,647 --------- C:\WINDOWS\SYSTEM32\DRIVERS\a304.sys
2007-05-30 23:40 46,647 --------- C:\WINDOWS\SYSTEM32\DRIVERS\a304.sys
2007-05-30 23:40 37,431 --------- C:\WINDOWS\SYSTEM32\a313.sys
2007-05-30 23:40 37,431 --------- C:\WINDOWS\SYSTEM32\a313.sys
2007-05-30 23:40 33,847 --------- C:\WINDOWS\SYSTEM32\DRIVERS\wa301b.sys
2007-05-30 23:40 33,847 --------- C:\WINDOWS\SYSTEM32\DRIVERS\wa301a.sys
2007-05-30 23:40 33,847 --------- C:\WINDOWS\SYSTEM32\DRIVERS\wa301a.sys
2007-05-30 23:40 33,335 --------- C:\WINDOWS\SYSTEM32\a311.sys
2007-05-30 23:40 33,335 --------- C:\WINDOWS\SYSTEM32\a311.sys
2007-05-30 23:40 33,335 --------- C:\WINDOWS\SYSTEM32\a310.sys
2007-05-30 23:40 33,335 --------- C:\WINDOWS\SYSTEM32\a310.sys
2007-05-30 23:40 29,751 --------- C:\WINDOWS\SYSTEM32\DRIVERS\a303.sys
2007-05-30 23:40 29,751 --------- C:\WINDOWS\SYSTEM32\DRIVERS\a303.sys
2007-05-30 23:40 26,167 --------- C:\WINDOWS\SYSTEM32\a309.sys
2007-05-30 23:40 26,167 --------- C:\WINDOWS\SYSTEM32\a309.sys
2007-05-30 23:40 21,559 --------- C:\WINDOWS\SYSTEM32\DRIVERS\a307.sys
2007-05-30 23:40 21,559 --------- C:\WINDOWS\SYSTEM32\DRIVERS\a307.sys
2007-05-30 23:40 21,045 --------- C:\WINDOWS\SYSTEM32\DRIVERS\Vch.sys
2007-05-30 23:40 21,045 --------- C:\WINDOWS\SYSTEM32\DRIVERS\Vch.sys
2007-05-30 23:40 16,951 --------- C:\WINDOWS\SYSTEM32\DRIVERS\a306.sys
2007-05-30 23:40 16,951 --------- C:\WINDOWS\SYSTEM32\DRIVERS\a306.sys
2007-05-30 23:40 120,830 --------- C:\WINDOWS\SYSTEM32\ialmsbw.sys
2007-05-30 23:40 120,830 --------- C:\WINDOWS\SYSTEM32\ialmsbw.sys
2007-05-30 23:40 12,855 --------- C:\WINDOWS\SYSTEM32\DRIVERS\a305.sys
2007-05-30 23:40 12,855 --------- C:\WINDOWS\SYSTEM32\DRIVERS\a305.sys
2007-05-30 23:40 11,831 --------- C:\WINDOWS\SYSTEM32\DRIVERS\a302.sys
2007-05-30 23:40 11,831 --------- C:\WINDOWS\SYSTEM32\DRIVERS\a302.sys
2007-05-30 23:40 11,319 --------- C:\WINDOWS\SYSTEM32\a314.sys
2007-05-30 23:40 11,319 --------- C:\WINDOWS\SYSTEM32\a314.sys
2007-05-30 23:40 11,319 --------- C:\WINDOWS\SYSTEM32\a308.sys
2007-05-30 23:40 11,319 --------- C:\WINDOWS\SYSTEM32\a308.sys
2007-05-30 23:14 98,304 --a------ C:\WINDOWS\SYSTEM32\igfxtray.exe
2007-05-30 23:14 98,304 --a------ C:\WINDOWS\SYSTEM32\igfxtray.exe
2007-05-30 23:14 94,208 --a------ C:\WINDOWS\SYSTEM32\igfxext.exe
2007-05-30 23:14 94,208 --a------ C:\WINDOWS\SYSTEM32\igfxext.exe
2007-05-30 23:14 899,194 --a------ C:\WINDOWS\SYSTEM32\ialmdd5.dll
2007-05-30 23:14 86,016 --a------ C:\WINDOWS\SYSTEM32\igfxdo.dll
2007-05-30 23:14 86,016 --a------ C:\WINDOWS\SYSTEM32\igfxdo.dll
2007-05-30 23:14 77,824 --a------ C:\WINDOWS\SYSTEM32\hkcmd.exe
2007-05-30 23:14 77,824 --a------ C:\WINDOWS\SYSTEM32\hkcmd.exe
2007-05-30 23:14 73,728 --a------ C:\WINDOWS\SYSTEM32\hccutils.dll
2007-05-30 23:14 73,728 --a------ C:\WINDOWS\SYSTEM32\hccutils.dll
2007-05-30 23:14 57,344 --a------ C:\WINDOWS\SYSTEM32\oemdspif.dll
2007-05-30 23:14 57,344 --a------ C:\WINDOWS\SYSTEM32\oemdspif.dll
2007-05-30 23:14 57,344 --a------ C:\WINDOWS\SYSTEM32\igfxsrvc.dll
2007-05-30 23:14 57,344 --a------ C:\WINDOWS\SYSTEM32\igfxsrvc.dll
2007-05-30 23:14 524,288 --a------ C:\WINDOWS\SYSTEM32\igldev32.dll
2007-05-30 23:14 524,288 --a------ C:\WINDOWS\SYSTEM32\igldev32.dll
2007-05-30 23:14 49,152 --a------ C:\WINDOWS\SYSTEM32\ialmrem.dll
2007-05-30 23:14 49,152 --a------ C:\WINDOWS\SYSTEM32\ialmrem.dll
2007-05-30 23:14 450,560 --a------ C:\WINDOWS\SYSTEM32\igfxcfg.exe
2007-05-30 23:14 450,560 --a------ C:\WINDOWS\SYSTEM32\igfxcfg.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-03 08:41:03 913,408 ----a-w C:\WINDOWS\system32\xreglib.dll
2007-06-03 07:45:33 -------- d-----w C:\Program Files\Google
2007-06-02 09:48:07 -------- d-----w C:\Program Files\Azureus
2007-06-01 05:38:29 -------- d--h--w C:\DOCUME~1\Teacher\APPLIC~1\GTek
2007-06-01 05:33:58 -------- d-----w C:\Program Files\Dell
2007-05-31 06:39:57 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-27 07:43:56 26,208 -c--a-w C:\WINDOWS\system32\emptyregdb.dat
2007-05-27 07:43:08 -------- d-----w C:\Program Files\Messenger
2007-05-26 20:53:34 -------- d-----w C:\Program Files\Windows NT
2007-05-12 17:01:12 -------- d-----w C:\Program Files\Apoint
2007-05-12 07:14:46 -------- d-----w C:\Program Files\QuickTime
2007-04-28 21:45:28 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-04-28 00:42:00 -------- d-----w C:\DOCUME~1\Teacher\APPLIC~1\SpywareBot
2007-04-27 21:05:41 2,401 ----a-w C:\WINDOWS\system32\drivers\AlKernel.sys
2007-04-27 20:54:56 164 ----a-w C:\install.dat
2007-04-27 20:51:03 41 ----a-w C:\AClient.dat
2007-04-26 01:55:18 -------- d-----w C:\DOCUME~1\Teacher\APPLIC~1\Azureus
2007-04-26 00:28:28 -------- d-----w C:\DOCUME~1\Teacher\APPLIC~1\Ahead
2007-04-19 04:15:08 25,905 ----a-w C:\WINDOWS\system32\fcyaa.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll [2006-10-12 03:25]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}=C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll [2007-04-28 09:22]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AClntUsr"="C:\Program Files\Altiris\AClient\AClntUsr.EXE" [2007-06-12 06:47]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-08-04 01:06]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 05:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 07:13]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{244D4C97-8EE7-E63D-517C-01DE5BBCA91D}"="C:\WINDOWS\system32\uvv.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Service Pack 1]
C:\WINDOWS\system32\vexg6ame4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DefWatch"=2 (0x2)


Contents of the 'Scheduled Tasks' folder
2007-06-08 07:00:00 C:\WINDOWS\tasks\At1.job
2007-06-08 16:00:00 C:\WINDOWS\tasks\At10.job
2007-06-08 17:00:00 C:\WINDOWS\tasks\At11.job
2007-06-08 17:59:59 C:\WINDOWS\tasks\At12.job
2007-06-08 19:00:00 C:\WINDOWS\tasks\At13.job
2007-06-08 20:00:00 C:\WINDOWS\tasks\At14.job
2007-06-08 21:00:00 C:\WINDOWS\tasks\At15.job
2007-06-08 22:00:00 C:\WINDOWS\tasks\At16.job
2007-06-08 23:00:00 C:\WINDOWS\tasks\At17.job
2007-06-09 00:00:00 C:\WINDOWS\tasks\At18.job
2007-06-09 01:00:00 C:\WINDOWS\tasks\At19.job
2007-06-08 08:00:00 C:\WINDOWS\tasks\At2.job
2007-06-09 02:00:00 C:\WINDOWS\tasks\At20.job
2007-06-09 03:00:00 C:\WINDOWS\tasks\At21.job
2007-06-09 04:00:00 C:\WINDOWS\tasks\At22.job
2007-06-09 05:00:00 C:\WINDOWS\tasks\At23.job
2007-06-04 06:00:00 C:\WINDOWS\tasks\At24.job
2007-06-08 09:00:00 C:\WINDOWS\tasks\At3.job
2007-06-04 10:00:00 C:\WINDOWS\tasks\At4.job
2007-06-04 11:00:00 C:\WINDOWS\tasks\At5.job
2007-06-04 12:00:00 C:\WINDOWS\tasks\At6.job
2007-06-04 13:00:00 C:\WINDOWS\tasks\At7.job
2007-06-04 14:00:00 C:\WINDOWS\tasks\At8.job
2007-06-08 15:00:00 C:\WINDOWS\tasks\At9.job
2007-06-04 10:00:00 C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-12 06:56:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\Hep44.sys

scan completed successfully
hidden files: 1

C:\WINDOWS\system32\Hep44.sys
**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\Hep44]
"ImagePath"="\SystemRoot\System32\Hep44.sys"

Completion time: 2007-06-12 6:58:57 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-12 06:58
C:\ComboFix2.txt ... 2007-06-06 00:13

--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 7:03:00 AM, on 6/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pesd.ad
O17 - HKLM\Software\..\Telephony: DomainName = pesd.ad
O17 - HKLM\System\CCS\Services\Tcpip\..\{E654E750-2A9C-481C-AEF4-8FAFAA134E45}: NameServer = 86.64.145.144
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: zWmUVVm - {244D4C97-8EE7-E63D-517C-01DE5BBCA91D} - C:\WINDOWS\system32\uvv.dll (file missing)
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


And I do know the PESD.ad

#12 waterfalls

waterfalls

    Malware Exorcist


  • Staff Emeritus
  • 621 posts

Posted 12 June 2007 - 11:24 PM

Start HijackThis, click System Scan Only and place a checkmark next to the following item:
O21 - SSODL: zWmUVVm - {244D4C97-8EE7-E63D-517C-01DE5BBCA91D} - C:\WINDOWS\system32\uvv.dll (file missing)

Close ALL browsers and open windows/programs except HijackThis and click 'Fix Checked'.

Download IceSword.
Note: Because it is a RAR file, you will need 7-Zip to unpack it.
- Extract it to your desktop.
1. Double-click on IceSword.exe
2. Use the registry function in IceSword to see if the following key exists:
HKEY_LOCAL_MACHINE\system\ControlSet003\Services\Hep44
3. If it does exist, then right-click on Hep44 and select the Delete option from the menu that opens.

Reboot your computer.

Please set your system to show all files.
- Go to Start > open My Computer
- Select the Tools menu and click Folder Options.
- Select the View tab and, under Hidden files and folders, select Show hidden files and folders
- Uncheck Hide file extensions for known file types
- Uncheck Hide protected operating system files (Recommended)
- Click Apply, then OK

Reboot into SAFE MODE
To get into the Windows XP Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times. Choose Safe Mode from the menu that will appear and press Enter.

Navigate to and delete the following files if present:
C:\WINDOWS\system32\Hep44.sys
C:\WINDOWS\system32\uvv.dll
C:\WINDOWS\SYSTEM32\MRT.exe

Reboot into NORMAL MODE

Download Superantispyware
  • Load Superantispyware and click the check for updates button.
  • Once the update is finished click the scan your computer button.
  • Check Perform Complete Scan and then next.
  • Superantispyware will now scan your computer and when its finished it will list all the infections it has found.
  • Make sure that they all have a check next to them and press next.
  • Click finish and you will be taken back to the main interface.
  • Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
  • Copy and paste the log in your next reply.
Post back with the Superantispyware log and a new HijackThis log. Let me know if you encountered any problems while you were following the instructions I posted.
Take only memories, leave nothing but footprints.

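As an added example (not from waterfalls' post and not part of HijackThis), here is the kind of check behind singling out that O21 line: a small triage pass over HijackThis v1.99.1 log lines that flags SSODL entries outside the stock Windows XP set and orphaned "(file missing)" entries. The sample input is constructed from a few lines of the log above, and the stock-SSODL allowlist is my own assumption about an XP SP2 install.

```python
import re

# Constructed sample input: a handful of lines copied from the HijackThis log
# posted above (O4, O20, O21, O23); the rest of that log is left out.
SAMPLE_LOG = """\
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\\WINDOWS\\system32\\WPDShServiceObj.dll
O21 - SSODL: zWmUVVm - {244D4C97-8EE7-E63D-517C-01DE5BBCA91D} - C:\\WINDOWS\\system32\\uvv.dll (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\\Program Files\\Softwin\\BitDefender10\\vsserv.exe" /service (file missing)
"""

# Assumed allowlist: the ShellServiceObjectDelayLoad (O21) DLLs a stock Windows
# XP SP2 install carries (SysTray, WebCheck, PostBootReminder/CDBurn) plus the
# one added by Windows Portable Devices. The key loads its DLLs into Explorer at
# logon and is rarely used by ordinary software, so anything else gets reviewed.
KNOWN_SSODL = {"stobject.dll", "webcheck.dll", "shell32.dll", "wpdshserviceobj.dll"}

LINE_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
# Last path component ending in .dll/.exe/.sys, stopping at a quote or whitespace.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\n]*?([^\\\"\s]+\.(?:dll|exe|sys))", re.IGNORECASE)


def triage(log_text):
    """Return (severity, reason, line) tuples for log lines worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        section = m.group(1)
        missing = "(file missing)" in line
        pm = PATH_RE.search(line)
        filename = pm.group(1).lower() if pm else ""
        if section == "O21" and filename not in KNOWN_SSODL:
            findings.append(("high", "SSODL entry outside the stock set", line))
        elif missing and section == "O23" and '"' in line:
            # HijackThis 1.99.1 cuts quoted service paths at the quote, so a
            # trailing '" /service (file missing)' is usually a parsing artifact
            # rather than a missing binary; report it for manual verification.
            findings.append(("info", "quoted service path, verify binary exists", line))
        elif missing:
            findings.append(("low", "orphaned entry, file missing", line))
    return findings
```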

#13 rc11982

rc11982
  • Topic Starter

  • Members
  • 12 posts

Posted 13 June 2007 - 12:26 AM

I am having a problem running IceSword. Every time I run it I get a BSOD. I can play games and search the web with no problems... but as soon as I run it, BSOD. What else can I do?

#14 waterfalls

waterfalls

    Malware Exorcist


  • Staff Emeritus
  • 621 posts

Posted 14 June 2007 - 02:54 AM

My reply to you was lost (see above notice). Here it is again.

IceSword BSODs are caused either by driver conflicts (bad v. good) or by detecting it and causing a crash intentionally.

Download and install Rootkit Unhooker (red link in the middle of the page)
http://rkunhooker1.narod.ru/
- Click Start > All Programs > Rootkit Unhooker > run the application.
- Click the SSDT tab, then File, then Quick Report, then Save Info from Current Page. Save this as Report1.txt to your Desktop.
- Click the Code Hook Detector tab and let the scan complete. Click File > Quick Report > Save Info from Current Page. Save this as Report2.txt to your Desktop.

Zip and attach these logs to your next post.
Take only memories, leave nothing but footprints.


#15 waterfalls

waterfalls

    Malware Exorcist


  • Staff Emeritus
  • 621 posts

Posted 20 June 2007 - 11:11 PM

Due to a lack of response ... this topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a new topic.
Take only memories, leave nothing but footprints.




