Page 1 of 5 12345 LastLast
Results 1 to 10 of 42

Thread: Windows firewall disabled + updates not working etc

  1. 2006-12-08, 12:49 #1
    NickB
    NickB is offline
    Member
    Join Date
    Dec 2006
    Posts
    40

    Default Windows firewall disabled + updates not working etc

    I hope you can help on the following - I have tried to fix this but seem to be getting nowhere!

    1 It began when my son clicked on what he thought was an image in MSN Messenger which was (I think) a pif file which executed and caused various problems. I no longer what it was called, I'm afraid

    2 It turned off the Windows firewall and it now says "Due to an unidentified problem, Windows cannot display Windows Firewall settings"

    3 I have since put Zone Alarm on which appears to work

    4 I did various virus checks etc with AVG which I have on the machine and removed what it identifed. It appears to be virus free at present though it will occasionally report three instances of Java/ByteVerify and appear to fix them.

    One of the things it defintiely put on the machine was something called _mzu_stonedrv8.exe but I think I managed to get rid of this

    At one point the machine would no longer reboot but I managed to get it working again

    5 I also tried Prevx on the machine which says the machine is ok (which I don't think is the case!)

    6 It will no longer run Windows Updates and will reboot the machine part way through the process

    7 When I look Zone Alarm it appears to be blocking incoming and outgoing things but has two 'Generic Host Process for Win32 Services' which appear in programs and appear to be very active - though not always. The machine can receive or send 20 - 40mb of stuff over and above what I am doing regardless of whether I disengage internet activity or not

    8 I have scanned the machine in safe mode with spybot and it tells me congratulations it's ok!

    9 When I boot the machine it will now often tell me that Windows has recovered from a serious error (it might be this but I don't think it is - "The following boot-start or system-start driver(s) failed to load: szkg")

    Here is my hijackthis log

    Thank you in anticipation

    Logfile of HijackThis v1.99.1
    Scan saved at 11:20:58, on 08/12/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Prevx1\PXAgent.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
    C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Prevx1\PXConsole.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\AOL\1164356621\ee\AOLSoftware.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\hijack\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/home_homeoff...er/threats.jsp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.madasafish.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: (no name) - {d262e70a-7841-4a85-9aa1-8d66aa593c89} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\msgr.en-us.en-gb\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
    O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1164356621\ee\AOLSoftware.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
    O8 - Extra context menu item: Save to &Xdrive - res://C:\Program Files\Xdrive\Xdrive Desktop\xdrive.exe/std.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.madasafish.com
    O16 - DPF: ConferenceRoom Java Client - http://www.ropetalk.net:8000/java/cr.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1125130775828
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144959150652
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
    O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/W...gPublisher.exe
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
    O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{69B043E1-2370-491E-A606-F0799D2AAA5B}: NameServer = 85.255.116.67,85.255.112.90
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C14697C9-9005-4519-8ACD-44529AE8E480}: NameServer = 85.255.116.67 85.255.112.90
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  2. 2006-12-09, 09:50 #2
    Mr_JAk3
    Mr_JAk3 is offline
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hi NickB and welcome to Safer Networking Forums

    You got some infections there...

    One or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breech. I suggest that you read this article too.

    You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

    Please download FixWareout from one of these sites:

    Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    At the end of the fix, you may need to restart your computer again.

    Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt

    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006
  3. 2006-12-09, 13:01 #3
    NickB
    NickB is offline
    Member
    Join Date
    Dec 2006
    Posts
    40

    Default

    Thank you for your help so far which is much appreciated

    Here are the various logs - I actually ran combofix.exe twice as I couldn't find the log first time; I hope that does't matter. The hijackthis report was run after the combofix


    Fixwareout
    Last edited 12/06/2006
    Post this report in the forums please
    ...
    Prerun check
    [HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""

    ...
    ...
    Reg Entries that were deleted
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
    ...

    Random Runs removed from HKLM
    ...
    ...

    PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

    »»»»» Searching by size/names...

    »»»»»
    Search five digit cs, dm kd and jb files.
    This WILL/CAN also list Legit Files, Submit them at Virustotal
    C:\WINDOWS\SYSTEM32\DMCPL.EXE 1,323,008 2003-07-28

    Other suspects.

    »»»»» Misc files.

    »»»»» Checking for older varients covered by the Rem3 tool.
    ...
    Postrun check
    [HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "system"=""

    ...

    COMBO FIX LOG

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Program Files\Common Files\{3CE73184-07C9-2057-0912-02073102002c}
    C:\Program Files\Common Files\{3CE73184-07CA-2057-0912-02073102002c}
    C:\Program Files\Common Files\{ECE73184-07C9-2057-0912-02073102002c}
    C:\Program Files\Common Files\{ECE73184-07CA-2057-0912-02073102002c}


    Logfile of HijackThis v1.99.1
    Scan saved at 11:52, on 06-12-09
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\savedump.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Prevx1\PXAgent.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Prevx1\PXConsole.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Common Files\AOL\1164356621\ee\AOLSoftware.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\NoteTab Light\NoteTab.exe
    C:\hijack\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: (no name) - {d262e70a-7841-4a85-9aa1-8d66aa593c89} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\msgr.en-us.en-gb\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
    O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1164356621\ee\AOLSoftware.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
    O8 - Extra context menu item: Save to &Xdrive - res://C:\Program Files\Xdrive\Xdrive Desktop\xdrive.exe/std.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.madasafish.com
    O16 - DPF: ConferenceRoom Java Client - http://www.ropetalk.net:8000/java/cr.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1125130775828
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144959150652
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
    O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/W...gPublisher.exe
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
    O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{69B043E1-2370-491E-A606-F0799D2AAA5B}: NameServer = 85.255.116.67,85.255.112.90
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  4. 2006-12-09, 20:24 #4
    Mr_JAk3
    Mr_JAk3 is offline
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hi

    That doesn't look like to complete ComboFix log. Please post the full ComboFix log to here. You can find it from C:\Combofix.txt

    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006
  5. 2006-12-10, 13:14 #5
    NickB
    NickB is offline
    Member
    Join Date
    Dec 2006
    Posts
    40

    Default

    This is the second one

    Nick Blair - 06-12-09 11:42:13.31 Service Pack 2
    ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Nick Blair\Desktop"

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Program Files\Common Files\{3CE73184-07C9-2057-0912-02073102002c}
    C:\Program Files\Common Files\{3CE73184-07CA-2057-0912-02073102002c}
    C:\Program Files\Common Files\{ECE73184-07C9-2057-0912-02073102002c}
    C:\Program Files\Common Files\{ECE73184-07CA-2057-0912-02073102002c}


    ((((((((((((((((((((((((((((((( Files Created from 2006-11-09 to 2006-12-09 ))))))))))))))))))))))))))))))))))

    AND THIS IS THE OTHER!

    Nick Blair - 06-12-09 11:32:39.65 Service Pack 2
    ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Nick Blair\Desktop"

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Program Files\Common Files\{3CE73184-07C9-2057-0912-02073102002c}
    C:\Program Files\Common Files\{3CE73184-07CA-2057-0912-02073102002c}
    C:\Program Files\Common Files\{ECE73184-07C9-2057-0912-02073102002c}
    C:\Program Files\Common Files\{ECE73184-07CA-2057-0912-02073102002c}


    ((((((((((((((((((((((((((((((( Files Created from 2006-11-09 to 2006-12-09 ))))))))))))))))))))))))))))))))))
  6. 2006-12-10, 19:24 #6
    Mr_JAk3
    Mr_JAk3 is offline
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hi again, we'll continue

    Ok so those were the complete combofix logs...

    You should print these instructions or save these to a text file. Follow these instructions carefully.

    Disable PrevX realtime protection
    • Right click on the Prevx icon in your system tray at the bottom-right corner of your screen and choose Show Management Console..
    • On the Management Console click the Protection Level drop-down menu. You will see three levels:
      • Maximum
      • Off
      • User Defined
    • Disable all protection by setting the level to Off. You will receive a prompt asking "You are about to change your security settings. Do you wish to continue?" Click Yes.
    • Click the X on the upper right hand corner to exit the Management console.


    Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
    http://www.ewido.net/en/download/
    • Install AVG Anti-Spyware by double clicking the installer.
    • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
    • On the main screen under Your Computer's security.
      • Click on Change state next to Resident shield. It should now change to inactive.
      • Click on Change state next to Automatic updates. It should now change to inactive.
      • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
      • Wait until you see the Update succesfull message.
    • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    If you are having problems with the updater, you can use this link to manually update ewido.
    AVG Anti-Spyware manual updates.
    Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

    Download ATF Cleaner by Atribune to your desktop.
    Do NOT run yet.

    Make your hidden files visible:
    • Go to My Computer
    • Select the Tools menu and click Folder Options
    • Click the View tab.
    • Checkmark the "Display the contents of system folders"
    • Under the Hidden files and folders select "Show hidden files and folders"
    • Uncheck "Hide protected operating system files"
    • Click Apply and then the OK and close My Computer.


    ==================

    Download SDFix and save it to your desktop.

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
    • Open the extracted folder and double click RunThis.bat to start the script.
    • Type Y to begin the script.
    • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • Your system will take longer that normal to restart as the fixtool will be running and removing files.
    • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.

    Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
    O2 - BHO: (no name) - {d262e70a-7841-4a85-9aa1-8d66aa593c89} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{69B043E1-2370-491E-A606-F0799D2AAA5B}: NameServer = 85.255.116.67,85.255.112.90
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C14697C9-9005-4519-8ACD-44529AE8E480}: NameServer = 85.255.116.67 85.255.112.90

    Now lets check some settings on your system.
    (2000/XP) Only
    In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
    Press OK twice to get out of the properties screen and reboot if it asks.
    That option might not be avaiable on some systems
    Next Go start run type cmd and hit OK
    type
    ipconfig /flushdns
    then hit enter, type exit hit enter
    (that space between g and / is needed)

    Restart your computer to the safe mode:
    • Restart your computer
    • Start tapping the F8 key when the computer restarts.
    • When the start menu opens, choose Safe mode
    • Press Enter. The computer then begins to start in Safe mode.


    Go to the My Computer and delete the following files (if present):
    C:\WINDOWS\SYSTEM32\DMCPL.EXE

    Run ATF Cleaner
    • Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.

    Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act?
        • Click on Recommended Action and choose Quarantine from the popup menu.
      • Under How to scan?
        • All checkboxes should be ticked.
      • Under Possibly unwanted software:
        • All checkboxes should be ticked.
      • Under Reports:
        • Select Automatically generate report after every scan and uncheck Only if threats were found.
      • Under What to scan?
        • Select Scan every file.
    • Click on the Scan tab.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan the machine.
    • When the scan has finished, follow the instructions below.
      IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
      • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
      • At the bottom of the window click on the Apply all Actions button. (3)
    • When done, click the Save Scan Report button. (4)
      • Click the Save Report as button.
      • Save the report to your Desktop.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    Reboot in Normal Mode.

    ================

    When you're ready, please post the following logs to here:
    - AVG's report
    - a fresh HijackThis log
    - Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006
  7. 2006-12-11, 09:00 #7
    NickB
    NickB is offline
    Member
    Join Date
    Dec 2006
    Posts
    40

    Default

    Here are the various reports -

    AVG -

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 07:45 06-12-11

    + Scan result:



    C:\Documents and Settings\Nick Blair\Desktop\OldFiles\From Work\Personal\CuteFTP\advert.dll -> Adware.Aureate : Cleaned with backup (quarantined).
    C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\CuteFTP\advert.dll -> Adware.Aureate : Cleaned with backup (quarantined).
    C:\Documents and Settings\Alexander Blair.HAL\Application Data\Microsoft\Internet Explorer\Quick Launch\Block Checker.lnk -> Adware.BlockChecker : Cleaned with backup (quarantined).
    HKU\S-1-5-21-1653462319-1279371858-1987657003-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C2EEB4FA-B6D6-41B9-9CFA-ABA87F862BCB} -> Adware.Generic : Cleaned with backup (quarantined).
    C:\Program Files\Adverts\uninst.exe -> Adware.Lop : Cleaned with backup (quarantined).
    C:\Documents and Settings\Nick Blair\Desktop\OldFiles\From Work\Personal\Applications\Cute\tsad.dll -> Adware.TimeSink : Cleaned with backup (quarantined).
    C:\Documents and Settings\Nick Blair\Desktop\OldFiles\From Work\Personal\CuteFTP\tsad.dll -> Adware.TimeSink : Cleaned with backup (quarantined).
    C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\Applications\Cute\tsad.dll -> Adware.TimeSink : Cleaned with backup (quarantined).
    C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\CuteFTP\tsad.dll -> Adware.TimeSink : Cleaned with backup (quarantined).
    C:\WINDOWS\system32:lzx32.sys -> Hijacker.Costrat.e : Cleaned with backup (quarantined).
    C:\Documents and Settings\Nick Blair\Desktop\OldFiles\From Work\Personal\Applications\john-16w.zip/john-16/run/john-k6.zip/john.exe -> Not-A-Virus.HackTool.Win32.John : Cleaned with backup (quarantined).
    C:\Documents and Settings\Nick Blair\Desktop\OldFiles\From Work\Personal\Applications\john-16w.zip/john-16/run/john-mmx.zip/john.exe -> Not-A-Virus.HackTool.Win32.John : Cleaned with backup (quarantined).
    C:\Documents and Settings\Nick Blair\Desktop\OldFiles\From Work\Personal\Applications\john-16w.zip/john-16/run/john.exe -> Not-A-Virus.HackTool.Win32.John : Cleaned with backup (quarantined).
    C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\Applications\john-16w.zip/john-16/run/john-k6.zip/john.exe -> Not-A-Virus.HackTool.Win32.John : Cleaned with backup (quarantined).
    C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\Applications\john-16w.zip/john-16/run/john-mmx.zip/john.exe -> Not-A-Virus.HackTool.Win32.John : Cleaned with backup (quarantined).
    C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\Applications\john-16w.zip/john-16/run/john.exe -> Not-A-Virus.HackTool.Win32.John : Cleaned with backup (quarantined).
    C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\Applications\john-16w\john-16\run\john-k6.zip/john.exe -> Not-A-Virus.HackTool.Win32.John : Cleaned with backup (quarantined).
    C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\Applications\john-16w\john-16\run\john-mmx.zip/john.exe -> Not-A-Virus.HackTool.Win32.John : Cleaned with backup (quarantined).
    C:\Program Files\Cain\Abel.dll -> Not-A-Virus.PSWTool.Win32.Cain.284 : Cleaned with backup (quarantined).
    C:\Program Files\Cain\Abel.exe -> Not-A-Virus.PSWTool.Win32.Cain.284 : Cleaned with backup (quarantined).
    C:\Program Files\SnadBoy's Revelation v2\Revelation.exe -> Not-A-Virus.PSWTool.Win32.SnadBoy.2011 : Cleaned with backup (quarantined).
    C:\Program Files\SnadBoy's Revelation v2\RevelationHelper.dll -> Not-A-Virus.PSWTool.Win32.SnadBoy.2011 : Cleaned with backup (quarantined).
    C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\vnc-3.3.3r9_x86_win32.zip/vnc_x86_win32/vncviewer/vncviewer.exe -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.333 : Cleaned with backup (quarantined).
    C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\vnc_x86_win32\vncviewer\vncviewer.exe -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.333 : Cleaned with backup (quarantined).
    C:\Documents and Settings\Nick Blair\Desktop\apps\vnc-3.3.3r9_x86_win32.zip/vnc_x86_win32/vncviewer/vncviewer.exe -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.333 : Cleaned with backup (quarantined).
    :mozilla.6:C:\Documents and Settings\Nick Blair\Application Data\Mozilla\Firefox\Profiles\phni5tcs.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.7:C:\Documents and Settings\Nick Blair\Application Data\Mozilla\Firefox\Profiles\phni5tcs.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Nick\CookiesXP\nick blair@ad.adition[1].txt -> TrackingCookie.Adition : Cleaned.
    C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Nick\CookiesXP\nick blair@adorigin[1].txt -> TrackingCookie.Adorigin : Cleaned.
    :mozilla.17:C:\Documents and Settings\Nick Blair\Application Data\Mozilla\Firefox\Profiles\phni5tcs.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
    :mozilla.18:C:\Documents and Settings\Nick Blair\Application Data\Mozilla\Firefox\Profiles\phni5tcs.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
    :mozilla.30:C:\Documents and Settings\Nick Blair\Application Data\Mozilla\Firefox\Profiles\phni5tcs.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
    :mozilla.28:C:\Documents and Settings\Nick Blair\Application Data\Mozilla\Firefox\Profiles\phni5tcs.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
    C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Nick\CookiesXP\nick blair@com[2].txt -> TrackingCookie.Com : Cleaned.
    C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Nick\CookiesXP\nick blair@cqcounter[1].txt -> TrackingCookie.Cqcounter : Cleaned.
    :mozilla.73:C:\Documents and Settings\Nick Blair\Application Data\Mozilla\Firefox\Profiles\phni5tcs.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
    C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Nick\CookiesXP\nick blair@www.hightrafficads[1].txt -> TrackingCookie.Hightrafficads : Cleaned.
    :mozilla.50:C:\Documents and Settings\Nick Blair\Application Data\Mozilla\Firefox\Profiles\phni5tcs.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned.
    :mozilla.69:C:\Documents and Settings\Nick Blair\Application Data\Mozilla\Firefox\Profiles\phni5tcs.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
    :mozilla.52:C:\Documents and Settings\Nick Blair\Application Data\Mozilla\Firefox\Profiles\phni5tcs.default\cookies.txt -> TrackingCookie.Masterstats : Cleaned.
    C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Nick\CookiesXP\nick blair@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
    :mozilla.71:C:\Documents and Settings\Nick Blair\Application Data\Mozilla\Firefox\Profiles\phni5tcs.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
    :mozilla.72:C:\Documents and Settings\Nick Blair\Application Data\Mozilla\Firefox\Profiles\phni5tcs.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
    :mozilla.64:C:\Documents and Settings\Nick Blair\Application Data\Mozilla\Firefox\Profiles\phni5tcs.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
    :mozilla.35:C:\Documents and Settings\Nick Blair\Application Data\Mozilla\Firefox\Profiles\phni5tcs.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
    :mozilla.82:C:\Documents and Settings\Nick Blair\Application Data\Mozilla\Firefox\Profiles\phni5tcs.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
    C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Nick\Family\Cookies\family@www.web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned.


    ::Report end

    ********************************

    HIJACK THIS LOG

    Logfile of HijackThis v1.99.1
    Scan saved at 07:50, on 06-12-11
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Prevx1\PXAgent.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
    C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\AOL\1164356621\ee\AOLSoftware.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\hijack\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: URLDetector Class - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\msgr.en-us.en-gb\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
    O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1164356621\ee\AOLSoftware.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
    O8 - Extra context menu item: Save to &Xdrive - res://C:\Program Files\Xdrive\Xdrive Desktop\xdrive.exe/std.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.madasafish.com
    O16 - DPF: ConferenceRoom Java Client - http://www.ropetalk.net:8000/java/cr.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1125130775828
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144959150652
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
    O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/W...gPublisher.exe
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
    O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    ****************************

    SDF


    SDFix: Version 1.45
    ****************

    06-12-11 - 0:41:43.87

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Stage One - Safe Mode

    Checking Services...

    Service Name:


    File Path:



    Starting Registry Repairs...

    Restoring Default Hosts File...

    Stage One Complete

    Rebooting...

    Stage Two - Normal Mode

    Checking For Malware:
    --------------------

    ******************************

    AND THAT'S IT!
  8. 2006-12-11, 17:34 #8
    Mr_JAk3
    Mr_JAk3 is offline
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Ok looking better

    How is the computer running at the moment ?

    Please run a GMER Rootkit scan:

    Download GMER's application from here:
    http://www.gmer.net/gmer.zip

    Unzip it and start the GMER.exe
    Click the Rootkit tab and click the Scan button.

    Once done, click the Copy button.
    This will copy the results to your clipboard.
    Paste the results in your next reply.

    Warning ! Please, do not select the "Show all" checkbox during the scan.
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006
  9. 2006-12-12, 01:51 #9
    NickB
    NickB is offline
    Member
    Join Date
    Dec 2006
    Posts
    40

    Default

    When I go on the internet it is still sending and receiving a load of stuff which makes me understand where we are going next I think

    I would guess about 100kb per second are going in and out at the moment

    Thanks for the assistance
  10. 2006-12-12, 09:00 #10
    NickB
    NickB is offline
    Member
    Join Date
    Dec 2006
    Posts
    40

    Default

    Hi again - limited success with that tool. When it runs it returns the following but when I do a full scan it picks up various entries when it scans the registry and picks up entries referring to lzx32 when it goes through ControlSet001 / ControlSet002 / ControlSet003 - but when it scans CurrentControlSet the machine reboots! Tried it twice but same result


    GMER 1.0.12.12011 - http://www.gmer.net
    Rootkit scan 2006-12-12 07:53:01
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.12 ----

    SSDT pxfsf.sys ZwEnumerateKey
    SSDT pxfsf.sys ZwEnumerateValueKey

    SYSENTER ? F10FF1B3

    Code F10FDC10 pIofCallDriver

    ---- Devices - GMER 1.0.12 ----

    Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F12342A0] vsdatant.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F12342A0] vsdatant.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F12342A0] vsdatant.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F12342A0] vsdatant.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F12342A0] vsdatant.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F12342A0] vsdatant.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F12342A0] vsdatant.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F12342A0] vsdatant.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F12342A0] vsdatant.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F12342A0] vsdatant.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F12342A0] vsdatant.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F12342A0] vsdatant.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F12342A0] vsdatant.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F12342A0] vsdatant.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F12342A0] vsdatant.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F12342A0] vsdatant.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F12342A0] vsdatant.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F12342A0] vsdatant.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F12342A0] vsdatant.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F12342A0] vsdatant.sys

    ---- Services - GMER 1.0.12 ----

    Service C:\WINDOWS\system32\lzx32.sys (*** hidden *** ) [SYSTEM] lzx32 <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.12 ----
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules