PurityScan?



Hrast
2007-08-29, 08:11
Friends laptop. Previous to this boot, SPYBOT found nothing in safemode. Nothing.

F-Secure Scan log:

Scanning Report
Tuesday, August 28, 2007 22:25:45 - 23:24:41
Computer name: YOUR-6BVPXYZTOQ
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 11 malware found
Malware.AEFV (virus)
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\910TSGBC\SETUP155[1].EXE (Submitted)
Tracking Cookie (spyware)
System (Disinfected)
System
System
Vundo.gen38 (virus)
C:\WINDOWS\SYSTEM32\AUYVNHGV.INI (Submitted)
C:\WINDOWS\SYSTEM32\CIHDOREB.INI (Submitted)
C:\WINDOWS\SYSTEM32\GIEYCFEB.INI (Submitted)
W32/DLoader.MXM.dropper (virus)
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\0V9JG0AX\BASS[1].EXE (Submitted)
W32/Kolweb.T (virus)
C:\WINDOWS\MIRINDASPK.EXE (Submitted)
W32/Malware.YFT (virus)
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\KHA7STYB\IS67718[1].EXE (Submitted)
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\910TSGBC\IS67718[1].EXE (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 19848
System: 4415
Not scanned: 3
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 10
Submitted: 8
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure AVP: 7.0.171, 2007-08-28
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 2007-08-20
F-Secure Libra: 2.4.2, 2007-08-28
F-Secure Orion: 1.2.37, 2007-08-29
F-Secure Pegasus: 1.19.0, 2007-07-19
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Use Advanced heuristics

--------------------------------------------------------------------------------




HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:31 PM, on 8/28/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\s?curity\w?nword.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2231217D-687D-4DD4-B3F6-390BF59C02C8} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {2EB8EB11-C040-429A-B3B3-4BE6DB9FF76B} - \
O2 - BHO: (no name) - {3006FBB2-3DBE-4DC0-8DD3-AE749AC1005C} - C:\WINDOWS\System32\mllmk.dll (file missing)
O2 - BHO: (no name) - {44218730-94E0-4b24-BBF0-C3D8B2BCE2C3} - C:\WINDOWS\System32\wilprugg.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\System32\tmpE.tmp.dll (file missing)
O2 - BHO: (no name) - {C696AD2B-47ED-393A-EC59-387612635397} - C:\WINDOWS\System32\hdfllubt.dll (file missing)
O2 - BHO: (no name) - {C84D8A0A-E708-42B6-90CA-9C30956A87C6} - C:\WINDOWS\System32\pmnmnmk.dll (file missing)
O2 - BHO: msscds32.msdn_hlp - {C934903B-61BE-403A-BC70-D738DAF43B8E} - C:\WINDOWS\System32\msscds32.dll (file missing)
O2 - BHO: (no name) - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: (no name) - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [winpack] C:\WINDOWS\System32\winpack.exe
O4 - HKCU\..\Run: [gsqmr] C:\WINDOWS\System32\gsqmr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Aaou] "C:\DOCUME~1\Owner\MYDOCU~1\PPATCH~1\regsvr32.exe" -vt yazb
O4 - HKCU\..\Run: [ISMModule2] "C:\Program Files\ISM\ISMModule2.exe"
O4 - HKCU\..\Run: [Dgdvsl] "C:\Documents and Settings\Owner\My Documents\s?curity\??rvices.exe"
O4 - HKCU\..\Run: [Pdsmxhm] C:\WINDOWS\system32\s?curity\w?nword.exe
O4 - HKCU\..\Policies\Explorer\Run: [gsqmr] C:\WINDOWS\System32\gsqmr.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: NDWCab - http://www.neededware.com/ndw4.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188261758182
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {D35B74F6-E099-4CDD-91E0-9EA7C30059D1} (Main Class) - http://www.dialer-shop.com/webdial/webdial24106.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{945D054B-4B16-48BC-8489-A3E52F0BF75E}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: c:\windows\system32\wvurrsq.dll
O20 - Winlogon Notify: kbdeds - kbdeds.dll (file missing)
O20 - Winlogon Notify: mllmk - C:\WINDOWS\System32\mllmk.dll (file missing)
O20 - Winlogon Notify: pmnmnmk - pmnmnmk.dll (file missing)
O20 - Winlogon Notify: winipo32 - winipo32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9648 bytes

pskelley
2007-08-29, 17:18
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected and I have no idea how bad. I see the PurityScan/OIN but I also see what appears to be a partially iIdentify. You have at least one trojan downloader onboard and you need to pull the plug on this computer and turn it on ONLY when you must to troubleshoot until I tell you that you are clean. If that works for you, proceed like this.

1) Mention any tools you have used so far.

2) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)

3) Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Post the uninstall list, any information I requested, the combofix log and a new HJT log.

Thanks

Hrast
2007-08-29, 18:35
I have read "Before You Post" and understand.

Tools used so far:
SPYBOT 1.4 (with updates)
AdAware2007 (with updates)
F-Secure Virtumonde Remover
F-Prot On-Line Scanner
AntiVir Anti-Virus

Uninstall list:

Ad-Aware 2007
Adobe Acrobat 5.0
Adobe Flash Player ActiveX
AIM 6
AOL Coach Version 1.0(Build:20020823.1)
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Deskbar
AOL Toolbar
AOL Uninstaller (Choose which Products to Remove)
AOL You've Got Pictures Screensaver
ATI Control Panel
ATI Display Driver
Avira AntiVir PersonalEdition Classic
Broadcom 802.11 Driver
BroadJump Client Foundation
Conexant 56K ACLink Modem
Conexant AC-Link Audio
Easy CD Creator 5 Basic
easy Internet sign-up
Encarta Online
HijackThis 2.0.2
HP Product Detection
Inactive HP Printer Drivers (Remove only)
InterActual Player
InterVideo WinDVD
Kaspersky Online Scanner
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft Learning and Research Plus Support Files
Microsoft Money 2003
Microsoft Money 2003 System Pack
Microsoft Picture It! Express 7.0
Microsoft Works 7.0
Move Networks Player for Internet Explorer
MSN Internet Software
MSN Messenger 7.5
MSN Toolbar
MUSICMATCH® Jukebox
MusicNet@AOL
Notebook Utilities
One-Touch Buttons
PhotoShow Express
QuickTime
RealPlayer Basic
Security Update for Step By Step Interactive Training (KB898458)
Shockwave
Spybot - Search & Destroy 1.4
Synaptics Pointing Device Driver
TaxCut Deluxe 2005
Ultimate Mahjongg 10
Viewpoint Media Player
Walgreens PhotoShow Express 4
Windows Backup Utility
Windows Installer 3.1 (KB893803)
Windows Media Player Hotfix [See Q828026 for more information]
XP TCP/IP Repair 1.0
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar
ZoneAlarm

ComboFix log:

ComboFix 07-08-29.3 - "Owner" 2007-08-29 10:13:30.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.169 [GMT -5:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\LOCALS~1\APPLIC~1\install.dat
C:\DOCUME~1\LOCALS~1\APPLIC~1\sembly~1
C:\DOCUME~1\LOCALS~1\Desktop\searchus.exe
C:\DOCUME~1\NETWOR~1\APPLIC~1\install.dat
C:\DOCUME~1\NETWOR~1\Desktop\searchus.exe
C:\DOCUME~1\Owner\APPLIC~1\install.dat
C:\DOCUME~1\Owner\err.log
C:\DOCUME~1\Owner\MYDOCU~1\ppatch~1
C:\DOCUME~1\Owner\MYDOCU~1\scurit~1
C:\Program Files\svhost
C:\Program Files\svhost\wr-1-0000077.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\DOWNLO~1\UERS_9999_N91S1502NetInstaller.exe
C:\WINDOWS\DOWNLO~1\UWA7P_0001_N91M0809NetInstaller.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\saiemod.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\180ax.exe
C:\WINDOWS\system32\biprep.exe
C:\WINDOWS\system32\drivers\alert_icon.gif
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\close_icon.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_bg.gif
C:\WINDOWS\system32\drivers\icon_warning.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\remove_spyware_button.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\secuity_center_logo.gif
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f06WtR
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\l3acdb.dll
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\mit.bat
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\salm.exe
C:\WINDOWS\system32\satmat.exe
C:\WINDOWS\system32\scurit~1
C:\WINDOWS\system32\scurit~1\w?nword.exe
C:\WINDOWS\system32\susp.exe
C:\WINDOWS\system32\test.exe
C:\WINDOWS\system32\updatetc.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\system32\wnsapisv32.exe
C:\WINDOWS\voiceip.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-29 )))))))))))))))))))))))))))))))


2007-08-29 10:12 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-28 23:58 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-28 21:52 <DIR> d-------- C:\Program Files\NSC
2007-08-28 21:47 57,344 --------- C:\WINDOWS\system32\BCMWLD2K.EXE
2007-08-28 21:47 139,264 --------- C:\WINDOWS\system32\BCMWLU00.EXE
2007-08-28 21:45 <DIR> d-------- C:\Program Files\HP
2007-08-28 21:18 57,344 --a------ C:\WINDOWS\system32\wzcdlg.dll
2007-08-28 21:18 31,232 --a------ C:\WINDOWS\system32\wzcsapi.dll
2007-08-28 21:18 281,088 --a------ C:\WINDOWS\system32\wzcsvc.dll
2007-08-28 21:18 1,630,208 --a------ C:\WINDOWS\system32\netshell.dll
2007-08-28 21:18 1,630,208 --a------ C:\WINDOWS\system32\dllcache\netshell.dll
2007-08-28 02:38 8,224 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-08-28 02:38 303,136 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-08-28 02:26 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-28 02:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-28 01:47 <DIR> d-------- C:\f-vmonde
2007-08-28 01:32 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-08-28 01:32 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2007-08-28 01:32 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-08-28 01:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-08-28 01:31 75,932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-08-28 01:31 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-08-28 01:30 110,360 --a------ C:\WINDOWS\system32\drivers\kl1.sys
2007-08-28 01:28 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-08-28 01:28 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-08-28 01:27 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-08-27 23:49 593,408 --a------ C:\WINDOWS\system32\dllcache\xpsp2res.dll
2007-08-27 23:45 50,176 --a------ C:\WINDOWS\system32\dpwsockx.dll
2007-08-27 23:45 214,528 --a------ C:\WINDOWS\system32\dplayx.dll
2007-08-27 23:40 32,256 --a------ C:\WINDOWS\system32\msgsvc.dll
2007-08-27 23:36 35,648 --a------ C:\WINDOWS\system32\ntio411.sys
2007-08-27 23:36 35,424 --a------ C:\WINDOWS\system32\ntio412.sys
2007-08-27 23:36 34,560 --a------ C:\WINDOWS\system32\ntio804.sys
2007-08-27 23:36 34,560 --a------ C:\WINDOWS\system32\ntio404.sys
2007-08-27 23:36 33,840 --a------ C:\WINDOWS\system32\ntio.sys
2007-08-27 23:34 260,096 --a------ C:\WINDOWS\system32\mstask.dll
2007-08-27 23:34 172,544 --a------ C:\WINDOWS\system32\schedsvc.dll
2007-08-27 23:34 10,752 --a------ C:\WINDOWS\system32\mstinit.exe
2007-08-27 22:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir PersonalEdition Classic
2007-08-27 20:53 593,408 --a------ C:\WINDOWS\system32\h323msp.dll
2007-08-27 20:53 548,352 --a------ C:\WINDOWS\system32\rtcdll.dll
2007-08-27 20:53 439,808 --a------ C:\WINDOWS\system32\ipnathlp.dll
2007-08-27 20:53 40,960 --a------ C:\WINDOWS\system32\dllcache\evtgprov.dll
2007-08-27 20:53 36,864 --a------ C:\WINDOWS\system32\mf3216.dll
2007-08-27 20:53 307,200 --a------ C:\WINDOWS\system32\dllcache\netapi32.dll
2007-08-27 20:53 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2007-08-27 20:52 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-08-27 20:41 991,232 --a------ C:\WINDOWS\system32\esent.dll
2007-08-27 19:48 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-08-27 19:46 <DIR> d-------- C:\WINDOWS\system32\bits
2007-08-27 19:45 7,680 --a------ C:\WINDOWS\system32\dllcache\bitsprx2.dll
2007-08-27 19:45 7,680 --a------ C:\WINDOWS\system32\bitsprx2.dll
2007-08-27 19:45 7,168 --a------ C:\WINDOWS\system32\dllcache\bitsprx3.dll
2007-08-27 19:45 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2007-08-27 19:45 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2007-08-27 19:45 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-08-27 19:43 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-08-27 19:43 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-08-27 19:43 33,624 --a------ C:\WINDOWS\system32\wups.dll
2007-08-27 19:43 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-08-27 18:32 <DIR> d-------- C:\Program Files\XP TCPIP Repair
2007-08-27 11:09 99,865 --a------ C:\WINDOWS\system32\dllcache\xlog.exe
2007-08-27 11:09 4,608 --a------ C:\WINDOWS\system32\dllcache\xrxflnch.exe
2007-08-27 11:09 27,648 --a------ C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-08-27 11:09 23,040 --a------ C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-08-27 11:09 19,455 --a------ C:\WINDOWS\system32\dllcache\wvchntxx.sys
2007-08-27 11:09 19,328 --a------ C:\WINDOWS\system32\dllcache\wstcodec.sys
2007-08-27 11:09 17,408 --a------ C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-08-27 11:09 16,970 --a------ C:\WINDOWS\system32\dllcache\xem336n5.sys
2007-08-27 11:09 116,224 --a------ C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-08-27 10:48 66,048 --a------ C:\WINDOWS\system32\dllcache\s3legacy.dll
2007-08-27 10:45 2,148,352 --a------ C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2007-08-27 02:51 44,928 --a------ C:\WINDOWS\system32\dllcache\agpcpq.sys
2007-08-27 02:51 43,008 --a------ C:\WINDOWS\system32\dllcache\amdagp.sys
2007-08-27 02:51 42,752 --a------ C:\WINDOWS\system32\dllcache\alim1541.sys
2007-08-27 02:51 42,240 --a------ C:\WINDOWS\system32\dllcache\viaagp.sys
2007-08-27 02:51 41,088 --a------ C:\WINDOWS\system32\dllcache\sisagp.sys
2007-08-27 02:47 285,184 --a------ C:\WINDOWS\system32\dllcache\fxscomex.dll
2007-08-27 02:47 24,064 --a------ C:\WINDOWS\system32\dllcache\evntcmd.exe
2007-08-27 02:47 236,544 --a------ C:\WINDOWS\system32\dllcache\smi2smir.exe
2007-08-27 02:47 23,552 --a------ C:\WINDOWS\system32\dllcache\fxsmon.dll
2007-08-27 02:46 92,160 --a------ C:\WINDOWS\system32\dllcache\evntwin.exe
2007-08-27 02:46 6,144 --a------ C:\WINDOWS\system32\dllcache\snmpmib.dll
2007-08-27 02:46 267,776 --a------ C:\WINDOWS\system32\dllcache\fxssvc.exe
2007-08-27 02:46 22,528 --a------ C:\WINDOWS\system32\dllcache\lpdsvc.dll
2007-08-27 02:45 400,384 --a------ C:\WINDOWS\system32\dllcache\fxsxp32.dll
2007-08-27 02:45 39,936 --a------ C:\WINDOWS\system32\dllcache\hostmib.dll
2007-08-27 02:45 188,416 --a------ C:\WINDOWS\system32\dllcache\snmpsmir.dll
2007-08-27 02:44 6,656 --a------ C:\WINDOWS\system32\dllcache\fxsres.dll
2007-08-27 02:44 40,960 --a------ C:\WINDOWS\system32\dllcache\msiregmv.exe
2007-08-27 02:44 246,272 --a------ C:\WINDOWS\system32\dllcache\fxst30.dll
2007-08-27 02:43 7,680 --a------ C:\WINDOWS\system32\dllcache\migregdb.exe
2007-08-27 02:43 452,096 --a------ C:\WINDOWS\system32\dllcache\fxsapi.dll
2007-08-27 02:43 259,072 --a------ C:\WINDOWS\system32\dllcache\snmpcl.dll
2007-08-27 02:43 23,552 --a------ C:\WINDOWS\system32\dllcache\fxsext32.dll
2007-08-27 02:42 562,176 --a------ C:\WINDOWS\system32\dllcache\fxsst.dll
2007-08-27 02:42 229,376 --a------ C:\WINDOWS\system32\dllcache\fxscover.exe
2007-08-27 02:42 192,512 --a------ C:\WINDOWS\system32\dllcache\fxswzrd.dll
2007-08-27 02:41 8,704 --a------ C:\WINDOWS\system32\dllcache\snmptrap.exe
2007-08-27 02:41 397,312 --a------ C:\WINDOWS\system32\dllcache\fxstiff.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-26 18:10 --------- d-------- C:\Program Files\Lavasoft
2007-09-26 18:10 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-26 18:09 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-24 20:02 --------- d-------- C:\Program Files\America Online 8.0
2007-09-24 19:53 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-24 18:48 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-09-24 18:25 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-09-23 07:34 --------- d-------- C:\Program Files\Common Files\ErrorSafe Free
2007-09-23 03:22 --------- d-------- C:\WINDOWS\system32\config\SYSTEM~1\APPLIC~1\Yahoo!
2007-09-23 01:17 1178739 --ahs---- C:\WINDOWS\system32\kmllm.bak2
2007-09-22 12:54 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Error Safe Free
2007-09-19 22:20 6458 --ahs---- C:\WINDOWS\system32\kmllm.bak1
2007-09-15 17:11 --------- d-------- C:\Program Files\WinBudget
2007-08-28 23:26 4628 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-08-28 23:26 1796 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-08-28 21:53 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-28 11:44 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-28 11:36 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-27 22:00 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-08-27 19:41 --------- d-------- C:\Program Files\QuickTime
2007-08-27 19:41 --------- d-------- C:\Program Files\America Online 9.0
2007-08-27 19:36 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Yahoo!
2007-08-27 19:28 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-27 19:28 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-04 08:06 1972 --a------ C:\Program Files\installer.js
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2005-07-29 23:24:26 472 --sha-r C:\WINDOWS\T3duZXI\naxRtrK.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2231217D-687D-4DD4-B3F6-390BF59C02C8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2EB8EB11-C040-429A-B3B3-4BE6DB9FF76B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3006FBB2-3DBE-4DC0-8DD3-AE749AC1005C}]
C:\WINDOWS\System32\mllmk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C696AD2B-47ED-393A-EC59-387612635397}]
C:\WINDOWS\System32\hdfllubt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C934903B-61BE-403A-BC70-D738DAF43B8E}]
C:\WINDOWS\System32\msscds32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F5DE8ADB-4A69-4e56-96AB-823171C8E9D8}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2002-06-11 16:14 C:\WINDOWS\system32\Ati2mdxx.exe]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" []
"PreloadApp"="c:\hp\drivers\printers\photosmart\hphprld.exe" [2001-12-12 10:05]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" []
"Display Settings"="C:\Program Files\HPQ\Notebook Utilities\hptasks.exe" []
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-01-24 13:37]
"winpack"="C:\WINDOWS\System32\winpack.exe" []
"gsqmr"="C:\WINDOWS\System32\gsqmr.exe" []
"Aim6"="" []
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 17:22]
"Aaou"="C:\DOCUME~1\Owner\MYDOCU~1\PPATCH~1\regsvr32.exe" []
"Dgdvsl"="C:\Documents and Settings\Owner\My Documents\s?curity\??rvices.exe" []
"Pdsmxhm"="C:\WINDOWS\system32\s?curity\w?nword.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kbdeds]
kbdeds.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllmk]
C:\WINDOWS\System32\mllmk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnmnmk]
pmnmnmk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winipo32]
winipo32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\wvurrsq.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli

R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys
R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\System32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\System32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\System32\drivers\UdfReadr_xp.sys
R2 StreamDispatcher;StreamDispatcher;C:\WINDOWS\System32\DRIVERS\strmdisp.sys
R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;C:\WINDOWS\System32\drivers\caliaud.sys
R3 CALIHALA;CALIHALA;C:\WINDOWS\System32\drivers\calihal.sys
R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\System32\Drivers\DKbFltr.SYS
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;C:\WINDOWS\System32\DRIVERS\DP83815.SYS
R3 mmc_2K;mmc_2K;C:\WINDOWS\System32\drivers\mmc_2K.sys
S3 allegro;ESS Allegro Audio Driver (WDM);C:\WINDOWS\System32\drivers\es198x.sys
S3 CE3;Xircom Ethernet Adapter 10/100 Service;C:\WINDOWS\System32\DRIVERS\ce3n5.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\System32\drivers\dvd_2K.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-29 10:19:28
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-29 10:21:42 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-29 10:21

--- E O F ---

Hrast
2007-08-29, 18:37
HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:02 AM, on 8/29/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2231217D-687D-4DD4-B3F6-390BF59C02C8} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {2EB8EB11-C040-429A-B3B3-4BE6DB9FF76B} - \
O2 - BHO: (no name) - {3006FBB2-3DBE-4DC0-8DD3-AE749AC1005C} - C:\WINDOWS\System32\mllmk.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {C696AD2B-47ED-393A-EC59-387612635397} - C:\WINDOWS\System32\hdfllubt.dll (file missing)
O2 - BHO: msscds32.msdn_hlp - {C934903B-61BE-403A-BC70-D738DAF43B8E} - C:\WINDOWS\System32\msscds32.dll (file missing)
O2 - BHO: (no name) - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: (no name) - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [winpack] C:\WINDOWS\System32\winpack.exe
O4 - HKCU\..\Run: [gsqmr] C:\WINDOWS\System32\gsqmr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Aaou] "C:\DOCUME~1\Owner\MYDOCU~1\PPATCH~1\regsvr32.exe" -vt yazb
O4 - HKCU\..\Run: [Dgdvsl] "C:\Documents and Settings\Owner\My Documents\s?curity\??rvices.exe"
O4 - HKCU\..\Run: [Pdsmxhm] C:\WINDOWS\system32\s?curity\w?nword.exe
O4 - HKCU\..\Policies\Explorer\Run: [gsqmr] C:\WINDOWS\System32\gsqmr.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: NDWCab - http://www.neededware.com/ndw4.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188261758182
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {D35B74F6-E099-4CDD-91E0-9EA7C30059D1} (Main Class) - http://www.dialer-shop.com/webdial/webdial24106.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{945D054B-4B16-48BC-8489-A3E52F0BF75E}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: c:\windows\system32\wvurrsq.dll
O20 - Winlogon Notify: kbdeds - kbdeds.dll (file missing)
O20 - Winlogon Notify: mllmk - C:\WINDOWS\System32\mllmk.dll (file missing)
O20 - Winlogon Notify: pmnmnmk - pmnmnmk.dll (file missing)
O20 - Winlogon Notify: winipo32 - winipo32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9047 bytes


Thanks.

pskelley
2007-08-29, 19:25
Thanks for returning your information and the feedback, let's proceed like this.

Would you look at this information and assure me it is valid for you: http://whois.domaintools.com/192.168.1.1

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(leave this first item if you set it that way)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O2 - BHO: (no name) - {2231217D-687D-4DD4-B3F6-390BF59C02C8} - (no file)
O2 - BHO: (no name) - {2EB8EB11-C040-429A-B3B3-4BE6DB9FF76B} - \
O2 - BHO: (no name) - {3006FBB2-3DBE-4DC0-8DD3-AE749AC1005C} - C:\WINDOWS\System32\mllmk.dll (file missing)
O2 - BHO: (no name) - {C696AD2B-47ED-393A-EC59-387612635397} - C:\WINDOWS\System32\hdfllubt.dll (file missing)
O2 - BHO: msscds32.msdn_hlp - {C934903B-61BE-403A-BC70-D738DAF43B8E} - C:\WINDOWS\System32\msscds32.dll (file missing)
O2 - BHO: (no name) - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - (no file)
O4 - HKCU\..\Run: [winpack] C:\WINDOWS\System32\winpack.exe
O4 - HKCU\..\Run: [gsqmr] C:\WINDOWS\System32\gsqmr.exe
O4 - HKCU\..\Run: [Aaou] "C:\DOCUME~1\Owner\MYDOCU~1\PPATCH~1\regsvr32.exe" -vt yazb
O4 - HKCU\..\Run: [Dgdvsl] "C:\Documents and Settings\Owner\My Documents\s?curity\??rvices.exe"
O4 - HKCU\..\Run: [Pdsmxhm] C:\WINDOWS\system32\s?curity\w?nword.exe
O4 - HKCU\..\Policies\Explorer\Run: [gsqmr] C:\WINDOWS\System32\gsqmr.exe
(you may leave the sbcglobal.net items if you are positive they are safe)
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: NDWCab - http://www.neededware.com/ndw4.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {D35B74F6-E099-4CDD-91E0-9EA7C30059D1} (Main Class) - http://www.dialer-shop.com/webdial/webdial24106.cab
O20 - AppInit_DLLs: c:\windows\system32\wvurrsq.dll
O20 - Winlogon Notify: kbdeds - kbdeds.dll (file missing)
O20 - Winlogon Notify: mllmk - C:\WINDOWS\System32\mllmk.dll (file missing)
O20 - Winlogon Notify: pmnmnmk - pmnmnmk.dll (file missing)
O20 - Winlogon Notify: winipo32 - winipo32.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\System32\winpack.exe <<< delete that file

C:\WINDOWS\System32\gsqmr.exe <<< delete that file

C:\DOCUMENTS & SETTINGS~1\Owner\MYDOCUMENTS~1\PPATCH~1\ <<< delete that folder

C:\WINDOWS\system32\s?curity\ <<< delete that folder

c:\windows\system32\wvurrsq.dll <<< delete that file

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post a new HJT log, and any comments you think will help.

Thanks
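The entries pskelley singles out above share a few recognisable shapes: BHO and Winlogon Notify registrations whose DLL is already gone, an AppInit_DLLs value, Run entries launched from a user profile or from a folder such as `s?curity` whose real name contains characters the log could not render (a literal `?` is not legal in a Windows file name), a copy of `regsvr32.exe` living under My Documents, an ActiveX object installed from `file://`, and a `Policies\Explorer\Run` autostart. The script below is an added example, not part of the thread or of HijackThis, that applies those checks to HJT-format lines. Its sample input is constructed from the log above (one folder name carries a Cyrillic letter to show what the forum printed as `?`, and the `crypt32chain` line is made up), and the lists of system binary names, stock Winlogon notification packages and expected ActiveX hosts are assumptions to tune per machine.

```python
"""Triage HijackThis-style autostart lines for the persistence patterns in
this thread.  Added example; the sample input below is constructed."""
import re
from collections import namedtuple
from urllib.parse import urlparse

# Constructed sample in HJT format, modelled on the thread's log.  The 'Dgdvsl'
# line uses U+0435 (Cyrillic, renders like 'e') where the forum printed '?';
# the 'Pdsmxhm' line keeps the '?' exactly as the forum rendered it.
SAMPLE_LOG = """\
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn\\yt.dll
O2 - BHO: (no name) - {3006FBB2-3DBE-4DC0-8DD3-AE749AC1005C} - C:\\WINDOWS\\System32\\mllmk.dll (file missing)
O4 - HKLM\\..\\Run: [avgnt] "C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe" /min
O4 - HKCU\\..\\Run: [Aaou] "C:\\DOCUME~1\\Owner\\MYDOCU~1\\PPATCH~1\\regsvr32.exe" -vt yazb
O4 - HKCU\\..\\Run: [Dgdvsl] "C:\\Documents and Settings\\Owner\\My Documents\\s\u0435curity\\services.exe"
O4 - HKCU\\..\\Run: [Pdsmxhm] C:\\WINDOWS\\system32\\s?curity\\w?nword.exe
O4 - HKCU\\..\\Policies\\Explorer\\Run: [gsqmr] C:\\WINDOWS\\System32\\gsqmr.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188261758182
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\\counter.cab
O16 - DPF: NDWCab - http://www.neededware.com/ndw4.cab
O20 - AppInit_DLLs: c:\\windows\\system32\\wvurrsq.dll
O20 - Winlogon Notify: kbdeds - kbdeds.dll (file missing)
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
PATH_RE = re.compile(r'"([^"]+)"|([A-Za-z]:\\\S+)')   # quoted path, or bare path without spaces
SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\windows\\system32\\", re.I)
PROFILE_RE = re.compile(r"\\(documents and settings|docume~1|users)\\", re.I)
# Assumptions: Windows binary names malware borrows; Winlogon notification
# packages that ship with XP; hosts this owner is expected to have installed
# ActiveX controls from.  Tune all three for the machine being examined.
SYSTEM_BINARIES = {"regsvr32.exe", "services.exe", "svchost.exe", "lsass.exe",
                   "winlogon.exe", "csrss.exe", "explorer.exe"}
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
EXPECTED_DPF_HOSTS = ("microsoft.com", "hp.com", "kaspersky.com",
                      "f-secure.com", "yahoo.com")

Finding = namedtuple("Finding", "line_no severity reason entry")


def extract_path(text):
    """First quoted or bare drive-letter path in an HJT entry, else None."""
    m = PATH_RE.search(text)
    return (m.group(1) or m.group(2)) if m else None


def inspect_run_path(path):
    """Reasons an O4 autostart target looks wrong (empty list if none)."""
    reasons = []
    if any(ord(ch) > 127 for ch in path):
        reasons.append("path contains non-ASCII characters (look-alike name)")
    if "?" in path:   # '?' cannot occur in a real Windows name; the log could not render the character
        reasons.append("path contains '?': the real name holds characters the log could not render")
    if PROFILE_RE.search(path):
        reasons.append("autostart runs from a user profile directory")
    name = path.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_BINARIES and not SYSTEM32_RE.match(path):
        reasons.append(f"'{name}' is a Windows binary name but the file lives outside System32")
    return reasons


def triage_line(line):
    """Yield (severity, reason) for one HJT line; severity is high or medium."""
    m = ENTRY_RE.match(line)
    if not m:
        return
    kind, body = m.groups()
    if "(file missing)" in body or "(no file)" in body:
        yield "medium", "registration points at a file that no longer exists"
    if kind == "O20" and body.startswith("AppInit_DLLs:"):
        yield "high", "AppInit_DLLs loads this DLL into every process that loads user32.dll"
    elif kind == "O20" and body.startswith("Winlogon Notify:"):
        package = body.split(":", 1)[1].split(" - ")[0].strip().lower()
        if package not in KNOWN_NOTIFY:
            yield "high", f"unknown Winlogon notification package '{package}' runs inside winlogon.exe"
    elif kind == "O4":
        for reason in inspect_run_path(extract_path(body) or ""):
            yield "high", reason
        if "\\Policies\\Explorer\\Run" in body:
            yield "medium", "Policies\\Explorer\\Run is rarely used by legitimate software"
    elif kind == "O16":
        source = body.rsplit(" - ", 1)[-1].strip()
        host = (urlparse(source).hostname or "").lower()
        if source.lower().startswith("file:"):
            yield "high", "ActiveX control installed from a local file:// source"
        elif not any(host == h or host.endswith("." + h) for h in EXPECTED_DPF_HOSTS):
            yield "medium", f"ActiveX control downloaded from unexpected host '{host}'"


def triage(log_text):
    """Run every line of an HJT log through triage_line; return Findings in log order."""
    return [Finding(n, sev, why, line.strip())
            for n, line in enumerate(log_text.splitlines(), 1)
            for sev, why in triage_line(line.rstrip())]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:2d} [{f.severity}] {f.reason}")
```

Run against the constructed sample, the script flags exactly the nine lines pskelley asked to fix in that category and leaves the Yahoo, AntiVir, Windows Update and `crypt32chain` lines alone. A "file missing" entry is still worth fixing: the file was removed by a scanner, but the registration remains and will load the DLL again if anything drops a file with that name back in place.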

Hrast
2007-08-29, 19:51
The 192.168.1.1 DNS address is correct. My firewall for the LAN is also a caching nameserver.

None of the files listed in Step 4 exist.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:03 AM, on 8/29/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188261758182
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{945D054B-4B16-48BC-8489-A3E52F0BF75E}: NameServer = 192.168.1.1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7277 bytes

pskelley
2007-08-29, 20:03
Thanks for returning your log and the feedback,
None of the files listed in Step 4 exist.

Often they are gone with the HJT removal, but I like to double check. The HJT log looks good. How is the computer running now?

I suggest you consider updating to IE 7 for the additional security it gives.
http://www.microsoft.com/windows/products/winfamily/ie/default.mspx

I would like to run one more scan to look for hidden stuff if it works for you.
First remove ComboFix, especially the C:\Qoobox\Quarantine folder; the scan will see all of those quarantined items as infections, and you need it off your computer anyway.

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks

Hrast
2007-08-29, 20:17
The machine is running much better. In fact, I'm having a hard time believing it's the same machine as two days ago.

I have to get the owner to be okay with IE7. It's either that or Firefox at this point. I'm not doing this again.

The Kaspersky scan is running right now, I'll post the results when it completes.

Hrast
2007-08-29, 21:31
Kaspersky scan output:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, August 29, 2007 1:26:59 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 29/08/2007
Kaspersky Anti-Virus database records: 373690
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 55777
Number of viruses found: 4
Number of infected objects: 3
Number of suspicious objects: 16
Duration of the scan process: 01:15:35

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aoltsmon.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\server.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchGonnaSearch2.zip/stdrun4.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchGonnaSearch2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodecStarVideos11.zip/stdrun4.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodecStarVideos11.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodecStarVideos4.zip/stdrun3.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodecStarVideos4.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip/retadpu77.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip/retadpu11.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde4.zip/retadpu1000106.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde4.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde9.zip/win79.tmp.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde9.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip/Yazzle1552OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012007082920070830\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFE41D.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Simple Star\PhotoShow Deluxe 3\data\Xtras\MSSYSMGR.0XE Infected: Backdoor.Win32.Aebot.r skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\YOUR-6BVPXYZTOQ.ldb Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\T0A.0XE Infected: Trojan.Win32.Kolweb.g skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\Temp\ZLT022aa.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT061c5.TMP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\WINH32.0XE Infected: Trojan.Win32.VB.azo skipped

Scan process completed.

pskelley
2007-08-29, 22:55
Thanks for returning your information and the feedback.

KASPERSKY ONLINE SCANNER REPORT Wednesday, August 29, 2007 1:26:59 PM

Number of infected objects: 3
Number of suspicious objects: 16

After you clean these items, be sure to empty the Recycle Bin or your next scan will show C:\ Recycler...infected

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\
Open Spybot and click on the white case with the red cross, remove all items in Recovery.

These were bad items but some program you ran renamed them so they are benign, delete the file in red
C:\Program Files\Simple Star\PhotoShow Deluxe 3\data\Xtras\MSSYSMGR.0XE Infected: Backdoor.Win32.Aebot.r skipped
C:\WINDOWS\WINH32.0XE Infected: Trojan.Win32.VB.azo skipped
C:\WINDOWS\system32\T0A.0XE Infected: Trojan.Win32.Kolweb.g skipped

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
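An added example (not from this thread, pskelley, or Kaspersky): a small Python parser for report lines in the format pasted above, which separates "Object is locked" noise from "Infected:" hits and lists the files whose extension a cleaner already changed to .0XE, so they can be deleted by hand rather than run. The sample lines are constructed, and the .0XE suffix is the one the thread describes.

```python
import re
from collections import Counter

# Constructed sample in the format of the Kaspersky Online Scanner report quoted in the thread.
SAMPLE_LOG = r"""
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\T0A.0XE Infected: Trojan.Win32.Kolweb.g skipped
C:\WINDOWS\WINH32.0XE Infected: Trojan.Win32.VB.azo skipped
C:\Program Files\Simple Star\PhotoShow Deluxe 3\data\Xtras\MSSYSMGR.0XE Infected: Backdoor.Win32.Aebot.r skipped

Scan process completed.
"""

# A report line is "<path> Infected: <detection name> <action>" or "<path> Object is locked <action>".
# Paths may contain spaces, so the path group is non-greedy and anchored by the fixed status text.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\S+)$")

# Extension a cleaner gave the renamed executables (per the thread): the file can no longer
# run, but it still trips the scanner and should be deleted by hand. Assumed list.
NEUTERED_SUFFIXES = (".0xe",)


def parse_report(text):
    """Turn report lines into dicts; lines matching neither pattern are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = INFECTED_RE.match(line)
        if m:
            entries.append({"status": "infected", **m.groupdict()})
            continue
        m = LOCKED_RE.match(line)
        if m:
            entries.append({"status": "locked", "name": None, **m.groupdict()})
    return entries


def detection_counts(entries):
    """Count how often each detection name appears among the infected entries."""
    return Counter(e["name"] for e in entries if e["status"] == "infected")


def neutered_files(entries):
    """Infected files whose extension was already changed by a cleaner: delete, do not run."""
    return [e["path"] for e in entries
            if e["status"] == "infected" and e["path"].lower().endswith(NEUTERED_SUFFIXES)]


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_LOG)
    print(f"{len(parsed)} entries, {sum(e['status'] == 'infected' for e in parsed)} infected")
    for path in neutered_files(parsed):
        print("delete by hand:", path)
```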

Hrast
2007-08-30, 02:49
Final Kaspersky scan came back clean, made a new restore point, I'm on to my final configuration.

Thanks so much, you guys rock.

pskelley
2007-09-01, 15:21
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks