Can't remove Trojan Generic9.AJIM



hleighty
2008-01-23, 02:56
Persistent malware infection attributed to a BHO with filename C:\Windows\System32\adsld.dll. The file is locked to access by WinHex and by the built-in Administrator user account. The file cannot be viewed in a hex editor (Access Denied) and immediately reappears after deletion to the Recycle Bin. This file is reliably and repeatedly identified by AVG 7.5 as Trojan Generic9.AJIM, but all efforts to quarantine the infected file fail with immediate replacement of the quarantined file. Below is the HJT 2.0.2 log, followed in the next post of this thread by the Kaspersky online scanner log. Thanks for any assistance in removing this malware object.
-----[ Begin HJT Log ]-----
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:34:37 PM, on 1/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\AOL\1133668973\ee\AOLSoftware.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {EE5A0A38-CEF3-43A7-B3E6-50A4C9E230FE} - C:\WINDOWS\system32\adsld.dll
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SynTPStart] "C:\Program Files\Synaptics\SynTP\SynTPStart.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1133668973\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://c:\program files\common files\aolcoach\en_en\player\plugin\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} - http://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146596725093
O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - http://www.networksolutionsemailpopwizard.com/TrueSwitchEC.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = feddema.local
O17 - HKLM\Software\..\Telephony: DomainName = feddema.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = feddema.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = feddema.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = feddema.local
O20 - Winlogon Notify: winwll32 - winwll32.dll (file missing)
O20 - Winlogon Notify: yayabcd - yayabcd.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LBV - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\LBV.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 9167 bytes
-----[ End HJT Log ]-----


Thanks for any help or suggestions.
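The log above is read by hand in the thread; as an added example (not HijackThis code, not something the poster ran, and not part of the original post) the script below parses the O2, O4, O20 and O23 line formats exactly as they appear in that log and flags the entries a responder looks at first: a BHO with no display name, Winlogon Notify and service registrations whose binary is missing, and anything launching from a Temp folder. The flagging rules are the example's own assumptions, and the sample lines are copied from the posted log.

```python
"""Triage of HijackThis (HJT) log lines.

Added example for this thread; it is not HijackThis code. It parses the O2,
O4, O20 and O23 line formats as they appear in the posted log and flags the
entries a responder reads first. The flagging rules are the example's own
assumptions; SAMPLE_LOG is copied from the log in the thread.
"""
import re
from dataclasses import dataclass
from typing import List

# Line formats of the HJT sections handled here (other sections pass through).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+?)\\\.\.\\(?P<key>[^:]+): \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>\S+)(?P<note>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]*)\))? - (?P<vendor>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    section: str   # HJT section tag, e.g. "O2"
    reason: str    # why the line was flagged
    line: str      # the original log line


def in_temp_dir(path: str) -> bool:
    """True when a launch path sits inside any Temp folder (profile or %SystemRoot%\\Temp)."""
    return "\\temp\\" in path.lower()


def triage(log_text: str) -> List[Finding]:
    """Walk an HJT log and return the lines worth a second look, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            if m["name"] == "(no name)":
                findings.append(Finding("O2", "BHO registered without a display name; verify the DLL's publisher", line))
            elif in_temp_dir(m["path"]):
                findings.append(Finding("O2", "BHO loaded from a Temp folder", line))
            continue
        m = O4_RE.match(line)
        if m:
            if in_temp_dir(m["cmd"]):
                findings.append(Finding("O4", "autorun entry launches from a Temp folder", line))
            continue
        m = O20_RE.match(line)
        if m:
            if "file missing" in m["note"]:
                findings.append(Finding("O20", "orphaned Winlogon Notify registration (DLL gone, key remains)", line))
            else:
                findings.append(Finding("O20", "Winlogon Notify DLL is loaded by winlogon at every logon; verify it", line))
            continue
        m = O23_RE.match(line)
        if m:
            if "(file missing)" in m["path"]:
                findings.append(Finding("O23", "service registration whose binary is missing", line))
            elif m["vendor"] == "Unknown owner" and in_temp_dir(m["path"]):
                findings.append(Finding("O23", "service with no vendor name running from a Temp folder", line))
    return findings


# Lines copied from the HJT log posted in this thread (constructed subset).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {EE5A0A38-CEF3-43A7-B3E6-50A4C9E230FE} - C:\WINDOWS\system32\adsld.dll
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O20 - Winlogon Notify: winwll32 - winwll32.dll (file missing)
O20 - Winlogon Notify: yayabcd - yayabcd.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: LBV - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\LBV.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the posted log this picks out the nameless adsld.dll BHO, the two orphaned Winlogon Notify entries and the LBV service registration in Temp; the named, vendor-attributed entries are left alone, which is the point of a triage pass rather than a blacklist.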

hleighty
2008-01-23, 02:57
Here is the Kaspersky scan log.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, January 21, 2008 12:43:32 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/01/2008
Kaspersky Anti-Virus database records: 525897
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 79428
Number of viruses found: 17
Number of infected objects: 70
Number of suspicious objects: 0
Duration of the scan process: 01:36:38

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\LightScribe\log\log2504.txt Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF47AE.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NL3C23CI\RegistryCleaner[1].exe/RegistryCleaner.exe Infected: not-a-virus:FraudTool.Win32.RegCleanFix.a skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NL3C23CI\RegistryCleaner[1].exe SetupFactory: infected - 1 skipped
C:\Documents and Settings\Administrator\My Documents\maps.exe/stream/data0008 Infected: not-a-virus:AdWare.Win32.Comet.ay skipped
C:\Documents and Settings\Administrator\My Documents\maps.exe/stream Infected: not-a-virus:AdWare.Win32.Comet.ay skipped
C:\Documents and Settings\Administrator\My Documents\maps.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aoltsmon.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\server.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\tracking.log Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP164\A0032884.exe Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP167\A0033959.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cll skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP168\A0035040.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP168\A0035042.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.gn skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP168\A0035042.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP168\A0035045.exe Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP168\A0035051.exe Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP169\A0036023.dll Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP169\A0036024.dll Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP171\A0039027.dll Infected: not-a-virus:AdWare.Win32.BHO.oi skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP171\A0039051.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP171\A0039061.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP171\A0039070.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP171\A0039080.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP171\A0039101.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP171\A0039109.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP171\A0039110.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP171\A0039164.exe Infected: not-a-virus:FraudTool.Win32.RegCleanFix.a skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP171\A0039167.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.aa skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP173\A0039231.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP173\A0039249.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP173\A0039257.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP175\A0039296.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP176\A0040322.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP176\A0041332.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP176\A0041350.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP176\A0041365.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041651.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cll skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041653.dll Infected: Trojan.Win32.Obfuscated.mi skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041654.dll Infected: Trojan.Win32.Obfuscated.mi skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041655.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cll skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041659.exe Infected: Trojan-Spy.Win32.BZub.buz skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041660.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cll skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041661.dll Infected: Trojan.Win32.Obfuscated.mi skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041662.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.v skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041663.dll Infected: Trojan.Win32.Obfuscated.lf skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041664.exe Infected: not-virus:Hoax.Win32.Renos.apg skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041665.exe Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041666.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cll skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041775.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041781.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041787.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041795.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041824.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP178\A0041832.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP179\A0041845.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP179\A0041879.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP180\A0041894.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP180\A0041899.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP180\A0041907.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP181\A0042073.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP181\A0042335.sys Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP182\A0042343.exe Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP182\A0042344.dll Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP182\A0042345.dll Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP182\A0042346.exe Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP182\A0042347.exe Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP182\A0042348.dll Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP194\change.log Object is locked skipped
C:\VNC\vnc-4_1_1-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
C:\VNC\vnc-4_1_1-x86_win32.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\VNC\vnc-4_1_1-x86_win32.exe Inno: infected - 2 skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{A548819D-A954-466E-98CC-FB7CE95949D8}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\adsld.dll Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\win10AF.exe/data0004/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.gn skipped
C:\WINDOWS\Temp\win10AF.exe/data0004 Infected: not-a-virus:AdWare.Win32.PurityScan.gn skipped
C:\WINDOWS\Temp\win10AF.exe/data0005 Infected: Trojan-Downloader.Win32.Agent.hjs skipped
C:\WINDOWS\Temp\win10AF.exe/data0006/data0007 Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\WINDOWS\Temp\win10AF.exe/data0006 Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\WINDOWS\Temp\win10AF.exe NSIS: infected - 5 skipped
C:\WINDOWS\Temp\win1179.exe/data0004/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.gn skipped
C:\WINDOWS\Temp\win1179.exe/data0004 Infected: not-a-virus:AdWare.Win32.PurityScan.gn skipped
C:\WINDOWS\Temp\win1179.exe/data0005 Infected: Trojan-Downloader.Win32.Agent.hjs skipped
C:\WINDOWS\Temp\win1179.exe/data0006/data0007 Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\WINDOWS\Temp\win1179.exe/data0006 Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\WINDOWS\Temp\win1179.exe NSIS: infected - 5 skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

hleighty
2008-01-23, 15:32
While waiting for a response, I am continuing to pursue and investigate this problem within my limited resources.

Adaware 2007 with latest updates finds three registry entries that can't be handled by either quarantine or removal. After exporting to a .reg file, attempted manual removal using regedit also fails (Access Denied) even when IE7 is closed (logged in normally to the built-in Administrator user account). The three suspicious keys reported by Adaware 2007 that can't be modified or deleted are:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu

In checking the Permissions for this Hive and Key, the only entities that have Full Control are SYSTEM and the local Administrators Group on the local machine. Everyone else (including CREATOR-OWNER) has Read Permission and Special Permissions. But the built-in Administrator user account has an entry showing its permissions set to "Special Permissions" even though this user account is a member of the local Administrators Group. This probably explains why the keys can't be accessed or modified (the most restrictive permissions apply).

I'm awaiting any advice that may become available.

hleighty
2008-01-23, 15:34
While waiting for a response, I am continuing to pursue and investigate this problem within my limited resources.

Adaware 2007 with latest updates finds three registry entries that can't be handled by either quarantine or removal. After exporting to a .reg file, attempted manual removal using regedit also fails (Access Denied) even when IE7 is closed (logged in normally to the built-in Administrator user account). The three suspicious keys reported by Adaware 2007 that can't be modified or deleted are:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu

In checking the Permissions for this Hive and Key, the only entities that have Full Control are SYSTEM and the Administrators Group on the local machine. Everyone else (including CREATOR-OWNER) has Read Permission and Special Permissions. But the built-in Administrator user account has an entry showing its permissions set to "Special Permissions" only, even though this user account is a member of the local Administrators Group. This probably explains why the keys can't be accessed or modified (the most restrictive permissions apply) when logged in normally to the built-in Administrator user account.

I'm awaiting any advice that may become available.
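The permission picture in the two posts above (Full Control for SYSTEM and Administrators, a separate "Special Permissions" entry on the built-in Administrator account, Access Denied for that account) is what a Deny ACE on the account produces. As an added example, not part of the thread and not a Windows API, the script below models the Windows DACL access check over a constructed DACL in that shape and shows the Deny entry for the one account winning over the group's Full Control, while another member of Administrators and SYSTEM are unaffected. The exact ACE on the poster's key is not shown in the thread, so the Deny ACE, the machine SID and the second account are constructed; implicit owner rights, privileges such as SeTakeOwnershipPrivilege, and inheritance are left out of the model.

```python
"""Model of the Windows DACL access check for a registry key.

Added example; not part of the forum thread and not Windows code. It walks a
constructed DACL in the order the access check uses, so the effect described
in the posts is visible: a Deny ACE for one account wins over a Full Control
Allow ACE for a group that account belongs to.
Assumptions: ACEs already in canonical order (explicit Deny before Allow), no
implicit owner rights, no privileges, no inheritance.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple

# Registry-key access rights (values from winnt.h / winreg.h).
KEY_QUERY_VALUE = 0x0001
KEY_SET_VALUE = 0x0002
KEY_CREATE_SUB_KEY = 0x0004
KEY_ENUMERATE_SUB_KEYS = 0x0008
KEY_NOTIFY = 0x0010
DELETE = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
WRITE_OWNER = 0x00080000
KEY_READ = 0x00020019        # READ_CONTROL | QUERY_VALUE | ENUMERATE_SUB_KEYS | NOTIFY
KEY_ALL_ACCESS = 0x000F003F  # "Full Control" in regedit

# Well-known SIDs (real) and a constructed SID for the local built-in
# Administrator (RID 500 under a made-up machine SID).
SYSTEM = "S-1-5-18"
ADMINISTRATORS = "S-1-5-32-544"
USERS = "S-1-5-32-545"
CREATOR_OWNER = "S-1-3-0"
EVERYONE = "S-1-1-0"
LOCAL_ADMIN = "S-1-5-21-1000-2000-3000-500"       # constructed
OTHER_ADMIN = "S-1-5-21-1000-2000-3000-1001"      # constructed second account


@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # SID the ACE applies to
    mask: int      # access rights covered by the ACE


def access_check(dacl: Iterable[Ace], token_sids: Set[str], desired: int) -> Tuple[bool, Optional[Ace]]:
    """Return (granted, deciding_ace) for the requested rights.

    ACEs are examined in order. An ACE whose trustee is not in the token is
    skipped. A matching Deny ACE covering any still-outstanding right ends the
    check with denial. A matching Allow ACE removes the rights it grants; the
    check succeeds as soon as nothing is outstanding. Running out of ACEs with
    rights still outstanding is a denial.
    """
    remaining = desired
    for ace in dacl:
        if ace.trustee not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False, ace
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True, ace
    return False, None


# Constructed DACL in the shape the posts describe for
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf:
# Full Control for SYSTEM and Administrators, Read for the rest, plus a
# "Special Permissions" entry on the built-in Administrator account, modelled
# here as a Deny of the write-type rights (the post does not show the real ACE).
BROWSER_SETTINGS_DACL = [
    Ace("deny", LOCAL_ADMIN, DELETE | KEY_SET_VALUE | KEY_CREATE_SUB_KEY | WRITE_DAC | WRITE_OWNER),
    Ace("allow", SYSTEM, KEY_ALL_ACCESS),
    Ace("allow", ADMINISTRATORS, KEY_ALL_ACCESS),
    Ace("allow", CREATOR_OWNER, KEY_READ),
    Ace("allow", USERS, KEY_READ),
]

# Tokens: the SIDs each logon session carries (constructed).
ADMIN_TOKEN = {LOCAL_ADMIN, ADMINISTRATORS, USERS, EVERYONE}
OTHER_ADMIN_TOKEN = {OTHER_ADMIN, ADMINISTRATORS, USERS, EVERYONE}
SYSTEM_TOKEN = {SYSTEM, EVERYONE}


def can(token: Set[str], desired: int, dacl: Iterable[Ace] = BROWSER_SETTINGS_DACL) -> bool:
    """Convenience wrapper: does this token get these rights on the key?"""
    return access_check(list(dacl), token, desired)[0]


def without_deny(dacl: Iterable[Ace]) -> list:
    """The same DACL with explicit Deny entries removed (what a cleanup restores)."""
    return [a for a in dacl if a.kind != "deny"]


if __name__ == "__main__":
    for label, token in (("built-in Administrator", ADMIN_TOKEN),
                         ("other Administrators member", OTHER_ADMIN_TOKEN),
                         ("SYSTEM", SYSTEM_TOKEN)):
        print(f"{label:28} read={can(token, KEY_READ)!s:5} delete={can(token, DELETE)!s:5}")
    print("built-in Administrator, Deny ACE removed: delete =", can(ADMIN_TOKEN, DELETE, without_deny(BROWSER_SETTINGS_DACL)))
```

The practical reading for a responder: when regedit reports Access Denied to a member of Administrators on a key that grants Administrators Full Control, look in the key's Advanced permissions for an explicit Deny entry on the account (or on Everyone) rather than for a missing Allow; the Deny sits first in canonical order and short-circuits the check, which is why group membership does not help. Removing that entry requires WRITE_DAC, which the same Deny can also withhold, so the fix is done from a context the Deny does not name (here SYSTEM or another administrator account).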

katana
2008-01-30, 16:01
Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D


Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Unless informed in advance, failure to post replies within 5 days will result in this thread being closed.


Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.



Kaspersky Online Scanner
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary
Once the database has downloaded, click Next.
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
Click on "My Computer" and then put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Please post the ComboFix log along with the Kaspersky log in your reply.

hleighty
2008-02-04, 19:04
Thanks for responding. I'm now beginning the procedures you sent me and I will follow the instructions faithfully to the best of my ability. Your help is greatly appreciated. More later when I have the first results.

hleighty
2008-02-04, 20:42
ComboFix 08-01-29.3 - Administrator 2008-02-04 9:58:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.154 [GMT -8:00]
Running from: F:\Security\Spyware\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\adsld.dll
C:\WINDOWS\system32\drivers\fcoaugqg.dat
C:\Program Files\Helper
C:\setup.exe
C:\WINDOWS\system32\adsld.dll
C:\WINDOWS\system32\dbddbbaac7_r.dll
C:\WINDOWS\system32\drivers\fcoaugqg.dat
C:\WINDOWS\system32\jkklk.dll
C:\WINDOWS\system32\lnnmp.ini
C:\WINDOWS\system32\lnnmp.ini2
C:\WINDOWS\system32\mcrh.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_BWQECBQE
-------\bwqecbqe


((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
.

2008-02-04 09:49 . 2004-08-04 04:00 260,272 -r-hs---- C:\cmldr
2008-02-04 09:49 . 2008-01-29 11:58 210 -rahs---- C:\BOOT.BAK
2008-01-30 10:30 . 2008-01-30 10:30 <DIR> d-------- C:\Program Files\CCleaner
2008-01-30 10:12 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-23 03:48 . 2008-01-23 03:48 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-23 03:48 . 2008-01-23 03:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-23 03:47 . 2008-01-23 03:47 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-22 16:30 . 2008-01-22 16:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-21 09:41 . 2008-01-21 09:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-21 09:41 . 2008-01-21 09:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-20 06:04 . 2008-01-20 06:06 <DIR> d-------- C:\Program Files\WinHex
2008-01-19 13:41 . 2008-01-19 13:41 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-19 13:41 . 2008-01-23 03:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-01-19 13:40 . 2008-01-19 13:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-18 12:13 . 2008-01-18 12:13 23 --a------ C:\WINDOWS\system32\afdffca_r.ocx
2008-01-18 12:12 . 2008-01-18 12:12 <DIR> d-------- C:\Program Files\jv16 PowerTools 2007
2008-01-18 10:54 . 2007-01-18 04:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-13 13:59 . 2008-01-19 13:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-11 00:14 . 2008-01-11 00:14 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2008-01-11 00:13 . 2008-01-11 00:13 <DIR> d-------- C:\Program Files\MSECACHE
2008-01-10 22:29 . 2007-04-12 02:58 1,052,472 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2008-01-10 22:29 . 2007-04-12 02:58 300,816 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
2008-01-10 22:29 . 2007-04-12 02:58 199,440 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-01-10 22:29 . 2007-04-12 02:58 112,400 --a------ C:\WINDOWS\system32\drivers\tm_mbd_c.sys
2008-01-10 22:29 . 2007-04-12 02:58 75,792 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2008-01-10 22:29 . 2007-04-12 02:58 32,528 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-01-09 15:22 . 2008-01-09 15:22 <DIR> d-------- C:\Program Files\WinASO
2008-01-09 14:36 . 2008-01-11 08:38 137 --a------ C:\WINDOWS\wininit.ini
2008-01-09 13:29 . 2008-01-20 05:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-09 12:55 . 2008-01-09 12:55 <DIR> d-------- C:\Program Files\BillP Studios
2008-01-09 12:55 . 2008-01-09 12:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\WinPatrol
2008-01-07 13:51 . 2008-01-07 13:52 1,291,662 --a------ C:\Install
2008-01-07 10:30 . 2008-01-09 11:50 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-07 10:30 . 2008-01-07 10:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-06 03:14 . 2008-01-07 12:45 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2008-01-04 18:24 . 2008-01-04 18:24 <DIR> d-------- C:\WINDOWS\RegistryCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 18:12 --------- d-----w C:\Program Files\Java
2008-01-11 06:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-01-09 22:53 188 ----a-w C:\CMDR950I.DAT
2008-01-09 21:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-07 20:45 --------- d-----w C:\Program Files\Nxdfiedj
2008-01-07 18:59 --------- d-----w C:\Program Files\America Online 9.0
2008-01-07 18:27 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-07 17:51 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2008-01-07 17:51 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-12-19 05:54 --------- d-----w C:\Program Files\Yahoo!
2007-12-19 05:54 --------- d-----w C:\Program Files\Pure Networks
2007-12-19 05:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Gtek
2007-12-19 05:40 --------- d-----w C:\Documents and Settings\Administrator\Application Data\GTek
2007-12-19 05:23 --------- d-----w C:\Program Files\MSBuild
2007-12-19 05:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-19 05:14 --------- d-----w C:\Program Files\Reference Assemblies
2007-12-19 05:05 --------- d-----w C:\Program Files\Three Rings Design
2007-12-19 04:57 --------- d-----w C:\Program Files\HPQ
2007-12-19 04:55 --------- d-----w C:\Program Files\R4 Controller
2007-12-19 04:52 --------- d-----w C:\Program Files\MSXML 6.0
2007-12-19 03:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2007-12-19 03:29 --------- d-----w C:\Program Files\MSD
2007-12-19 03:28 --------- d-----w C:\Program Files\Maxthon
2007-12-19 03:12 --------- d-----w C:\Program Files\Google
2007-12-19 03:08 --------- d-----w C:\Program Files\HandyBits
2007-12-19 03:06 --------- d-----w C:\Program Files\AOL Deskbar
2007-11-14 16:55 164 ----a-w C:\install.dat
2006-12-30 21:23 1,798 -c--a-w C:\Documents and Settings\Administrator\Application Data\wklnhst.dat
2006-03-07 18:59 8,842 -c--a-r C:\Program Files\VSHARE.38_
2006-03-07 18:59 67,828 -c--a-r C:\Program Files\TABCTL16.OC_
2006-03-07 18:59 64,000 -c--a-r C:\Program Files\STORAGE.DL2
2006-03-07 18:59 580,252 -c--a-r C:\Program Files\VB40016.DL_
2006-03-07 18:59 49,399 -c--a-r C:\Program Files\VBDB16.DL_
2006-03-07 18:59 25,197 -c--a-r C:\Program Files\STORAGE.DL1
2006-03-07 18:59 23,044 -c--a-r C:\Program Files\VAEN21.OL_
2006-03-07 18:59 108,779 -c--a-r C:\Program Files\TYPELIB.DL_
2006-03-07 18:59 1,897 -c--a-r C:\Program Files\VBAJET.DL_
2006-03-07 18:59 1,602 -c--a-r C:\Program Files\WB383SB.95_
2006-03-07 18:59 1,528 -c--a-r C:\Program Files\WBMP2405.95_
2006-03-07 18:59 1,496 -c--a-r C:\Program Files\WBTB7503.95_
2006-03-07 18:59 1,494 -c--a-r C:\Program Files\WBSC14SC.95_
2006-03-07 18:59 1,485 -c--a-r C:\Program Files\TBI7503.95_
2006-03-07 18:59 1,476 -c--a-r C:\Program Files\WB502SYS.95_
2006-03-07 18:59 1,472 -c--a-r C:\Program Files\TBI6502.95_
2006-03-07 18:59 1,472 -c--a-r C:\Program Files\TBI6501.95_
2006-03-07 18:59 1,456 -c--a-r C:\Program Files\WBMP3008.95_
2006-03-07 18:59 1,449 -c--a-r C:\Program Files\WBTBBLWN.95_
2006-03-07 18:59 1,437 -c--a-r C:\Program Files\TBI6503.95_
2006-03-07 18:59 1,420 -c--a-r C:\Program Files\WBTC4CYL.95_
2006-03-07 18:59 1,414 -c--a-r C:\Program Files\ZZ4MPI30.95_
2006-03-07 18:58 98,789 -c--a-r C:\Program Files\OLE2NLS.DL_
2006-03-07 18:58 88,532 -c--a-r C:\Program Files\OLE2DISP.DL_
2006-03-07 18:58 8,000 -c--a-r C:\Program Files\MSJETERR.DL_
2006-03-07 18:58 7,684 -c--a-r C:\Program Files\SCP.DL_
2006-03-07 18:58 617,834 -c--a-r C:\Program Files\MSAJT200.DL_
2006-03-07 18:58 60,352 -c--a-r C:\Program Files\PEGO16A.OC_
2006-03-07 18:58 59,061 -c--a-r C:\Program Files\SETUP1.EX_
2006-03-07 18:58 502,082 -c--a-r C:\Program Files\PEGRP16A.DL_
2006-03-07 18:58 5,762 -c--a-r C:\Program Files\OLE2.RE_
2006-03-07 18:58 44,428 -c--a-r C:\Program Files\PE3DO16A.OC_
2006-03-07 18:58 4,039 -c--a-r C:\Program Files\STKIT416.DL_
2006-03-07 18:58 39,785 -c--a-r C:\Program Files\MSCOMM16.OC_
2006-03-07 18:58 35,579 -c--a-r C:\Program Files\OLE2CONV.DL_
2006-03-07 18:58 306,271 -c--a-r C:\Program Files\OC25.DL_
2006-03-07 18:58 30,624 -c--a-r C:\Program Files\SETUP.EXE
2006-03-07 18:58 274,957 -c--a-r C:\Program Files\PRO950.EX_
2006-03-07 18:58 24,410 -c--a-r C:\Program Files\OLE2PROX.DL_
2006-03-07 18:58 2,856 -c--a-r C:\Program Files\STDOLE.TL_
2006-03-07 18:58 170,995 -c--a-r C:\Program Files\OLE2.DL_
2006-03-07 18:58 12,896 -c--a-r C:\Program Files\MSJETINT.DL_
2006-03-07 18:58 12,148 -c--a-r C:\Program Files\SETUP.LST
2006-03-07 18:58 1,479 -c--a-r C:\Program Files\SC14PSI.95_
2006-03-07 18:58 1,455 -c--a-r C:\Program Files\STLTHZZ4.95_
2006-03-07 18:58 1,447 -c--a-r C:\Program Files\MPI3008.95_
2006-03-07 18:58 1,327 -c--a-r C:\Program Files\R42600.95_
2006-03-07 18:58 1,326 -c--a-r C:\Program Files\R42700.95_
2006-03-07 18:58 1,321 -c--a-r C:\Program Files\R50700.95_
2006-03-07 18:58 1,288 -c--a-r C:\Program Files\R50800.95_
2006-03-07 18:57 74,916 -c--a-r C:\Program Files\DBLIST16.OC_
2006-03-07 18:57 67,072 -c--a-r C:\Program Files\DAO2516.DL2
2006-03-07 18:57 61,684 -c--a-r C:\Program Files\COMPOBJ.DL_
2006-03-07 18:57 46,105 -c--a-r C:\Program Files\COMDLG16.OC_
2006-03-07 18:57 38,144 -c--a-r C:\Program Files\C950CALC.XL_
2006-03-07 18:57 203,301 -c--a-r C:\Program Files\DAO2516.DL1
2006-03-07 18:57 173,744 -c--a-r C:\Program Files\DBGRID16.OC_
2006-03-07 18:57 15,098 -c--a-r C:\Program Files\CTL3DV2.DL_
2006-03-07 18:57 106,413 -c--a-r C:\Program Files\GRDKRN16.DL_
2006-03-07 18:57 1,562 -c--a-r C:\Program Files\MPI2402.95_
2006-03-07 18:57 1,513 -c--a-r C:\Program Files\MPI2405.95_
2006-03-07 18:57 1,504 -c--a-r C:\Program Files\MPI1901.95_
2006-03-07 18:57 1,497 -c--a-r C:\Program Files\MPI3006.95_
2006-03-07 18:57 1,483 -c--a-r C:\Program Files\MPI3007.95_
2006-03-07 18:57 1,480 -c--a-r C:\Program Files\350_85.95_
2006-03-07 18:57 1,469 -c--a-r C:\Program Files\50242PPH.95_
2006-03-07 18:57 1,465 -c--a-r C:\Program Files\MPI3004.95_
2006-03-07 18:57 1,465 -c--a-r C:\Program Files\BBC50PPH.95_
2006-03-07 18:57 1,463 -c--a-r C:\Program Files\383SC.95_
2006-03-07 18:57 1,462 -c--a-r C:\Program Files\502SYSMX.95_
2006-03-07 18:57 1,462 -c--a-r C:\Program Files\350SBC30.95_
2006-03-07 18:57 1,459 -c--a-r C:\Program Files\MPI2403.95_
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 18:00 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 04:12 102492]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 02:27 1015808]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 12:54 253952]
"Lexmark 4200 Series"="C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe" [2004-01-16 02:04 57344]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 00:51 172032]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 00:50 204800]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 02:29 102400]
"HostManager"="C:\Program Files\Common Files\AOL\1133668973\ee\AOLSoftware.exe" [2006-09-25 16:52 50736]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-10-26 08:06 292152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-19 13:41 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwll32]
winwll32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayabcd]
yayabcd.dll

S3 LBV;LBV;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\LBV.exe []
S3 UnlockerDriver4;UnlockerDriver4 Driver;C:\Program Files\Unlocker\UnlockerDriver4.sys []
S3 USA19H;USA19H;C:\WINDOWS\system32\DRIVERS\USA19H2k.sys [2003-06-24 19:30]
S3 USA19H2KP;Keyspan USB Serial Port Driver;C:\WINDOWS\system32\DRIVERS\USA19H2kp.SYS [2003-06-24 19:21]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-01 02:45:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-20 15:00:28 C:\WINDOWS\Tasks\wrSpySweeper20060502143530.job"
??
????.
\- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe*/ScheduleSweep=wrSpySweeper20060502143530
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 10:07:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\Common Files\AOL\1133668973\ee\AOLSoftware.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-04 10:10:01 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-02-04 18:09:56
.
2008-01-10 05:47:37 --- E O F ---

hleighty
2008-02-04, 20:44
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:29 AM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\Common Files\AOL\1133668973\ee\AOLSoftware.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SynTPStart] "C:\Program Files\Synaptics\SynTP\SynTPStart.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1133668973\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://c:\program files\common files\aolcoach\en_en\player\plugin\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} - http://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146596725093
O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - http://www.networksolutionsemailpopwizard.com/TrueSwitchEC.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = feddema.local
O17 - HKLM\Software\..\Telephony: DomainName = feddema.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = feddema.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = feddema.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = feddema.local
O20 - Winlogon Notify: winwll32 - winwll32.dll (file missing)
O20 - Winlogon Notify: yayabcd - yayabcd.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LBV - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\LBV.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 8903 bytes

katana
2008-02-04, 23:16
Do you have the Kaspersky log ?

hleighty
2008-02-05, 01:54
Here is the error message I get when trying to Install the Kaspersky Online Scanner:

"Failed to load Kaspersky Online Scanner ActiveX control!

You must have administrative rights on this computer;
you also must have the IE security settings to the Medium level."

I am logged-in to Windows XP using the built-in Administrator user account. The IE7 Security Settings are at 'Medium'.

hleighty
2008-02-05, 02:01
I ran the Kaspersky Online scanner once before I got a response from Katana. This was before I ran ComboFix. After I finally got my instructions (long wait) I followed them exactly and installed the Recovery Console before running ComboFix. After ComboFix I ran HJT 2.0.2. But the next time I tried to run Kaspersky Online Scanner (that was installed before I got my instructions) it failed to run. I then uninstalled Kaspersky using Add/Remove Programs and then tried to reinstall it again per the instructions. That is when I got the Failure to load the ActiveX control. Same result on my second attempt. I'm stuck right now.

katana
2008-02-05, 02:02
OK, please try this instead

TotalScan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
Please go to this site Link >> TotalScan (http://www.nanoscan.com/as/v1/?) << LINK

Under Scan Now click the Full Scan button
Follow the prompts to install the Active X if necessary
Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
When the scan is finished, a report will be generated
Next to Scan Details click the small Save button and save the report to your desktop.
Please post the report in your reply.

hleighty
2008-02-05, 02:12
I clicked on the link in the instructions for TotalScan and opened the page at http://www.nanoscan.com/as/index/ where I saw a large green [Scan Now] button with two choices below it, Quick Scan and Full Scan. I chose Full Scan and then clicked [Scan Now]. After a brief wait I was prompted to Allow the ActiveX control. I did so. Then I clicked to [Install]. After another brief wait, the original screen with the big green [Scan Now] button returned. I tried again twice more -- same thing every time. Looks like an endless loop.

katana
2008-02-05, 02:19
It looks like there is a permissions issue somewhere.
Please do the following and then try Kaspersky again.

Please download FixPolicies.exe (http://downloads.malwareremoval.com/BillCastner/FixPolicies.exe) by Bill Castner and save it to your desktop.
Double click on FixPolicies.exe to run it.
Click on Install. It will create a folder named FixPolicies on your desktop.
Open the FixPolicies folder.
Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal.

hleighty
2008-02-05, 02:45
FixPolicies.cmd completed normally.
Awaiting further instructions.

katana
2008-02-05, 02:50
Try Kaspersky again.

hleighty
2008-02-05, 04:23
Same behavior for Kaspersky. It fails with a message:

Failed to load Kaspersky Online Scanner ActiveX control!

You must have administrative rights on this computer;
you also must have the IE security settings to the Medium level.

I noticed that during the long wait before the script timed out, Task Manager was showing 99% of CPU cycles were assigned to System Idle Process and 1% of CPU cycles were assigned to taskmgr.exe. The Applications Tab of Task Manager showed all open tasks as "Running" and none were marked as Not Responding. I also noted that there was only very briefly any packets sent and received as network traffic over the LAN. We do have a good connection to the internet and I can PING remote servers with 0% packet loss. It takes several minutes for the Install process to fail and show the error message.

Here is a question: I noticed from the ComboFix Log that the persistent file that previously could not be deleted (filename adsld.dll) was shown as having been deleted, along with several of its friends with equally suspicious filenames. I verified the absence of the known malware file using Windows Explorer. I confirmed that file C:\WINDOWS\System32\adsld.dll is no longer present. That file appears in the earlier HJT log as an O2 BHO entry. It is no longer being reported in the latest HJT log. Could it be that we have already achieved the desired results, notwithstanding the inability to run the Kaspersky scanner? What do you think?

hleighty
2008-02-05, 06:40
Here are some reports of my additional observations:

Before running ComboFix.exe, AVG Antivirus consistently reported the file C:\WINDOWS\System32\adsld.dll to be an infected file {Trojan Generic9.AJIM}. Each time the infected object was detected, it was sent to the AVG Virus Vault (quarantine by any other name), only to reappear immediately and be detected again by AVG, etc., in an endless loop of detection/quarantine/repeat.

Inspection of the Virus Vault showed multiple instances of the infected file, one for each time it was quarantined. This detection/quarantine loop had a frequency of about 2-3 detections per minute which made the computer virtually unusable. The short fix was to disable AVG so that the realtime scanner would not automatically start when Windows started. This made the computer "infected but usable".

Since I could not run Kaspersky a second time, I tried AVG again thinking that this might be relevant since AVG previously detected the infection very reliably. With the virus base updated to 2/4/2008, AVG scanned 27,812 objects and found zero errors and zero threats.

So to my untrained eye, the original reason for requesting help seems to be gone now. I think maybe ComboFix did the job and the ComboFix Log and the HJT Log both seem to confirm it.

Here is the telling part of the ComboFix Log:
((( Other Deletions )))
C:\WINDOWS\system32\adsld.dll
C:\WINDOWS\system32\drivers\fcoaugqg.dat
C:\Program Files\Helper
C:\setup.exe
C:\WINDOWS\system32\adsld.dll
C:\WINDOWS\system32\dbddbbaac7_r.dll
C:\WINDOWS\system32\drivers\fcoaugqg.dat
C:\WINDOWS\system32\jkklk.dll
C:\WINDOWS\system32\lnnmp.ini
C:\WINDOWS\system32\lnnmp.ini2
C:\WINDOWS\system32\mcrh.tmp

The confirmation is in the second HJT Log showing that the BHO c:\windows\system32\adsld.dll is no longer being reported. Further confirmation by AVG lends confidence to the hypothesis that "Maybe It Is Fixed Now".

Your comments on my "Maybe It Is Fixed Now" hypothesis are invited. If you want me to execute any other procedures, please pass me the instructions.

katana
2008-02-05, 12:38
It is very likely that the infection is gone, BUT, malware likes to hide itself these days and a fresh run with an online scanner will tell us if there are any stray files left behind.
The very fact that Kaspersky won't run tells me that something is not right somewhere along the way.


Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:



File::
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NL3C23CI\RegistryCleaner[1].exe
C:\Documents and Settings\Administrator\My Documents\maps.exe
C:\WINDOWS\Temp\win10AF.exe
C:\WINDOWS\Temp\win1179.exe
Folder::
Driver::
LBV
UnlockerDriver4
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwll32]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayabcd]
ADS::
Save this as CFScript.txt and place it on your desktop.


http://i51.photobucket.com/albums/f387/Katana_1970/CFScript.gif


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



Download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized, and extra.txt <- this one will be minimized.
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply.

hleighty
2008-02-06, 00:47
ComboFix 08-01-29.3 - Administrator 2008-02-05 14:15:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.153 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NL3C23CI\RegistryCleaner[1].exe
C:\Documents and Settings\Administrator\My Documents\maps.exe
C:\WINDOWS\Temp\win10AF.exe
C:\WINDOWS\Temp\win1179.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\My Documents\maps.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_LBV
-------\LEGACY_UNLOCKERDRIVER4
-------\LBV
-------\UnlockerDriver4


((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.

2008-02-04 09:49 . 2004-08-04 04:00 260,272 -r-hs---- C:\cmldr
2008-02-04 09:49 . 2008-01-29 11:58 210 -rahs---- C:\BOOT.BAK
2008-01-30 10:30 . 2008-01-30 10:30 <DIR> d-------- C:\Program Files\CCleaner
2008-01-30 10:12 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-23 03:48 . 2008-01-23 03:48 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-23 03:48 . 2008-01-23 03:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-23 03:47 . 2008-01-23 03:47 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-22 16:30 . 2008-01-22 16:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-21 09:41 . 2008-01-21 09:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-20 06:04 . 2008-01-20 06:06 <DIR> d-------- C:\Program Files\WinHex
2008-01-19 13:41 . 2008-01-19 13:41 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-19 13:41 . 2008-02-04 19:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-01-19 13:40 . 2008-01-19 13:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-18 12:13 . 2008-01-18 12:13 23 --a------ C:\WINDOWS\system32\afdffca_r.ocx
2008-01-18 12:12 . 2008-01-18 12:12 <DIR> d-------- C:\Program Files\jv16 PowerTools 2007
2008-01-18 10:54 . 2007-01-18 04:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-13 13:59 . 2008-01-19 13:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-11 00:14 . 2008-01-11 00:14 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2008-01-11 00:13 . 2008-01-11 00:13 <DIR> d-------- C:\Program Files\MSECACHE
2008-01-10 22:29 . 2007-04-12 02:58 1,052,472 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2008-01-10 22:29 . 2007-04-12 02:58 300,816 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
2008-01-10 22:29 . 2007-04-12 02:58 199,440 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-01-10 22:29 . 2007-04-12 02:58 112,400 --a------ C:\WINDOWS\system32\drivers\tm_mbd_c.sys
2008-01-10 22:29 . 2007-04-12 02:58 75,792 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2008-01-10 22:29 . 2007-04-12 02:58 32,528 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-01-09 15:22 . 2008-01-09 15:22 <DIR> d-------- C:\Program Files\WinASO
2008-01-09 14:36 . 2008-01-11 08:38 137 --a------ C:\WINDOWS\wininit.ini
2008-01-09 13:29 . 2008-01-20 05:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-09 12:55 . 2008-01-09 12:55 <DIR> d-------- C:\Program Files\BillP Studios
2008-01-09 12:55 . 2008-01-09 12:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\WinPatrol
2008-01-07 13:51 . 2008-01-07 13:52 1,291,662 --a------ C:\Install
2008-01-07 10:30 . 2008-01-09 11:50 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-07 10:30 . 2008-01-07 10:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-06 03:14 . 2008-01-07 12:45 10,752 --a------ C:\WINDOWS\DCEBoot.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 18:12 --------- d-----w C:\Program Files\Java
2008-01-11 06:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-01-09 22:53 188 ----a-w C:\CMDR950I.DAT
2008-01-09 21:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-07 20:45 --------- d-----w C:\Program Files\Nxdfiedj
2008-01-07 18:59 --------- d-----w C:\Program Files\America Online 9.0
2008-01-07 18:27 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-07 17:51 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2008-01-07 17:51 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-12-19 05:54 --------- d-----w C:\Program Files\Yahoo!
2007-12-19 05:54 --------- d-----w C:\Program Files\Pure Networks
2007-12-19 05:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Gtek
2007-12-19 05:40 --------- d-----w C:\Documents and Settings\Administrator\Application Data\GTek
2007-12-19 05:23 --------- d-----w C:\Program Files\MSBuild
2007-12-19 05:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-19 05:14 --------- d-----w C:\Program Files\Reference Assemblies
2007-12-19 05:05 --------- d-----w C:\Program Files\Three Rings Design
2007-12-19 04:57 --------- d-----w C:\Program Files\HPQ
2007-12-19 04:55 --------- d-----w C:\Program Files\R4 Controller
2007-12-19 04:52 --------- d-----w C:\Program Files\MSXML 6.0
2007-12-19 03:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2007-12-19 03:29 --------- d-----w C:\Program Files\MSD
2007-12-19 03:28 --------- d-----w C:\Program Files\Maxthon
2007-12-19 03:12 --------- d-----w C:\Program Files\Google
2007-12-19 03:08 --------- d-----w C:\Program Files\HandyBits
2007-12-19 03:06 --------- d-----w C:\Program Files\AOL Deskbar
2007-11-14 16:55 164 ----a-w C:\install.dat
2006-12-30 21:23 1,798 -c--a-w C:\Documents and Settings\Administrator\Application Data\wklnhst.dat
2006-03-07 18:59 8,842 -c--a-r C:\Program Files\VSHARE.38_
2006-03-07 18:59 67,828 -c--a-r C:\Program Files\TABCTL16.OC_
2006-03-07 18:59 64,000 -c--a-r C:\Program Files\STORAGE.DL2
2006-03-07 18:59 580,252 -c--a-r C:\Program Files\VB40016.DL_
2006-03-07 18:59 49,399 -c--a-r C:\Program Files\VBDB16.DL_
2006-03-07 18:59 25,197 -c--a-r C:\Program Files\STORAGE.DL1
2006-03-07 18:59 23,044 -c--a-r C:\Program Files\VAEN21.OL_
2006-03-07 18:59 108,779 -c--a-r C:\Program Files\TYPELIB.DL_
2006-03-07 18:59 1,897 -c--a-r C:\Program Files\VBAJET.DL_
2006-03-07 18:59 1,602 -c--a-r C:\Program Files\WB383SB.95_
2006-03-07 18:59 1,528 -c--a-r C:\Program Files\WBMP2405.95_
2006-03-07 18:59 1,496 -c--a-r C:\Program Files\WBTB7503.95_
2006-03-07 18:59 1,494 -c--a-r C:\Program Files\WBSC14SC.95_
2006-03-07 18:59 1,485 -c--a-r C:\Program Files\TBI7503.95_
2006-03-07 18:59 1,476 -c--a-r C:\Program Files\WB502SYS.95_
2006-03-07 18:59 1,472 -c--a-r C:\Program Files\TBI6502.95_
2006-03-07 18:59 1,472 -c--a-r C:\Program Files\TBI6501.95_
2006-03-07 18:59 1,456 -c--a-r C:\Program Files\WBMP3008.95_
2006-03-07 18:59 1,449 -c--a-r C:\Program Files\WBTBBLWN.95_
2006-03-07 18:59 1,437 -c--a-r C:\Program Files\TBI6503.95_
2006-03-07 18:59 1,420 -c--a-r C:\Program Files\WBTC4CYL.95_
2006-03-07 18:59 1,414 -c--a-r C:\Program Files\ZZ4MPI30.95_
2006-03-07 18:58 98,789 -c--a-r C:\Program Files\OLE2NLS.DL_
2006-03-07 18:58 88,532 -c--a-r C:\Program Files\OLE2DISP.DL_
2006-03-07 18:58 8,000 -c--a-r C:\Program Files\MSJETERR.DL_
2006-03-07 18:58 7,684 -c--a-r C:\Program Files\SCP.DL_
2006-03-07 18:58 617,834 -c--a-r C:\Program Files\MSAJT200.DL_
2006-03-07 18:58 60,352 -c--a-r C:\Program Files\PEGO16A.OC_
2006-03-07 18:58 59,061 -c--a-r C:\Program Files\SETUP1.EX_
2006-03-07 18:58 502,082 -c--a-r C:\Program Files\PEGRP16A.DL_
2006-03-07 18:58 5,762 -c--a-r C:\Program Files\OLE2.RE_
2006-03-07 18:58 44,428 -c--a-r C:\Program Files\PE3DO16A.OC_
2006-03-07 18:58 4,039 -c--a-r C:\Program Files\STKIT416.DL_
2006-03-07 18:58 39,785 -c--a-r C:\Program Files\MSCOMM16.OC_
2006-03-07 18:58 35,579 -c--a-r C:\Program Files\OLE2CONV.DL_
2006-03-07 18:58 306,271 -c--a-r C:\Program Files\OC25.DL_
2006-03-07 18:58 30,624 -c--a-r C:\Program Files\SETUP.EXE
2006-03-07 18:58 274,957 -c--a-r C:\Program Files\PRO950.EX_
2006-03-07 18:58 24,410 -c--a-r C:\Program Files\OLE2PROX.DL_
2006-03-07 18:58 2,856 -c--a-r C:\Program Files\STDOLE.TL_
2006-03-07 18:58 170,995 -c--a-r C:\Program Files\OLE2.DL_
2006-03-07 18:58 12,896 -c--a-r C:\Program Files\MSJETINT.DL_
2006-03-07 18:58 12,148 -c--a-r C:\Program Files\SETUP.LST
2006-03-07 18:58 1,479 -c--a-r C:\Program Files\SC14PSI.95_
2006-03-07 18:58 1,455 -c--a-r C:\Program Files\STLTHZZ4.95_
2006-03-07 18:58 1,447 -c--a-r C:\Program Files\MPI3008.95_
2006-03-07 18:58 1,327 -c--a-r C:\Program Files\R42600.95_
2006-03-07 18:58 1,326 -c--a-r C:\Program Files\R42700.95_
2006-03-07 18:58 1,321 -c--a-r C:\Program Files\R50700.95_
2006-03-07 18:58 1,288 -c--a-r C:\Program Files\R50800.95_
2006-03-07 18:57 74,916 -c--a-r C:\Program Files\DBLIST16.OC_
2006-03-07 18:57 67,072 -c--a-r C:\Program Files\DAO2516.DL2
2006-03-07 18:57 61,684 -c--a-r C:\Program Files\COMPOBJ.DL_
2006-03-07 18:57 46,105 -c--a-r C:\Program Files\COMDLG16.OC_
2006-03-07 18:57 38,144 -c--a-r C:\Program Files\C950CALC.XL_
2006-03-07 18:57 203,301 -c--a-r C:\Program Files\DAO2516.DL1
2006-03-07 18:57 173,744 -c--a-r C:\Program Files\DBGRID16.OC_
2006-03-07 18:57 15,098 -c--a-r C:\Program Files\CTL3DV2.DL_
2006-03-07 18:57 106,413 -c--a-r C:\Program Files\GRDKRN16.DL_
2006-03-07 18:57 1,562 -c--a-r C:\Program Files\MPI2402.95_
2006-03-07 18:57 1,513 -c--a-r C:\Program Files\MPI2405.95_
2006-03-07 18:57 1,504 -c--a-r C:\Program Files\MPI1901.95_
2006-03-07 18:57 1,497 -c--a-r C:\Program Files\MPI3006.95_
2006-03-07 18:57 1,483 -c--a-r C:\Program Files\MPI3007.95_
2006-03-07 18:57 1,480 -c--a-r C:\Program Files\350_85.95_
2006-03-07 18:57 1,469 -c--a-r C:\Program Files\50242PPH.95_
2006-03-07 18:57 1,465 -c--a-r C:\Program Files\MPI3004.95_
2006-03-07 18:57 1,465 -c--a-r C:\Program Files\BBC50PPH.95_
2006-03-07 18:57 1,463 -c--a-r C:\Program Files\383SC.95_
2006-03-07 18:57 1,462 -c--a-r C:\Program Files\502SYSMX.95_
2006-03-07 18:57 1,462 -c--a-r C:\Program Files\350SBC30.95_
2006-03-07 18:57 1,459 -c--a-r C:\Program Files\MPI2403.95_
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 18:00 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 04:12 102492]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 02:27 1015808]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 12:54 253952]
"Lexmark 4200 Series"="C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe" [2004-01-16 02:04 57344]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 00:51 172032]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 00:50 204800]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 02:29 102400]
"HostManager"="C:\Program Files\Common Files\AOL\1133668973\ee\AOLSoftware.exe" [2006-09-25 16:52 50736]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-10-26 08:06 292152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-19 13:40 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-19 13:41 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

S3 USA19H;USA19H;C:\WINDOWS\system32\DRIVERS\USA19H2k.sys [2003-06-24 19:30]
S3 USA19H2KP;Keyspan USB Serial Port Driver;C:\WINDOWS\system32\DRIVERS\USA19H2kp.SYS [2003-06-24 19:21]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-01 02:45:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-20 15:00:28 C:\WINDOWS\Tasks\wrSpySweeper20060502143530.job"
??
????.
\- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe*/ScheduleSweep=wrSpySweeper20060502143530
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 14:22:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\AOL\1133668973\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
.
**************************************************************************
.
Completion time: 2008-02-05 14:26:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-05 22:26:05
ComboFix2.txt 2008-02-04 18:10:01
.
2008-01-10 05:47:37 --- E O F ---

hleighty
2008-02-06, 00:47
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-02-05 14:31:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
53: 2008-02-05 22:31:14 UTC - RP212 - Deckard's System Scanner Restore Point
52: 2008-02-05 22:15:03 UTC - RP211 - ComboFix created restore point
51: 2008-02-05 18:15:19 UTC - RP210 - System Checkpoint
50: 2008-02-04 17:58:08 UTC - RP209 - ComboFix created restore point
49: 2008-02-04 13:10:22 UTC - RP208 - System Checkpoint


-- First Restore Point --
1: 2008-01-08 20:06:55 UTC - RP160 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:33:25 PM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\AOL\1133668973\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SynTPStart] "C:\Program Files\Synaptics\SynTP\SynTPStart.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1133668973\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://c:\program files\common files\aolcoach\en_en\player\plugin\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} - http://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146596725093
O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - http://www.networksolutionsemailpopwizard.com/TrueSwitchEC.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = feddema.local
O17 - HKLM\Software\..\Telephony: DomainName = feddema.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = feddema.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = feddema.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = feddema.local
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 8692 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>

S1 eabfiltr - c:\windows\system32\drivers\eabfiltr.sys (file missing)
S3 btaudio (Bluetooth Audio Device) - c:\windows\system32\drivers\btaudio.sys (file missing)
S3 BTDriver (Bluetooth Virtual Communications Driver) - c:\windows\system32\drivers\btport.sys (file missing)
S3 BTWDNDIS (Bluetooth LAN Access Server) - c:\windows\system32\drivers\btwdndis.sys (file missing)
S3 btwhid - c:\windows\system32\drivers\btwhid.sys (file missing)
S3 BTWUSB (WIDCOMM USB Bluetooth Driver) - c:\windows\system32\drivers\btwusb.sys (file missing)
S3 catchme - c:\docume~1\admini~1\locals~1\temp\catchme.sys (file missing)
S3 FTDIBUS (USB Serial Converter Driver) - c:\windows\system32\drivers\ftdibus.sys (file missing)
S3 FTSER2K (USB Serial Port Driver) - c:\windows\system32\drivers\ftser2k.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

S3 hpqwmi (HP WMI Interface) - c:\program files\hpq\shared\hpqwmi.exe <Not Verified; Hewlett-Packard Development Company, L.P.; hpqwmi Module>
S3 UPS (Uninterruptible Power Supply) - c:\windows\system32\ups.exe (file missing)
S4 PcCtlCom (Trend Micro Central Control Component) - c:\progra~1\trendm~1\intern~1\pcctlcom.exe (file missing)
S4 PcScnSrv (Trend Micro Protection Against Spyware ) - "c:\progra~1\trendm~1\intern~1\pcscnsrv.exe" (file missing)
S4 Tmntsrv (Trend Micro Real-time Service) - c:\progra~1\trendm~1\intern~1\tmntsrv.exe (file missing)
S4 TmPfw (Trend Micro Personal Firewall) - c:\progra~1\trendm~1\intern~1\tmpfw.exe (file missing)
S4 tmproxy (Trend Micro Proxy Service) - c:\progra~1\trendm~1\intern~1\tmproxy.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom 802.11b/g WLAN
Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_1355103C&REV_02\4&5A988DE&0&18F0
Manufacturer: Broadcom
Name: Broadcom 802.11b/g WLAN
PNP Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_1355103C&REV_02\4&5A988DE&0&18F0
Service: BCM43XX


-- Scheduled Tasks -------------------------------------------------------------

2008-01-31 18:45:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-01-20 07:00:28 2028 --a------ C:\WINDOWS\Tasks\wrSpySweeper20060502143530.job


-- Files created between 2008-01-05 and 2008-02-05 -----------------------------

2008-02-04 09:49:17 0 dr-hs---- C:\cmdcons
2008-02-04 09:49:15 0 d-------- C:\WINDOWS\setup.pss
2008-02-04 09:49:05 0 d-------- C:\WINDOWS\setupupd
2008-01-30 10:30:36 0 d-------- C:\Program Files\CCleaner
2008-01-23 03:48:34 0 d-------- C:\Program Files\Lavasoft
2008-01-23 03:48:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-23 03:47:57 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-22 16:30:50 0 d-------- C:\Program Files\Trend Micro
2008-01-21 09:41:12 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-20 06:04:24 0 d-------- C:\Program Files\WinHex
2008-01-19 14:36:51 0 dr-h----- C:\$VAULT$.AVG
2008-01-19 13:41:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-01-19 13:41:21 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-19 13:40:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-18 12:12:52 0 d-------- C:\Program Files\jv16 PowerTools 2007
2008-01-13 13:59:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-11 00:14:21 0 d-------- C:\Program Files\Windows Installer Clean Up
2008-01-11 00:13:31 0 d-------- C:\Program Files\MSECACHE
2008-01-09 15:22:01 0 d-------- C:\Program Files\WinASO
2008-01-09 13:29:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-09 12:55:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\WinPatrol
2008-01-09 12:55:19 0 d-------- C:\Program Files\BillP Studios
2008-01-09 11:51:25 0 d-------- C:\WINDOWS\pss
2008-01-08 12:10:23 0 d--h----- C:\Documents and Settings\LocalService\SendTo
2008-01-08 12:06:42 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-01-08 12:06:42 0 dr-h----- C:\Documents and Settings\LocalService\Recent
2008-01-07 16:24:42 5505024 --a------ C:\Documents and Settings\Administrator\ntuser.dat
2008-01-07 13:51:27 1291662 --a------ C:\Install
2008-01-06 03:14:44 10752 --a------ C:\WINDOWS\DCEBoot.exe


-- Find3M Report ---------------------------------------------------------------

2008-01-30 10:12:22 0 d-------- C:\Program Files\Java
2008-01-23 03:47:57 0 d-------- C:\Program Files\Common Files
2008-01-09 15:59:08 0 d-------- C:\Program Files\Online Services
2008-01-09 14:53:12 188 --a------ C:\CMDR950I.DAT
2008-01-07 12:45:03 0 d-------- C:\Program Files\Nxdfiedj
2008-01-07 10:59:55 0 d-------- C:\Program Files\America Online 9.0
2008-01-07 10:27:58 0 d-------- C:\Program Files\Common Files\AOL
2008-01-07 09:51:54 0 d-------- C:\Program Files\Microsoft IntelliPoint
2008-01-07 09:51:53 0 d-------- C:\Program Files\Microsoft IntelliType Pro
2007-12-18 21:54:40 0 d-------- C:\Program Files\Yahoo!
2007-12-18 21:54:40 0 d-------- C:\Program Files\Pure Networks
2007-12-18 21:40:06 0 d-------- C:\Documents and Settings\Administrator\Application Data\GTek
2007-12-18 21:23:12 0 d-------- C:\Program Files\MSBuild
2007-12-18 21:15:56 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-18 21:14:56 0 d-------- C:\Program Files\Reference Assemblies
2007-12-18 21:05:56 0 d-------- C:\Program Files\Three Rings Design
2007-12-18 20:57:37 0 d-------- C:\Program Files\HPQ
2007-12-18 20:55:27 0 d-------- C:\Program Files\R4 Controller
2007-12-18 20:52:00 0 d-------- C:\Program Files\MSXML 6.0
2007-12-18 19:29:07 0 d-------- C:\Program Files\MSD
2007-12-18 19:28:40 0 d-------- C:\Program Files\Maxthon
2007-12-18 19:12:22 0 d-------- C:\Program Files\Google
2007-12-18 19:08:35 0 d-------- C:\Program Files\HandyBits
2007-12-18 19:06:34 0 d-------- C:\Program Files\AOL Deskbar
2007-12-17 17:51:42 0 --a------ C:\127924536
2007-11-14 08:55:01 164 --a------ C:\install.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [02/02/2005 04:12 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [09/15/2007 02:27 AM]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [10/14/2004 12:54 PM]
"Lexmark 4200 Series"="C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe" [01/16/2004 02:04 AM]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [06/03/2004 12:51 AM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [06/03/2004 12:50 AM]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [09/15/2007 02:29 AM]
"HostManager"="C:\Program Files\Common Files\AOL\1133668973\ee\AOLSoftware.exe" [09/25/2006 04:52 PM]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [10/26/2007 08:06 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [12/14/2007 03:42 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [01/19/2008 01:40 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/09/2004 06:00 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 07:05 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-02-05 14:34:08 ------------

hleighty
2008-02-06, 00:48
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 3.00GHz
CPU 1: Intel(R) Pentium(R) 4 CPU 3.00GHz
Percentage of Memory in Use: 70%
Physical Memory (total/avail): 510.48 MiB / 150.06 MiB
Pagefile Memory (total/avail): 1245.2 MiB / 921.97 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1937.6 MiB

C: is Fixed (NTFS) - 74.53 GiB total, 51.83 GiB free.
D: is CDROM (No Media)
F: is Removable (FAT)

\\.\PHYSICALDRIVE0 - TOSHIBA MK8026GAX - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.53 GiB - C:

\\.\PHYSICALDRIVE1 - USB Device - 972.69 MiB - 1 partition
\PARTITION0 (bootable) - MS-DOS V4 Huge - 976.47 MiB - F:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
UpdatesDisableNotify is set.

FW: Trend Micro PC-cillin Internet Security (Firewall) v15 (Trend Micro, Inc.) Disabled
AV: AVG 7.5.516 v7.5.516 (Grisoft)
AV: Trend Micro PC-cillin Internet Security 2007 v15.30.1239 (Trend Micro, Inc.) Disabled Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PAVILION
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\PAVILION
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;c:\web_dev\imagemagick;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\TortoiseCVS;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Common Files\AOL\System Information
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0403
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=PAVILION
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS
__COMPAT_LAYER=DisableNXShowUI


-- User Profiles ---------------------------------------------------------------

Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------



-- Application Event Log -------------------------------------------------------

Event Record #/Type93 / Error
Event Submitted/Written: 02/04/2008 10:10:12 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application lsburnwatcher.exe, version 4.10.14.0, faulting module , version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [lsburnwatcher.exe!ws!]

Event Record #/Type87 / Warning
Event Submitted/Written: 02/04/2008 10:03:34 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type80 / Warning
Event Submitted/Written: 02/03/2008 03:15:40 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type58 / Warning
Event Submitted/Written: 01/29/2008 00:18:16 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type44 / Warning
Event Submitted/Written: 01/24/2008 01:27:40 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type22459 / Warning
Event Submitted/Written: 02/04/2008 09:38:59 PM
Event ID/Source: 11165 / DnsApi
Event Description:
The system failed to register host (A) resource records (RRs) for
network adapter
with settings:


Adapter Name : {CD69B4F5-DB67-41A5-B134-5279BE8FCEE7}

Host Name : pavilion

Primary Domain Suffix : feddema.local

DNS server list :

68.87.69.146, 68.87.85.98

Sent update to server : <?>

IP Address(es) :

192.168.1.101


The reason the system could not register these RRs was because the
DNS server contacted refused the update request. The reasons for this
might be (a) you are not allowed to update the specified DNS domain name,
or (b) because the DNS server authoritative for this name does not support
the DNS dynamic update protocol.


To register the DNS host (A) resource records using the specific DNS
domain name and IP addresses for this adapter, contact your DNS server
or network systems administrator.

Event Record #/Type22436 / Warning
Event Submitted/Written: 02/04/2008 09:00:19 PM
Event ID/Source: 11165 / DnsApi
Event Description:
The system failed to register host (A) resource records (RRs) for
network adapter
with settings:


Adapter Name : {CD69B4F5-DB67-41A5-B134-5279BE8FCEE7}

Host Name : pavilion

Primary Domain Suffix : feddema.local

DNS server list :

68.87.69.146, 68.87.85.98

Sent update to server : <?>

IP Address(es) :

192.168.1.101


The reason the system could not register these RRs was because the
DNS server contacted refused the update request. The reasons for this
might be (a) you are not allowed to update the specified DNS domain name,
or (b) because the DNS server authoritative for this name does not support
the DNS dynamic update protocol.


To register the DNS host (A) resource records using the specific DNS
domain name and IP addresses for this adapter, contact your DNS server
or network systems administrator.

Event Record #/Type22422 / Warning
Event Submitted/Written: 02/04/2008 10:21:40 AM
Event ID/Source: 11165 / DnsApi
Event Description:
The system failed to register host (A) resource records (RRs) for
network adapter
with settings:


Adapter Name : {CD69B4F5-DB67-41A5-B134-5279BE8FCEE7}

Host Name : pavilion

Primary Domain Suffix : feddema.local

DNS server list :

68.87.69.146, 68.87.85.98

Sent update to server : <?>

IP Address(es) :

192.168.1.101


The reason the system could not register these RRs was because the
DNS server contacted refused the update request. The reasons for this
might be (a) you are not allowed to update the specified DNS domain name,
or (b) because the DNS server authoritative for this name does not support
the DNS dynamic update protocol.


To register the DNS host (A) resource records using the specific DNS
domain name and IP addresses for this adapter, contact your DNS server
or network systems administrator.

Event Record #/Type22403 / Error
Event Submitted/Written: 02/04/2008 10:02:29 AM
Event ID/Source: 11 / PlugPlayManager
Event Description:
The device Root\LEGACY_BWQECBQE\0000 disappeared from the system without first being prepared for removal.

Event Record #/Type22402 / Error
Event Submitted/Written: 02/04/2008 10:02:28 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The combofix service failed to start due to the following error:
%%1053



-- End of Deckard's System Scanner: finished at 2008-02-05 14:34:08 ------------

katana
2008-02-06, 01:01
Well, that doesn't show much that would be causing trouble ???
Are you using IE for all these scans ?
Check that Active X is allowed.


Let's try this

Run Panda Online Scan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
Run Panda's ActiveScan from here (http://www.pandasoftware.com/activescan/com/activescan_principal.htm) and perform a full system scan.
- Once you are on the Panda site click the "Scan your PC" button
- A new window will open...click the big "Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
- Click on "Local Disks" to start the scan
- Save the log file to your desktop
Please post the log in your reply

hleighty
2008-02-06, 01:57
I verified the IE7 > Tools > Internet Options > Security > Custom Level settings do allow ActiveX controls (and even Scriptlets) to run without prompting.

I will run the Panda process and report back.

hleighty
2008-02-06, 02:24
From the Panda site you gave me in the link, the procedure you outlined in your instructions was not strictly followed by the website. There was an attempt to d/l and install an ActiveX control, and I allowed it. The process failed with an error message stating the following:

"Error on downloading ActiveScanAn error has occurred downloading Panda ActiveScan. Please repeat the process. If the error occurs again, restart your system and try againPossible causes of this error are:

Not allowing the application's ActiveX control to be downloaded.

Problems with the Internet connection.

The error could be due to a download error or an installation error due to lack of hard disk space, privileges etc.,... "

There is no antivirus or antispyware running.
WinPatrol is not running. The Windows XP SP2 Firewall is the only firewall that is running. All TrendMicro products have been uninstalled but some persistent remnants exist in the Registry and there are two Run links (that don't work) in the Windows Security Center.

This machine was previously used by a 14-year-old male with Asperger's Syndrome (a savant with a talent for getting in trouble with computers) and the machine came to me from his grandfather asking for help after the machine became mostly unusable with multiple malware infections, most of which I removed before coming to your group for the last piece of help needed.

I needed to ask for your help for the persistent malware file, adsld.dll and its unidentified tag-team of friends.

There are a lot of quirks in this machine that has suffered from many installs and uninstalls of all kinds of security products and this is obvious from inspecting the Registry. Before I came to this forum, I had used WINASO v2.7, a fairly reliable registry cleaner. But, like all registry cleaners, there are a lot of things they don't check for.

I feel like we are 'almost home' with this problem machine, but this quirky ActiveX problem is just strange, since the settings seem to be correct.

So now I am going to follow the instruction in the error message and restart the system and try again. More to follow later when results after the restart are known.

hleighty
2008-02-06, 02:36
In answer to the error message received from the failed Panda process, the following is noted:

There is ample space on the hard disk. There is nothing wrong with the internet connection (Comcast Broadband, my LAN). I am logged-on to Windows XP as the built-in Administrator user account.

Privileges might be an issue, since I noticed previously and reported it here, that AdAware found three Registry entries that could not be edited nor deleted. Those registry keys (reported previously on maybe page 1 of this thread) had Permissions set to "Special Permissions" for the built-in Administrator user account.

Maybe this is nothing, but I found it curious that the SYSTEM user account and members of the Local Administrators Group have Full Control; but the built-in Administrator user account only has "Special Permissions".

Here again is what I wrote from that previous entry:

Adaware 2007 with latest updates finds three registry entries that can't be handled by either quarantine or removal. After Exporting to a .reg file, attempted manual removal using regedit also fails (Access Denied) even when IE7 is closed (logged in normally to built-in Administrator user account). The three suspicious keys reported by Adaware 2007 that can't be modified or deleted are:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu

In checking the Permissions for this Hive and Key, the only entities that have Full Control are SYSTEM and the local Administrators Group on the local machine. Everyone else (including CREATOR-OWNER) has Read Permission and Special Permissions. But the built-in Administrator user account has an entry showing its permissions set to "Special Permissions" even though this user account is a member of the local Administrators Group. This probably explains why the keys can't be accessed or modified (the most restrictive permissions apply).
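
One way to inventory exactly which access control entries sit on keys like these, rather than reading them off the regedit Permissions dialog, is the PowerShell function below. It is an added example, not code from this thread or from any tool named in it; it takes the three key paths reported above as a constructed default list, resolves each trustee to a SID so the built-in Administrator (RID 500) is recognised even if renamed, and flags explicit Deny entries and partial entries for that account, which are the entries that would produce "Access Denied" for an administrator.

```powershell
# Added example (not from the thread). Reports the ACL of one or more registry keys
# and flags entries that would explain "Access Denied" for a member of Administrators:
# explicit Deny entries, and explicit entries for the built-in Administrator account
# (SID S-1-5-21-<domain>-500) that grant less than Full Control ("Special Permissions").
function Get-RegistryKeyAceReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Path
    )
    process {
        if (-not (Test-Path -Path $Path)) {
            Write-Warning "$Path does not exist (it may already have been removed by a cleaning tool)"
            return
        }
        try {
            $acl = Get-Acl -Path $Path
        } catch {
            # READ_CONTROL itself can be denied; then even listing the ACL fails and
            # ownership must be taken first from an account that is permitted to do so.
            Write-Warning "Cannot read the ACL of ${Path}: $($_.Exception.Message)"
            return
        }
        $full = [System.Security.AccessControl.RegistryRights]::FullControl

        foreach ($ace in $acl.Access) {
            # Resolve the trustee to a SID; an orphaned SID that no longer maps to an
            # account is kept as-is (it is itself worth noting on a cleaned machine).
            try {
                $sid = $ace.IdentityReference.Translate(
                           [System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                $sid = $ace.IdentityReference.Value
            }
            $isBuiltinAdmin = $sid -like 'S-1-5-21-*-500'
            $hasFull        = (($ace.RegistryRights -band $full) -eq $full)

            $reasons = @()
            if ($ace.AccessControlType -eq 'Deny') {
                $reasons += 'Deny entry (a Deny wins over Allow granted through group membership)'
            }
            if ($isBuiltinAdmin -and -not $ace.IsInherited -and -not $hasFull) {
                $reasons += 'explicit partial entry for built-in Administrator (shows as Special Permissions)'
            }

            [pscustomobject]@{
                Key        = $Path
                Owner      = $acl.Owner
                Identity   = $ace.IdentityReference.Value
                Sid        = $sid
                Type       = $ace.AccessControlType
                Rights     = $ace.RegistryRights
                Inherited  = $ace.IsInherited
                Suspicious = ($reasons.Count -gt 0)
                Reason     = ($reasons -join '; ')
            }
        }
    }
}

# Constructed default list: the three subkeys Ad-Aware reported in this thread.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu'
)
$keys | Get-RegistryKeyAceReport |
    Format-Table Key, Identity, Type, Rights, Inherited, Suspicious, Reason -AutoSize
```

Any row marked Suspicious is the entry to examine before deleting the key; an unexpected Deny for an administrative account on a key under Explorer is a common way malware keeps its configuration from being removed.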

hleighty
2008-02-06, 02:41
Regedit shows that the three subkeys previously mentioned no longer exist. Neither does the parent key. One or another of the tools we have used must have taken them out.

katana
2008-02-06, 02:47
Well it certainly seems to be messed up somewhere :sick:

These permissions issues may cause trouble in the future, so it is up to you if you want to try and sort them now.

I can see two options to try at the moment.
1) reinstall/repair IE
2) Create a new user account with Admin rights and see if the scans will work from that account.

hleighty
2008-02-06, 07:16
It is much easier to just create a new user account as a member of the local Administrators Group than it is to repair/reinstall IE7. So I will try that easier attack first and then see if we can install ActiveX controls and run Kaspersky or Panda. If that fails too, then we can try doing it the harder way. I will try the easy way first and report back to you.

hleighty
2008-02-06, 22:38
I used a different (previously created but never used) user account with Administrator privileges and was successful in downloading, installing, and updating the Kaspersky Online Scanner. The scan proceeded normally and produced a log file that is appended below. This happy result makes it appear to me that the built-in Administrator user account is damaged in some unidentified way that interferes with ActiveX controls. This different user account suffered no such problems.

Here below is the Kaspersky log.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, February 06, 2008 12:31:03 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/02/2008
Kaspersky Anti-Virus database records: 550947
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
F:\

Scan Statistics:
Total number of scanned objects: 62220
Number of viruses found: 16
Number of infected objects: 32
Number of suspicious objects: 0
Duration of the scan process: 01:18:06

Infected Object Name / Virus Name / Last Action
C:\60df39ba65287d8504\%temp%dd_msxml_retMSI.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aoltsmon.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\server.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_ac629541-b47f-414b-a05a-c1f555477fe4 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Robert N. Browning\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Robert N. Browning\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Robert N. Browning\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Robert N. Browning\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Robert N. Browning\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Robert N. Browning\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Robert N. Browning\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Robert N. Browning\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Robert N. Browning\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Robert N. Browning\ntuser.dat.LOG Object is locked skipped
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\QooBox\Quarantine\C\Documents and Settings\Administrator\My Documents\maps.exe.vir/stream/data0008 Infected: not-a-virus:AdWare.Win32.Comet.ay skipped
C:\QooBox\Quarantine\C\Documents and Settings\Administrator\My Documents\maps.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Comet.ay skipped
C:\QooBox\Quarantine\C\Documents and Settings\Administrator\My Documents\maps.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\fcoaugqg.dat.vir Object is locked skipped
C:\QooBox\Quarantine\catchme2008-02-04_100654.04.zip/fcoaugqg.dat Infected: Rootkit.Win32.Agent.tw skipped
C:\QooBox\Quarantine\catchme2008-02-04_100654.04.zip/fcoaugqg.dat.1 Infected: Rootkit.Win32.Agent.tw skipped
C:\QooBox\Quarantine\catchme2008-02-04_100654.04.zip/adsld.dll Infected: Trojan.Win32.BHO.agz skipped
C:\QooBox\Quarantine\catchme2008-02-04_100654.04.zip ZIP: infected - 3 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\tracking.log Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP164\A0032884.exe Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP167\A0033959.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cll skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP168\A0035040.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP168\A0035042.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.gn skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP168\A0035042.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP168\A0035045.exe Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP168\A0035051.exe Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP169\A0036023.dll Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP169\A0036024.dll Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP171\A0039164.exe Infected: not-a-virus:FraudTool.Win32.RegCleanFix.a skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041651.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cll skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041653.dll Infected: Trojan.Win32.Obfuscated.mi skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041654.dll Infected: Trojan.Win32.Obfuscated.mi skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041655.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cll skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041659.exe Infected: Trojan-Spy.Win32.BZub.buz skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041660.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cll skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041661.dll Infected: Trojan.Win32.Obfuscated.mi skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041662.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.v skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041663.dll Infected: Trojan.Win32.Obfuscated.lf skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041664.exe Infected: not-virus:Hoax.Win32.Renos.apg skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041665.exe Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041666.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cll skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP181\A0042335.sys Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP182\A0042343.exe Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP182\A0042344.dll Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP182\A0042345.dll Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP182\A0042346.exe Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP182\A0042347.exe Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP182\A0042348.dll Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP212\change.log Object is locked skipped
C:\VNC\vnc-4_1_1-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
C:\VNC\vnc-4_1_1-x86_win32.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\VNC\vnc-4_1_1-x86_win32.exe Inno: infected - 2 skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{FE150C09-67CE-4BC1-A7E3-F64C4CBFE62B}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\Security\Spyware\Removal\EClea2_0.exe Infected: not-a-virus:FraudTool.Win32.ErrorDoctor.b skipped

Scan process completed.

katana
2008-02-06, 22:52
I would consider moving all the files you want over to this other admin account and deleting the original one.
We have no way of knowing what else has been done with the permissions to it.

After all that the only thing it found was F:\Security\Spyware\Removal\EClea2_0.exe. This will need deleting.

Congratulations your logs look clean :bigthumb:

Let's see if I can help you keep it that way

First let's tidy up :)

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

You can also delete any logs we have produced, and empty your Recycle bin.

The following is some info to help you stay safe and clean.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.nanoscan.com
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

AntiSpyware
AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have free and paid versions;
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy (http://www.safer-networking.org/) <<< A must-have program. It includes host protection and registry protection. A hosts file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human-friendly name of a website. This feature can be used to block malicious websites.
MalwareBytes Anti-malware (http://www.malwarebytes.org/mbam.php) <<< A New and effective program
a-squared Free (http://www.emsisoft.com/en/software/free/) <<< A good "realtime" or "on demand" scanner
AVG Anti-Spyware 7.5 (http://www.ewido.net/en/) <<< A good "on demand" scanner
superantispyware (http://www.superantispyware.com/) <<< A good "realtime" or "on demand" scanner

Prevention
These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one
Winpatrol (http://www.winpatrol.com) An excellent startup manager and then some !! Notifies you if programs are added to startup. Allows delayed startup. A must-have addition.
SpywareBlaster 3.5.1 (http://www.javacoolsoftware.com/spywareblaster.html) SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
SpywareGuard 2.2 (http://www.javacoolsoftware.com/spywareguard.html) SpywareGuard provides real-time protection against spyware. Not required if you have other "realtime" antispyware or Winpatrol
ZonedOut (http://www.funkytoad.com/content/view/15/33/) Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.zip) This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial (http://www.mvps.org/winhelp2002/hosts.htm) by WinHelp2002. Not required if you are using other host file protections

Internet Browsers
Microsoft has worked hard to make IE7 a more secure browser; unfortunately, whilst it is still the leading browser of choice it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

If you are still using IE6 then either update, or get one of the following.
FireFox (http://www.mozilla.com/en-US/firefox/) With many addons available that make customization easy, this is a very popular choice. The NoScript and AdBlockPlus addons are essential.
Opera (http://www.opera.com/) Another popular alternative
Netscape (http://browser.netscape.com/addons) Another popular alternative. Also has addons available.

Cleaning Temporary Internet Files and Tracking Cookies
Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.

Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

Both of these can be cleaned manually, but a quicker option is to use a program
ATF Cleaner (http://www.atribune.org/content/view/19/2/) Free and very simple to use
CCleaner (http://www.ccleaner.com/) Free and very flexible, you can choose which cookies to keep


Also PLEASE read this article.......So How Did I Get Infected In The First Place (http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=4959)

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
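To make the "phone book" description of the hosts file above concrete, here is an added example (not part of katana's post, nor code from Spybot, MVPS HOSTS or any other tool named in it). It parses hosts-file text the way a resolver reads it (comments stripped, several names per line allowed, names case-insensitive, the first entry for a name kept) and then reports which names have been pointed at a non-routable address, which is exactly how a blocking hosts file keeps a browser from reaching a bad site. The hosts content and the .test/.invalid domain names are constructed for the example.

```python
"""Parse a Windows-style hosts file and identify blocked names.

Added example; the SAMPLE_HOSTS text and its domain names are constructed
and are not real blocklist entries.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed sample: the two header comments mimic the stock Windows file,
# the rest shows a LAN entry, two blocklist-style entries and a malformed line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
192.168.1.20    intranet.example.test   intranet   # local server
0.0.0.0         ads.example.invalid                # blocklist-style entry
127.0.0.1  tracker.example.invalid
  # indented comment only
bad line without address
"""

# Addresses that blocking hosts files point unwanted names at: the request
# never leaves the machine, so the site is effectively unreachable.
BLOCK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}


def _is_ip(token: str) -> bool:
    """True if token parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_hosts(text: str) -> Dict[str, str]:
    """Return a name -> address map from hosts-file text.

    Comments (after '#') and blank lines are ignored, a line may list several
    names for one address, names are matched case-insensitively, and when a
    name appears more than once the first entry is kept.
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or not _is_ip(parts[0]):
            continue  # malformed line: resolver would ignore it, so do we
        addr, names = parts[0], parts[1:]
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def resolve(hosts: Dict[str, str], name: str) -> Optional[str]:
    """Look a name up the way the hosts file would answer it (None = not listed)."""
    return hosts.get(name.lower())


def is_blocked(hosts: Dict[str, str], name: str) -> bool:
    """True if the name is pinned to a non-routable address (and is not localhost)."""
    addr = resolve(hosts, name)
    return addr in BLOCK_ADDRESSES and name.lower() != "localhost"


def blocked_names(hosts: Dict[str, str]) -> List[str]:
    """All names the file blocks, sorted for stable output."""
    return sorted(n for n in hosts if is_blocked(hosts, n))


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for n in sorted(table):
        print(f"{n:28} -> {table[n]}{'  [blocked]' if is_blocked(table, n) else ''}")
```

Run against a real machine's file (C:\WINDOWS\system32\drivers\etc\hosts on XP) by reading it into `parse_hosts`; a long list of names pointed at 0.0.0.0 or 127.0.0.1 is what a protective hosts file such as MVPS looks like, while an unfamiliar name pointed at an outside address is the pattern a hijacker leaves and is worth investigating.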

hleighty
2008-02-07, 00:40
The user account that has the problem with ActiveX controls is the built-in Administrator user account that comes standard with the XP operating system. That account cannot be deleted. But some files can indeed be moved to the alternate user account, and this will be done.

katana
2008-02-07, 01:10
:bigthumb:

Are there any other problems you have ?

hleighty
2008-02-08, 19:49
The machine seems to be clean now and is working as it should. I want to thank you very much for your able assistance. I would also like to make a modest donation to help support the work of the forum. If you can pass me a link where I can do that, I will be pleased to do so.

Lastly, your work with me has inspired me to want to study the curriculum at the MRU. I feel like I have a good technical understanding that goes well beyond an ordinary user, and it would be good to give something back and to enhance and apply my skills in this ongoing worldwide battle against the malware authors. I would be grateful to hear your remarks about your own experience in the MRU, for example how difficult is the curriculum and how long does it take to become qualified?

Yes, this thread can now be archived. Please tell me how to find the archives so I can research some other cases and learn that way too. Thanks again.

Howard Leighty, Vancouver, Washington USA GMT-8

katana
2008-02-08, 21:09
We are always grateful of donations, they help keep this service available for everybody's benefit.
http://www.spybot.info/en/donate/index.html
On behalf of myself and the rest of the staff,
Thank you Very Much !!!


As for wanting to learn, and join the fight, that is far more valuable to us :bigthumb:

I can honestly say that my experience at MRU and all the other forums where I help was/is fantastic !!
You will meet a bunch of people who are more than willing to share their knowledge. And believe me some have an awful lot to share !
The teachers are very patient and helpful, and will guide you through the test logs.
Asking questions is expected, and their motto is,
"The only stupid question is the one you don't ask"
So don't be shy.
How long it takes is entirely up to you, there is no time limit on how fast you go.

Be prepared though, the work is not all easy !
Malware is by its nature a tricky beast to deal with, and it is getting harder every day.

Now, having just said that it is not easy, be prepared to laugh a lot :laugh:
The antimalware community is made up of people who do this because we ENJOY IT !!! and we generally have fun.

Most forums have an archive section for the completed threads, and you will soon learn how to find them.
The Spybot one is here:-
http://forums.spybot.info/forumdisplay.php?f=23

If you have any other questions, just ask :cool:

I hope to see you enrolled soon :bigthumb::bigthumb:

Edit:- just a tip, but don't use a screen name that can be traced to you when you enroll.
The bad boys have been known to cause hassle.

hleighty
2008-02-09, 20:45
Katana:

Thanks for your remarks and for the tip about a screen name. I will be exploring the MRU forums and, since the main computer I have could possibly have some unknown malware, I know that MRU wants me to make sure my own computer is clean first before enrolling. So I will probably start a new thread over there for getting my own box certified as clean, even though I have no symptoms that I am aware of. I'm a little different in that I run Windows 2000 Professional SP4 (great O/S).

Thanks again for all you do.
I'm going to enroll in MRU and get edjumicated.

Howard Leighty (http://math-wizard.com), Vancouver, WA USA UTC-8

katana
2008-02-09, 21:06
Great stuff :)

I agree, W2K is a nice OS ... I use it myself :laugh: