Antivirus XP 2008 causing problems. Please help.
I'm currently using Windows 2000 Professional. Antivirus XP 2008 is on my computer and I can't get rid of it. There's a box in the middle of the screen saying: Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer.
I followed the instructions on the BEFORE you POST thread, but even after multiple attempts to remove the problems in red, there are always 2 that can't get removed.
Here's the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:18:50 PM, on 8/22/2008
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\loadqm.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\System32\lphc57dj0et2g.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - {AE75F0AA-0C09-3646-8A7B-28B24300F4B3} - corrida.dll (file missing)
R3 - URLSearchHook: (no name) - {C911510E-E118-7A41-1C46-3B7495D7F222} - xsetup.dll (file missing)
F3 - REG:win.ini: load=C:\WINNT\System32\rhdxqvesf\csrss.exe
F3 - REG:win.ini: run=C:\WINNT\System32\rhdxqvesf\csrss.exe
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINNT\System32\msxml71.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Micr Update] soundblaster.exe
O4 - HKLM\..\Run: [Microsoft MCT64 Center] nmc32.exe
O4 - HKLM\..\Run: [M_S DVD DirectX Dll Drivers] msxdl.exe
O4 - HKLM\..\Run: [Netbios Helper] C:\WINNT\System32\nbthlp.exe
O4 - HKLM\..\Run: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM\..\Run: [blah service] x[X]x.exe
O4 - HKLM\..\Run: [Windows Logon Service] winlogon.pif
O4 - HKLM\..\Run: [MS Windows Security Updater] updater.pif
O4 - HKLM\..\Run: [Windows Update Service] update32.pif
O4 - HKLM\..\Run: [progmen] abrek.exe
O4 - HKLM\..\Run: [wormexe] iehelper.exe
O4 - HKLM\..\Run: [Dest068] sysconf16.exe
O4 - HKLM\..\Run: [startman] StatusCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [lphc57dj0et2g] C:\WINNT\System32\lphc57dj0et2g.exe
O4 - HKLM\..\Run: [SMrhc17dj0et2g] C:\Program Files\rhc17dj0et2g\rhc17dj0et2g.exe
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINNT\System32\sysrest32.exe
O4 - HKLM\..\RunServices: [Microsoft MicroP Protocol] wdgmr32.exe
O4 - HKLM\..\RunServices: [Micr Update] soundblaster.exe
O4 - HKLM\..\RunServices: [Windows SRM32 Pass] srm32.exe
O4 - HKLM\..\RunServices: [Microsoft MCT64 Center] nmc32.exe
O4 - HKLM\..\RunServices: [FireWire Service] nvscv32.exe
O4 - HKLM\..\RunServices: [M_S DVD DirectX Dll Drivers] msxdl.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM\..\RunServices: [blah service] x[X]x.exe
O4 - HKLM\..\RunServices: [Windows Logon Service] winlogon.pif
O4 - HKLM\..\RunServices: [MS Windows Security Updater] updater.pif
O4 - HKLM\..\RunServices: [Windows Update Service] update32.pif
O4 - HKCU\..\Run: [Micr Update] soundblaster.exe
O4 - HKCU\..\Run: [Microsoft MCT64 Center] nmc32.exe
O4 - HKCU\..\Run: [Microsoft MicroP Protocol] wdgmr32.exe
O4 - HKCU\..\Run: [Windows SRM32 Pass] srm32.exe
O4 - HKCU\..\Run: [Spyware Vanisher] c:\spywarevanisher-free\FreeScanner.exe -FastScan
O4 - HKCU\..\Run: [M_S DVD DirectX Dll Drivers] msxdl.exe
O4 - HKCU\..\Run: [Windows Logon Service] winlogon.pif
O4 - HKCU\..\Run: [porka_] progmen.exe
O4 - HKCU\..\Run: [MONITER] hyandex.exe
O4 - HKCU\..\Run: [lpt] MONITER.exe
O4 - HKCU\..\Run: [teqq32] srbho.exe
O4 - HKCU\..\Run: [BoundRec] iesetupdll.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [M_S DVD DirectX Dll Drivers] msxdl.exe
O4 - HKCU\..\RunServices: [Windows Logon Service] winlogon.pif
O4 - HKCU\..\RunServices: [MS Windows Security Updater] updater.pif
O4 - HKCU\..\RunServices: [Windows Update Service] update32.pif
O4 - HKUS\.DEFAULT\..\Run: [Micr Update] soundblaster.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft MCT64 Center] nmc32.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [M_S DVD DirectX Dll Drivers] msxdl.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Sygate Personal Firewall Start] servic.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Logon Service] winlogon.pif (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Login Security] winlogin.pif (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [M_S DVD DirectX Dll Drivers] msxdl.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://xiah.gamescampus.com/luncher/GamesCampus.cab
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\WINNT\System32\dxdmain.exe (file missing)
O23 - Service: msecure (mcsecure) - Unknown owner - C:\WINNT\mcsecure.exe (file missing)
O23 - Service: netinfo - Unknown owner - C:\WINNT\netinfo.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINNT\System32\rpcclient.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINNT\system32\ooo.exe (file missing)
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINNT\System32\SCardClnt.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: AntiSpyUltra (Zonelaps) - Unknown owner - C:\WINNT\vsmom.exe (file missing)
--
End of file - 8517 bytes
Thanks for the help.
Hello Fidos
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
I have to tell ya, I have been at this for almost 7 years and this is one of the most heavily infected computers that I have ever seen. Anti Virus XP is just the tip of the iceberg; you have a rootkit infection that can leave your system compromised, which means even if we try to clean all the infections off this system I would be leery about doing any online transactions. You also have many other malware infections. My best advice is to reformat and do a clean install of Windows; Windows 2000 is a bit dated anyway, I would upgrade to XP. If you want to proceed with the cleaning, I can't guarantee that we can get it all, but we can try. Let me know what you want to do.
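As an added example (not code from this thread, from HijackThis or from the helper), here is a small Python triage script that applies the kind of checks the helper is making on the log above to HijackThis v2 lines: autoruns that launch .pif/.bat files or bare file names, targets that borrow core NT process names outside System32, non-empty win.ini load=/run= entries, a redirected UserInit, orphaned "Unknown owner"/"(file missing)" services, dangling URLSearchHooks and MIME filter hijacks. The sample lines are constructed in the same format as the log; the severity levels and the rules themselves are my own assumptions, not HijackThis output.

```python
"""Heuristic triage of HijackThis v2 log lines (added example, own heuristics)."""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "line_no severity reason line")

SEP = "\\"
# Extensions that should almost never be a legitimate autorun target.
SCRIPT_EXTS = {"pif", "bat", "cmd", "scr"}
# Core NT process names that malware likes to borrow for its own files.
SYSTEM_NAMES = {"csrss", "winlogon", "smss", "services", "lsass", "svchost"}

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
F_RE = re.compile(r"^F(?P<n>[23]) - REG:(?P<ini>[^:]+): (?P<key>\w+)=(?P<cmd>.*)$")
# First executable-looking token of a command line, quoted or not, spaces allowed.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?P<ext>exe|pif|bat|com|scr|cmd|dll))"?(?:\s|$)', re.I)

# Constructed sample in HijackThis v2 format (same shape as the log in this thread).
SAMPLE_LOG = r"""R3 - URLSearchHook: (no name) - {AE75F0AA-0C09-3646-8A7B-28B24300F4B3} - corrida.dll (file missing)
F3 - REG:win.ini: load=C:\WINNT\System32\rhdxqvesf\csrss.exe
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Windows Logon Service] winlogon.pif
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [Windows Update Service] update32.pif
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\WINNT\System32\dxdmain.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""


def split_target(cmd):
    """Return (executable, extension) from an autorun command line, or (None, None)."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return None, None
    return m.group("exe"), m.group("ext").lower()


def check_target(exe, ext, where):
    """Rules that apply to any launched file, whatever registry key referenced it."""
    out = []
    stem = exe.rsplit(SEP, 1)[-1].rsplit(".", 1)[0].lower()
    folder = exe.rsplit(SEP, 1)[0].lower() if SEP in exe else ""
    if ext in SCRIPT_EXTS:
        out.append(("high", f"{where} runs a .{ext} file instead of an .exe"))
    if stem in SYSTEM_NAMES and (ext != "exe" or not folder.endswith(SEP + "system32")):
        out.append(("high", f"{where} borrows system process name {stem!r} outside System32"))
    elif SEP not in exe:
        # Bare names also occur for legitimate entries, so this is only a weak signal.
        out.append(("low", f"{where} gives a bare file name; resolved via the search path"))
    return out


def analyze_line(line):
    """Return a list of (severity, reason) pairs for one HijackThis line."""
    line = line.rstrip()
    if m := O4_RE.match(line):
        exe, ext = split_target(m.group("cmd"))
        return check_target(exe, ext, "O4 autorun") if exe else [("low", "O4 target not parsed")]
    if m := F_RE.match(line):
        key, cmd = m.group("key").lower(), m.group("cmd").strip()
        if key in ("load", "run"):  # win.ini load=/run= are normally empty on NT
            if not cmd:
                return []
            out = [("high", f"win.ini {key}= launches {cmd}")]
            exe, ext = split_target(cmd)
            return out + (check_target(exe, ext, "win.ini " + key) if exe else [])
        if key == "userinit":  # only <sysroot>\System32\Userinit.exe is expected here
            exe, _ = split_target(cmd)
            ok = bool(exe) and exe.lower().endswith(SEP + "system32" + SEP + "userinit.exe")
            return [] if ok else [("high", f"UserInit redirected to {cmd}")]
        return []
    if line.startswith("R3 - URLSearchHook") and "(file missing)" in line:
        return [("medium", "URLSearchHook points at a missing DLL (leftover hijack)")]
    if m := O23_RE.match(line):
        if "(file missing)" in m.group("path") and m.group("owner") == "Unknown owner":
            return [("medium", f"orphaned service {m.group('desc')}: no binary, no vendor")]
        return []
    if line.startswith("O18 - Filter hijack"):
        mime = line.split(": ", 1)[1].split(" - ")[0]
        return [("high", f"MIME filter hijack registered for {mime}")]
    return []


def triage(text):
    """Run analyze_line over a whole log and keep line numbers for the report."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        for sev, reason in analyze_line(raw):
            findings.append(Finding(no, sev, reason, raw.rstrip()))
    return findings


def summarize(findings):
    """Count findings per severity level."""
    return Counter(f.severity for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>2} [{f.severity:<6}] {f.reason}")
    print(dict(summarize(triage(SAMPLE_LOG))))
```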
Sure, let's proceed with the cleaning and I might reformat if it doesn't work. Thank you for the help.
Good Morning Fidos,
Let's get started. So as not to overwhelm you, we will run a program, post the report along with a new HJT log so we can see where we're at before we proceed to running another tool.
Do this first... Important
Disable the TeaTimer, and leave it disabled until we're done.
Run Spybot-S&D in Advanced Mode.
If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
On the left hand side, click on Tools.
Then click on the Resident icon in the list.
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer. <-- You need to do this for it to take effect.
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.
Please download FixWareout from one of these sites:
FixWareout Subratam (http://downloads.subratam.org/Fixwareout.exe)
FixWareout Lonny (http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe)
Save it to your desktop and run it.
Click Next, then Install,
Then make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
At the end of the fix, you may need to restart your computer again.
Save the contents of the logfile C:\fixwareout\report.txt and post it into your next reply.
Now let's check some settings on your system (for 2000/XP only).
Go to Start > Control Panel.
If you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double click on Network Connections.
Then right click on your default connection, usually Local Area Connection for cable and DSL.
Left click on Properties.
Click the Networking tab.
Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.
Next go to Start > Run, type cmd and hit OK.
Type in ipconfig /flushdns, then hit Enter.
(That space between g and / is needed.)
Type exit and hit Enter.
Let me see the Wareout report and a new HJT log please.
Here's the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:42 AM, on 8/25/2008
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\loadqm.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - {AE75F0AA-0C09-3646-8A7B-28B24300F4B3} - corrida.dll (file missing)
R3 - URLSearchHook: (no name) - {C911510E-E118-7A41-1C46-3B7495D7F222} - xsetup.dll (file missing)
F3 - REG:win.ini: load=C:\WINNT\System32\rhdxqvesf\csrss.exe
F3 - REG:win.ini: run=C:\WINNT\System32\rhdxqvesf\csrss.exe
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINNT\System32\msxml71.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Micr Update] soundblaster.exe
O4 - HKLM\..\Run: [Microsoft MCT64 Center] nmc32.exe
O4 - HKLM\..\Run: [M_S DVD DirectX Dll Drivers] msxdl.exe
O4 - HKLM\..\Run: [Netbios Helper] C:\WINNT\System32\nbthlp.exe
O4 - HKLM\..\Run: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM\..\Run: [blah service] x[X]x.exe
O4 - HKLM\..\Run: [Windows Logon Service] winlogon.pif
O4 - HKLM\..\Run: [MS Windows Security Updater] updater.pif
O4 - HKLM\..\Run: [Windows Update Service] update32.pif
O4 - HKLM\..\Run: [progmen] abrek.exe
O4 - HKLM\..\Run: [wormexe] iehelper.exe
O4 - HKLM\..\Run: [Dest068] sysconf16.exe
O4 - HKLM\..\Run: [startman] StatusCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [lphc57dj0et2g] C:\WINNT\System32\lphc57dj0et2g.exe
O4 - HKLM\..\Run: [SMrhc17dj0et2g] C:\Program Files\rhc17dj0et2g\rhc17dj0et2g.exe
O4 - HKLM\..\RunServices: [Microsoft MicroP Protocol] wdgmr32.exe
O4 - HKLM\..\RunServices: [Micr Update] soundblaster.exe
O4 - HKLM\..\RunServices: [Windows SRM32 Pass] srm32.exe
O4 - HKLM\..\RunServices: [Microsoft MCT64 Center] nmc32.exe
O4 - HKLM\..\RunServices: [FireWire Service] nvscv32.exe
O4 - HKLM\..\RunServices: [M_S DVD DirectX Dll Drivers] msxdl.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM\..\RunServices: [blah service] x[X]x.exe
O4 - HKLM\..\RunServices: [Windows Logon Service] winlogon.pif
O4 - HKLM\..\RunServices: [MS Windows Security Updater] updater.pif
O4 - HKLM\..\RunServices: [Windows Update Service] update32.pif
O4 - HKCU\..\Run: [Micr Update] soundblaster.exe
O4 - HKCU\..\Run: [Microsoft MCT64 Center] nmc32.exe
O4 - HKCU\..\Run: [Microsoft MicroP Protocol] wdgmr32.exe
O4 - HKCU\..\Run: [Windows SRM32 Pass] srm32.exe
O4 - HKCU\..\Run: [Spyware Vanisher] c:\spywarevanisher-free\FreeScanner.exe -FastScan
O4 - HKCU\..\Run: [M_S DVD DirectX Dll Drivers] msxdl.exe
O4 - HKCU\..\Run: [Windows Logon Service] winlogon.pif
O4 - HKCU\..\Run: [porka_] progmen.exe
O4 - HKCU\..\Run: [MONITER] hyandex.exe
O4 - HKCU\..\Run: [lpt] MONITER.exe
O4 - HKCU\..\Run: [teqq32] srbho.exe
O4 - HKCU\..\Run: [BoundRec] iesetupdll.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\RunServices: [M_S DVD DirectX Dll Drivers] msxdl.exe
O4 - HKCU\..\RunServices: [Windows Logon Service] winlogon.pif
O4 - HKCU\..\RunServices: [MS Windows Security Updater] updater.pif
O4 - HKCU\..\RunServices: [Windows Update Service] update32.pif
O4 - HKUS\.DEFAULT\..\Run: [Micr Update] soundblaster.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft MCT64 Center] nmc32.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [M_S DVD DirectX Dll Drivers] msxdl.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Sygate Personal Firewall Start] servic.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Logon Service] winlogon.pif (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Login Security] winlogin.pif (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [M_S DVD DirectX Dll Drivers] msxdl.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://xiah.gamescampus.com/luncher/GamesCampus.cab
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\WINNT\System32\dxdmain.exe (file missing)
O23 - Service: msecure (mcsecure) - Unknown owner - C:\WINNT\mcsecure.exe (file missing)
O23 - Service: netinfo - Unknown owner - C:\WINNT\netinfo.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINNT\System32\rpcclient.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINNT\system32\ooo.exe (file missing)
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINNT\System32\SCardClnt.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: AntiSpyUltra (Zonelaps) - Unknown owner - C:\WINNT\vsmom.exe (file missing)
--
End of file - 8339 bytes
And here's the FixWareout report:
Username "Lee" - 08/25/2008 11:08:31 [Fixwareout edited 9/01/2007]
~~~~~ Prerun check
Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.
~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"LoadQM"="loadqm.exe"
"Micr Update"="soundblaster.exe"
"Microsoft MCT64 Center"="nmc32.exe"
"M_S DVD DirectX Dll Drivers"="msxdl.exe"
"Netbios Helper"="C:\\WINNT\\System32\\nbthlp.exe"
"Sygate Personal Firewall Start"="servic.exe"
"blah service"="x[X]x.exe"
"Windows Logon Service"="winlogon.pif"
"MS Windows Security Updater"="updater.pif"
"Windows Update Service"="update32.pif"
"progmen"="abrek.exe"
"wormexe"="iehelper.exe"
"Dest068"="sysconf16.exe"
"startman"="StatusCheck.exe"
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"EPSON Stylus CX4200 Series"="C:\\WINNT\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAEA.EXE /P26 \"EPSON Stylus CX4200 Series\" /O6 \"USB001\" /M \"Stylus CX4200\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"lphc57dj0et2g"="C:\\WINNT\\System32\\lphc57dj0et2g.exe"
"SMrhc17dj0et2g"="C:\\Program Files\\rhc17dj0et2g\\rhc17dj0et2g.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Micr Update"="soundblaster.exe"
"Microsoft MCT64 Center"="nmc32.exe"
"Microsoft MicroP Protocol"="wdgmr32.exe"
"Windows SRM32 Pass"="srm32.exe"
"Spyware Vanisher"="c:\\spywarevanisher-free\\FreeScanner.exe -FastScan"
"M_S DVD DirectX Dll Drivers"="msxdl.exe"
"Windows Logon Service"="winlogon.pif"
"porka_"="progmen.exe"
"MONITER"="hyandex.exe"
"lpt"="MONITER.exe"
"teqq32"="srbho.exe"
"BoundRec"="iesetupdll.exe"
"Steam"="C:\\Program Files\\Valve\\Steam\\Steam.exe -silent"
....
Hosts file was reset, If you use a custom hosts file please replace it...
C:\WINNT\System32\AUTOEXEC.NT missing
~~~~~ End report ~~~~~
Still more to do
This tool needs to be run from Safe Mode to be effective, so download it to your desktop, then boot to Safe Mode to run it.
To enter Safe Mode:
Go to Start > Shut off your Computer > Restart.
As the computer starts to boot up, tap the F8 key somewhat rapidly;
this will bring up a menu.
Use the Up and Down arrow keys to scroll up to Safe Mode,
then press the Enter key on your keyboard.
Tutorial if you need it: How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
(Report.txt will also be copied to the Clipboard, ready for posting back on the forum.)
Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.
Sorry this morning's reply took so long. I was kind of busy.
Here's the report from SDFix:
SDFix: Version 1.219
Run by Lee on Mon 08/25/2008 at 3:52p
Microsoft Windows 2000 [Version 5.00.2195]
Running From: C:\SDFix
Checking Services :
Name :
Hpdriver
sysrest.sys
Path :
\??\C:\WINNT\system32\hpdriver.sys
\??\C:\WINNT\System32\sysrest.sys
Hpdriver - Deleted
sysrest.sys - Deleted
AUTOEXEC.NT Restored from backups
Restoring Default Security Values
Restoring Default Hosts File
Restoring Default Desktop Wallpaper
Rebooting
Checking Files :
Trojan Files Found:
C:\WINNT\system32\lphc57dj0et2g.exe - Deleted
C:\WINNT\system32\phc57dj0et2g.bmp - Deleted
C:\WINNT\SYSTEM32\SETUP_~3.EXE - Deleted
C:\WINNT\SYSTEM32\SETUP_~4.EXE - Deleted
C:\WINNT\system32\djqkib\csrss.ini - Deleted
C:\WINNT\system32\emswynff\csrss.ini - Deleted
C:\WINNT\system32\hcydcb\csrss.ini - Deleted
C:\WINNT\system32\kkawezigl\csrss.ini - Deleted
C:\WINNT\system32\rhdxqvesf\csrss.ini - Deleted
C:\DOCUME~1\Lee\LOCALS~1\Temp\.tt5.tmp - Deleted
C:\DOCUME~1\Lee\LOCALS~1\Temp\.ttD.tmp - Deleted
C:\b.bat - Deleted
C:\WINNT\m.bat - Deleted
C:\WINNT\p.bat - Deleted
C:\WINNT\r.bat - Deleted
C:\WINNT\t.bat - Deleted
C:\WINNT\l.exe - Deleted
C:\WINNT\system32\2.tmp - Deleted
C:\WINNT\system32\setup_17160.exe - Deleted
C:\WINNT\system32\setup_50306.exe - Deleted
C:\WINNT\system32\setup_72713.exe - Deleted
C:\WINNT\system32\setup_88034.exe - Deleted
C:\Documents and Settings\Lee\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk - Deleted
C:\.exe - Deleted
C:\WINNT\system32\msxml71.dll - Deleted
C:\WINNT\system32\sysrest.sys - Deleted
Folder C:\Documents and Settings\Lee\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#w*w.redtube.com - Removed
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-25 16:04:44
Windows 5.0.2195 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3E37DD93-98C7-1D8F-31A5-2F8600B5CD22}]
"bbmjmancapgclcglloefiohjhddonlcifibk?"=hex:6b,61,63,6c,68,68,67,70,6c,63,63,62,68,62,66,65,65,64,68,6a,61,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F8DE961C-1C71-C374-682D-0E18CD5C58BF}]
"bbfcglbcipjmlbphkafjljhnjbjhdjpicfnm?"=hex:6b,61,70,6b,70,6a,6f,6c,6b,6b,69,6c,65,66,61,66,66,65,61,6e,6b,..
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 18 Aug 2008 1,832,272 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sat 29 Oct 2005 157,696 A..H. --- "C:\WINNT\system32\qnggfz.exe"
Thu 4 May 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 12 Nov 2004 37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Finished!
And here's the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:20:24 PM, on 8/25/2008
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\loadqm.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - {AE75F0AA-0C09-3646-8A7B-28B24300F4B3} - corrida.dll (file missing)
R3 - URLSearchHook: (no name) - {C911510E-E118-7A41-1C46-3B7495D7F222} - xsetup.dll (file missing)
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Micr Update] soundblaster.exe
O4 - HKLM\..\Run: [Microsoft MCT64 Center] nmc32.exe
O4 - HKLM\..\Run: [M_S DVD DirectX Dll Drivers] msxdl.exe
O4 - HKLM\..\Run: [Netbios Helper] C:\WINNT\System32\nbthlp.exe
O4 - HKLM\..\Run: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM\..\Run: [MS Windows Security Updater] updater.pif
O4 - HKLM\..\Run: [Windows Update Service] update32.pif
O4 - HKLM\..\Run: [progmen] abrek.exe
O4 - HKLM\..\Run: [wormexe] iehelper.exe
O4 - HKLM\..\Run: [Dest068] sysconf16.exe
O4 - HKLM\..\Run: [startman] StatusCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SMrhc17dj0et2g] C:\Program Files\rhc17dj0et2g\rhc17dj0et2g.exe
O4 - HKLM\..\RunServices: [Microsoft MicroP Protocol] wdgmr32.exe
O4 - HKLM\..\RunServices: [Micr Update] soundblaster.exe
O4 - HKLM\..\RunServices: [Windows SRM32 Pass] srm32.exe
O4 - HKLM\..\RunServices: [Microsoft MCT64 Center] nmc32.exe
O4 - HKLM\..\RunServices: [FireWire Service] nvscv32.exe
O4 - HKLM\..\RunServices: [M_S DVD DirectX Dll Drivers] msxdl.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM\..\RunServices: [MS Windows Security Updater] updater.pif
O4 - HKLM\..\RunServices: [Windows Update Service] update32.pif
O4 - HKCU\..\Run: [Micr Update] soundblaster.exe
O4 - HKCU\..\Run: [Microsoft MCT64 Center] nmc32.exe
O4 - HKCU\..\Run: [Microsoft MicroP Protocol] wdgmr32.exe
O4 - HKCU\..\Run: [Windows SRM32 Pass] srm32.exe
O4 - HKCU\..\Run: [Spyware Vanisher] c:\spywarevanisher-free\FreeScanner.exe -FastScan
O4 - HKCU\..\Run: [M_S DVD DirectX Dll Drivers] msxdl.exe
O4 - HKCU\..\Run: [Windows Logon Service] winlogon.pif
O4 - HKCU\..\Run: [porka_] progmen.exe
O4 - HKCU\..\Run: [MONITER] hyandex.exe
O4 - HKCU\..\Run: [lpt] MONITER.exe
O4 - HKCU\..\Run: [teqq32] srbho.exe
O4 - HKCU\..\Run: [BoundRec] iesetupdll.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\RunServices: [M_S DVD DirectX Dll Drivers] msxdl.exe
O4 - HKCU\..\RunServices: [Windows Logon Service] winlogon.pif
O4 - HKCU\..\RunServices: [MS Windows Security Updater] updater.pif
O4 - HKCU\..\RunServices: [Windows Update Service] update32.pif
O4 - HKUS\.DEFAULT\..\Run: [Micr Update] soundblaster.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft MCT64 Center] nmc32.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [M_S DVD DirectX Dll Drivers] msxdl.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Sygate Personal Firewall Start] servic.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Logon Service] winlogon.pif (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Login Security] winlogin.pif (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [M_S DVD DirectX Dll Drivers] msxdl.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://xiah.gamescampus.com/luncher/GamesCampus.cab
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\WINNT\System32\dxdmain.exe (file missing)
O23 - Service: msecure (mcsecure) - Unknown owner - C:\WINNT\mcsecure.exe (file missing)
O23 - Service: netinfo - Unknown owner - C:\WINNT\netinfo.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINNT\System32\rpcclient.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINNT\system32\ooo.exe (file missing)
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINNT\System32\SCardClnt.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: AntiSpyUltra (Zonelaps) - Unknown owner - C:\WINNT\vsmom.exe (file missing)
--
End of file - 7833 bytes
Not to worry about the replies, run the programs and post when you can.
Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected. <-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.
The program doesn't work. I downloaded it from both links and when I try to install or open Malwarebytes' Anti-Malware they give me this error code: 718 (-2146893799,0).
Let's try this.
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your passwords and other personal information, as removing cookies will temporarily disable the auto-login facility.
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.
In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.
1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection afterwards, before connecting to the net.
2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
If you have not already done so, Combofix will disconnect your machine from the Internet when it starts.
If there is no internet connection when Combofix has completely finished, then restart your computer to restore the connections.
3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.
Here's the combofix log:
ComboFix 08-08-24.03 - Lee 08/25/2008 19:27:00.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.0.1252.1.1033.18.127 [GMT -7:00]
Running from: C:\Documents and Settings\Lee\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Lee\Application Data\macromedia\Flash Player\#SharedObjects\PZ47KJSE\interclick.com
C:\Documents and Settings\Lee\Application Data\macromedia\Flash Player\#SharedObjects\PZ47KJSE\interclick.com\ud.sol
C:\Documents and Settings\Lee\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Lee\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Program Files\Common Files\uninstall information
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\History\search
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\WINNT\system32\3.tmp
C:\WINNT\system32\4.tmp
C:\WINNT\system32\5.tmp
C:\WINNT\system32\8.tmp
C:\WINNT\system32\actskn43.ocx
C:\WINNT\system32\launcher.exe
C:\WINNT\Web\default.htt
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MAPI
-------\Legacy_RDRIV
-------\Service_MAPI
((((((((((((((((((((((((( Files Created from 2008-07-26 to 2008-08-26 )))))))))))))))))))))))))))))))
.
2008-08-25 15:48 . 08-08-25 15:48 <DIR> d-------- C:\WINNT\ERUNT
2008-08-25 15:48 . 93-05-22 15:01 438 --a------ C:\WINNT\system32\AUTOEXEC.NT
2008-08-25 15:41 . 08-08-25 16:11 <DIR> d-------- C:\SDFix
2008-08-25 11:08 . 08-08-25 11:23 <DIR> d-------- C:\fixwareout
2008-08-22 21:40 . 08-08-25 18:14 454,538 ---h----- C:\WINNT\ShellIconCache
2008-08-22 13:17 . 08-08-22 13:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-19 22:15 . 08-08-20 10:36 <DIR> d-------- C:\Documents and Settings\Lee\Application Data\Antispyware
2008-08-19 20:19 . 02-05-15 15:16 462,848 --a------ C:\WINNT\system32\msaatext.dll
2008-08-19 20:19 . 02-05-15 15:16 360,448 --a------ C:\WINNT\system32\oleacc.dll
2008-08-19 20:19 . 02-05-15 15:16 360,448 --a--c--- C:\WINNT\system32\dllcache\oleacc.dll
2008-08-19 20:19 . 02-05-15 15:16 356,352 --a------ C:\WINNT\system32\oleaccrc.dll
2008-08-19 20:19 . 02-05-15 15:16 356,352 --a--c--- C:\WINNT\system32\dllcache\oleaccrc.dll
2008-08-19 18:57 . 08-07-10 15:12 600 --a------ C:\WINNT\win.tmp
2008-08-19 18:57 . 05-01-03 10:30 231 --a------ C:\WINNT\system.tmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-21 04:15 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-21 04:14 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-20 17:36 --------- d-----w C:\Documents and Settings\Lee\Application Data\SpywareBot
2008-08-20 00:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\AVG7
2008-08-18 22:18 --------- d-----w C:\Documents and Settings\Lee\Application Data\uTorrent
2008-08-18 21:22 --------- d-----w C:\Documents and Settings\Lee\Application Data\AVG7
2008-07-04 20:24 --------- d-----w C:\Program Files\Starcraft
2005-01-04 01:49 271 -c-h--w C:\Program Files\desktop.ini
1999-12-07 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys
2008-03-21 20:29 479,232 -c--a-w C:\Program Files\mozilla firefox\plugins\msvcm80.dll
2008-03-21 20:29 548,864 -c--a-w C:\Program Files\mozilla firefox\plugins\msvcp80.dll
2008-03-21 20:29 626,688 -c--a-w C:\Program Files\mozilla firefox\plugins\msvcr80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [05-11-15 01:51 755472]
"EPSON Stylus CX4200 Series"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [05-03-07 20:00 98304]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08-03-29 02:12 98304]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08-06-27 20:15 580096]
"Synchronization Manager"="mobsync.exe" [99-12-07 05:00 111376 C:\WINNT\system32\mobsync.exe]
"LoadQM"="loadqm.exe" [00-05-03 18:23 7536 C:\WINNT\loadqm.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [07-09-04 16:40 6856704]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [08-05-21 20:06 219136]
C:\Documents and Settings\Lee\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2005-01-26 10:26:50 225280]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56 65588]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Defragmentation Manager]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DHCP Client]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dxdmain]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\GencTurK RootKit]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Keyboard Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\LSA Server]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcClient]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Rpcmon]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SCardClnt]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sound Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ulead Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ulead Systems]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\upnpdrv]
@="Service"
R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\System32\Drivers\avg7rsnt.sys [08-05-21 20:06 ]
R3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);C:\WINNT\System32\drivers\ctlsb16.sys [99-10-23 14:10 ]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\System32\DRIVERS\el90xbc5.sys [99-10-23 05:22 ]
S2 dxdmain;DirectX Graphics;C:\WINNT\System32\dxdmain.exe []
S2 mcsecure;msecure;C:\WINNT\mcsecure.exe []
S2 netinfo;netinfo;C:\WINNT\netinfo.exe []
S2 RpcClient;Remote Procedure Call (RPC) Client;C:\WINNT\System32\rpcclient.exe []
S2 Rpcmon;Remote Procedure Call (RPC) Monitoring;C:\WINNT\system32\ooo.exe []
S2 SCardClnt;Smart Card Client;C:\WINNT\System32\SCardClnt.exe []
S2 Zonelaps;AntiSpyUltra;C:\WINNT\vsmom.exe []
S3 GencTurK RootKit Driver;GencTurK RootKit Driver;C:\system.sys []
S3 msvnc;msvnc;C:\WINNT\system32\msvnc.sys []
S3 Winacpci;Winacpci;C:\WINNT\System32\DRIVERS\winacpci.sys [99-09-25 00:55 ]
S4 Defragmentation Manager;Managing FAT and NTFS partitions;C:\WINNT\System32\dfrgfat16.exe []
S4 GencTurK RootKit;TurkSpy For RootKit;C:\system.exe []
S4 Keyboard Service;Keyboard Service System Files;C:\WINNT\System32\keyboard.exe []
S4 LSA Server;Local Security Authority Server;C:\WINNT\system32\msupdater.exe []
S4 Sound Service;Sound Sservice Driver ;C:\WINNT\System32\cfmon.exe []
NETSVCS REQUIRES REPAIRS - current entries shown
EventSystem
Ias
Iprip
Irmon
Netman
Nwsapagent
Rasauto
Rasman
Remoteaccess
SENS
Sharedaccess
Tapisrv
Ntmssvc
WmdmPmSN
*Newly Created Service* - IPNAT
*Newly Created Service* - SHAREDACCESS
.
- - - - ORPHANS REMOVED - - - -
URLSearchHooks-{AE75F0AA-0C09-3646-8A7B-28B24300F4B3} - corrida.dll
URLSearchHooks-{C911510E-E118-7A41-1C46-3B7495D7F222} - xsetup.dll
HKCU-Run-Spyware Vanisher - c:\spywarevanisher-free\FreeScanner.exe
HKCU-Run-Steam - C:\Program Files\Valve\Steam\Steam.exe
HKCU-Run-Micr Update - soundblaster.exe
HKCU-Run-Microsoft MCT64 Center - nmc32.exe
HKCU-Run-Microsoft MicroP Protocol - wdgmr32.exe
HKCU-Run-Windows SRM32 Pass - srm32.exe
HKCU-Run-M_S DVD DirectX Dll Drivers - msxdl.exe
HKCU-Run-Windows Logon Service - winlogon.pif
HKCU-Run-porka_ - progmen.exe
HKCU-Run-MONITER - hyandex.exe
HKCU-Run-lpt - MONITER.exe
HKCU-Run-teqq32 - srbho.exe
HKCU-Run-BoundRec - iesetupdll.exe
HKCU-RunServices-M_S DVD DirectX Dll Drivers - msxdl.exe
HKCU-RunServices-Windows Logon Service - winlogon.pif
HKCU-RunServices-MS Windows Security Updater - updater.pif
HKCU-RunServices-Windows Update Service - update32.pif
HKLM-Run-Netbios Helper - C:\WINNT\System32\nbthlp.exe
HKLM-Run-SMrhc17dj0et2g - C:\Program Files\rhc17dj0et2g\rhc17dj0et2g.exe
HKLM-Run-Micr Update - soundblaster.exe
HKLM-Run-Microsoft MCT64 Center - nmc32.exe
HKLM-Run-M_S DVD DirectX Dll Drivers - msxdl.exe
HKLM-Run-Sygate Personal Firewall Start - servic.exe
HKLM-Run-MS Windows Security Updater - updater.pif
HKLM-Run-Windows Update Service - update32.pif
HKLM-Run-progmen - abrek.exe
HKLM-Run-wormexe - iehelper.exe
HKLM-Run-Dest068 - sysconf16.exe
HKLM-Run-startman - StatusCheck.exe
HKLM-RunServices-Microsoft MicroP Protocol - wdgmr32.exe
HKLM-RunServices-Micr Update - soundblaster.exe
HKLM-RunServices-Windows SRM32 Pass - srm32.exe
HKLM-RunServices-Microsoft MCT64 Center - nmc32.exe
HKLM-RunServices-FireWire Service - nvscv32.exe
HKLM-RunServices-M_S DVD DirectX Dll Drivers - msxdl.exe
HKLM-RunServices-Sygate Personal Firewall Start - servic.exe
HKLM-RunServices-MS Windows Security Updater - updater.pif
HKLM-RunServices-Windows Update Service - update32.pif
HKU-Default-Run-Micr Update - soundblaster.exe
HKU-Default-Run-Microsoft MCT64 Center - nmc32.exe
HKU-Default-Run-M_S DVD DirectX Dll Drivers - msxdl.exe
HKU-Default-Run-Sygate Personal Firewall Start - servic.exe
HKU-Default-Run-Windows Logon Service - winlogon.pif
HKU-Default-Run-Windows Login Security - winlogin.pif
HKU-Default-RunServices-M_S DVD DirectX Dll Drivers - msxdl.exe
HKU-Default-RunServices-Windows Logon Service - winlogon.pif
HKU-Default-RunServices-Windows Login Security - winlogin.pif
HKU-Default-RunServices-Windows Update Service - update32.pif
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.ca
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-25 19:34:34
Windows 5.0.2195 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\DOCUME~1\Lee\LOCALS~1\Temp\fb1.tmp 16384 bytes
C:\DOCUME~1\Lee\LOCALS~1\Temp\~DF4575.tmp 512 bytes
scan completed successfully
hidden files: 2
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
SystemRoot\System32\smss.exe [156]
??\C:\WINNT\system32\csrss.exe [180]
??\C:\WINNT\system32\winlogon.exe [200]
C:\WINNT\system32\services.exe [228]
C:\WINNT\system32\lsass.exe [240]
C:\WINNT\system32\svchost.exe [404]
C:\WINNT\system32\spoolsv.exe [432]
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe [460]
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe [500]
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe [520]
C:\WINNT\System32\svchost.exe [592]
C:\WINNT\system32\stisvc.exe [624]
C:\WINNT\System32\WBEM\WinMgmt.exe [652]
C:\WINNT\system32\cmd.exe [816]
C:\WINNT\loadqm.exe [1020]
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE [1060]
C:\Program Files\QuickTime\qttask.exe [1068]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe [1072]
C:\WINNT\Explorer.exe [936]
C:\ComboFix\catchme.cfexe [980]
.
**************************************************************************
.
Completion time: 2008-08-25 19:39:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-26 02:39:01
Pre-Run: 3,734,953,984 bytes free
Post-Run: 3,713,572,864 bytes free
244
And here's the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:07 PM, on 8/25/2008
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\loadqm.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://xiah.gamescampus.com/luncher/GamesCampus.cab
O18 - Filter: text/plain - (no CLSID) - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\WINNT\System32\dxdmain.exe (file missing)
O23 - Service: msecure (mcsecure) - Unknown owner - C:\WINNT\mcsecure.exe (file missing)
O23 - Service: netinfo - Unknown owner - C:\WINNT\netinfo.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINNT\System32\rpcclient.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINNT\system32\ooo.exe (file missing)
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINNT\System32\SCardClnt.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: AntiSpyUltra (Zonelaps) - Unknown owner - C:\WINNT\vsmom.exe (file missing)
--
End of file - 4890 bytes
Hello,
You need to enable windows to show all files and folders, instructions Here (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)
Open HijackThis > Do a System Scan Only; close your browser and all open windows, including this one (the only program or window you should have open is HijackThis); check the following entries and click on Fix Checked.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O18 - Filter: text/plain - (no CLSID) - (no file)
O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\WINNT\System32\dxdmain.exe (file missing)
O23 - Service: msecure (mcsecure) - Unknown owner - C:\WINNT\mcsecure.exe (file missing)
O23 - Service: netinfo - Unknown owner - C:\WINNT\netinfo.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINNT\System32\rpcclient.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINNT\system32\ooo.exe (file missing)
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINNT\System32\SCardClnt.exe (file missing)
O23 - Service: AntiSpyUltra (Zonelaps) - Unknown owner - C:\WINNT\vsmom.exe (file missing)
Delete the files in RED; let me know which ones would not delete.
C:\WINNT\System32\dxdmain.exe
C:\WINNT\mcsecure.exe
C:\WINNT\netinfo.exe
C:\WINNT\System32\rpcclient.exe
C:\WINNT\system32\ooo.exe
C:\WINNT\System32\SCardClnt.exe
C:\WINNT\vsmom.exe
Please download SuperAntiSpyware Free (http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE)
Install the program
Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.
Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next <-- Important
Then, click Finish
It is possible that the program asks to reboot in order to delete some files.
Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)
Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.
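The entries singled out for fixing above share a few mechanical tells: O23 services whose image is "(file missing)" or has an "Unknown owner", an O18 MIME filter with "(no CLSID)", Search Bar / Local Page values reset to about:blank or a bare "\blank.htm", and O4 autostart values that name a bare file such as "updater.pif" while borrowing Windows vocabulary. The following Python script is an added example, not code from this thread or from HijackThis, that applies those checks to HijackThis log lines; the sample lines are copied from the logs posted in this thread, and the KNOWN_GOOD_BARE allow-list is an assumption for the example (the cleaned log later in the thread shows mobsync.exe and loadqm.exe resolving to C:\WINNT).

```python
import re
from dataclasses import dataclass

# Assumed allow-list: bare image names that legitimately start via the search
# path on this machine. Tune it for your own environment.
KNOWN_GOOD_BARE = {"mobsync.exe", "loadqm.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O18_RE = re.compile(r"^O18 - Filter(?: hijack)?: (?P<mime>\S+) - (?P<clsid>.+?) - (?P<file>.*)$")
R_RE = re.compile(r"^R[013] - (?P<key>.+?) = (?P<value>.*)$")
# First token of an O4 command line: a quoted path, or an unquoted path that
# ends in an executable extension (arguments, if any, follow a space).
IMAGE_RE = re.compile(r'^\s*(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|pif|com|bat|cmd|scr)))(?=\s|$)', re.I)
# Value names that borrow Microsoft/Windows vocabulary to look like system parts.
LOOKALIKE_RE = re.compile(r"\b(microsoft|windows|ms|security|updater?|service|logon|login)\b", re.I)
RISKY_EXT = (".pif", ".scr", ".com", ".bat", ".cmd")


@dataclass
class Finding:
    line: str
    reasons: list


def check_o4(m):
    """Flag autostart (Run/RunServices) entries with the tells seen in this thread."""
    reasons = []
    img = IMAGE_RE.match(m["cmd"])
    image = (img["q"] or img["u"]) if img else m["cmd"].strip()
    base = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    bare = "\\" not in image and ":" not in image
    if base.endswith(RISKY_EXT):
        reasons.append(f"autostart image uses a non-.exe executable extension ({base})")
    if bare and base not in KNOWN_GOOD_BARE:
        reasons.append("bare filename, resolved via the search path rather than a full path")
    if "RunServices" in m["hive"]:
        reasons.append("registered under a RunServices key (Windows 9x-era key, unusual on Windows 2000)")
    if bare and LOOKALIKE_RE.search(m["name"]):
        reasons.append(f"value name '{m['name']}' imitates a Windows component")
    return reasons


def check_o23(m):
    """Flag services whose binary is gone or carries no vendor information."""
    reasons = []
    if m["path"].endswith("(file missing)"):
        reasons.append("service image is missing on disk (leftover service registration)")
    if m["owner"] == "Unknown owner":
        reasons.append("service binary has no vendor information")
    return reasons


def check_o18(m):
    """Flag MIME filters that are registered without a CLSID."""
    return ["MIME filter registered without a CLSID"] if m["clsid"] == "(no CLSID)" else []


def check_r(m):
    """Flag start/search page values that were reset or point nowhere useful."""
    value = m["value"].strip()
    if value == "about:blank":
        return ["search/start page reset to about:blank"]
    if not re.match(r"(?i)^(https?://|[a-z]:\\)", value):
        return ["page setting does not point at a URL or a full path"]
    return []


CHECKS = ((O4_RE, check_o4), (O23_RE, check_o23), (O18_RE, check_o18), (R_RE, check_r))


def triage(log_text):
    """Return a Finding for every HijackThis line that trips at least one check."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        for regex, check in CHECKS:
            m = regex.match(line)
            if m:
                reasons = check(m)
                if reasons:
                    findings.append(Finding(line, reasons))
                break
    return findings


# Sample input: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O4 - HKLM\..\Run: [MS Windows Security Updater] updater.pif
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Micr Update] soundblaster.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O18 - Filter: text/plain - (no CLSID) - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: AntiSpyUltra (Zonelaps) - Unknown owner - C:\WINNT\vsmom.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run it as-is to see which of the sample lines trip which check; feeding it a full log just means passing the file's text to triage(). The allow-list and the lookalike vocabulary are deliberately the only tunable parts: the script is meant to shortlist entries for a human to confirm, not to decide removals on its own.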
Hi, so far I have done the HJT system scan and fixed what you asked me to fix. But when I went to delete the files in red, I couldn't find any of the files. Do I skip that and go straight to using Super Antispyware?
Yes, go ahead with SAS and post the log with a new HJT and let's see where we are at; we will look for those files in a bit.
Here's the super antispyware log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 08/26/2008 at 05:07 PM
Application Version : 4.20.1046
Core Rules Database Version : 3548
Trace Rules Database Version: 1536
Scan type : Complete Scan
Total Scan Time : 01:11:05
Memory items scanned : 255
Memory threats detected : 0
Registry items scanned : 3671
Registry threats detected : 0
File items scanned : 9923
File threats detected : 150
Adware.Tracking Cookie
C:\Documents and Settings\Lee\Cookies\lee@yadro[2].txt
.revsci.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.viacom.adbureau.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.viacom.adbureau.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.viacom.adbureau.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.viacom.adbureau.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
media.mtvnservices.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
media.mtvnservices.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.overture.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.overture.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.overture.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.questionmarket.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.questionmarket.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.questionmarket.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.tribalfusion.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.tribalfusion.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.tribalfusion.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.tribalfusion.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.adbrite.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.adbrite.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.adbrite.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.adbrite.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.adecn.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.adecn.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.adlegend.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.adlegend.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.adopt.euroclick.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.ads.mediamayhemcorp.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.adultfriendfinder.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.adultfriendfinder.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.adultfriendfinder.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.adultfriendfinder.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.atdmt.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.atdmt.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.bs.serving-sys.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.cgm.adbureau.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.cgm.adbureau.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.cgm.adbureau.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.cgm.adbureau.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.cgm.adbureau.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.cgm.adbureau.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.cgm.adbureau.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.chitika.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.cnetaustralia.122.2o7.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.estat.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.iacas.adbureau.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.iacas.adbureau.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.incentaclick.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.incentaclick.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.kontera.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.kontera.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.msnportal.112.2o7.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.myroitracking.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.nhl.112.2o7.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.partypoker.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.partypoker.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.perf.overture.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.pro-market.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.pro-market.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.pro-market.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.prospect.adbureau.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.prospect.adbureau.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.prospect.adbureau.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.prospect.adbureau.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.realmedia.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.realmedia.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.realmedia.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.revenue.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.serving.adsrevenue.clicksor.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.stopzilla.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.stopzilla.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.toplist.cz [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.usatoday1.112.2o7.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.valueclick.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.www.incentaclick.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.www.incentaclick.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.xiti.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.yamaha.122.2o7.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.youporn.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.youporn.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.youporn.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.youporn.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
ads.revsci.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
ads-dev.youporn.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
cms.trafficmp.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
counter.search.bg [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
futanariporno.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
rotator.adjuggler.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
rotator.adjuggler.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
server.cpmstar.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
server.cpmstar.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
server.cpmstar.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
server.cpmstar.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
server.cpmstar.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
server.iad.liveperson.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
server.iad.liveperson.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
www.googleadservices.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
www.googleadservices.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
www.googleadservices.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
www.googleadservices.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
www.usenext.de [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
www.usenext.de [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
www.xxx-animatrix.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
Rogue.AntiVirusProtection
C:\WINNT\SYSTEM32\FK.DLL
and here's the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:26:54 PM, on 8/26/2008
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\loadqm.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\System32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://xiah.gamescampus.com/luncher/GamesCampus.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\WINNT\System32\dxdmain.exe (file missing)
O23 - Service: msecure (mcsecure) - Unknown owner - C:\WINNT\mcsecure.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINNT\System32\rpcclient.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINNT\system32\ooo.exe (file missing)
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINNT\System32\SCardClnt.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: AntiSpyUltra (Zonelaps) - Unknown owner - C:\WINNT\vsmom.exe (file missing)
--
End of file - 4887 bytes
Hi,
Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::
File::
C:\WINNT\SYSTEM32\FK.DLL
C:\WINNT\System32\dxdmain.exe
C:\WINNT\mcsecure.exe
C:\WINNT\System32\rpcclient.exe
C:\WINNT\system32\ooo.exe
C:\WINNT\System32\SCardClnt.exe
C:\WINNT\vsmom.exe
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dxdmain]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\GencTurK RootKit]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcClient]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Rpcmon]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SCardClnt]
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Here's the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:57:11 PM, on 8/26/2008
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\loadqm.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://xiah.gamescampus.com/luncher/GamesCampus.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\WINNT\System32\dxdmain.exe (file missing)
O23 - Service: msecure (mcsecure) - Unknown owner - C:\WINNT\mcsecure.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINNT\System32\rpcclient.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINNT\system32\ooo.exe (file missing)
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINNT\System32\SCardClnt.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: AntiSpyUltra (Zonelaps) - Unknown owner - C:\WINNT\vsmom.exe (file missing)
--
End of file - 4887 bytes
and here's the ComboFix log:
ComboFix 08-08-26.02 - Lee 08/26/2008 19:37:57.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.0.1252.1.1033.18.113 [GMT -7:00]
Running from: C:\Documents and Settings\Lee\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lee\Desktop\CFScript.txt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINNT\mcsecure.exe
C:\WINNT\System32\dxdmain.exe
C:\WINNT\SYSTEM32\FK.DLL
C:\WINNT\system32\ooo.exe
C:\WINNT\System32\rpcclient.exe
C:\WINNT\System32\SCardClnt.exe
C:\WINNT\vsmom.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Lee\Application Data\macromedia\Flash Player\#SharedObjects\PZ47KJSE\bin.clearspring.com
C:\Documents and Settings\Lee\Application Data\macromedia\Flash Player\#SharedObjects\PZ47KJSE\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Lee\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Lee\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
.
((((((((((((((((((((((((( Files Created from 2008-07-27 to 2008-08-27 )))))))))))))))))))))))))))))))
.
2008-08-26 15:47 . 08-08-26 15:47 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-26 15:47 . 08-08-26 15:47 <DIR> d-------- C:\Documents and Settings\Lee\Application Data\SUPERAntiSpyware.com
2008-08-26 15:47 . 08-08-26 15:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-25 15:48 . 08-08-25 15:48 <DIR> d-------- C:\WINNT\ERUNT
2008-08-25 15:48 . 93-05-22 15:01 438 --a------ C:\WINNT\system32\AUTOEXEC.NT
2008-08-25 15:41 . 08-08-25 16:11 <DIR> d-------- C:\SDFix
2008-08-25 11:08 . 08-08-25 11:23 <DIR> d-------- C:\fixwareout
2008-08-22 21:40 . 08-08-26 00:15 276,982 ---h----- C:\WINNT\ShellIconCache
2008-08-22 13:17 . 08-08-22 13:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-19 22:15 . 08-08-20 10:36 <DIR> d-------- C:\Documents and Settings\Lee\Application Data\Antispyware
2008-08-19 20:19 . 02-05-15 15:16 462,848 --a------ C:\WINNT\system32\msaatext.dll
2008-08-19 20:19 . 02-05-15 15:16 360,448 --a------ C:\WINNT\system32\oleacc.dll
2008-08-19 20:19 . 02-05-15 15:16 360,448 --a--c--- C:\WINNT\system32\dllcache\oleacc.dll
2008-08-19 20:19 . 02-05-15 15:16 356,352 --a------ C:\WINNT\system32\oleaccrc.dll
2008-08-19 20:19 . 02-05-15 15:16 356,352 --a--c--- C:\WINNT\system32\dllcache\oleaccrc.dll
2008-08-19 18:57 . 08-07-10 15:12 600 --a------ C:\WINNT\win.tmp
2008-08-19 18:57 . 05-01-03 10:30 231 --a------ C:\WINNT\system.tmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-26 22:46 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-21 04:15 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-21 04:14 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-20 17:36 --------- d-----w C:\Documents and Settings\Lee\Application Data\SpywareBot
2008-08-20 00:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\AVG7
2008-08-18 22:18 --------- d-----w C:\Documents and Settings\Lee\Application Data\uTorrent
2008-08-18 21:22 --------- d-----w C:\Documents and Settings\Lee\Application Data\AVG7
2008-07-04 20:24 --------- d-----w C:\Program Files\Starcraft
2005-01-04 01:49 271 -c-h--w C:\Program Files\desktop.ini
1999-12-07 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys
2008-03-21 20:29 479,232 -c--a-w C:\Program Files\mozilla firefox\plugins\msvcm80.dll
2008-03-21 20:29 548,864 -c--a-w C:\Program Files\mozilla firefox\plugins\msvcp80.dll
2008-03-21 20:29 626,688 -c--a-w C:\Program Files\mozilla firefox\plugins\msvcr80.dll
.
((((((((((((((((((((((((((((( snapshot@Mon 2008-08-25_19.37.42.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-26 22:47:16 18,944 ----a-r C:\WINNT\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-08-26 22:47:16 65,024 ----a-r C:\WINNT\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [08-08-19 23:34 1576176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [05-11-15 01:51 755472]
"EPSON Stylus CX4200 Series"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [05-03-07 20:00 98304]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08-03-29 02:12 98304]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08-06-27 20:15 580096]
"Synchronization Manager"="mobsync.exe" [99-12-07 05:00 111376 C:\WINNT\system32\mobsync.exe]
"LoadQM"="loadqm.exe" [00-05-03 18:23 7536 C:\WINNT\loadqm.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [07-09-04 16:40 6856704]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [08-05-21 20:06 219136]
C:\Documents and Settings\Lee\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2005-01-26 10:26:50 225280]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56 65588]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [08-05-13 10:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
08-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Defragmentation Manager]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DHCP Client]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Keyboard Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\LSA Server]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sound Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ulead Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ulead Systems]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\upnpdrv]
@="Service"
R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\System32\Drivers\avg7rsnt.sys [08-05-21 20:06 ]
R3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);C:\WINNT\System32\drivers\ctlsb16.sys [99-10-23 14:10 ]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\System32\DRIVERS\el90xbc5.sys [99-10-23 05:22 ]
S2 dxdmain;DirectX Graphics;C:\WINNT\System32\dxdmain.exe []
S3 GencTurK RootKit Driver;GencTurK RootKit Driver;C:\system.sys []
S3 msvnc;msvnc;C:\WINNT\system32\msvnc.sys []
S3 Winacpci;Winacpci;C:\WINNT\System32\DRIVERS\winacpci.sys [99-09-25 00:55 ]
S4 Defragmentation Manager;Managing FAT and NTFS partitions;C:\WINNT\System32\dfrgfat16.exe []
NETSVCS REQUIRES REPAIRS - current entries shown
EventSystem
Ias
Iprip
Irmon
Netman
Nwsapagent
Rasauto
Rasman
Remoteaccess
SENS
Sharedaccess
Tapisrv
Ntmssvc
WmdmPmSN
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-26 19:47:51
Windows 5.0.2195 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
SystemRoot\System32\smss.exe [152]
??\C:\WINNT\system32\csrss.exe [180]
??\C:\WINNT\system32\winlogon.exe [176]
C:\WINNT\system32\services.exe [228]
C:\WINNT\system32\lsass.exe [240]
C:\WINNT\system32\svchost.exe [408]
C:\WINNT\system32\spoolsv.exe [432]
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe [488]
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe [516]
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe [544]
C:\WINNT\System32\svchost.exe [568]
C:\WINNT\system32\stisvc.exe [600]
C:\WINNT\System32\WBEM\WinMgmt.exe [736]
C:\WINNT\system32\cmd.exe [868]
C:\WINNT\loadqm.exe [1056]
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE [988]
C:\Program Files\QuickTime\qttask.exe [1008]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe [976]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [968]
C:\WINNT\Explorer.exe [1172]
C:\ComboFix\catchme.cfexe [956]
.
**************************************************************************
.
Completion time: 2008-08-26 19:54:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-27 02:53:42
ComboFix2.txt 2008-08-26 02:39:11
Pre-Run: 3,655,127,040 bytes free
Post-Run: 3,651,584,000 bytes free
We have some stubborn entries that just don't want to go.
Download gmer.zip from here (http://www.majorgeeks.com/GMER_d5198.html) and save it to your Desktop.
You will need to unzip it before you run it.
To do this: Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish
Double click gmer.exe to begin:
If you get a message about "system modification", click Yes and work through the rest of the instructions.
Ensure that the Rootkit Tab at the top is selected.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click the Scan button on the right.
When the scan has completed, (you'll have time for a snack and a cuppa!), click the Copy button underneath - this will save the report to your Clipboard.
Paste it into Notepad (Start > All Programs > Accessories > Notepad) and save it somewhere convenient.
Click the >>> Tab at the top and select the Autostart Tab.
Click the Scan button on the right - this one should only take seconds to complete.
Save the log as before.
Copy and paste both reports into your next reply - you may need to post them separately.
The Preview option may show the whole logs being posted, but they sometimes get cut down when the actual post is made, so check the post once it is completed.
Just run GMER and let's see what it finds.
Here's the first gmer report:
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-27 11:00:46
Windows 5.0.2195
---- System - GMER 1.0.14 ----
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwConnectPort [0xBFC94C90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xBFC91B70]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateKey [0xBFCAA944]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcess [0xBFCA9760]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateSection [0xBFCAC610]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteFile [0xBFC92180]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteKey [0xBFCAB330]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteValueKey [0xBFCAB100]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDuplicateObject [0xBFCA9080]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadKey [0xBFCAB4F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenFile [0xBFC91FD0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenProcess [0xBFCA8E80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenThread [0xBFCA8C40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwReplaceKey [0xBFCAB7C0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRequestWaitReplyPort [0xBFC94960]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRestoreKey [0xBFCABA50]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSecureConnectPort [0xBFC94E40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetInformationFile [0xBFC922F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetValueKey [0xBFCAAEA0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwTerminateProcess [0xBFCA9BB0]
---- Kernel IAT/EAT - GMER 1.0.14 ----
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [BFC99700] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [BFC99AD0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [BFC99C30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [BFC99C30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [BFC99AD0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [BFC99590] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [BFC99700] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [BFC99590] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [BFC99C30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [BFC99AD0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
---- Devices - GMER 1.0.14 ----
AttachedDevice \FileSystem\Ntfs \Ntfs avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Ip avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Tcp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Udp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\RawIp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\IPMULTICAST avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)
---- Registry - GMER 1.0.14 ----
Reg HKLM\SOFTWARE\Classes\CLSID\\ProgID@ 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3E37DD93-98C7-1D8F-31A5-2F8600B5CD22}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3E37DD93-98C7-1D8F-31A5-2F8600B5CD22}@bbmjmancapgclcglloefiohjhddonlcifibk 0x6B 0x61 0x63 0x6C ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F8DE961C-1C71-C374-682D-0E18CD5C58BF}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F8DE961C-1C71-C374-682D-0E18CD5C58BF}@bbfcglbcipjmlbphkafjljhnjbjhdjpicfnm 0x6B 0x61 0x70 0x6B ...
---- EOF - GMER 1.0.14 ----
And here's the autoscan results:
GMER 1.0.14.14536 - http://www.gmer.net
Autostart scan 2008-08-27 11:02:02
Windows 5.0.2195
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINNT\system32\userinit.exe,
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@DLLName = C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Avg7Alrt@ = C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
Avg7UpdSvc@ = C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
AVGEMS@ = C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
dxdmain@ = C:\WINNT\System32\dxdmain.exe /*file not found*/
mcsecure@ = "C:\WINNT\mcsecure.exe" /*file not found*/
RpcClient@ = C:\WINNT\System32\rpcclient.exe /*file not found*/
Rpcmon@ = C:\WINNT\system32\ooo.exe /*file not found*/
SCardClnt@ = C:\WINNT\System32\SCardClnt.exe /*file not found*/
StiSvc@ = %systemroot%\system32\stisvc.exe
vsmon@ = C:\WINNT\system32\ZoneLabs\vsmon.exe -service
WinMgmt@ = %SystemRoot%\System32\WBEM\WinMgmt.exe
Zonelaps@ = "C:\WINNT\vsmom.exe" /*file not found*/
HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@Synchronization Managermobsync.exe /logon = mobsync.exe /logon
@LoadQMloadqm.exe = loadqm.exe
@Zone Labs ClientC:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe = C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
@EPSON Stylus CX4200 SeriesC:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200" = C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
@QuickTime Task"C:\Program Files\QuickTime\qttask.exe" -atboottime = "C:\Program Files\QuickTime\qttask.exe" -atboottime
@AVG7_CCC:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
HKCU\Software\Microsoft\Windows\CurrentVersion\Run@SUPERAntiSpyware = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} = C:\Program Files\SUPERAntiSpyware\SASSEH.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{41E300E0-78B6-11ce-849B-444553540000} /*PlusPack CPL Extension*/plustab.dll = plustab.dll
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{8BEBB290-52D0-11D0-B7F4-00C04FD706EC} /*Thumbnails*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{EAB841A0-9550-11CF-8C16-00805F1408F3} /*HTML Thumbnail Extractor*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{1AEB1360-5AFC-11D0-B806-00C04FD706EC} /*Office Graphics Filters Thumbnail Extractor*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{9DBD2C50-62AD-11D0-B806-00C04FD706EC} /*Summary Info Thumbnail handler (DOCFILES)*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{500202A0-731E-11D0-B829-00C04FD706EC} /*LNK file thumbnail interface delegator*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{fe1290f0-cfbd-11cf-a330-00aa00c16e65} /*Directory Namespace*/dsfolder.dll = dsfolder.dll
@{9E51E0D0-6E0F-11d2-9601-00C04FA31A86} /*Shell properties for a DS object*/dsfolder.dll = dsfolder.dll
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Program Files\WinRAR\rarext.dll = C:\Program Files\WinRAR\rarext.dll
@{4EFE464B-3D0B-4800-A5DE-2321283A3256} /*QCD IconHandler*/C:\Program Files\Quintessential Player\QCDIcons.dll = C:\Program Files\Quintessential Player\QCDIcons.dll
@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG7 Shell Extension*/C:\Program Files\Grisoft\AVG7\avgse.dll = C:\Program Files\Grisoft\AVG7\avgse.dll
@{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG7 Find Extension*/C:\Program Files\Grisoft\AVG7\avgse.dll = C:\Program Files\Grisoft\AVG7\avgse.dll
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Web Folders*/ = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKLM\Software\Classes\*\shellex\ContextMenuHandlers@{CA8ACAFA-5FBB-467B-B348-90DD488DE003} = C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers@{CA8ACAFA-5FBB-467B-B348-90DD488DE003} = C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\SPYBOT~1\SDHelper.dll = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\.spop@Location = C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll /*file not found*/
HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Pagec:\winnt\system32\blank.htm = c:\winnt\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
@Local PageC:\WINNT\SYSTEM32\blank.htm = C:\WINNT\SYSTEM32\blank.htm
HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
its@CLSID = C:\WINNT\System32\itss.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINNT\System32\itss.dll
ms-its51@CLSID = C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\itss51.dll
vnd.ms.radio@CLSID = C:\WINNT\System32\msdxm.ocx
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001@LibraryPath = %SystemRoot%\System32\rnr20.dll
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000002@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000003@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000006@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000007@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000008@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000009@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000010@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000011@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000012@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000013@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000014@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000015@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000016@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000017@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000018@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
C:\Documents and Settings\Lee\Start Menu\Programs\Startup = PowerReg Scheduler V3.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup = Microsoft Office.lnk
---- EOF - GMER 1.0.14 ----
Hi,
It appears that there is no Rootkit installed. The bad entries we are trying to remove are missing the files so this should be easy to remove. Remove these with HJT in Safemode.
O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\WINNT\System32\dxdmain.exe (file missing)
O23 - Service: msecure (mcsecure) - Unknown owner - C:\WINNT\mcsecure.exe (file missing)
O23 - Service: netinfo - Unknown owner - C:\WINNT\netinfo.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINNT\System32\rpcclient.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINNT\system32\ooo.exe (file missing)
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINNT\System32\SCardClnt.exe (file missing)
O23 - Service: AntiSpyUltra (Zonelaps) - Unknown owner - C:\WINNT\vsmom.exe (file missing)
To Enter Safemode
Go to Start> Shut off your Computer> Restart
As the computer starts to boot up, tap the F8 key somewhat rapidly; this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode
Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)
Post a new log please
Hi,
O23 - Service: netinfo - Unknown owner - C:\WINNT\netinfo.exe (file missing) was not on the list. Every other file was removed.
Here's the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:14:43 PM, on 8/27/2008
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\loadqm.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://xiah.gamescampus.com/luncher/GamesCampus.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\WINNT\System32\dxdmain.exe (file missing)
O23 - Service: msecure (mcsecure) - Unknown owner - C:\WINNT\mcsecure.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINNT\System32\rpcclient.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINNT\system32\ooo.exe (file missing)
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINNT\System32\SCardClnt.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: AntiSpyUltra (Zonelaps) - Unknown owner - C:\WINNT\vsmom.exe (file missing)
--
End of file - 4810 bytes
They're still there.
This is what we have to do: drag your copy of Combofix to the trash (this program is updated on a regular basis) and download a fresh copy.
Download Combofix from any of the links below, and save it to your desktop. <-- Important
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
Open Notepad (go to Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Driver::
Driver::
dxdmain
mcsecure
netinfo
RpcClient
Rpcmon
SCardClnt
Zonelaps
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
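The helper built the Driver:: list above by hand from the O23 "(file missing)" service entries in the HijackThis log. As an added example (not code from the thread, HijackThis or ComboFix), here is a small parser that does the same selection and renders the CFScript block; the sample log lines are constructed from the entries shown in this thread, and the O23 line layout it assumes is the one visible in those logs.

```python
"""Pull the '(file missing)' O23 service entries out of a HijackThis log
and build the Driver:: block in the form ComboFix's CFScript expects.

Added example for this thread, not HijackThis/ComboFix code. The regex
below assumes the O23 layout seen in the posted logs:
  O23 - Service: <display name> (<short name>) - <owner> - <path> [(file missing)]
The short name in parentheses is optional (the 'netinfo' entry has none).
"""
import re

O23_RE = re.compile(
    r"^O23 - Service: "
    r"(?P<display>.+?)"                 # display name, may itself contain (RPC)
    r"(?: \((?P<short>[^()]+)\))?"      # optional (short service name)
    r" - (?P<owner>.+?)"                # 'Unknown owner', vendor string, ...
    r" - (?P<path>.+?)"                 # service binary path
    r"(?P<missing> \(file missing\))?$" # HJT's marker that the binary is gone
)

# Constructed sample: a HJT header line plus O23 entries taken from the thread.
SAMPLE_HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\WINNT\System32\dxdmain.exe (file missing)
O23 - Service: msecure (mcsecure) - Unknown owner - C:\WINNT\mcsecure.exe (file missing)
O23 - Service: netinfo - Unknown owner - C:\WINNT\netinfo.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINNT\System32\rpcclient.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINNT\system32\ooo.exe (file missing)
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINNT\System32\SCardClnt.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: AntiSpyUltra (Zonelaps) - Unknown owner - C:\WINNT\vsmom.exe (file missing)
"""


def parse_o23(log_text):
    """Return one dict per O23 line: display, short, owner, path, missing."""
    entries = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue  # not an O23 line (header, R1, O4, ...)
        entries.append({
            "display": m.group("display"),
            "short": m.group("short"),
            "owner": m.group("owner"),
            "path": m.group("path"),
            "missing": m.group("missing") is not None,
        })
    return entries


def missing_services(log_text):
    """Service keys (short name, else display name) of every O23 entry whose
    binary HJT reports as '(file missing)', in log order. Services whose
    binary exists (AVG, vsmon) are deliberately left out."""
    return [e["short"] or e["display"]
            for e in parse_o23(log_text) if e["missing"]]


def build_cfscript(keys):
    """Render the Driver:: block. The helper notes that nothing may precede
    'Driver::', so it starts at column 0 with no blank line above it."""
    return "Driver::\n" + "\n".join(keys) + "\n"


if __name__ == "__main__":
    print(build_cfscript(missing_services(SAMPLE_HJT_LOG)), end="")
```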
Here's the ComboFix report:
ComboFix 08-08-28.02 - Lee 08/28/2008 11:44:44.3 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.0.1252.1.1033.18.133 [GMT -7:00]
Running from: C:\Documents and Settings\Lee\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lee\Desktop\CFScript.txt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINNT\system32\vsdatant.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_DXDMAIN
-------\Legacy_MCSECURE
-------\Legacy_NETINFO
-------\Legacy_RPCCLIENT
-------\Legacy_RPCMON
-------\Legacy_SCARDCLNT
-------\Legacy_VSDATANT
-------\Legacy_ZONELAPS
-------\Service_dxdmain
-------\Service_mcsecure
-------\Service_netinfo
-------\Service_RpcClient
-------\Service_Rpcmon
-------\Service_SCardClnt
-------\Service_vsdatant
-------\Service_Zonelaps
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-28 )))))))))))))))))))))))))))))))
.
2008-08-27 23:22 . 08-08-27 23:22 553,188 ---h----- C:\WINNT\ShellIconCache
2008-08-27 10:46 . 08-08-27 10:46 250 --a------ C:\WINNT\gmer.ini
2008-08-26 15:47 . 08-08-26 15:47 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-26 15:47 . 08-08-26 15:47 <DIR> d-------- C:\Documents and Settings\Lee\Application Data\SUPERAntiSpyware.com
2008-08-26 15:47 . 08-08-26 15:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-25 15:48 . 08-08-25 15:48 <DIR> d-------- C:\WINNT\ERUNT
2008-08-25 15:48 . 93-05-22 15:01 438 --a------ C:\WINNT\system32\AUTOEXEC.NT
2008-08-25 15:41 . 08-08-25 16:11 <DIR> d-------- C:\SDFix
2008-08-25 11:08 . 08-08-25 11:23 <DIR> d-------- C:\fixwareout
2008-08-22 13:17 . 08-08-22 13:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-19 22:15 . 08-08-20 10:36 <DIR> d-------- C:\Documents and Settings\Lee\Application Data\Antispyware
2008-08-19 20:19 . 02-05-15 15:16 462,848 --a------ C:\WINNT\system32\msaatext.dll
2008-08-19 20:19 . 02-05-15 15:16 360,448 --a------ C:\WINNT\system32\oleacc.dll
2008-08-19 20:19 . 02-05-15 15:16 360,448 --a--c--- C:\WINNT\system32\dllcache\oleacc.dll
2008-08-19 20:19 . 02-05-15 15:16 356,352 --a------ C:\WINNT\system32\oleaccrc.dll
2008-08-19 20:19 . 02-05-15 15:16 356,352 --a--c--- C:\WINNT\system32\dllcache\oleaccrc.dll
2008-08-19 18:57 . 08-07-10 15:12 600 --a------ C:\WINNT\win.tmp
2008-08-19 18:57 . 05-01-03 10:30 231 --a------ C:\WINNT\system.tmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-28 04:21 --------- d-----w C:\Documents and Settings\Lee\Application Data\AVG7
2008-08-26 22:46 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-21 04:15 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-21 04:14 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-20 17:36 --------- d-----w C:\Documents and Settings\Lee\Application Data\SpywareBot
2008-08-20 00:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\AVG7
2008-08-18 22:18 --------- d-----w C:\Documents and Settings\Lee\Application Data\uTorrent
2008-07-04 20:24 --------- d-----w C:\Program Files\Starcraft
2005-01-04 01:49 271 -c-h--w C:\Program Files\desktop.ini
1999-12-07 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys
2008-03-21 20:29 479,232 -c--a-w C:\Program Files\mozilla firefox\plugins\msvcm80.dll
2008-03-21 20:29 548,864 -c--a-w C:\Program Files\mozilla firefox\plugins\msvcp80.dll
2008-03-21 20:29 626,688 -c--a-w C:\Program Files\mozilla firefox\plugins\msvcr80.dll
.
((((((((((((((((((((((((((((( snapshot@Mon 2008-08-25_19.37.42.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-27 17:46:04 884,736 ----a-w C:\WINNT\gmer.dll
+ 2008-04-18 04:13:02 811,008 ----a-w C:\WINNT\gmer.exe
+ 2008-08-26 22:47:16 18,944 ----a-r C:\WINNT\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-08-26 22:47:16 65,024 ----a-r C:\WINNT\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-08-27 17:46:04 85,969 ----a-w C:\WINNT\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [08-08-19 23:34 1576176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [05-11-15 01:51 755472]
"EPSON Stylus CX4200 Series"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [05-03-07 20:00 98304]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08-03-29 02:12 98304]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08-06-27 20:15 580096]
"Synchronization Manager"="mobsync.exe" [99-12-07 05:00 111376 C:\WINNT\system32\mobsync.exe]
"LoadQM"="loadqm.exe" [00-05-03 18:23 7536 C:\WINNT\loadqm.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [07-09-04 16:40 6856704]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [08-05-21 20:06 219136]
C:\Documents and Settings\Lee\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2005-01-26 10:26:50 225280]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56 65588]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [08-05-13 10:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
08-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Defragmentation Manager]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DHCP Client]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Keyboard Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\LSA Server]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sound Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ulead Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ulead Systems]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\upnpdrv]
@="Service"
R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\System32\Drivers\avg7rsnt.sys [08-05-21 20:06 ]
R3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);C:\WINNT\System32\drivers\ctlsb16.sys [99-10-23 14:10 ]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\System32\DRIVERS\el90xbc5.sys [99-10-23 05:22 ]
S3 GencTurK RootKit Driver;GencTurK RootKit Driver;C:\system.sys []
S3 msvnc;msvnc;C:\WINNT\system32\msvnc.sys []
S3 Winacpci;Winacpci;C:\WINNT\System32\DRIVERS\winacpci.sys [99-09-25 00:55 ]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-28 11:52:25
Windows 5.0.2195 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
SystemRoot\System32\smss.exe [144]
??\C:\WINNT\system32\csrss.exe [168]
??\C:\WINNT\system32\winlogon.exe [188]
C:\WINNT\system32\services.exe [216]
C:\WINNT\system32\lsass.exe [228]
C:\WINNT\system32\svchost.exe [388]
C:\WINNT\system32\spoolsv.exe [416]
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe [444]
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe [480]
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe [504]
C:\WINNT\System32\svchost.exe [564]
C:\WINNT\system32\stisvc.exe [596]
C:\WINNT\System32\WBEM\WinMgmt.exe [640]
C:\WINNT\system32\cmd.exe [944]
C:\WINNT\loadqm.exe [888]
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE [996]
C:\Program Files\QuickTime\qttask.exe [1032]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe [1044]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [972]
C:\WINNT\System32\ZoneLabs\vsmon.exe [1100]
C:\WINNT\Explorer.exe [1160]
C:\ComboFix\catchme.cfexe [1108]
.
**************************************************************************
.
Completion time: 2008-08-28 11:57:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-28 18:57:00
ComboFix2.txt 2008-08-27 02:54:17
ComboFix3.txt 2008-08-26 02:39:11
Pre-Run: 3,500,548,096 bytes free
Post-Run: 3,494,285,312 bytes free
169
And here's the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:53 PM, on 8/28/2008
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\loadqm.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\Explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://xiah.gamescampus.com/luncher/GamesCampus.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
--
End of file - 4238 bytes
Also, ZoneAlarm says that the TrueVector security service is shut down and it has a message saying "System Error: Please Reboot". Even after I restarted the computer it still displays this message. Can you please tell me if I will have to reinstall ZoneAlarm? Thanks.
Fidos,
We're almost home, a few things we need to fix. Hang in there a bit for the ZoneAlarm issue, we may be able to fix that. Be back shortly.
OK, this will tidy it up.
Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above Driver::
Driver::
msvnc
GencTurK RootKit Driver
Rootkit::
C:\WINNT\system32\msvnc.sys
C:\system.sys
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif
This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
Let's make sure it took, and then we can work on the ZoneAlarm issue.
Here's the ComboFix report:
ComboFix 08-08-28.02 - Lee 08/28/2008 20:34:27.4 - NTFSx86
Running from: C:\Documents and Settings\Lee\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lee\Desktop\CFScript.txt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MSVNC
-------\Service_GencTurK RootKit Driver
-------\Service_msvnc
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))))))))))))))))))))))))
.
2008-08-27 23:22 . 08-08-28 12:10 553,356 ---h----- C:\WINNT\ShellIconCache
2008-08-27 10:46 . 08-08-27 10:46 250 --a------ C:\WINNT\gmer.ini
2008-08-26 15:47 . 08-08-26 15:47 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-26 15:47 . 08-08-26 15:47 <DIR> d-------- C:\Documents and Settings\Lee\Application Data\SUPERAntiSpyware.com
2008-08-26 15:47 . 08-08-26 15:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-25 15:48 . 08-08-25 15:48 <DIR> d-------- C:\WINNT\ERUNT
2008-08-25 15:48 . 93-05-22 15:01 438 --a------ C:\WINNT\system32\AUTOEXEC.NT
2008-08-25 15:41 . 08-08-25 16:11 <DIR> d-------- C:\SDFix
2008-08-25 11:08 . 08-08-25 11:23 <DIR> d-------- C:\fixwareout
2008-08-22 13:17 . 08-08-22 13:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-19 22:15 . 08-08-20 10:36 <DIR> d-------- C:\Documents and Settings\Lee\Application Data\Antispyware
2008-08-19 20:19 . 02-05-15 15:16 462,848 --a------ C:\WINNT\system32\msaatext.dll
2008-08-19 20:19 . 02-05-15 15:16 360,448 --a------ C:\WINNT\system32\oleacc.dll
2008-08-19 20:19 . 02-05-15 15:16 360,448 --a--c--- C:\WINNT\system32\dllcache\oleacc.dll
2008-08-19 20:19 . 02-05-15 15:16 356,352 --a------ C:\WINNT\system32\oleaccrc.dll
2008-08-19 20:19 . 02-05-15 15:16 356,352 --a--c--- C:\WINNT\system32\dllcache\oleaccrc.dll
2008-08-19 18:57 . 08-07-10 15:12 600 --a------ C:\WINNT\win.tmp
2008-08-19 18:57 . 05-01-03 10:30 231 --a------ C:\WINNT\system.tmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-28 04:21 --------- d-----w C:\Documents and Settings\Lee\Application Data\AVG7
2008-08-26 22:46 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-21 04:15 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-21 04:14 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-20 17:36 --------- d-----w C:\Documents and Settings\Lee\Application Data\SpywareBot
2008-08-20 00:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\AVG7
2008-08-18 22:18 --------- d-----w C:\Documents and Settings\Lee\Application Data\uTorrent
2008-07-04 20:24 --------- d-----w C:\Program Files\Starcraft
2005-01-04 01:49 271 -c-h--w C:\Program Files\desktop.ini
1999-12-07 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys
2008-03-21 20:29 479,232 -c--a-w C:\Program Files\mozilla firefox\plugins\msvcm80.dll
2008-03-21 20:29 548,864 -c--a-w C:\Program Files\mozilla firefox\plugins\msvcp80.dll
2008-03-21 20:29 626,688 -c--a-w C:\Program Files\mozilla firefox\plugins\msvcr80.dll
.
((((((((((((((((((((((((((((( snapshot@Mon 2008-08-25_19.37.42.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-27 17:46:04 884,736 ----a-w C:\WINNT\gmer.dll
+ 2008-04-18 04:13:02 811,008 ----a-w C:\WINNT\gmer.exe
+ 2008-08-26 22:47:16 18,944 ----a-r C:\WINNT\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-08-26 22:47:16 65,024 ----a-r C:\WINNT\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-08-27 17:46:04 85,969 ----a-w C:\WINNT\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [08-08-19 23:34 1576176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [05-11-15 01:51 755472]
"EPSON Stylus CX4200 Series"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [05-03-07 20:00 98304]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08-03-29 02:12 98304]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08-06-27 20:15 580096]
"Synchronization Manager"="mobsync.exe" [99-12-07 05:00 111376 C:\WINNT\system32\mobsync.exe]
"LoadQM"="loadqm.exe" [00-05-03 18:23 7536 C:\WINNT\loadqm.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [07-09-04 16:40 6856704]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [08-05-21 20:06 219136]
C:\Documents and Settings\Lee\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2005-01-26 10:26:50 225280]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56 65588]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [08-05-13 10:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
08-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Defragmentation Manager]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DHCP Client]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Keyboard Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\LSA Server]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sound Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ulead Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ulead Systems]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\upnpdrv]
@="Service"
R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\System32\Drivers\avg7rsnt.sys [08-05-21 20:06 ]
R3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);C:\WINNT\System32\drivers\ctlsb16.sys [99-10-23 14:10 ]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\System32\DRIVERS\el90xbc5.sys [99-10-23 05:22 ]
S3 Winacpci;Winacpci;C:\WINNT\System32\DRIVERS\winacpci.sys [99-09-25 00:55 ]
S4 Defragmentation Manager;Managing FAT and NTFS partitions;C:\WINNT\System32\dfrgfat16.exe []
S4 GencTurK RootKit;TurkSpy For RootKit;C:\system.exe []
S4 Keyboard Service;Keyboard Service System Files;C:\WINNT\System32\keyboard.exe []
S4 LSA Server;Local Security Authority Server;C:\WINNT\system32\msupdater.exe []
S4 Sound Service;Sound Sservice Driver ;C:\WINNT\System32\cfmon.exe []
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-28 20:42:57
Windows 5.0.2195 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
SystemRoot\System32\smss.exe [144]
??\C:\WINNT\system32\csrss.exe [168]
??\C:\WINNT\system32\winlogon.exe [188]
C:\WINNT\system32\services.exe [216]
C:\WINNT\system32\lsass.exe [228]
C:\WINNT\system32\svchost.exe [392]
C:\WINNT\system32\spoolsv.exe [420]
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe [448]
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe [492]
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe [516]
C:\WINNT\System32\svchost.exe [576]
C:\WINNT\system32\stisvc.exe [608]
C:\WINNT\System32\WBEM\WinMgmt.exe [652]
C:\WINNT\system32\cmd.exe [268]
C:\WINNT\loadqm.exe [932]
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [792]
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE [944]
C:\Program Files\QuickTime\qttask.exe [1036]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe [980]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [1048]
C:\WINNT\System32\ZoneLabs\vsmon.exe [1172]
C:\WINNT\Explorer.exe [952]
C:\ComboFix\catchme.cfexe [456]
.
**************************************************************************
.
Completion time: 2008-08-28 20:48:25 - machine was rebooted [Lee]
ComboFix-quarantined-files.txt 2008-08-29 03:47:47
ComboFix2.txt 2008-08-28 18:57:40
ComboFix3.txt 2008-08-27 02:54:17
ComboFix4.txt 2008-08-26 02:39:11
Pre-Run: 3,487,080,448 bytes free
Post-Run: 3,480,924,160 bytes free
159
And here's the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:02:20 PM, on 8/28/2008
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\loadqm.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\System32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://xiah.gamescampus.com/luncher/GamesCampus.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
--
End of file - 4237 bytes
Please download OTMoveIt2 (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\system.exe
Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Here are the results:
File/Folder C:\system.exe not found.
OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08292008_111430
We're almost at the end, but it appears that as we remove items, others show up.
Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above Driver::
Driver::
Defragmentation Manager
GencTurK RootKit
Keyboard Service
LSA Server
Sound Service
Rootkit::
C:\WINNT\System32\dfrgfat16.exe
C:\system.exe
C:\WINNT\System32\keyboard.exe
C:\WINNT\system32\msupdater.exe
C:\WINNT\System32\cfmon.exe
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif
This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
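Both CFScripts in this thread (the first one targeting msvnc and "GencTurK RootKit Driver", this second one targeting the five S4 services) were built by hand from the S3/S4 lines in the ComboFix "Reg Loading Points" section. As an added example, not part of this thread and not ComboFix's or the helper's own code, the Python script below automates that triage on a saved ComboFix.txt: it parses the service/driver lines, flags the ones a practitioner would script out, writes the Driver::/Rootkit:: script in the exact layout the helper used, cross-checks the flagged names against the SafeBoot\Minimal keys ComboFix lists just above them, and diffs two logs to confirm the fix "took". Two things in it are assumptions rather than documented ComboFix behaviour: that an empty `[]` where the file timestamp belongs means ComboFix could not find the image the service points at, and that an image sitting in the root of `C:\` (as `C:\system.exe` and `C:\system.sys` do here) is not a place any Windows 2000 service or driver legitimately lives. The log excerpts embedded in the script are constructed from the reports posted above.

```python
import re

# Constructed sample excerpt of a ComboFix "Reg Loading Points" section, taken
# from the second report in this thread: SafeBoot\Minimal keys followed by the
# service/driver lines. The R1/R3 lines are legitimate drivers and must not be
# flagged; the S4 lines are the bogus services the helper scripted out.
BEFORE_FIX = """\
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\Defragmentation Manager]
@="Service"
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\DHCP Client]
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\Keyboard Service]
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\LSA Server]
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\Sound Service]
R1 Avg7RsNT;AVG7 Resident Driver NT;C:\\WINNT\\System32\\Drivers\\avg7rsnt.sys [08-05-21 20:06 ]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\\WINNT\\System32\\DRIVERS\\el90xbc5.sys [99-10-23 05:22 ]
S4 Defragmentation Manager;Managing FAT and NTFS partitions;C:\\WINNT\\System32\\dfrgfat16.exe []
S4 GencTurK RootKit;TurkSpy For RootKit;C:\\system.exe []
S4 Keyboard Service;Keyboard Service System Files;C:\\WINNT\\System32\\keyboard.exe []
S4 LSA Server;Local Security Authority Server;C:\\WINNT\\system32\\msupdater.exe []
S4 Sound Service;Sound Sservice Driver ;C:\\WINNT\\System32\\cfmon.exe []
"""

# Constructed sample of the same section after the CFScript run.
AFTER_FIX = """\
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\DHCP Client]
R1 Avg7RsNT;AVG7 Resident Driver NT;C:\\WINNT\\System32\\Drivers\\avg7rsnt.sys [08-05-21 20:06 ]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\\WINNT\\System32\\DRIVERS\\el90xbc5.sys [99-10-23 05:22 ]
"""

# <start type> <service name>;<display name>;<image path> [<file timestamp, or nothing>]
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)\s*\[(?P<stamp>[^\]]*)\]$"
)
SAFEBOOT_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\(?P<name>[^\]]+)\]$",
    re.IGNORECASE,
)


def parse_services(log_text):
    """One dict per service/driver line; every other line in the log is ignored."""
    entries = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["stamp"] = e["stamp"].strip()
            entries.append(e)
    return entries


def is_suspicious(entry):
    """Heuristics (assumptions drawn from this thread's logs, not ComboFix rules):
    an empty [] means ComboFix found no file to timestamp, i.e. a dangling entry;
    an image directly in the drive root (C:\\system.exe) is not a legitimate location."""
    in_drive_root = re.fullmatch(r"[A-Za-z]:\\[^\\]+", entry["image"]) is not None
    return entry["stamp"] == "" or in_drive_root


def find_suspicious(entries):
    return [e for e in entries if is_suspicious(e)]


def build_cfscript(entries):
    """Driver::/Rootkit:: script in the layout the helper used: service names under
    Driver::, image paths under Rootkit::, nothing before the first line."""
    lines = ["Driver::"] + [e["name"] for e in entries]
    lines += ["Rootkit::"] + [e["image"] for e in entries]
    return "\n".join(lines) + "\n"


def safeboot_overlap(log_text, entries):
    """Flagged service names that are also keyed under SafeBoot\\Minimal, i.e. set
    up to start even in Safe Mode, which is where a user would go to remove them."""
    keyed = {m.group("name") for m in
             (SAFEBOOT_RE.match(l.strip()) for l in log_text.splitlines()) if m}
    return {e["name"] for e in entries} & keyed


def verify_removed(before_text, after_text):
    """Service names present in the earlier log and gone from the later one."""
    before = {e["name"] for e in parse_services(before_text)}
    after = {e["name"] for e in parse_services(after_text)}
    return before - after


if __name__ == "__main__":
    flagged = find_suspicious(parse_services(BEFORE_FIX))
    print(build_cfscript(flagged), end="")
    print("also in SafeBoot\\Minimal:", sorted(safeboot_overlap(BEFORE_FIX, flagged)))
    print("removed after fix:", sorted(verify_removed(BEFORE_FIX, AFTER_FIX)))
```

On a real log, replace the embedded samples with the contents of the two ComboFix.txt files and redirect the first print to CFScript.txt on the desktop, saved as plain text exactly as the helper describes. Review the flagged list before dragging it onto ComboFix: an empty `[]` on its own only proves the image file is absent, and an uninstaller that left a dead service behind produces the same line, so the drive-root location, the fake "LSA Server" and "Keyboard Service" display names, and the matching SafeBoot\Minimal keys are what make these five entries worth removing, not the missing timestamp alone.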
Here's the ComboFix report:
ComboFix 08-08-28.02 - Lee 08/29/2008 12:23:16.5 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.0.1252.1.1033.18.160 [GMT -7:00]
Running from: C:\Documents and Settings\Lee\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lee\Desktop\CFScript.txt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_DEFRAGMENTATION_MANAGER
-------\Legacy_GENCTURK_ROOTKIT
-------\Legacy_KEYBOARD_SERVICE
-------\Legacy_LSA_SERVER
-------\Legacy_SOUND_SERVICE
-------\Service_Defragmentation Manager
-------\Service_GencTurK RootKit
-------\Service_Keyboard Service
-------\Service_LSA Server
-------\Service_Sound Service
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))))))))))))))))))))))))
.
2008-08-29 11:14 . 08-08-29 11:14 <DIR> d-------- C:\_OTMoveIt
2008-08-27 23:22 . 08-08-28 12:10 553,356 ---h----- C:\WINNT\ShellIconCache
2008-08-27 10:46 . 08-08-27 10:46 250 --a------ C:\WINNT\gmer.ini
2008-08-26 15:47 . 08-08-26 15:47 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-26 15:47 . 08-08-26 15:47 <DIR> d-------- C:\Documents and Settings\Lee\Application Data\SUPERAntiSpyware.com
2008-08-26 15:47 . 08-08-26 15:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-25 15:48 . 08-08-25 15:48 <DIR> d-------- C:\WINNT\ERUNT
2008-08-25 15:48 . 93-05-22 15:01 438 --a------ C:\WINNT\system32\AUTOEXEC.NT
2008-08-25 15:41 . 08-08-25 16:11 <DIR> d-------- C:\SDFix
2008-08-25 11:08 . 08-08-25 11:23 <DIR> d-------- C:\fixwareout
2008-08-22 13:17 . 08-08-22 13:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-19 22:15 . 08-08-20 10:36 <DIR> d-------- C:\Documents and Settings\Lee\Application Data\Antispyware
2008-08-19 20:19 . 02-05-15 15:16 462,848 --a------ C:\WINNT\system32\msaatext.dll
2008-08-19 20:19 . 02-05-15 15:16 360,448 --a------ C:\WINNT\system32\oleacc.dll
2008-08-19 20:19 . 02-05-15 15:16 360,448 --a--c--- C:\WINNT\system32\dllcache\oleacc.dll
2008-08-19 20:19 . 02-05-15 15:16 356,352 --a------ C:\WINNT\system32\oleaccrc.dll
2008-08-19 20:19 . 02-05-15 15:16 356,352 --a--c--- C:\WINNT\system32\dllcache\oleaccrc.dll
2008-08-19 18:57 . 08-07-10 15:12 600 --a------ C:\WINNT\win.tmp
2008-08-19 18:57 . 05-01-03 10:30 231 --a------ C:\WINNT\system.tmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-28 04:21 --------- d-----w C:\Documents and Settings\Lee\Application Data\AVG7
2008-08-26 22:46 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-21 04:15 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-21 04:14 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-20 17:36 --------- d-----w C:\Documents and Settings\Lee\Application Data\SpywareBot
2008-08-20 00:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\AVG7
2008-08-18 22:18 --------- d-----w C:\Documents and Settings\Lee\Application Data\uTorrent
2008-07-04 20:24 --------- d-----w C:\Program Files\Starcraft
2005-01-04 01:49 271 -c-h--w C:\Program Files\desktop.ini
1999-12-07 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys
2008-03-21 20:29 479,232 -c--a-w C:\Program Files\mozilla firefox\plugins\msvcm80.dll
2008-03-21 20:29 548,864 -c--a-w C:\Program Files\mozilla firefox\plugins\msvcp80.dll
2008-03-21 20:29 626,688 -c--a-w C:\Program Files\mozilla firefox\plugins\msvcr80.dll
.
((((((((((((((((((((((((((((( snapshot@Mon 2008-08-25_19.37.42.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-27 17:46:04 884,736 ----a-w C:\WINNT\gmer.dll
+ 2008-04-18 04:13:02 811,008 ----a-w C:\WINNT\gmer.exe
+ 2008-08-26 22:47:16 18,944 ----a-r C:\WINNT\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-08-26 22:47:16 65,024 ----a-r C:\WINNT\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-08-27 17:46:04 85,969 ----a-w C:\WINNT\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [08-08-19 23:34 1576176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [05-11-15 01:51 755472]
"EPSON Stylus CX4200 Series"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [05-03-07 20:00 98304]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08-03-29 02:12 98304]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08-06-27 20:15 580096]
"Synchronization Manager"="mobsync.exe" [99-12-07 05:00 111376 C:\WINNT\system32\mobsync.exe]
"LoadQM"="loadqm.exe" [00-05-03 18:23 7536 C:\WINNT\loadqm.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [07-09-04 16:40 6856704]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [08-05-21 20:06 219136]
C:\Documents and Settings\Lee\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2005-01-26 10:26:50 225280]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56 65588]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [08-05-13 10:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
08-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DHCP Client]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ulead Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ulead Systems]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\upnpdrv]
@="Service"
R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\System32\Drivers\avg7rsnt.sys [08-05-21 20:06 ]
R3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);C:\WINNT\System32\drivers\ctlsb16.sys [99-10-23 14:10 ]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\System32\DRIVERS\el90xbc5.sys [99-10-23 05:22 ]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-29 12:33:03
Windows 5.0.2195 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
SystemRoot\System32\smss.exe [148]
??\C:\WINNT\system32\csrss.exe [168]
??\C:\WINNT\system32\winlogon.exe [160]
C:\WINNT\system32\services.exe [216]
C:\WINNT\system32\lsass.exe [228]
C:\WINNT\system32\svchost.exe [396]
C:\WINNT\system32\spoolsv.exe [420]
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe [456]
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe [500]
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe [532]
C:\WINNT\System32\svchost.exe [560]
C:\WINNT\system32\stisvc.exe [592]
C:\WINNT\System32\WBEM\WinMgmt.exe [636]
C:\WINNT\system32\cmd.exe [932]
C:\WINNT\loadqm.exe [1016]
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE [1036]
C:\Program Files\QuickTime\qttask.exe [992]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe [1052]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [1068]
C:\WINNT\System32\ZoneLabs\vsmon.exe [984]
C:\WINNT\Explorer.exe [1008]
C:\ComboFix\catchme.cfexe [976]
.
**************************************************************************
.
Completion time: 2008-08-29 12:39:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-29 19:38:41
ComboFix2.txt 2008-08-29 03:48:29
ComboFix3.txt 2008-08-28 18:57:40
ComboFix4.txt 2008-08-27 02:54:17
ComboFix5.txt 2008-08-29 19:22:24
Pre-Run: 3,490,766,848 bytes free
Post-Run: 3,484,639,232 bytes free
154
And here's the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:42:06 PM, on 8/29/2008
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\loadqm.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\System32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://xiah.gamescampus.com/luncher/GamesCampus.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
--
End of file - 4238 bytes
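The log above is a HijackThis v2 listing; the "O4" lines are the autostart entries a helper reads first when deciding what is legitimate. The following is an added example (not code from the thread, from Trend Micro or from HijackThis) that parses those lines into structured records and picks out the Run entries whose program is a bare file name, the kind that Windows resolves through the search path and therefore the kind a reviewer has to locate on disk before clearing it. The sample lines are constructed from the format shown above; the function names (parse_o4, executable_of, bare_name_entries) are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the HijackThis v2 "O4" (autostart) line format seen in
# the thread; the O23 line is included to show that other sections are skipped.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""


@dataclass
class Autostart:
    location: str        # registry key (e.g. HKLM\..\Run) or startup folder
    name: str            # value name, shortcut name or file name
    command: str         # command line / target as logged
    user: Optional[str]  # the "(User '...')" suffix HJT adds for other profiles


# Registry-backed entries: O4 - <hive\..\Run>: [<name>] <command> [(User '<user>')]
REG_RE = re.compile(
    r"^O4 - (?P<location>HK[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
# Startup-folder entries: "O4 - Startup: <file>" or "O4 - Global Startup: <x.lnk> = <target>"
FOLDER_RE = re.compile(r"^O4 - (?P<location>(?:Global )?Startup): (?P<entry>.*)$")
# First token ending in an executable extension, used for unquoted command lines
EXE_RE = re.compile(r"(\S.*?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", re.IGNORECASE)


def parse_o4(log_text: str) -> List[Autostart]:
    """Return every O4 autostart entry in a HijackThis log, in log order."""
    entries: List[Autostart] = []
    for line in log_text.splitlines():
        m = REG_RE.match(line)
        if m:
            entries.append(Autostart(m["location"], m["name"], m["command"], m["user"]))
            continue
        m = FOLDER_RE.match(line)
        if m:
            # Shortcuts are logged as "name.lnk = target"; plain files have no target
            name, _, target = m["entry"].partition(" = ")
            entries.append(Autostart(m["location"], name, target or name, None))
    return entries


def executable_of(command: str) -> str:
    """Best-effort extraction of the program from a logged command line.
    Quoted paths are taken verbatim; unquoted ones are cut at the first
    executable extension (a heuristic: an unquoted path containing spaces
    is ambiguous to Windows as well)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)
    return m.group(1) if m else command.split(" ", 1)[0]


def bare_name_entries(entries: List[Autostart]) -> List[Autostart]:
    """Registry Run entries whose program carries no directory at all
    (e.g. 'loadqm.exe').  Windows resolves such names through the search
    path, so the log alone does not say which file will run; these are
    the entries to locate on disk and verify."""
    return [
        e for e in entries
        if e.location.startswith("HK") and "\\" not in executable_of(e.command)
    ]


if __name__ == "__main__":
    found = parse_o4(SAMPLE_LOG)
    for e in found:
        print(f"{e.location:22} {e.name:26} -> {executable_of(e.command)}")
    print("bare names to verify:", [e.name for e in bare_name_entries(found)])
```

Run it as a script to see each entry reduced to the program it launches; the two bare-name entries in the sample (Synchronization Manager and LoadQM) are the ones a reviewer would confirm against the real file in the system directory.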
Looking good :bigthumb::bigthumb:
Let's work on the ZoneAlarm issue; not sure if the file is corrupt or infected.
Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad.
@echo off
rem Zip the quarantined driver for submission; zip.exe must be on the PATH
for %%g in (
C:\Qoobox\Quarantine\C\WINNT\system32\vsdatant.sys.vir
) do zip Files_for_submission %%g
rem Remove this batch file once the archive has been created
del %0
Save this as grab.bat
Choose to "Save type as - All Files"
Save it on your desktop.
It should look like this: http://www.techsupportforum.com/sectools/tetonbob/bat_icon.gif
Double click on grab.bat & allow it to run
A file, Files_for_submission.zip will be created on your desktop. Please upload that file here:
http://www.bleepingcomputer.com/subm....php?channel=4
In the Link to topic where this file was requested: area, copy and paste this :
http://forums.spybot.info/showthread.php?t=33062&page=3
Once it shows:
Your file was successfully submitted. Please let the user helping you know that you have submitted the file.
Close the site and let me know.
I went to the site but on the page it said:
404 ERROR: Page Not Found!
The requested page http://www.bleepingcomputer.com/subm....php could not be found on this server.
Is there another site I could do this on? If there is, can you send me the link? Thanks.
Try this; sometimes a URL gets borked in the process.
http://www.bleepingcomputer.com/submit-malware.php?channel=4
OK, this site works and I submitted the file. Thank you for the help.
Great, so just hang in until we hear back from sUbs. After all our hard work your system is finally clean :bigthumb:
K, thanks for the help.:)
Hi, I have a question about the programs I downloaded to clean my computer. Can you tell me which ones are OK for scanning regularly and which ones I shouldn't be using? Thanks.
Fidos,
Don't delete or remove any of the programs we have run just yet, we will go over them when we're done and I will tell you what to remove and what to keep.
The file we submitted was the wrong one and it's not needed now anyway; we need to work on fixing Zone Alarm for you.
C:\Qoobox\ComboFix-quarantined-files.txt <---This file will open in Notepad, post it please
Hi, do I post the contents of the file in a reply on this thread or do I submit it to the other site?
Anyways, if you do mean post it on this site, here it is:
2003-05-14 17:07:16 389,120 C:\Qoobox\Quarantine\C\WINNT\system32\actskn43.ocx.vir
2005-01-04 01:49:09 5,296 C:\Qoobox\Quarantine\C\WINNT\Web\default.htt.vir
2005-07-13 05:15:02 24 C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Settings\s_pid.dat.vir
2005-07-13 05:27:26 1,024 C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\History\search.vir
2005-11-15 08:50:34 372,816 C:\Qoobox\Quarantine\C\WINNT\system32\vsdatant.sys.vir
2007-03-07 17:37:54 264,376 C:\Qoobox\Quarantine\C\WINNT\system32\Launcher.exe.vir
2007-11-19 06:05:44 769 C:\Qoobox\Quarantine\C\Documents and Settings\Lee\Application Data\Macromedia\Flash Player\#SharedObjects\PZ47KJSE\bin.clearspring.com\clearspring.sol.vir
2008-06-20 19:09:55 139 C:\Qoobox\Quarantine\C\Documents and Settings\Lee\Application Data\Macromedia\Flash Player\#SharedObjects\PZ47KJSE\interclick.com\ud.sol.vir
2008-08-20 05:05:37 118,784 C:\Qoobox\Quarantine\C\WINNT\system32\3.tmp.vir
2008-08-20 22:08:17 118,784 C:\Qoobox\Quarantine\C\WINNT\system32\8.tmp.vir
2008-08-21 20:53:53 118,784 C:\Qoobox\Quarantine\C\WINNT\system32\4.tmp.vir
2008-08-22 18:15:45 118,784 C:\Qoobox\Quarantine\C\WINNT\system32\5.tmp.vir
2008-08-26 02:30:02 2,896 C:\Qoobox\Quarantine\Registry_backups\Service_MAPI.reg.dat
2008-08-26 02:30:02 798 C:\Qoobox\Quarantine\Registry_backups\Legacy_MAPI.reg.dat
2008-08-26 02:30:02 844 C:\Qoobox\Quarantine\Registry_backups\Legacy_RDRIV.reg.dat
2008-08-26 02:37:44 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-08-26 02:37:44 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-08-26 02:37:44 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-08-26 02:37:46 307 C:\Qoobox\Quarantine\Registry_backups\URLSearchHooks-{AE75F0AA-0C09-3646-8A7B-28B24300F4B3}.reg.dat
2008-08-26 02:37:47 302 C:\Qoobox\Quarantine\Registry_backups\URLSearchHooks-{C911510E-E118-7A41-1C46-3B7495D7F222}.reg.dat
2008-08-26 02:37:54 141 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Steam.reg.dat
2008-08-26 02:37:54 153 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Spyware Vanisher.reg.dat
2008-08-26 02:37:54 194 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Micr Update.reg.dat
2008-08-26 02:37:55 100 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-lpt.reg.dat
2008-08-26 02:37:55 101 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-teqq32.reg.dat
2008-08-26 02:37:55 103 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-porka_.reg.dat
2008-08-26 02:37:55 104 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-MONITER.reg.dat
2008-08-26 02:37:55 108 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-BoundRec.reg.dat
2008-08-26 02:37:55 122 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-M_S DVD DirectX Dll Drivers.reg.dat
2008-08-26 02:37:55 153 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Windows Logon Service.reg.dat
2008-08-26 02:37:55 153 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Windows SRM32 Pass.reg.dat
2008-08-26 02:37:55 160 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Microsoft MCT64 Center.reg.dat
2008-08-26 02:37:55 160 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Microsoft MicroP Protocol.reg.dat
2008-08-26 02:37:56 130 C:\Qoobox\Quarantine\Registry_backups\HKCU-RunServices-M_S DVD DirectX Dll Drivers.reg.dat
2008-08-26 02:37:56 132 C:\Qoobox\Quarantine\Registry_backups\HKCU-RunServices-MS Windows Security Updater.reg.dat
2008-08-26 02:37:56 168 C:\Qoobox\Quarantine\Registry_backups\HKCU-RunServices-Windows Logon Service.reg.dat
2008-08-26 02:37:56 168 C:\Qoobox\Quarantine\Registry_backups\HKCU-RunServices-Windows Update Service.reg.dat
2008-08-26 02:37:57 103 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-progmen.reg.dat
2008-08-26 02:37:57 106 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-wormexe.reg.dat
2008-08-26 02:37:57 107 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Dest068.reg.dat
2008-08-26 02:37:57 110 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-startman.reg.dat
2008-08-26 02:37:57 118 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Microsoft MCT64 Center.reg.dat
2008-08-26 02:37:57 121 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Windows Update Service.reg.dat
2008-08-26 02:37:57 123 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-M_S DVD DirectX Dll Drivers.reg.dat
2008-08-26 02:37:57 125 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-MS Windows Security Updater.reg.dat
2008-08-26 02:37:57 127 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Sygate Personal Firewall Start.reg.dat
2008-08-26 02:37:57 132 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Netbios Helper.reg.dat
2008-08-26 02:37:57 150 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-SMrhc17dj0et2g.reg.dat
2008-08-26 02:37:57 152 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Micr Update.reg.dat
2008-08-26 02:37:58 122 C:\Qoobox\Quarantine\Registry_backups\HKLM-RunServices-FireWire Service.reg.dat
2008-08-26 02:37:58 131 C:\Qoobox\Quarantine\Registry_backups\HKLM-RunServices-M_S DVD DirectX Dll Drivers.reg.dat
2008-08-26 02:37:58 133 C:\Qoobox\Quarantine\Registry_backups\HKLM-RunServices-MS Windows Security Updater.reg.dat
2008-08-26 02:37:58 135 C:\Qoobox\Quarantine\Registry_backups\HKLM-RunServices-Sygate Personal Firewall Start.reg.dat
2008-08-26 02:37:58 163 C:\Qoobox\Quarantine\Registry_backups\HKLM-RunServices-Windows SRM32 Pass.reg.dat
2008-08-26 02:37:58 163 C:\Qoobox\Quarantine\Registry_backups\HKLM-RunServices-Windows Update Service.reg.dat
2008-08-26 02:37:58 169 C:\Qoobox\Quarantine\Registry_backups\HKLM-RunServices-Microsoft MCT64 Center.reg.dat
2008-08-26 02:37:58 169 C:\Qoobox\Quarantine\Registry_backups\HKLM-RunServices-Microsoft MicroP Protocol.reg.dat
2008-08-26 02:37:58 203 C:\Qoobox\Quarantine\Registry_backups\HKLM-RunServices-Micr Update.reg.dat
2008-08-26 02:37:59 119 C:\Qoobox\Quarantine\Registry_backups\HKU-Default-Run-Microsoft MCT64 Center.reg.dat
2008-08-26 02:37:59 124 C:\Qoobox\Quarantine\Registry_backups\HKU-Default-Run-M_S DVD DirectX Dll Drivers.reg.dat
2008-08-26 02:37:59 128 C:\Qoobox\Quarantine\Registry_backups\HKU-Default-Run-Sygate Personal Firewall Start.reg.dat
2008-08-26 02:37:59 153 C:\Qoobox\Quarantine\Registry_backups\HKU-Default-Run-Micr Update.reg.dat
2008-08-26 02:37:59 162 C:\Qoobox\Quarantine\Registry_backups\HKU-Default-Run-Windows Login Security.reg.dat
2008-08-26 02:37:59 162 C:\Qoobox\Quarantine\Registry_backups\HKU-Default-Run-Windows Logon Service.reg.dat
2008-08-26 02:38:00 132 C:\Qoobox\Quarantine\Registry_backups\HKU-Default-RunServices-M_S DVD DirectX Dll Drivers.reg.dat
2008-08-26 02:38:00 211 C:\Qoobox\Quarantine\Registry_backups\HKU-Default-RunServices-Windows Login Security.reg.dat
2008-08-26 02:38:00 211 C:\Qoobox\Quarantine\Registry_backups\HKU-Default-RunServices-Windows Logon Service.reg.dat
2008-08-26 02:38:00 211 C:\Qoobox\Quarantine\Registry_backups\HKU-Default-RunServices-Windows Update Service.reg.dat
2008-08-28 18:47:47 804 C:\Qoobox\Quarantine\Registry_backups\Legacy_MCSECURE.reg.dat
2008-08-28 18:47:47 816 C:\Qoobox\Quarantine\Registry_backups\Legacy_DXDMAIN.reg.dat
2008-08-28 18:47:48 1,168 C:\Qoobox\Quarantine\Registry_backups\Legacy_VSDATANT.reg.dat
2008-08-28 18:47:48 2,780 C:\Qoobox\Quarantine\Registry_backups\Service_netinfo.reg.dat
2008-08-28 18:47:48 2,814 C:\Qoobox\Quarantine\Registry_backups\Service_mcsecure.reg.dat
2008-08-28 18:47:48 2,986 C:\Qoobox\Quarantine\Registry_backups\Service_dxdmain.reg.dat
2008-08-28 18:47:48 798 C:\Qoobox\Quarantine\Registry_backups\Legacy_NETINFO.reg.dat
2008-08-28 18:47:48 814 C:\Qoobox\Quarantine\Registry_backups\Legacy_ZONELAPS.reg.dat
2008-08-28 18:47:48 830 C:\Qoobox\Quarantine\Registry_backups\Legacy_SCARDCLNT.reg.dat
2008-08-28 18:47:48 854 C:\Qoobox\Quarantine\Registry_backups\Legacy_RPCMON.reg.dat
2008-08-28 18:47:48 864 C:\Qoobox\Quarantine\Registry_backups\Legacy_RPCCLIENT.reg.dat
2008-08-28 18:47:49 2,438 C:\Qoobox\Quarantine\Registry_backups\Service_vsdatant.reg.dat
2008-08-28 18:47:49 2,938 C:\Qoobox\Quarantine\Registry_backups\Service_Rpcmon.reg.dat
2008-08-28 18:47:49 2,980 C:\Qoobox\Quarantine\Registry_backups\Service_RpcClient.reg.dat
2008-08-28 18:47:49 3,054 C:\Qoobox\Quarantine\Registry_backups\Service_SCardClnt.reg.dat
2008-08-28 18:47:50 2,752 C:\Qoobox\Quarantine\Registry_backups\Service_Zonelaps.reg.dat
2008-08-28 18:48:05 168,862 C:\Qoobox\Quarantine\C\WINNT\system32\vsdatant.sys.zip
2008-08-29 03:37:43 1,082 C:\Qoobox\Quarantine\Registry_backups\Legacy_MSVNC.reg.dat
2008-08-29 03:37:43 2,512 C:\Qoobox\Quarantine\Registry_backups\Service_msvnc.reg.dat
2008-08-29 03:37:43 660 C:\Qoobox\Quarantine\Registry_backups\Service_GencTurK RootKit Driver.reg.dat
2008-08-29 19:27:12 9,611 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-08-29 19:27:31 876 C:\Qoobox\Quarantine\Registry_backups\Legacy_GENCTURK_ROOTKIT.reg.dat
2008-08-29 19:27:31 944 C:\Qoobox\Quarantine\Registry_backups\Legacy_DEFRAGMENTATION_MANAGER.reg.dat
2008-08-29 19:27:32 2,544 C:\Qoobox\Quarantine\Registry_backups\Service_GencTurK RootKit.reg.dat
2008-08-29 19:27:32 3,010 C:\Qoobox\Quarantine\Registry_backups\Service_Keyboard Service.reg.dat
2008-08-29 19:27:32 3,240 C:\Qoobox\Quarantine\Registry_backups\Service_Defragmentation Manager.reg.dat
2008-08-29 19:27:32 864 C:\Qoobox\Quarantine\Registry_backups\Legacy_LSA_SERVER.reg.dat
2008-08-29 19:27:32 864 C:\Qoobox\Quarantine\Registry_backups\Legacy_SOUND_SERVICE.reg.dat
2008-08-29 19:27:32 896 C:\Qoobox\Quarantine\Registry_backups\Legacy_KEYBOARD_SERVICE.reg.dat
2008-08-29 19:27:33 2,932 C:\Qoobox\Quarantine\Registry_backups\Service_Sound Service.reg.dat
2008-08-29 19:27:33 3,036 C:\Qoobox\Quarantine\Registry_backups\Service_LSA Server.reg.dat
2008-08-29 19:28:05 1,622 C:\Qoobox\Quarantine\catchme.log
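The listing above is ComboFix's quarantine index: one line per item with date, time, size and the path where the quarantined copy now sits, with registry backups named after the key they came from. The following is an added example (not code from the thread or from ComboFix) that parses that format, counts what was quarantined by category, and answers the question the helper is working through here by hand: which quarantined copy corresponds to an original file such as vsdatant.sys. The sample lines are constructed from the format shown above; the function names (parse_listing, summarize, find_quarantined) and the category labels are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

QUARANTINE_ROOT = r"C:\Qoobox\Quarantine"

# Constructed sample in the ComboFix-quarantined-files.txt format shown in the
# thread: "<date> <time> <size> <path>"; sizes carry thousands separators.
SAMPLE_LISTING = r"""
2005-11-15 08:50:34 372,816 C:\Qoobox\Quarantine\C\WINNT\system32\vsdatant.sys.vir
2007-03-07 17:37:54 264,376 C:\Qoobox\Quarantine\C\WINNT\system32\Launcher.exe.vir
2008-08-20 05:05:37 118,784 C:\Qoobox\Quarantine\C\WINNT\system32\3.tmp.vir
2008-08-26 02:30:02 798 C:\Qoobox\Quarantine\Registry_backups\Legacy_MAPI.reg.dat
2008-08-26 02:37:55 101 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-teqq32.reg.dat
2008-08-26 02:37:57 106 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-wormexe.reg.dat
2008-08-26 02:37:58 122 C:\Qoobox\Quarantine\Registry_backups\HKLM-RunServices-FireWire Service.reg.dat
2008-08-28 18:47:49 2,438 C:\Qoobox\Quarantine\Registry_backups\Service_vsdatant.reg.dat
2008-08-28 18:48:05 168,862 C:\Qoobox\Quarantine\C\WINNT\system32\vsdatant.sys.zip
2008-08-29 19:27:12 9,611 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+)\s+(?P<path>.+?)\s*$"
)

# Name prefixes ComboFix uses for registry backups; the rest of the name is the key/value.
REG_PREFIXES = (
    "HKCU-RunServices-", "HKCU-Run-", "HKLM-RunServices-", "HKLM-Run-",
    "HKU-Default-RunServices-", "HKU-Default-Run-", "Legacy_", "Service_",
)


@dataclass
class QEntry:
    timestamp: str
    size: int
    path: str

    @property
    def relative(self) -> str:
        """Path below the quarantine root, matched case-insensitively
        (the thread shows both 'Qoobox' and 'QooBox')."""
        root = QUARANTINE_ROOT
        if self.path[:len(root)].lower() == root.lower():
            return self.path[len(root) + 1:]
        return self.path

    def category(self) -> str:
        """'registry:<prefix>' for registry backups, 'file:quarantined' for
        moved files (.vir), 'file:other' for anything else (e.g. a .zip)."""
        rel = self.relative
        name = rel.rsplit("\\", 1)[-1]
        if rel.startswith("Registry_backups\\"):
            for prefix in REG_PREFIXES:
                if name.startswith(prefix):
                    return "registry:" + prefix.rstrip("-_")
            return "registry:other"
        if name.lower().endswith(".vir"):
            return "file:quarantined"
        return "file:other"

    def original_path(self) -> Optional[str]:
        r"""Where a quarantined file came from: ComboFix stores the drive letter
        as a folder, so Quarantine\C\WINNT\x.vir was C:\WINNT\x."""
        if self.category() != "file:quarantined":
            return None
        drive, _, rest = self.relative.partition("\\")
        return f"{drive}:\\{rest[:-len('.vir')]}"


def parse_listing(text: str) -> List[QEntry]:
    """Parse the index into entries; lines that do not fit the format are skipped."""
    entries: List[QEntry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            size = int(m["size"].replace(",", ""))
            entries.append(QEntry(f"{m['date']} {m['time']}", size, m["path"]))
    return entries


def summarize(entries: List[QEntry]) -> Dict[str, int]:
    """Count entries per category: files moved versus autorun/service keys backed up."""
    return dict(Counter(e.category() for e in entries))


def find_quarantined(entries: List[QEntry], basename: str) -> List[QEntry]:
    """Quarantined copies of a given original file name, e.g. 'vsdatant.sys'."""
    want = "\\" + basename.lower()
    return [e for e in entries if (e.original_path() or "").lower().endswith(want)]


if __name__ == "__main__":
    found = parse_listing(SAMPLE_LISTING)
    for cat, n in sorted(summarize(found).items()):
        print(f"{cat:28} {n}")
    for e in find_quarantined(found, "vsdatant.sys"):
        print(e.timestamp, e.size, e.original_path(), "<-", e.path)
```

The category counts make it obvious at a glance how much of a cleanup was registry autoruns versus files, and original_path() is the reverse of the move ComboFix performed, which is exactly what is needed when, as in this thread, one quarantined file turns out to be a legitimate driver that has to go back.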
That's fine, but I don't see the file I am looking for; be back in a bit. Hang in, we're almost done and your system looks fine.
Let's do this.
Go Start > Run and copy/paste the following single-line command into the Run box and click OK:
cmd /c Vfind -ltf "%systemdrive%\vsdatant.*" >Log.txt&Log.txt&del Log.txt
A Notepad file will open. Post the contents of Log.txt in your next reply.
Here's the contents of the log.txt:
----a-w 372,816 2005-11-15 08:50:34 C:\QooBox\Quarantine\C\WINNT\system32\vsdatant.sys.vir
----a-w 168,862 2008-08-28 18:48:05 C:\QooBox\Quarantine\C\WINNT\system32\vsdatant.sys.zip
Entries: 2 (2)
Directories: 0 Files: 2
Bytes: 541,678 Blocks: 1,059
C:\QooBox\Quarantine\catchme_Date@Time.zip <---Is this present on your system??
No, I can't find this file on my computer.
OK,
Go here and copy and paste this file to your desktop
C:\QooBox\Quarantine\C\WINNT\system32\vsdatant.sys.zip
Then right click on it and rename it, all you have to do is remove .zip
So it should look like this
C:\QooBox\Quarantine\C\WINNT\system32\vsdatant.sys
Then right click and copy it and paste it here
C:\WINNT\system32
Let me know if it was successful and if so then we can restore the registry entry and ZoneAlarm may work.
Ok, the file was successfully put into the folder.:)
Moving right along.
Go to Start > Run >
Copy and Paste this in to the run box
Regedit "C:\Qoobox\Quarantine\Registry_backups\Service_vsdatant.reg.dat"
Click yes at the prompt to merge into the registry.
Reboot and try ZA and see if it's running OK now.
Hi, I did what you told me to do and when I restarted the computer I hit a blue screen that said:
STOP:c000026c {Unable To Load Device Driver}
\SystemRoot\System32\vsdatant.sys device driver could not be loaded
Error status was 0xc000012f :sad:
So I restarted the computer again and I still got the same screen, and then I got the computer to restart normally by going into safe mode and cutting the vsdatant.sys file from C:\WINNT\system32 to my desktop.
So what do I do next?
Morning Fidos,
This has been a bit tricky to say the least, but we still need that file for ZA to work. We may just have done it wrong; my bad on this one, it's still a zip file and removing the extension did not change it.
Make sure this file is still on your desktop and rename it back by adding .zip, so now it should be this:
C:\QooBox\Quarantine\C\WINNT\system32\vsdatant.sys.zip
Then double-click it and unzip it to system32.
Ken
OK, so now I unzipped it into C:\WINNT\system32. Do I restart the computer again and see if it worked?
Yep, this should work now
It didn't work. ZoneAlarm still has that error message when I open it.
Fidos,
You had some nasty infections on this system, and Zone Alarm not running is really the least of the issues. We tried to fix this without you having to reinstall it, but it looks like this will be something you're going to have to do.
Just uninstall ZA from your Add/Remove Programs and download a new copy and install it. I would delete that file, as it may be corrupted and may not uninstall when you uninstall ZA.
Ken
Ok, I reinstalled ZoneAlarm and everything seems to be working fine now. Thanks for helping me.:)
I just have one more question. Which programs that I downloaded shouldn't be used for scanning my computer?
Fidos, that's great :bigthumb:
GMER <---Drag it to the trash
Fixwareout <---Drag it to the trash
SDfix <--- Drag it to the trash
ATF Cleaner <-- Yours to keep, run it now and then to clean out the clutter.
Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.
SuperAntiSpyware <---Yours to keep also but if you keep Malwarebytes then remove this one, you just need one
Hijackthis <---Your call, hopefully you won't need it again, if you do you can redownload it
Combofix <---Is not a general cleaning tool; just run it with supervision or you can bork your system.
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
When shown the disclaimer, Select "2"
The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Keep in mind if you install some of these programs: only ONE antivirus and only ONE firewall are recommended; more is overkill and can cause you problems. You can install all the spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy, but do not enable the TeaTimer in Spybot.
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community.
Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.
Safe Surfn
Ken
Hi, thanks for telling me this. You did not list OTMoveIt2. Should I delete that one too?
Yep, forgot all about that one.
Take Care,
Ken
OK, now that that's taken care of I want to know what you want me the do about the system restore.
How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
Well, I can't find the System Restore button, but I found a button called Backup. (I think that may be the button for System Restore on Windows 2000.) I don't think there are any restore points on the computer, so I don't have to delete old restore points if that is what you wanted me to do. I think I need to manually create a restore point. Did you want me to create a restore point in case anything happened?
May you please let me know? Thanks. :laugh:
My bad on that one; we seldom get posters with Win 2000. There is no System Restore on 2000, so don't worry about it.
Ken
Ok, thanks so much for helping me. I wish you the best in the future. :)
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.