SmitFraud and Zeno...and others every now and then
lmarello
2008-09-25, 19:17
Hello,
I have been trying to get SmitFraud and Zeno off of my computer for quite some time. Spybot detects them...removes them and they return on the very next search (like minutes later). I have followed the "BEFORE YOU POST" instructions and have included my HiJackThis log below...I need some help figuring this out...
Thank you for your help!
-------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:10:52: PM, on 9/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
c:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\Program Files\LANDesk\LDClient\ldiscn32.exe
C:\Program Files\LANDesk\LDClient\vulscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\mcntntdm.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
c:\Program Files\Network Associates\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ads.think-adz.com/www/delivery/afr2.php?zoneid=8&domain=na:&cb=26503&clid=40
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uoyzsydz.exe,
O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\Webtools\webtools.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {89AD69EF-A3CD-4A2F-9D65-7D04247B72E3} - (no file)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: gooochi browser enhancer - {f745ab38-346f-1b02-d04b-251b14b5c5b9} - C:\WINDOWS\system32\wbxzikuztfamj.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "c:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\mcntntdm.exe DWram02
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [1] \\global.ds.honeywell.com\SysVol\global.ds.honeywell.com\Policies\{2037079B-D0B4-4E4C-84AE-EC8F4A576F8D}\Machine\Scripts\GTS-GPOAdminSecWeb2.0.1.vbe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105558117276
O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) - https://pki.honeywell.com/pki/VSApps/vspta3.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = global.ds.honeywell.com
O17 - HKLM\Software\..\Telephony: DomainName = global.ds.honeywell.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = global.ds.honeywell.com
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: ence55 - Unknown owner - C:\WINDOWS\system32\ence55.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - c:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
O23 - Service: LANDesk(R) Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 8600 bytes
pskelley
2008-09-26, 17:26
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.
You do have multiple infections including this junk, this is going to take some time: http://www.threatexpert.com/files/uoyzsydz.exe.html
1) We first need to disable TeaTimer so that it doesn't interfere with the fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)
2) http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.
Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm
Post only the C:\rapport.txt
Thanks
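The lines the helper is reacting to in the log above are the ones that do not belong on a clean machine: an extra executable appended to the Winlogon Userinit value (the F2 line), BHO and SSODL entries whose DLL is missing, a service with an unknown owner, and a per-user Startup shortcut that points into system32. The following script is an added example, not part of this thread and not code from HijackThis or Safer Networking; it parses a handful of HijackThis-style lines (the sample lines are copied from the log posted above) and reports those indicators. The expected Userinit value and the "Startup link into system32" heuristic are assumptions of this example, not rules the thread states.

```python
"""Triage of HijackThis-style log lines (added example, not from the thread)."""
import re

# Default Winlogon Userinit target on Windows XP (assumption of this example);
# the comparison is case-insensitive because HJT prints the registry value as-is.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample: a subset of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uoyzsydz.exe,
O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\Webtools\webtools.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {89AD69EF-A3CD-4A2F-9D65-7D04247B72E3} - (no file)
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\mcntntdm.exe DWram02
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\mcntntdm.exe
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: ence55 - Unknown owner - C:\WINDOWS\system32\ence55.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
"""


def userinit_extras(line):
    """Return every executable listed in the Userinit value beyond the default one.

    A clean value is "...\\userinit.exe," (note the trailing comma); anything
    appended after it is launched at every logon, which is how the
    uoyzsydz.exe infection in this thread persists.
    """
    m = re.match(r"F2 - REG:system\.ini: UserInit=(.*)$", line)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    return [e for e in entries if e.lower() != EXPECTED_USERINIT]


def triage(log_text):
    """Walk the log and collect findings as dicts with kind, line and detail."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]  # "F2", "O2", "O4", ...
        if section == "F2":
            extras = userinit_extras(line)
            if extras:
                findings.append({"kind": "userinit-extra", "line": line, "detail": extras})
        elif section in ("O2", "O21"):
            # A COM object registered but with no file behind it is a leftover of
            # a removed or half-removed component; it should be cleaned, not left.
            if line.endswith("(file missing)") or line.endswith("(no file)"):
                findings.append({"kind": "orphaned-com-entry", "line": line, "detail": None})
        elif section == "O4" and line.startswith("O4 - Startup:") and " = " in line:
            # Heuristic (assumption of this example): a per-user Startup shortcut
            # whose target lives in system32 is unusual for legitimate software.
            target = line.split(" = ", 1)[1]
            if "\\system32\\" in target.lower():
                findings.append({"kind": "startup-link-into-system32", "line": line, "detail": target})
        elif section == "O23" and " - Unknown owner - " in line:
            # Services without a vendor string deserve a look before anything else.
            findings.append({"kind": "unknown-owner-service", "line": line, "detail": None})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:28s} {f['line']}")
```

Run on a real log, the script only points at lines a human should look at; it does not remove anything, and entries like the Spybot BHO or the McAfee service correctly produce no finding.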
lmarello
2008-09-29, 21:25
Thank you! Here is rapport.txt data.
SmitFraudFix v2.352
Scan done at 14:21:52.39, Mon 09/29/2008
Run from D:\Documents and Settings\e184180\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
c:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\LANDesk\LDClient\vulscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\mcntntdm.exe
c:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
D:\Documents and Settings\e184180\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
hosts file corrupted !
127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info
»»»»»»»»»»»»»»»»»»»»»»»» D:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» D:\Documents and Settings\e184180
»»»»»»»»»»»»»»»»»»»»»»»» D:\Documents and Settings\e184180\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» D:\DOCUME~1\e184180\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!
404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix
!!!Attention, following keys are not inevitably infected!!!
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\uoyzsydz.exe,"
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» RK
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
DNS Server Search Order: 129.30.34.22
DNS Server Search Order: 129.30.34.24
DNS Server Search Order: 131.127.251.6
DNS Server Search Order: 131.127.251.201
DNS Server Search Order: 131.127.251.202
HKLM\SYSTEM\CCS\Services\Tcpip\..\{D768449F-6161-4677-ADEC-2B20A61CE1A6}: DhcpNameServer=129.30.34.22 129.30.34.24 131.127.251.6 131.127.251.201 131.127.251.202
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D768449F-6161-4677-ADEC-2B20A61CE1A6}: DhcpNameServer=129.30.34.22 129.30.34.24 131.127.251.6 131.127.251.201 131.127.251.202
HKLM\SYSTEM\CS3\Services\Tcpip\..\{D768449F-6161-4677-ADEC-2B20A61CE1A6}: DhcpNameServer=129.30.34.22 129.30.34.24 131.127.251.6 131.127.251.201 131.127.251.202
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=129.30.34.22 129.30.34.24 131.127.251.6 131.127.251.201 131.127.251.202
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=129.30.34.22 129.30.34.24 131.127.251.6 131.127.251.201 131.127.251.202
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=129.30.34.22 129.30.34.24 131.127.251.6 131.127.251.201 131.127.251.202
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
pskelley
2008-09-29, 21:34
Thanks for returning your information. Smitfraudfix found the infection, and it also found this:
»»»»»»»»»»»»»»»»»»»»»»»» hosts
hosts file corrupted !
After we clean, in the next C:\rapport.txt, there may be a very large hosts file (items starting with 127.0.0.1) and I do not need to see it. Edit (remove) it from the C:\rapport.txt before you post it.
Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click SmitfraudFix.exe
Select 2 and hit Enter to delete infected files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
Optional:
To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
Post the C:\rapport.txt and a new HJT log.
Thanks...Phil
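SmitfraudFix flagged "hosts file corrupted !" because the file maps legal-at-spybot.info to 127.0.0.1, which silently blocks the security site. The script below is an added example, not part of this thread and not code from SmitfraudFix: it parses a hosts file in the usual format (address, whitespace, one or more names, optional `#` comment) and lists every name pinned to a loopback or null address that is not itself a loopback name, which is the pattern behind that warning. The sample hosts content is constructed for the example; only the two legal-at-spybot.info lines come from the report above, and the other entries are made up.

```python
"""Hosts-file hijack check (added example, not from the thread or SmitfraudFix)."""
import ipaddress
import sys

# Names that legitimately map to a loopback address.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample. The two legal-at-spybot.info lines are the ones the
# SmitfraudFix report in this thread shows; the rest is invented for the example.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info
0.0.0.0   update.example-av.invalid   # null-routed, constructed entry
10.0.0.5  intranet.example   # ordinary static entry, not flagged
"""


def parse_hosts(text):
    """Return [(address, [names])] for each non-blank, non-comment line.

    Comments start at '#', names are case-insensitive, and malformed lines
    (no name after the address) are skipped rather than guessed at.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        entries.append((parts[0], [n.lower() for n in parts[1:]]))
    return entries


def is_sinkhole(address):
    """True for loopback (127/8, ::1) and the unspecified address (0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # not an IP literal; leave it to the reader
    return ip.is_loopback or ip.is_unspecified


def find_hijacked(text):
    """List (name, address) pairs where a non-loopback name is sinkholed."""
    hijacked = []
    for address, names in parse_hosts(text):
        if not is_sinkhole(address):
            continue
        for name in names:
            if name not in LOOPBACK_NAMES:
                hijacked.append((name, address))
    return hijacked


if __name__ == "__main__":
    # Optional path argument, e.g. %SystemRoot%\system32\drivers\etc\hosts on Windows.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for name, address in find_hijacked(text):
        print(f"{address:15s} -> {name}")
```

A long run of such lines is exactly the "very large hosts file" the helper asks to have trimmed from the next report; the check only reports them, and the fix is the one the thread describes, letting the tool restore the file rather than editing entries by hand.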
lmarello
2008-09-30, 19:24
Here are the files you asked for!
Thank you!!!!
Rapport:
SmitFraudFix v2.352
Scan done at 12:12:13.53, Tue 09/30/2008
Run from D:\Documents and Settings\e184180\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix
AntiXPVSTFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» RK
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CS3\Services\Tcpip\..\{D768449F-6161-4677-ADEC-2B20A61CE1A6}: DhcpNameServer=129.30.34.22 129.30.34.24 131.127.251.6 131.127.251.201 131.127.251.202
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=129.30.34.22 129.30.34.24 131.127.251.6 131.127.251.201 131.127.251.202
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:15:02, on 9/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ads.think-adz.com/www/delivery/afr2.php?zoneid=8&domain=na:&cb=26503&clid=40
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uoyzsydz.exe,
O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\Webtools\webtools.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {89AD69EF-A3CD-4A2F-9D65-7D04247B72E3} - (no file)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: gooochi browser enhancer - {f745ab38-346f-1b02-d04b-251b14b5c5b9} - C:\WINDOWS\system32\wbxzikuztfamj.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "c:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\mcntntdm.exe DWram02
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\RunOnce: [DLL0] regsvr32 -s c:\visual\vmfgini\VDtaMgr.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [1] \\global.ds.honeywell.com\SYSVOL\global.ds.honeywell.com\Policies\{2037079B-D0B4-4E4C-84AE-EC8F4A576F8D}\Machine\Scripts\GTS-GPOAdminSecWeb2.0.1.vbe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\mcntntdm.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105558117276
O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) - https://pki.honeywell.com/pki/VSApps/vspta3.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = global.ds.honeywell.com
O17 - HKLM\Software\..\Telephony: DomainName = global.ds.honeywell.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = global.ds.honeywell.com
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: ence55 - Unknown owner - C:\WINDOWS\system32\ence55.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - c:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - c:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - c:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
O23 - Service: LANDesk(R) Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 7180 bytes
pskelley
2008-09-30, 20:18
Boot mode: Safe mode with network support
I need the HJT logs posted in Normal Mode.
I'll post the next step to save us both some time.
You may delete Smitfraudfix from the computer; we are finished with it.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Remove any old copies of combofix before you proceed.
Thanks to sUBs and anyone else who helped with this fix.
It is important that it is saved directly to your Desktop.
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Post the combofix log and a new HJT log.
Thanks
lmarello
2008-10-01, 02:23
Sorry about the hijackthis file...I was on a roll!
Okay, here is the Combofix and CORRECT hijackthis logs:
Combofix:
ComboFix 08-09-30.02 - E184180 2008-09-30 18:42:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1582 [GMT -4:00]
Running from: D:\Documents and Settings\e184180\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\AntispyStorm
C:\Program Files\AntispyStorm\AntispyStorm.exe.MANIFEST
C:\Program Files\AntispyStorm\as_ie_monitor.dll
C:\Program Files\AntispyStorm\logs\07.9.08_19_21_07.log
C:\Program Files\AntispyStorm\mdReg.dll
C:\Program Files\AntispyStorm\stat.bin
C:\Program Files\AntispyStorm\uninstall.exe
C:\Program Files\AntispyStorm\uninstall.log
C:\Program Files\AntiSpywareMaster
C:\Program Files\AntiSpywareMaster\Dat\Activate.dat
C:\Program Files\AntiSpywareMaster\Dat\bnlink.dat
C:\Program Files\AntiSpywareMaster\Dat\pv.dat
C:\Program Files\AntiSpywareMaster\Graphics\kb.url
C:\Program Files\AntiSpywareMaster\Graphics\Online.url
C:\Program Files\AntiSpywareMaster\Graphics\rm.url
C:\Program Files\AntiSpywareMaster\Graphics\Support.url
C:\Program Files\AntiSpywareMaster\LA\lapv.dat
C:\Program Files\AntiSpywareMaster\settings.ini
C:\Program Files\AntiSpywareMaster\Up\ASupdater.dat
C:\Program Files\AntiSpywareMaster\Up\PGupdater.dat
C:\Program Files\AntiSpywareMaster\Up\UBupdater.dat
C:\Program Files\AntiSpywareMaster\Up\up.dat
C:\Program Files\AntiSpywareMaster\Up\updater.dat
C:\Program Files\Common Files\asks~1
C:\Program Files\Common Files\asks~1\?asks\
C:\Program Files\GetModule
C:\Program Files\GetModule\avatupdate.exe
C:\Program Files\GetModule\dicik.gz
C:\Program Files\GetModule\GetModule20.exe
C:\Program Files\GetModule\GetModule21.exe
C:\Program Files\GetModule\kwdik.gz
C:\Program Files\GetModule\pckik.dat
C:\Program Files\GetModule\zolnupdate.exe
C:\Program Files\mjc
C:\Program Files\Temporary
C:\Temp\1cb
C:\temp\tn3
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\directx32.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\editpad.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\funny.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\index.html
C:\WINDOWS\inetinf.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\msconfd.dll
C:\WINDOWS\msspi.dll
C:\WINDOWS\mSWSC10.dll
C:\WINDOWS\mSWSC20.dll
C:\WINDOWS\muotr.so
C:\WINDOWS\qttasks.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\searchword.dll
C:\WINDOWS\svchost32.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\system32\4798\23272.dll
C:\WINDOWS\system32\blphct7aj0er75.scr
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\instsrv.exe
C:\WINDOWS\system32\mcntntdm.exe
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\sft.res
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\ystem3~1
C:\WINDOWS\system32\zxdnt3d.cfg
D:\Autorun.inf
D:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster
D:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster\AntiSpywareMaster.lnk
D:\Documents and Settings\e184081\Application Data\Microsoft\dtsc
D:\Documents and Settings\e184081\Application Data\Microsoft\dtsc\1st File Hider v3.22.torrent
D:\Documents and Settings\e184081\Application Data\Microsoft\dtsc\1st File Hider v3.22.zip
D:\Documents and Settings\e184081\Application Data\Microsoft\dtsc\Advanced Office XP Password Recovery Professional v2.0.torrent
D:\Documents and Settings\e184081\Application Data\Microsoft\dtsc\Advanced Skeleton v1.2 for Maya X.torrent
D:\Documents and Settings\e184081\Application Data\Microsoft\dtsc\Alawar Farm Frenzy by JonezCracker.zip~
D:\Documents and Settings\e184081\Application Data\Microsoft\dtsc\alive.video.converter.1.6.8.0.serial-tsrh.torrent
D:\Documents and Settings\e184081\Application Data\Microsoft\dtsc\Call.Of.Duty.2 CHEAT-FFF.torrent
D:\Documents and Settings\e184081\Application Data\Microsoft\dtsc\CloneCD.V4.0.0.0.Build14.torrent
D:\Documents and Settings\e184081\Application Data\Microsoft\dtsc\DIGITAL MEDIA CONVERTER.torrent
D:\Documents and Settings\e184081\Application Data\Microsoft\dtsc\Eset NOD32 Antivirus v2.000.6.torrent
D:\Documents and Settings\e184081\Application Data\Microsoft\dtsc\Eset NOD32 Antivirus v2.000.6.zip
D:\Documents and Settings\e184081\Application Data\Microsoft\dtsc\Iolo Technologies System Mechanic 3.7i by TSRh.torrent
D:\Documents and Settings\e184081\Application Data\Microsoft\dtsc\Iolo Technologies System Mechanic 3.7i by TSRh.zip
D:\Documents and Settings\e184081\Application Data\Microsoft\dtsc\Norton Internet Security 2008 patch.zip~
D:\Documents and Settings\e184081\Application Data\Microsoft\dtsc\PowerDVD v7.0 MULTILANGUAGE crack TFT.zip~
D:\Documents and Settings\e184081\Application Data\Microsoft\dtsc\Ringtone.Media.Studio.2.10 CRK-FFF.torrent
D:\Documents and Settings\e184081\Application Data\Microsoft\dtsc\Ringtone.Media.Studio.2.10 CRK-FFF.zip
D:\Documents and Settings\e184081\Application Data\Microsoft\dtsc\s
D:\Documents and Settings\e184081\Application Data\Microsoft\dtsc\Sound Pilot v1.3 Build 19 loader by TSRh.torrent
D:\Documents and Settings\e184081\Application Data\Microsoft\dtsc\Sound Pilot v1.3 Build 19 loader by TSRh.zip
D:\Documents and Settings\e184081\Application Data\Microsoft\dtsc\WinZip.Pro.v11.0.Beta KEYGEN-FFF.torrent
D:\Documents and Settings\e184081\Application Data\Microsoft\dtsc\WinZip.Pro.v11.0.Beta KEYGEN-FFF.zip
D:\Documents and Settings\e184081\Application Data\shcr7aj0er75
D:\Documents and Settings\e184081\Cookies\e184081@h.blackplanet[2].txt
D:\Documents and Settings\e184081\Cookies\e184081@spamblockerutility[2].txt
D:\Documents and Settings\e184081\Cookies\e184081@spamblockerutility[3].txt
D:\Documents and Settings\e184081\Desktop\AntiSpywareMaster.lnk
D:\Documents and Settings\e184081\Local Settings\Temporary Internet Files\bestwiner.stt
D:\Documents and Settings\e184180\Start Menu\Programs\Startup\Deewoo.lnk
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-30 )))))))))))))))))))))))))))))))
.
2008-09-30 18:50 . 2008-09-30 18:50 <DIR> d-------- C:\Temp\WER3e52.dir00
2008-09-30 18:49 . 2008-09-30 18:49 <DIR> d-------- C:\Temp\WPDNSE
2008-09-30 18:49 . 2008-09-30 18:49 53,248 --a------ C:\Temp\catchme.dll
2008-09-29 17:52 . 2008-09-29 18:38 <DIR> d-------- C:\Temp\eLiveBrowser0.tmp
2008-09-29 17:52 . 2008-09-30 18:49 <DIR> d-------- C:\Temp\eLiveAS0.tmp
2008-09-29 16:29 . 2008-09-29 16:29 7,261 --a------ C:\WINDOWS\KRON122.INI
2008-09-29 16:20 . 2008-09-29 16:20 <DIR> d-------- C:\ETIME
2008-09-29 16:15 . 2008-09-29 16:16 <DIR> d-------- C:\visual
2008-09-29 16:15 . 2008-09-30 18:49 <DIR> d-------- C:\Temp\_ISTMP0.DIR
2008-09-29 15:44 . 2008-09-29 15:44 <DIR> d-------- C:\Temp\OraInstall2008-09-29_03-44-02PM
2008-09-29 15:44 . 2008-09-29 15:51 <DIR> d-------- C:\Program Files\Oracle
2008-09-29 15:44 . 2008-09-29 15:44 <DIR> d-------- C:\oracle
2008-09-29 15:43 . 2008-09-30 18:49 <DIR> d-------- C:\Temp\OraInstall2008-09-29_03-43-29PM
2008-09-25 10:29 . 2008-09-25 10:29 <DIR> d-------- D:\Documents and Settings\e184180\Application Data\Xerox
2008-09-24 14:03 . 2008-09-24 14:03 <DIR> d-------- D:\Documents and Settings\e184180\Application Data\Windows Search
2008-09-24 12:00 . 2008-09-24 12:00 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-24 12:00 . 2008-09-24 12:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-23 14:07 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-09-23 13:18 . 2008-09-23 13:18 <DIR> d-------- D:\Documents and Settings\e184180\Application Data\Windows Desktop Search
2008-09-23 13:17 . 2008-09-23 13:17 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-09-23 13:16 . 2008-09-23 13:16 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-09-23 13:16 . 2008-03-07 13:02 192,000 -----c--- C:\WINDOWS\system32\dllcache\offfilt.dll
2008-09-23 13:16 . 2008-03-07 13:02 98,304 -----c--- C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-09-23 13:16 . 2008-03-07 13:02 29,696 -----c--- C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-09-23 13:14 . 2008-09-24 15:15 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-09-23 13:14 . 2008-09-23 13:15 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-09-23 13:12 . 2008-09-23 14:16 <DIR> d-------- C:\Temp\DellWUDriverInstall
2008-09-23 13:07 . 2008-09-23 13:07 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-09-23 12:17 . 2008-09-23 12:17 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-23 12:17 . 2008-09-23 12:17 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-23 12:17 . 2008-09-23 12:17 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-22 21:55 . 2008-09-22 21:55 9,662 --a------ C:\WINDOWS\system32\pinkip.ico
2008-09-22 17:59 . 2008-09-22 18:00 <DIR> d-------- D:\Documents and Settings\e184180\Application Data\Elluminate
2008-09-22 17:59 . 2008-09-29 18:38 <DIR> d-------- C:\Temp\hsperfdata_E184180
2008-09-18 13:05 . 2008-09-18 13:05 <DIR> d-------- C:\Program Files\CCleaner
2008-09-18 13:00 . 2008-09-18 13:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-18 09:30 . 2008-09-23 14:16 <DIR> d-------- C:\Temp\is-1487N.tmp
2008-09-18 09:18 . 2008-09-18 09:19 11,264 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-09-18 09:12 . 2008-09-18 09:12 <DIR> d-------- D:\Documents and Settings\e184081\Application Data\Malwarebytes
2008-09-18 09:12 . 2008-09-18 09:12 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-18 09:09 . 2008-09-30 12:12 2,912 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-17 19:17 . 2008-04-13 20:12 1,306,624 --------- C:\WINDOWS\system32\msxml6.dll
2008-09-17 19:07 . 2008-09-18 11:23 <DIR> d-------- C:\Program Files\Panda Security
2008-09-17 16:37 . 2008-09-17 16:37 <DIR> d-------- C:\smartkiller
2008-09-17 16:34 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-09-17 16:34 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-09-17 16:34 . 2008-09-08 23:38 88,576 --a------ C:\WINDOWS\system32\AntiXPVSTFix.exe
2008-09-17 16:34 . 2008-09-02 16:51 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-09-17 16:34 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-09-17 16:34 . 2008-09-15 18:51 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-09-17 16:34 . 2008-08-18 12:19 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
2008-09-17 16:34 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-09-17 16:34 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-09-17 16:34 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-09-17 14:06 . 2005-01-14 16:17 <DIR> d-------- D:\Documents and Settings\e184180\WINDOWS
2008-09-17 14:06 . 2005-01-12 15:28 <DIR> d---s---- D:\Documents and Settings\e184180\UserData
2008-09-17 14:06 . 2005-01-14 12:34 <DIR> d-------- D:\Documents and Settings\e184180\Application Data\AdobeUM
2008-09-17 14:06 . 2008-09-18 12:45 <DIR> d-------- D:\Documents and Settings\e184180
2008-09-17 14:00 . 2008-09-25 11:18 5,636 --a------ C:\WINDOWS\wininit.ini
2008-09-17 13:28 . 2008-09-18 09:08 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-17 13:28 . 2008-09-17 13:42 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-05 23:30 . 2008-09-05 23:30 1,480,232 --------- C:\WINDOWS\system32\SETCB.tmp
2008-09-05 23:30 . 2008-09-05 23:30 241,704 --------- C:\WINDOWS\system32\SETCC.tmp
2008-08-30 19:16 . 2008-08-30 19:16 4,286 --a------ C:\WINDOWS\system32\Jamster.ico
2008-08-30 18:48 . 2008-05-01 10:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-15 06:48 . 2008-04-11 15:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-30 22:48 --------- d-----w D:\Documents and Settings\All Users\Application Data\vulScan
2008-09-24 17:47 --------- d-----w C:\Program Files\LANDesk
2008-09-18 15:22 --------- d-----w C:\Program Files\Google
2008-09-18 13:59 --------- d---a-w D:\Documents and Settings\All Users\Application Data\TEMP
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 118784]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-01 1392640]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 176128]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
"McAfeeUpdaterUI"="c:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-07-16 111952]
"SDClientMonitor"="C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe" [2007-11-29 262144]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 C:\WINDOWS\stsystra.exe]
D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"MaxGPOScriptWait"= 300 (0x12c)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-302741328-755652760-1230779191-27701\Scripts\Logon\0\0]
"Script"=\\namerica4.ds.honeywell.com\NETLOGON\LANDesk.bat
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\cba\\pds.exe"= C:\\WINDOWS\\system32\\CBA\\pds.exe
"C:\\WINDOWS\\system32\\msgsys.exe"=
"C:\\Program Files\\LANDesk\\LDClient\\issuser.exe"=
"C:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=
"%windir%\\system32\\msgsys.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"137:UDP"= 137:UDP:@xpsp2res.dll,-22001
"138:UDP"= 138:UDP:@xpsp2res.dll,-22002
"139:TCP"= 139:TCP:@xpsp2res.dll,-22004
"445:TCP"= 445:TCP:@xpsp2res.dll,-22005
"67:TCP"= 67:TCP:LANDesk(R) PXE TCP Port
"67:UDP"= 67:UDP:LANDesk(R) PXE UDP Port
"9535:TCP"= 9535:TCP:LANDesk(R) Remote Control Agent TCP Port
"9535:UDP"= 9535:UDP:LANDesk(R) Remote Control Agent UDP Port
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R0 aarich;aarich;C:\WINDOWS\system32\DRIVERS\aarich.sys [2005-05-17 204800]
R1 ence55_;ence55_;C:\WINDOWS\system32\ence55_.sys [2008-05-22 31744]
R2 CBA8;LANDesk(R) Management Agent;C:\Program Files\LANDesk\Shared Files\residentagent.exe [2007-01-09 122880]
R2 ence55;ence55;C:\WINDOWS\system32\ence55.exe [2008-05-22 491520]
R2 Softmon;LANDesk(R) Software Monitoring Service;C:\Program Files\LANDesk\LDClient\softmon.exe [2007-11-15 266240]
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2003-08-19 9433]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2003-08-19 115680]
R3 ldblank;Screen Blanking driver for Remote Control;C:\WINDOWS\system32\DRIVERS\ldblank.sys [2005-08-01 11904]
R3 ldmirror;ldmirror;C:\WINDOWS\system32\DRIVERS\ldmirror.sys [2005-08-03 3328]
R3 mirrorflt;Mirror Filter Driver for Uninstall;C:\WINDOWS\system32\DRIVERS\mirrorflt.sys [2005-08-03 3712]
S0 black;black;C:\WINDOWS\system32\drivers\BlackDrv.sys [2004-09-09 227285]
S1 rawwann;rawwann;C:\WINDOWS\system32\drivers\rawwann.sys [ ]
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2003-08-19 115680]
S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;c:\oracle\ora92\BIN\ONRSD.EXE [2002-04-26 242328]
S3 RapFile;RapFile;C:\WINDOWS\system32\drivers\RapFile.sys [2003-06-19 36676]
S3 RapNet;RapNet;C:\WINDOWS\system32\drivers\RapNet.sys [2003-06-19 24344]
S4 a320raid;a320raid;C:\WINDOWS\system32\DRIVERS\a320raid.sys [2005-02-17 218112]
S4 aac;PERC 320/DC SCSI RAID Miniport Driver;C:\WINDOWS\system32\DRIVERS\aac.sys [2004-04-07 48140]
S4 vmscsi;vmscsi;C:\WINDOWS\system32\drivers\vmscsi.sys [2003-02-24 11029]
.
- - - - ORPHANS REMOVED - - - -
BHO-{f745ab38-346f-1b02-d04b-251b14b5c5b9} - C:\WINDOWS\system32\wbxzikuztfamj.dll
HKCU-Run-LAUNCHXI - (no file)
MSConfigStartUp-Microsoft Windows Installer - D:\Documents and Settings\e184081\Application Data\Microsoft\dtsc\5326.exe
.
------- Supplementary Scan -------
.
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://ads.think-adz.com/www/delivery/afr2.php?zoneid=8&domain=na:&cb=26503&clid=40
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-30 18:49:57
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
C:\WINDOWS\system32\ence55.exe [1992] 0x89EF0818
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\oracle\ora92\bin\omtsreco.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\searchindexer.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\hidfind.exe
C:\Program Files\Apoint\ApntEx.exe
C:\WINDOWS\system32\searchprotocolhost.exe
C:\WINDOWS\system32\searchfilterhost.exe
C:\Program Files\Network Associates\Common Framework\Mctray.exe
.
**************************************************************************
.
Completion time: 2008-09-30 18:53:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-30 22:52:59
Pre-Run: 334,196,736 bytes free
Post-Run: 547,721,216 bytes free
327
Hijackthis (booted in normal mode):
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:17, on 2008-09-30
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
c:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\oracle\ora92\bin\omtsreco.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
c:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ads.think-adz.com/www/delivery/afr2.php?zoneid=8&domain=na:&cb=26503&clid=40
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "c:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105558117276
O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) - https://pki.honeywell.com/pki/VSApps/vspta3.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = global.ds.honeywell.com
O17 - HKLM\Software\..\Telephony: DomainName = global.ds.honeywell.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = global.ds.honeywell.com
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: ence55 - Unknown owner - C:\WINDOWS\system32\ence55.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - c:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - c:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - c:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
O23 - Service: LANDesk(R) Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 7658 bytes
Thank you!
pskelley
2008-10-01, 03:01
Thanks for returning your information. Could you tell me what this service is?
O23 - Service: ence55 - Unknown owner - C:\WINDOWS\system32\ence55.exe
Now read this information:
Note: We do not support the use of illegal Pirated/Warez/Cracked software.
Helping a person who insists on using such software could be construed in the eyes of the law to be aiding and abetting a crime. Therefore you will be asked to remove any cracked programs and, in the case of your operating system, to obtain a valid licensed copy.
The junk ComboFix removed is full of evidence of illegal activities; it is no wonder this computer was infected.
D:\Documents and Settings\e184081\Application Data\Microsoft\dtsc\PowerDVD v7.0 MULTILANGUAGE crack TFT.zip~
D:\Documents and Settings\e184081\Application Data\Microsoft\dtsc\WinZip.Pro.v11.0.Beta KEYGEN-FFF.torrent
D:\Documents and Settings\e184081\Application Data\Microsoft\dtsc\WinZip.Pro.v11.0.Beta KEYGEN-FFF.zip
I am considering whether I should even continue here.
Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.
lmarello
2008-10-01, 03:31
This is a company laptop I confiscated from an employee of mine last week, who I believe was abusing the privilege of having a company asset. I am not sure what all is on here. The only items that should be on here are what the IT department loaded when new. When I began using this laptop a week ago it was completely unusable, some horrible viruses. I have asked the mentioned employee what the laptop was used for and he would not provide a convincing answer. I have tried to remove all unnecessary files/programs but apparently I was unsuccessful! Some of the HOST files you mentioned you did not want to see referenced some absolutely inappropriate websites...I would have been completely embarrassed to have posted them on this forum, even if they weren't mine!
I understand your statements and I totally understand if you do not want to help anymore. I will try to back up my business data and try to get it refreshed (which I was hoping to avoid due to lead time as I have to send it out).
Thank you for your help and if this is the end I really appreciate all you have done, you were wonderful!
pskelley
2008-10-01, 11:59
I appreciate you being candid. Having had a look at some of the stuff that was downloaded, I am going to post this information and suggest you review it.
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451
When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063
http://forums.spybot.info/showthread.php?t=288 <<< view this
Note:
When the infected computer in question is a company machine in the workplace and you are an employee, your organization must give their permission for assistance to be received in the removal of malware. The intention of this forum is not to replace a company's IT department.
More than one machine could be at stake, possibly even the server. If sensitive material has been compromised by an infection, the company could be held liable.
Please inform your IT department or Supervisor when a workplace computer has been infected, immediately.
Thanks for your understanding.
I am going to suggest that you turn this computer over to the IT department so they can reformat to the original state.
Having said that, since we are this far, if you wish to continue to clean it as good as we can, continue with the instructions I posted for the Malwarebytes' Anti-Malware scan.
Thanks...Phil