My Computer got bombed



Fred47
2008-10-02, 19:46
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:16:14 PM, on 10/2/2008
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

--
End of file - 2322 bytes

My HJT log looks ok, or it's always shown like this. It was when I looked at the 'system startup' under tools in Spybot that I got spooked. I'm using a seven-year-old Gateway, and now I'm terrified of hooking up my new computer with Vista if this is gonna happen. I really am not certain how this happened.

Here is a copy of the report from Spybot:

--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

2008-09-29 unins000.exe (51.49.0.0)
2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 Update.exe (1.6.0.7)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-09-16 TeaTimer.exe (1.6.3.25)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-07-07 SDShred.exe (1.0.2.3)
2008-07-07 advcheck.dll (1.6.1.12)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-07-07 Tools.dll (2.1.5.7)
2008-06-14 DelZip179.dll (1.79.11.1)
2007-04-02 aports.dll (2.1.0.0)
2008-06-19 sqlite3.dll
2008-09-02 Includes\Dialer.sbi
2008-06-03 Includes\Cookies.sbi
2007-11-07 Includes\Revision.sbi
2008-09-02 Includes\Hijackers.sbi
2008-09-09 Includes\Malware.sbi
2008-09-09 Includes\Keyloggers.sbi
2008-09-02 Includes\PUPS.sbi
2008-06-18 Includes\Security.sbi
2008-06-03 Includes\Spybots.sbi
2008-09-09 Includes\Spyware.sbi
2008-09-02 Includes\Adware.sbi
2008-09-30 Includes\Trojans.sbi
2008-06-03 Includes\Tracks.uti
2008-09-30 Includes\TrojansC.sbi
2008-06-03 Includes\SpybotsC.sbi
2008-09-30 Includes\SecurityC.sbi
2008-09-11 Includes\PUPSC.sbi
2008-09-30 Includes\MalwareC.sbi
2008-09-30 Includes\KeyloggersC.sbi
2008-09-02 Includes\HijackersC.sbi
2008-09-09 Includes\DialerC.sbi
2008-07-23 Includes\HeavyDuty.sbi
2008-09-09 Includes\AdwareC.sbi
2008-09-23 Includes\SpywareC.sbi
2007-12-24 Plugins\TCPIPAddress.dll
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll


--- System information ---
Windows ME (Build: 3000) (4.90.3000)
/ DirectX: Windows Update 904706
/ Windows Media Player: Windows Media Update 828026
/ Windows Media Player: Windows Media Update Q308567
/ Windows Media Player: Windows Media Update 917734
/ DataAccess: Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution


--- Startup entries list ---
Located: HK_LM:Run, avast! Web Scanner
command: C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
file: C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
size: 348344
MD5: B2203D1A09CAC8232780BFCF01A9B853

Located: HK_LM:Run, MSConfigReminder
command: C:\WINDOWS\SYSTEM\msconfig.exe /reminder
file: C:\WINDOWS\SYSTEM\msconfig.exe
size: 110592
MD5: 2A33B8C3A0CB8B4B47922C41C20BFA53

Located: HK_LM:Run, ScanRegistry
command: C:\WINDOWS\scanregw.exe /autorun
file: C:\WINDOWS\scanregw.exe
size: 126976
MD5: 548AE8C51870EC245DAC589B9BF271FC

Located: HK_LM:Run, Tweak UI
command: RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
file: C:\WINDOWS\SYSTEM\TWEAKUI.CPL
size: 106544
MD5: 60C0F454521212A09ED0961050128C63

Located: HK_LM:Run, Zone Labs Client
command: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
file: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
size: 755480
MD5: B4E843DED6DAF99AEC3FBFE395E643C7

Located: HK_LM:RunServices, *StateMgr
command: C:\WINDOWS\System\Restore\StateMgr.exe
file: C:\WINDOWS\System\Restore\StateMgr.exe
size: 24848
MD5: 02282C55DC8B1BF1FF1180C98D7337D6

Located: HK_LM:RunServices, avast!
command: C:\Program Files\Alwil Software\Avast4\ashServ.exe
file: C:\Program Files\Alwil Software\Avast4\ashServ.exe
size: 147640
MD5: 58E57D723BD437049F74408016E1735D

Located: HK_LM:RunServices, TrueVector
command: C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
file: C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
size: 1693464
MD5: 8E435AA1E7BF468ACAFE36C67BCC0AF6

Located: HK_LM:Run, EnsoniqMixer (DISABLED)
command: C:\WINDOWS\starter.exe
file: C:\WINDOWS\starter.exe
size: 32768
MD5: 704FC00D3EDF71ED6166A535BA0697C6

Located: HK_LM:Run, Gateway Ink Monitor (DISABLED)
command: C:\Program Files\Gateway\Gateway Ink Monitor\InkMonitor.exe
file: C:\Program Files\Gateway\Gateway Ink Monitor\InkMonitor.exe
size: 249926
MD5: C46712A025CDDB051B89CD8219F42F15

Located: HK_LM:Run, GWMDMMSG (DISABLED)
command: GWMDMMSG.exe
file: C:\WINDOWS\GWMDMMSG.exe
size: 100915
MD5: 9E6952EE224491DA97A3741E3ADC4A4C

Located: HK_LM:Run, GWMDMpi (DISABLED)
command: C:\WINDOWS\GWMDMpi.exe
file: C:\WINDOWS\GWMDMpi.exe
size: 40960
MD5: F9BF4A22696BC91D5E5D72DEEBA5EC79

Located: HK_LM:Run, LoadPowerProfile (DISABLED)
command: Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
file: C:\WINDOWS\SYSTEM\powrprof.dll
size: 25872
MD5: 3A1CE91C65E664565E9A2749EFE20071

Located: HK_LM:Run, PCHealth (DISABLED)
command: C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
file: C:\WINDOWS\PCHealth\Support\PCHSchd.exe
size: 24848
MD5: 37556315E7DADD5EE414B5A438B7843D

Located: HK_LM:Run, TaskMonitor (DISABLED)
command: C:\WINDOWS\taskmon.exe
file: C:\WINDOWS\taskmon.exe
size: 28672
MD5: A23BCA4B69AC68FD410B6AFCCB11AF07

Located: HK_LM:RunServices, KB891711 (DISABLED)
command: C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
file: C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
size: 9088
MD5: CBD841775A04E82B2828FC301AAFEE70

Located: HK_LM:RunServices, KB918547 (DISABLED)
command: C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
file: C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
size: 8256
MD5: E5C7486D02E0D17E11C840694A5C55B5

Located: HK_LM:RunServices, LoadPowerProfile (DISABLED)
command: Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
file: C:\WINDOWS\SYSTEM\powrprof.dll
size: 25872
MD5: 3A1CE91C65E664565E9A2749EFE20071

Located: HK_LM:RunServices, SchedulingAgent (DISABLED)
command: mstask.exe
file: C:\WINDOWS\SYSTEM\mstask.exe
size: 126976
MD5: 6770EAF1DFB8D3C952DCA22CD956F570

Located: HK_CU:Run, SpybotSD TeaTimer
where: .DEFAULT...
command: C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
file: C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
size: 1833296
MD5: 63B3FF83B87AFCEBA89CED54695DA0F6

Located: System.ini, Shell
where: C:\WINDOWS\system.ini...
command: Explorer.exe
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!



--- Browser helper object list ---
{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name: SDHELPER.DLL
Date (created): 10/2/2008 3:01:26 AM
Date (last access): 10/2/2008
Date (last write): 9/15/2008 2:25:44 PM
Filesize: 1562960
Attributes: readonly hidden sysfile archive
MD5: 35F73F1936BDE91F1B6995510A61E7A8
CRC32: BE6A5D15
Version: 1.6.2.14



--- ActiveX list ---
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\SYSTEM\dajava.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla

{9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class)
DPF name:
CLSID name: Update Class
Installer: C:\WINDOWS\Downloaded Program Files\iuctl.inf
Codebase: http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?39675.6497916667
description: Windows Update
classification: Legitimate
known filename: %WINDIR%\System32\iuctl.dll,iuengine.dll
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\SYSTEM\
Long name: iuctl.dll
Short name: IUCTL.DLL
Date (created): 8/21/2003 4:47:54 PM
Date (last access): 10/2/2008
Date (last write): 8/21/2003 4:47:54 PM
Filesize: 162400
Attributes:
MD5: DB2F1F57D3057FEBC19C61AB9AA77198
CRC32: 5A03D776
Version: 5.3.3790.13



--- Process list ---
PID: -15772139 (2123311093) C:\WINDOWS\SYSTEM\KERNEL32.DLL
size: 536576
MD5: 629E271A615588E918D6B27D5E4A5265
PID: -28491 (-15772139) C:\WINDOWS\SYSTEM\MSGSRV32.EXE
size: 11776
MD5: 4B7546E40EA1EACEEB330CB4D259265A
PID: -118599 (-28491) C:\WINDOWS\SYSTEM\mmtask.tsk
size: 1184
MD5: 269231E21D558D468CFC1C03FB463768
PID: -115995 (-28491) C:\WINDOWS\SYSTEM\MPREXE.EXE
size: 28672
MD5: 207AA0E020D4DE978F459B3AC11AC230
PID: -126851 (-115995) C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
size: 147640
MD5: 58E57D723BD437049F74408016E1735D
PID: -81951 (-115995) C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
size: 1693464
MD5: 8E435AA1E7BF468ACAFE36C67BCC0AF6
PID: -85559 (-28491) C:\WINDOWS\EXPLORER.EXE
size: 225280
MD5: 872F3BA51320560952DBA06CC66FEBF6
PID: -165695 (-122963) C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
size: 61712
MD5: 2D4F40BBF88E1A131DEE7DABBE61E4B6
PID: -155815 (-85559) C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
size: 755480
MD5: B4E843DED6DAF99AEC3FBFE395E643C7
PID: -232811 (-85559) C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
size: 348344
MD5: B2203D1A09CAC8232780BFCF01A9B853
PID: -241575 (-85559) C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
size: 1833296
MD5: 63B3FF83B87AFCEBA89CED54695DA0F6
PID: -245015 (-126851) C:\WINDOWS\SYSTEM\RPCSS.EXE
size: 20480
MD5: 4B2B2C8D58E36EFEDFFA8D96DCF07089
PID: -402439 (-437043) C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
size: 196685
MD5: E7DF5F6EA76028C573DE6FE316D79816
PID: -399571 (-85559) C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
size: 91136
MD5: EB9EAF627F705525D01DE5FA07EA1818
PID: -466319 (-399571) C:\WINDOWS\SYSTEM\DDHELP.EXE
size: 32768
MD5: 0B59A22EEA45A9032A3C4ECA40D3BA93
PID: -543691 (-85559) C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
size: 4891472
MD5: 3B1B5D09D3C9C4CD39D4DB06ED7A0855


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 10/2/2008 1:21:28 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\SYSTEM\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://home.microsoft.com/access/autosearch.asp?p=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\SYSTEM\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MS.w95.spi.osp
GUID: {FF017DE1-CAE9-11CF-8A99-00AA0062C609}
Filename: C:\WINDOWS\SYSTEM\mswsosp.dll
Description: Microsoft Windows 9x/ME name space provider
DB filename: %windir%\system\mswsosp.dll
DB protocol: MS.w95.spi.*

Protocol 1: MS.w95.spi.tcp
GUID: {FF017DE0-CAE9-11CF-8A99-00AA0062C609}
Filename: C:\WINDOWS\SYSTEM\msafd.dll
Description: Microsoft Windows 9x/ME network protocol
DB filename: %windir%\system\msafd.dll
DB protocol: MS.w95.spi.*

Protocol 2: MS.w95.spi.udp
GUID: {FF017DE0-CAE9-11CF-8A99-00AA0062C609}
Filename: C:\WINDOWS\SYSTEM\msafd.dll
Description: Microsoft Windows 9x/ME network protocol
DB filename: %windir%\system\msafd.dll
DB protocol: MS.w95.spi.*

Protocol 3: MS.w95.spi.raw
GUID: {FF017DE0-CAE9-11CF-8A99-00AA0062C609}
Filename: C:\WINDOWS\SYSTEM\msafd.dll
Description: Microsoft Windows 9x/ME network protocol
DB filename: %windir%\system\msafd.dll
DB protocol: MS.w95.spi.*

Protocol 4: MS.w95.spi.rsvptcp
GUID: {ECBDCBA0-334A-11D0-BD88-0000C082E69A}
Filename: C:\WINDOWS\SYSTEM\rsvpsp.dll
Description: Microsoft Windows 9x/ME network protocol
DB filename: %windir%\system\rsvoso.dll
DB protocol: MS.w95.spi.*

Protocol 5: MS.w95.spi.rsvpudp
GUID: {ECBDCBA0-334A-11D0-BD88-0000C082E69A}
Filename: C:\WINDOWS\SYSTEM\rsvpsp.dll
Description: Microsoft Windows 9x/ME network protocol
DB filename: %windir%\system\rsvoso.dll
DB protocol: MS.w95.spi.*

Namespace Provider 0: DNS Name Space Provider.
GUID: {FF017DE2-CAE9-11CF-8A99-00AA0062C609}
Filename: C:\WINDOWS\SYSTEM\rnr20.dll
Description: Microsoft Windows 9x/ME name space provider
DB filename: %windir%\system\rnr20.dll
DB protocol: DNS Name Space Provider.

When I went to 'Tools/System Startup' I had this new entry that I'm unable to delete or uncheck:

System.ini(C:\Windows\System.ini) Shell Explorer

When I checked on the entry and moved the bar over, these are all the Trojans I found:
Badsector, Goldun, Small-DL, GP, ZLOB, Doyorg, KakKeys, Kipis-U, Torpig-C, Torpig-J, Bancban-FT, Agent-FD, Anserin and Goldspy.

These are the various filenames indicated:
Shell32.exe, ray.exe, Tray.exe, wmedia16.exe, Open.32.exe, Explorer.exe, sound-drive16.exe, Explorer.exe, msmsgs.exe, Explorer.exe(path)svchost.exe, explorer.exe, iexplore.exe, ibm0000* (*=digit), taskmrg.exe, ibm(RANDOM 5 DIGIT NUMBER).exe, svchost.exe, and ibm00001.dll.

Now I'm terrified to use my new Vista online. I was thinking it might just be easier to re-install, seeing as I have the installation disks. I had my cable modem hooked up while installing Zone Alarm; could that have done all this? I do Yahoo Messenger; could they do something like this? Also, I may have to re-install Spybot, because TeaTimer is all of a sudden not showing in the tray or is hanging up the computer, which it never did.

Ok, Thank You
Fred

If I send a cash donation, will it get to you ok? I now no longer trust debit or credit online.
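The System.ini Shell entry in the report above carries an empty file path, a size of 0 and the MD5 D41D8CD98F00B204E9800998ECF8427E, which is the digest of zero bytes: Spybot could not resolve "Explorer.exe" to a file, so the checksum says nothing about the shell, and the long list of Trojan names is just Spybot's catalogue of families known to hijack Shell=. The following Python is an added example, not code from the original post or from Spybot: it parses entries in the "Startup entries list" format quoted above and separates the expected Shell= value (Explorer.exe) from an unresolved checksum; SAMPLE_REPORT is constructed from two entries copied from the report.

```python
import hashlib

# Constructed sample in the Spybot "Startup entries list" format: one ordinary
# Run key entry and the System.ini Shell entry, both copied from the report.
SAMPLE_REPORT = """\
Located: HK_LM:Run, ScanRegistry
command: C:\\WINDOWS\\scanregw.exe /autorun
file: C:\\WINDOWS\\scanregw.exe
size: 126976
MD5: 548AE8C51870EC245DAC589B9BF271FC

Located: System.ini, Shell
where: C:\\WINDOWS\\system.ini...
command: Explorer.exe
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
"""

# MD5 of zero bytes; a report line carrying this digest hashed no file at all.
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()

def parse_entries(text):
    """Split the report into one dict per 'Located:' block, keyed by field name."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("Located:"):
            current = {"located": line.split(":", 1)[1].strip()}
            entries.append(current)
        elif current is not None and ":" in line and not line.startswith("Warning"):
            key, value = line.split(":", 1)
            current[key.strip().lower()] = value.strip()
    return entries

def triage(entry):
    """Return the reasons an entry deserves a closer look (empty list if none)."""
    reasons = []
    if entry["located"].startswith("System.ini, Shell"):
        # On Win9x/ME the Shell= line should launch Explorer.exe and nothing else;
        # anything appended or substituted here is the classic Shell= hijack.
        if entry.get("command", "").strip().lower() != "explorer.exe":
            reasons.append("unexpected Shell= value")
    if not entry.get("file"):
        reasons.append("no resolved file path: checksum is meaningless")
    if entry.get("md5", "").upper() == EMPTY_MD5:
        reasons.append("MD5 is the empty-input digest, not a file hash")
    return reasons

def triage_report(text):
    """Map each 'Located' label to its triage reasons."""
    return {e["located"]: triage(e) for e in parse_entries(text)}
```

For the sample above the Shell entry yields only the two checksum-related reasons and no "unexpected Shell= value", which is the distinction between a scanner that could not hash a file and a shell line that has actually been altered.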