
View Full Version : HP6535, XP Pro LOGS



mjhampstead
2006-10-24, 01:37
Hya I've been working on my neighbor's system since last Thursday and have followed the steps you require. After everything that I've removed, I can hardly believe what's still on this system.

thanks in advance for your help

Here is the Panda scan log



Incident Status Location

Virus:W32/SpyWorld.A Disinfected C:\WINDOWS\$NtUninstallKB834707-IE6-20040929.115007$\wininet.dll
Dialer:Dialer.NO Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gdnUS1862.exe
Dialer:Dialer.NO Not disinfected C:\WINDOWS\Downloaded Program Files\gdnUS1862.exe
Dialer:dialer.xd Not disinfected C:\WINDOWS\switchagreement.txt
Spyware:Spyware/Smitfraud Not disinfected C:\WINDOWS\system32\InetUpd.html
Potentially unwanted tool:Application/Kill&Clean Not disinfected C:\WINDOWS\system32\kilacln.exe[KillAndCleanUpdate.exe]
Virus:Trj/Downloader.FFU Disinfected C:\WINDOWS\system32\unaIU.exe
Adware:Adware/RazeSpyware Not disinfected C:\WINDOWS\system32\{2327DA27-6D77-4FB2-8702-46C6897F120E}.exe
Potentially unwanted tool:Application/MonacoGoldCasino Not disinfected C:\WINDOWS\system32\{E6577EAF-B17B-41E9-91AF-12D47F747B93}.exe
Here is the HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 4:09:10 PM, on 10/23/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\MJHUtilities\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132603295099
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C64304AB-A624-4270-9F18-8AE525DA5F9C}: NameServer = 85.255.114.82,85.255.112.168
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.82 85.255.112.168
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.82 85.255.112.168
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.82 85.255.112.168
O20 - AppInit_DLLs: sysmain.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

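The log above carries two entries that FixWareout targets: the O17 NameServer values pointing at 85.255.x.x and the O20 AppInit_DLLs line. The following is an added triage script, not something posted in the thread, that parses HijackThis 1.99 output and flags both; the trusted-resolver set is an assumption you would fill in with the ISP's or router's real DNS servers.

```python
"""Triage a HijackThis 1.99 log for hijacked DNS (O17) and AppInit_DLLs (O20).

Added example, not from the forum thread. The `trusted` resolver set is an
assumption: populate it with the resolvers the machine is expected to use.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed subset of the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{C64304AB-A624-4270-9F18-8AE525DA5F9C}: NameServer = 85.255.114.82,85.255.112.168
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.82 85.255.112.168
O20 - AppInit_DLLs: sysmain.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Every HijackThis entry starts with a section tag (R0, O2, O17, ...) and " - ".
HJT_LINE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# O17 entries end in "NameServer = a.b.c.d,e.f.g.h" (comma or space separated).
NAMESERVER = re.compile(r"NameServer\s*=\s*(?P<servers>[\d.,\s]+)$")
# O20 AppInit_DLLs: any non-empty value is worth a look, it loads into every GUI process.
APPINIT = re.compile(r"AppInit_DLLs:\s*(?P<dlls>\S.*)$")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    evidence: str


def parse_hjt(text):
    """Return (section, body) tuples for every recognised HijackThis line."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def is_expected_resolver(ip_text, trusted):
    """Private/loopback resolvers (home routers) or an explicit allowlist are fine."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # not even an IP address: treat as unexpected
    return ip.is_private or ip.is_loopback or ip_text in trusted


def triage(text, trusted=frozenset()):
    """Flag O17 NameServer entries outside the trusted set and any O20 AppInit_DLLs."""
    findings = []
    for section, body in parse_hjt(text):
        if section == "O17":
            m = NAMESERVER.search(body)
            if not m:
                continue
            servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
            rogue = [s for s in servers if not is_expected_resolver(s, trusted)]
            if rogue:
                findings.append(Finding(
                    "O17", "DNS resolver not in trusted set: " + ", ".join(rogue), body))
        elif section == "O20":
            m = APPINIT.search(body)
            if m:
                findings.append(Finding(
                    "O20", "AppInit_DLLs loads into every GUI process: " + m.group("dlls").strip(), body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.evidence}")
```

Run against the full log, the O17 lines for CS1, CS2 and CCS\Parameters would all be reported the same way; once FixWareout has restored the real resolvers, those entries disappear from a fresh HijackThis log.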
LonnyRJones
2006-10-24, 07:04
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads, post the text that will open (report.txt).

Post a combofix log
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.
If the log is large, you might need to post half in one reply and half in another.

mjhampstead
2006-10-24, 16:14
Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\nlcalik
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ypszr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\lavinraCputeS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\onisacputes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\owt
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...
* csr.exe C:\WINDOWS\System32\CSDBK.EXE

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSDBK.EXE 51,256 2006-07-10

Other suspects.
Directory of C:\WINDOWS\system32
{3BE70AAA-E96A-40B6-9004-70EAF0B0FD00}.exe
{4BC8E468-D9D5-4E55-B6EE-EDABAE6DB10F}.exe
{2ADF7D11-C6A3-408C-AA32-A4666418AA29}.exe
{B3EBF17B-3A9A-43E4-BB15-F79ACFDBB301}.exe
{F2C522D2-A4C0-4DAA-B18C-608462A99258}.exe
{0D64A67F-FC61-40B0-89B3-788AA30C6C3F}.exe
{474080FE-D48E-414C-B4D3-D8319980C6D8}.exe
{E5AD7EE0-3E3B-4244-BFC1-4265ECCAEE30}.exe
{CDE94675-E976-488A-AE97-0B6FFCD502A8}.exe
{6F3BDDF6-F806-4C74-9EC6-C94B5FD98FD2}.exe
{07486450-9826-446C-A483-1AF5D9AEB43E}.exe
{E6577EAF-B17B-41E9-91AF-12D47F747B93}.exe
{BE2A959D-8716-4BF4-8181-00EC61638D9F}.exe
{2327DA27-6D77-4FB2-8702-46C6897F120E}.exe
{CEC32767-70BF-4CA2-A4CC-3A4A4F48F411}.exe

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

mjhampstead
2006-10-24, 16:15
ComboFix 06.10.19 - Running from: "C:\MJHUtilities\Combofi7x"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Administrator\Application Data\Install.dat


((((((((((((((((((((((((((((((( Files Created from 2006-09-24 to 2006-10-24 ))))))))))))))))))))))))))))))))))


2006-10-24 06:42 51,256 --a------ C:\WINDOWS\system32\csdbk.exe
2006-10-22 12:34 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-10-22 12:34 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-10-22 12:34 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-10-22 12:34 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-10-22 12:33 816,288 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-10-22 09:03 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2006-10-20 11:59 4,608 --a------ C:\WINDOWS\system32\{3BE70AAA-E96A-40B6-9004-70EAF0B0FD00}.exe
2006-10-20 11:46 4,608 --a------ C:\WINDOWS\system32\{4BC8E468-D9D5-4E55-B6EE-EDABAE6DB10F}.exe
2006-10-20 11:40 4,608 --a------ C:\WINDOWS\system32\{2ADF7D11-C6A3-408C-AA32-A4666418AA29}.exe
2006-10-20 11:33 4,608 --a------ C:\WINDOWS\system32\{B3EBF17B-3A9A-43E4-BB15-F79ACFDBB301}.exe
2006-10-20 11:27 4,608 --a------ C:\WINDOWS\system32\{F2C522D2-A4C0-4DAA-B18C-608462A99258}.exe
2006-10-20 11:24 32,768 --a------ C:\WINDOWS\system32\six.exe
2006-10-20 11:13 4,608 --a------ C:\WINDOWS\system32\{0D64A67F-FC61-40B0-89B3-788AA30C6C3F}.exe
2006-10-20 11:02 4,608 --a------ C:\WINDOWS\system32\{474080FE-D48E-414C-B4D3-D8319980C6D8}.exe
2006-10-20 10:53 4,608 --a------ C:\WINDOWS\system32\{E5AD7EE0-3E3B-4244-BFC1-4265ECCAEE30}.exe
2006-10-20 10:47 4,608 --a------ C:\WINDOWS\system32\{CDE94675-E976-488A-AE97-0B6FFCD502A8}.exe
2006-10-20 10:40 4,608 --a------ C:\WINDOWS\system32\{6F3BDDF6-F806-4C74-9EC6-C94B5FD98FD2}.exe
2006-10-19 13:49 3,840 --a------ C:\WINDOWS\system32\drivers\BANTExt.sys
2006-10-19 12:19 159,744 --a------ C:\WINDOWS\system32\MFCANS32.DLL
2006-10-19 12:18 51 --a------ C:\WINDOWS\WFXDEL.BAT
2006-10-19 12:12 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2006-10-19 12:12 252,176 --a------ C:\WINDOWS\system32\msrd2x35.dll
2006-10-19 12:12 24,848 --a------ C:\WINDOWS\system32\msjter35.dll
2006-10-19 12:12 123,664 --a------ C:\WINDOWS\system32\Msjint35.dll
2006-10-19 12:12 1,046,288 --a------ C:\WINDOWS\system32\msjet35.dll
2006-10-19 12:07 94,208 --a------ C:\WINDOWS\system32\msstkprp.dll
2006-10-19 12:07 306,688 --a------ C:\WINDOWS\IsUninst.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-24 08:01 -------- d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2006-10-23 15:00 -------- d-------- C:\Program Files\Internet Explorer
2006-10-22 12:33 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2006-10-21 07:25 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-10-21 07:24 -------- d-------- C:\Program Files\Symantec
2006-10-20 11:59 4608 --a------ C:\WINDOWS\system32\{3BE70AAA-E96A-40B6-9004-70EAF0B0FD00}.exe
2006-10-20 11:46 4608 --a------ C:\WINDOWS\system32\{4BC8E468-D9D5-4E55-B6EE-EDABAE6DB10F}.exe
2006-10-20 11:40 4608 --a------ C:\WINDOWS\system32\{2ADF7D11-C6A3-408C-AA32-A4666418AA29}.exe
2006-10-20 11:33 4608 --a------ C:\WINDOWS\system32\{B3EBF17B-3A9A-43E4-BB15-F79ACFDBB301}.exe
2006-10-20 11:27 4608 --a------ C:\WINDOWS\system32\{F2C522D2-A4C0-4DAA-B18C-608462A99258}.exe
2006-10-20 11:13 4608 --a------ C:\WINDOWS\system32\{0D64A67F-FC61-40B0-89B3-788AA30C6C3F}.exe
2006-10-20 11:02 4608 --a------ C:\WINDOWS\system32\{474080FE-D48E-414C-B4D3-D8319980C6D8}.exe
2006-10-20 10:53 4608 --a------ C:\WINDOWS\system32\{E5AD7EE0-3E3B-4244-BFC1-4265ECCAEE30}.exe
2006-10-20 10:47 4608 --a------ C:\WINDOWS\system32\{CDE94675-E976-488A-AE97-0B6FFCD502A8}.exe
2006-10-20 10:40 4608 --a------ C:\WINDOWS\system32\{6F3BDDF6-F806-4C74-9EC6-C94B5FD98FD2}.exe
2006-10-20 10:24 -------- d-------- C:\Program Files\Norton SystemWorks
2006-10-20 10:23 -------- d-------- C:\Program Files\Common Files
2006-10-19 14:09 -------- d-------- C:\Program Files\TrojanHunter 4.5
2006-10-19 13:26 -------- d-------- C:\Program Files\Belarc
2006-10-19 12:08 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2006-10-19 01:26 -------- d-------- C:\Program Files\CCleaner
2006-09-29 07:16 -------- d-------- C:\Documents and Settings\Administrator\Application Data\MailWasher
2006-09-05 07:38 -------- d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2006-08-08 13:43 49169 --a------ C:\WINDOWS\system32\{07486450-9826-446C-A483-1AF5D9AEB43E}.exe
2006-08-02 07:37 278045 --a------ C:\WINDOWS\system32\{E6577EAF-B17B-41E9-91AF-12D47F747B93}.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"bobza.exe"="C:\\WINDOWS\\System32\\bobza.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\180sa]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="180sa"
"hkey"="HKLM"
"command"="c:\\program files\\180search assistant\\180sa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgcc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_EMC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgemc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BootWarn]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BootWarn"
"hkey"="HKLM"
"command"="C:\\Program Files\\Norton SystemWorks\\Norton AntiVirus\\BootWarn.exe /a"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BoundRec]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpyElim"
"hkey"="HKCU"
"command"="SpyElim.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmon14]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsNetHelper"
"hkey"="HKCU"
"command"="MsNetHelper.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmoqq.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dmoqq"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\dmoqq.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KillAndClean]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KillAndClean"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\KillAndClean\\KillAndClean.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Gateway]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MEDIAG~1"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\MEDIAG~1\\MEDIAG~1.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Network Services Controller]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mmsvc32"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\mmsvc32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ms-its]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="10010"
"hkey"="HKLM"
"command"="10010.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="navapw32"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\NORTON~1\\NORTON~1\\navapw32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Cfgwiz"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\NORTON~1\\NORTON~1\\Cfgwiz.exe /R"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ozih]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ozih"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\ozih.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runload32]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Brong32"
"hkey"="HKCU"
"command"="Brong32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Redirect]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sysbho"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\sysbho.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ViewMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Weather"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\AWS\\WEATHE~1\\Weather.exe 1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WFXSwtch]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WFXSWTCH"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\NORTON~1\\WinFax\\WFXSWTCH.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xxtoolbar]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="porka_"
"hkey"="HKLM"
"command"="porka_.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061019-164251-871
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll (file missing)
Completion time: 06-10-24 8:49:15.27
C:\ComboFix.txt ... 06-10-24 08:49

LonnyRJones
2006-10-29, 08:58
I had not known you replied, sorry for the delay.

Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.


Windows Registry Editor Version 5.00
;
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"bobza.exe"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\180sa]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmon14]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmoqq.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KillAndClean]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Gateway]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Network Services Controller]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ms-its]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ozih]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runload32]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Redirect]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xxtoolbar]
;


Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.

Download Pocket Killbox to the desktop (version 2.0.0.648)
http://www.downloads.subratam.org/KillBox.exe
If you already have Killbox, ensure it is the latest version.
Start Killbox, place a tick next to [x] Delete on reboot, and press the ALL Files button.
Copy this whole list into the Windows clipboard, all the bolded text below.

C:\WINDOWS\system32\unaIU.exe
C:\WINDOWS\SYSTEM32\CSDBK.EXE
C:\WINDOWS\system32\six.exe
C:\WINDOWS\system32\{3BE70AAA-E96A-40B6-9004-70EAF0B0FD00}.exe
C:\WINDOWS\system32\{4BC8E468-D9D5-4E55-B6EE-EDABAE6DB10F}.exe
C:\WINDOWS\system32\{2ADF7D11-C6A3-408C-AA32-A4666418AA29}.exe
C:\WINDOWS\system32\{B3EBF17B-3A9A-43E4-BB15-F79ACFDBB301}.exe
C:\WINDOWS\system32\{F2C522D2-A4C0-4DAA-B18C-608462A99258}.exe
C:\WINDOWS\system32\{0D64A67F-FC61-40B0-89B3-788AA30C6C3F}.exe
C:\WINDOWS\system32\{474080FE-D48E-414C-B4D3-D8319980C6D8}.exe
C:\WINDOWS\system32\{E5AD7EE0-3E3B-4244-BFC1-4265ECCAEE30}.exe
C:\WINDOWS\system32\{CDE94675-E976-488A-AE97-0B6FFCD502A8}.exe
C:\WINDOWS\system32\{6F3BDDF6-F806-4C74-9EC6-C94B5FD98FD2}.exe
C:\WINDOWS\system32\{07486450-9826-446C-A483-1AF5D9AEB43E}.exe
C:\WINDOWS\system32\{E6577EAF-B17B-41E9-91AF-12D47F747B93}.exe
C:\WINDOWS\system32\{BE2A959D-8716-4BF4-8181-00EC61638D9F}.exe
C:\WINDOWS\system32\{2327DA27-6D77-4FB2-8702-46C6897F120E}.exe
C:\WINDOWS\system32\{CEC32767-70BF-4CA2-A4CC-3A4A4F48F411}.exe
C:\WINDOWS\switchagreement.txt
C:\WINDOWS\system32\InetUpd.html
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gdnUS1862.exe
C:\WINDOWS\Downloaded Program Files\gdnUS1862.exe


Back in Killbox go > file > paste from clipboard,
Click the red highlighted X button and say yes to the prompt to restart the pc.


Post a fresh HijackThis log and mention any current problems.

mjhampstead
2006-10-29, 15:21
Good Morning

I ran the above, both in SAFEMODE.

The HJT report follows.

I also ran another Panda ActiveScan which still showed numerous issues. That log is included following the HJT. How can we get rid of the rogue dialers?

Now what?

thanks
mjh


Logfile of HijackThis v1.99.1
Scan saved at 6:58:40 AM, on 10/29/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\MJHUtilities\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Comodo Launch Pad Tray] "C:\Program Files\Comodo\LaunchPad\CLPTray.exe"
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132603295099
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

-------------



Incident Status Location

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atwola[1].txt
Dialer:Dialer.NO Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gdnUS1862.exe
Dialer:Dialer.NO Not disinfected C:\WINDOWS\Downloaded Program Files\gdnUS1862.exe
Dialer:dialer.xd Not disinfected C:\WINDOWS\switchagreement.txt
Spyware:Spyware/Smitfraud Not disinfected C:\WINDOWS\system32\InetUpd.html
Adware:Adware/RazeSpyware Not disinfected C:\WINDOWS\system32\{2327DA27-6D77-4FB2-8702-46C6897F120E}.exe
Adware:Adware/QuickWeb Not disinfected C:\WINDOWS\system32\{CEC32767-70BF-4CA2-A4CC-3A4A4F48F411}.exe
Potentially unwanted tool:Application/MonacoGoldCasino Not disinfected C:\WINDOWS\system32\{E6577EAF-B17B-41E9-91AF-12D47F747B93}.exe

LonnyRJones
2006-10-29, 17:31
Those files shouldn't be there after we used Killbox;
either try again with Killbox or delete them yourself manually.

Post a hijackthis log taken while not in safe mode, not sure why you did one there.

You still have norton antivirus installed ?

Why haven't you ever updated your Windows?


For future reference, never, never start to Safe Mode with Networking; your antivirus and firewall don't run there unless you start them manually.

mjhampstead
2006-10-29, 20:02
Hi

This is my neighbor's computer I've been trying for 2.5 weeks to clean up for him. At that point it took about 35 minutes to load the desktop and no applications would run.

I understood that WIN Updates should not be installed until after a system was clean. I also understood that HJT was to be run in SAFEMODE.

I ran the program Killbox again and then HJT in Normal mode. I checked for files remaining from the Panda list and could find none in the indicated folders. I again tried to get rid of the two Norton entries and was finally successful. Those refused to be removed via Uninstall.

Hopefully, this system is now clean enough to install WIN updates.

What do you think and thanks again.

mjh


Logfile of HijackThis v1.99.1
Scan saved at 12:50:01 PM, on 10/29/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Comodo\LaunchPad\CLPTray.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\MJHUtilities\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Comodo Launch Pad Tray] "C:\Program Files\Comodo\LaunchPad\CLPTray.exe"
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132603295099
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

LonnyRJones
2006-10-29, 20:11
I would cleanup after norton first before the windows updates
http://basconotw.mvps.org/SymRem.htm

Then if there are no problems after using the pc for atleast a full day do go get the updates.

mjhampstead
2006-10-30, 01:02
Do you think that the two Norton entries can just be removed via HJT?

I read the link you provided and had gone to Norton's site a couple of weeks ago. Specifically I know that this was an installation of Norton SystemWorks 2002 where the antivirus was unintentionally installed.

I could not find specific instructions for NSW 2002 on WIN XP Pro not fully SP2.

Would another approach be to exit AVGFree and reinstall NSW2002 and then try to uninstall it again?

I do hope you see this..... I am cautious about proceeding blindly so to speak. This system has come back a long way.

Thanks again.

LonnyRJones
2006-10-30, 06:14
That's up to you; I would use
"2003 and earlier Removal tools"
http://basconotw.mvps.org/SymRem.htm
rather than installing Norton.

"be removed via HJT?" It appears you already did that; I'd still use the tools above.

mjhampstead
2006-10-30, 14:00
Lonni

OK, will do and I will report back. Last night I also found a page on Norton re 2002 that I could not find before. So between the two, I am comfortable with moving ahead.

Thanks again
mjh

mjhampstead
2006-10-30, 14:01
And, since I cannot edit the msg above....

It seems like I removed two named Norton via HJT, but there are another two named Symantec.

LonnyRJones
2006-10-31, 09:27
I was mainly concerned about Symantec AntiVirus.

LonnyRJones
2006-11-12, 08:44
I'm glad we could help.
I'm going to close the topic now; this keeps others with similar problems from posting their logs/questions here, they should start a new topic.
If you should need to post another log for the same PC, let one of us know via a PM (personal message).