View Full Version : Trojan trouble/+Firewall deactivated



Mumpitz
2006-11-07, 03:49
Hi
I've had a lot of trouble with viruses and some nasty trojans including drsmartload and coolwebsearch. I ran S&D a few times in safe mode and also removed some files manually from "program files" and my C drive. Now the only problem remaining (as far as I can tell) is the deactivated Firewall. How do I get it to function again? I'm sure some of these log entries shouldn't be there. Got no idea what these are, for example:

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [_zlu_zlope02] c:\windows\system32\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe

Appreciate your help guys. Here's my log in full:

Logfile of HijackThis v1.99.1
Scan saved at 01:36:11, on 07/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IconDesk\IconDesk.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\YZdock\YzDock.exe
C:\Program Files\YZtoolbar\YzToolBar.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: Suchspur - {5D945E9A-DC10-4670-83EB-99DAA616628A} - C:\WINDOWS\system32\Suchspur.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Services] "C:\Program Files\svchosts.exe"
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [_zlu_zlope02] c:\windows\system32\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\RunServices: [_zlu_zlope02] c:\windows\system32\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [_zlu_zlope02] c:\windows\system32\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ICONDESK.lnk = C:\Program Files\IconDesk\IconDesk.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Startup: YzDock.lnk = C:\Program Files\YZdock\YzDock.exe
O4 - Startup: YzToolBar.lnk = C:\Program Files\YZtoolbar\YzToolBar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Suchen - res://C:\WINDOWS\system32\Suchspur.dll/Suchspur.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159288993281
O17 - HKLM\System\CCS\Services\Tcpip\..\{7584F737-7042-46E2-A879-4F059EC0DD7D}: NameServer = 192.168.0.1,192.168.0.2
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
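
The question above is which O4 entries "shouldn't be there". As an added example (not part of the original thread or of HijackThis itself), here is a small Python triage script that applies the checks a helper runs by eye on such a log: Run values whose binary imitates a core Windows process name from outside system32, the Win9x-era RunServices key, autorun binaries with unusual names, Trusted Zone additions, and hooks/BHOs whose file is gone. The sample lines are an excerpt from the log above; the heuristics are my own and are meant to prioritise review, not to give a verdict.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Core Windows process names that malware likes to imitate (e.g. "svchosts.exe");
# a binary carrying one of these names outside %SystemRoot%\system32 is suspect.
SYSTEM_PROCESS_NAMES = ("svchost", "lsass", "services", "winlogon", "csrss", "smss")
SYSTEM_DIR = r"c:\windows\system32"

# Registry-backed O4 entries look like: O4 - HKLM\..\Run: [Name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<host>\S+)")
NOFILE_RE = re.compile(r"^(?P<section>R3|O2) - .*\(no file\)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def exe_path(cmd: str) -> str:
    """Return the executable path from a Run value, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1 : cmd.find('"', 1)]
    # Unquoted path: it ends at the first ".exe" followed by whitespace or end of line.
    m = re.match(r"(.+?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def triage(log_text: str) -> list[Finding]:
    """Scan HijackThis log lines and return the entries a reviewer should look at first."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            path = exe_path(m["cmd"]).lower()
            folder, _, base = path.rpartition("\\")
            if m["key"].lower() == "runservices":
                findings.append(Finding("O4", "RunServices is a Win9x-era key that XP software almost never uses", line))
            if base.startswith(SYSTEM_PROCESS_NAMES) and folder != SYSTEM_DIR:
                findings.append(Finding("O4", f"system-process lookalike '{base}' outside {SYSTEM_DIR}", line))
            if base.startswith("_") or "[" in base or "]" in base:
                findings.append(Finding("O4", f"autorun binary with unusual name '{base}'", line))
            continue
        m = O15_RE.match(line)
        if m:
            findings.append(Finding("O15", f"'{m['host']}' is in the IE Trusted Zone; confirm it was added deliberately", line))
            continue
        m = NOFILE_RE.match(line)
        if m:
            findings.append(Finding(m["section"], "hook/BHO whose target file is missing: orphaned entry, cleanup candidate", line))
    return findings


# Excerpt of the HijackThis log posted above (a constructed subset, same lines).
SAMPLE_LOG = r"""
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Services] "C:\Program Files\svchosts.exe"
O4 - HKLM\..\Run: [_zlu_zlope02] c:\windows\system32\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe
O4 - HKLM\..\RunServices: [_zlu_zlope02] c:\windows\system32\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The ctfmon.exe and AVG entries come through without a finding, which is the point: the script narrows the list to what needs a human decision.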

Mr_JAk3
2006-11-07, 10:24
Hi Mumpitz and welcome to forums :)

You got infections there...

One or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breach. I suggest that you read this (http://www.dslreports.com/faq/10451) article too.

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

Mumpitz
2006-11-07, 21:38
Cheers for the quick reply Mr_Jak!
I've used my credit card on this machine and have an online bank account, so I've notified my bank. I thought I'd gotten rid of most of them (used Prevx1, is that any good???) so I wouldn't have known if you hadn't told me! I'll run combofix and submit the log (writing from another pc right now). What do you recommend generally to prevent this happening again? I use AVG, Spybot and now Prevx as well.

Again, many thanks for the speedy reply!

Mumpitz

Mumpitz
2006-11-07, 21:51
Ok, here's the Combofix log:


Owner - 07/11/2006 19:24:43.85 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Owner\Desktop"

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Owner\Application Data\Dxcdmns.dll
C:\Documents and Settings\Owner\Application Data\Dxcknwrd.dll
C:\WINDOWS\system32\bkd.exe


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\WinNB58.dll


((((((((((((((((((((((((((((((( Files Created from 2007-10-06 to 2007/11/2006 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2014/08/2006 10:34 332928 --a------ C:\WINDOWS\system32\drivers\srv.sys
2014/06/2006 09:00 82944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2014/06/2006 08:47 6400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2014/06/2006 08:47 172416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2013/07/2006 08:48 202240 --a------ C:\WINDOWS\system32\drivers\rmcast.sys
2012/04/2005 08:41 4608 --a------ C:\WINDOWS\system32\drivers\RegKill.sys
2011/04/2006 13:29 87808 --------- C:\WINDOWS\system32\drivers\WudfRd.sys
2011/04/2006 13:26 82944 --------- C:\WINDOWS\system32\drivers\WudfPf.sys
2010/06/2005 04:09 139528 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys
2009/05/2006 19:58 40704 --a------ C:\WINDOWS\system32\drivers\wpdusb.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"_zlu_zlope02"="c:\\windows\\system32\\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIModeChange"="Ati2mdxx.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Windows Services"="\"C:\\Program Files\\svchosts.exe\""
"_zlu_zlope02"="c:\\windows\\system32\\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"PrevxOne"="\"C:\\Program Files\\Prevx1\\PXConsole.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"_zlu_zlope02"="c:\\windows\\system32\\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,18,01,00,00,00,00,00,00,60,04,00,00,03,04,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,4d,00,00,00,00,00,00,00,2b,05,00,00,03,04,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,4d,00,00,00,00,00,00,00,2b,05,00,00,03,04,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"_zlu_zlope02"="c:\\windows\\system32\\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"_zlu_zlope02"="c:\\windows\\system32\\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"0aMCPClient"="{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job

Completion time: 07/11/2006 19:44:02.03
C:\ComboFix.txt ... 07/11/2006 19:44
C:\ComboFix2.txt ... 07/11/2006 19:07

Mr_JAk3
2006-11-08, 10:02
Hi again :)

You're not clean yet; you've got infections and at least one of them is a rootkit...
I'll give you prevention tips when we have got you cleaned...

Download
http://www.uploads.ejvindh.net/rustbfix.exe
...and save it to your desktop.

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log.

Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning! Please do not select the "Show all" checkbox during the scan.

So I need you to post 4 logs :bigthumb:

Mumpitz
2006-11-08, 19:21
Ok, three logs coming up:

************************* Rustock.b-fix -- By ejvindh *************************
08/11/2006 16:40:03.93


******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....
Examine the Avenger-logfile in order to assess the success of the unload-procedure

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 69070
Total size: 69070 bytes.
Attempting to remove ADS...
system32: deleted 69070 bytes in 1 streams.


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No streams found.


******************************* End of Logfile ********************************


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\lpjkwdyr

*******************

Script file located at: \??\C:\Documents and Settings\pcuwxikn.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

Mumpitz
2006-11-08, 19:24
And the GMER log:

GMER 1.0.12.11889 - http://www.gmer.net
Rootkit scan 2006-11-08 17:15:53
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT pxfsf.sys ZwAlertResumeThread
SSDT pxfsf.sys ZwAllocateUserPhysicalPages
SSDT pxfsf.sys ZwAllocateVirtualMemory
SSDT pxfsf.sys ZwClose
SSDT pxfsf.sys ZwCompactKeys
SSDT pxfsf.sys ZwCompressKey
SSDT pxfsf.sys ZwCreateDirectoryObject
SSDT pxfsf.sys ZwCreateEvent
SSDT pxfsf.sys ZwCreateEventPair
SSDT \??\C:\WINDOWS\system32\MZU_DRV.sys ZwCreateFile
SSDT pxfsf.sys ZwCreateIoCompletion
SSDT pxfsf.sys ZwCreateJobObject
SSDT pxfsf.sys ZwCreateKey
SSDT pxfsf.sys ZwCreateMailslotFile
SSDT pxfsf.sys ZwCreateMutant
SSDT pxfsf.sys ZwCreateNamedPipeFile
SSDT a347bus.sys ZwCreatePagingFile
SSDT pxfsf.sys ZwCreatePort
SSDT pxfsf.sys ZwCreateProcess
SSDT pxfsf.sys ZwCreateProcessEx
SSDT pxfsf.sys ZwCreateSection
SSDT pxfsf.sys ZwCreateSemaphore
SSDT pxfsf.sys ZwCreateSymbolicLinkObject
SSDT pxfsf.sys ZwCreateThread
SSDT pxfsf.sys ZwCreateTimer
SSDT pxfsf.sys ZwCreateToken
SSDT pxfsf.sys ZwDeleteFile
SSDT pxfsf.sys ZwDeleteKey
SSDT pxfsf.sys ZwDeleteValueKey
SSDT pxfsf.sys ZwDeviceIoControlFile
SSDT pxfsf.sys ZwDuplicateObject
SSDT pxfsf.sys ZwEnumerateKey
SSDT pxfsf.sys ZwEnumerateValueKey
SSDT pxfsf.sys ZwFreeUserPhysicalPages
SSDT pxfsf.sys ZwFreeVirtualMemory
SSDT pxfsf.sys ZwImpersonateAnonymousToken
SSDT pxfsf.sys ZwImpersonateThread
SSDT pxfsf.sys ZwLoadDriver
SSDT pxfsf.sys ZwLoadKey
SSDT pxfsf.sys ZwLoadKey2
SSDT pxfsf.sys ZwLockRegistryKey
SSDT pxfsf.sys ZwLockVirtualMemory
SSDT pxfsf.sys ZwMapViewOfSection
SSDT \??\C:\WINDOWS\system32\MZU_DRV.sys ZwOpenFile
SSDT pxfsf.sys ZwOpenKey
SSDT \??\C:\WINDOWS\system32\MZU_DRV.sys ZwOpenProcess
SSDT pxfsf.sys ZwOpenProcessToken
SSDT pxfsf.sys ZwOpenSection
SSDT \??\C:\WINDOWS\system32\MZU_DRV.sys ZwOpenThread
SSDT pxfsf.sys ZwOpenThreadToken
SSDT pxfsf.sys ZwProtectVirtualMemory
SSDT \??\C:\WINDOWS\system32\MZU_DRV.sys ZwQueryDirectoryFile
SSDT pxfsf.sys ZwQueryInformationProcess
SSDT pxfsf.sys ZwQueryInformationThread
SSDT pxfsf.sys ZwQueryKey
SSDT pxfsf.sys ZwQueryMultipleValueKey
SSDT pxfsf.sys ZwQueryOpenSubKeys
SSDT \??\C:\WINDOWS\system32\MZU_DRV.sys ZwQuerySystemInformation
SSDT pxfsf.sys ZwQueryValueKey
SSDT pxfsf.sys ZwQueueApcThread
SSDT pxfsf.sys ZwReadFile
SSDT pxfsf.sys ZwReadVirtualMemory
SSDT pxfsf.sys ZwRenameKey
SSDT pxfsf.sys ZwReplaceKey
SSDT pxfsf.sys ZwRestoreKey
SSDT pxfsf.sys ZwResumeProcess
SSDT pxfsf.sys ZwResumeThread
SSDT pxfsf.sys ZwSaveKey
SSDT pxfsf.sys ZwSaveKeyEx
SSDT pxfsf.sys ZwSaveMergedKeys
SSDT pxfsf.sys ZwSetContextThread
SSDT pxfsf.sys ZwSetInformationKey
SSDT pxfsf.sys ZwSetInformationProcess
SSDT pxfsf.sys ZwSetInformationThread
SSDT pxfsf.sys ZwSetSystemInformation
SSDT a347bus.sys ZwSetSystemPowerState
SSDT pxfsf.sys ZwSetValueKey
SSDT pxfsf.sys ZwSuspendProcess
SSDT pxfsf.sys ZwSuspendThread
SSDT pxfsf.sys ZwSystemDebugControl
SSDT pxfsf.sys ZwTerminateJobObject
SSDT pxfsf.sys ZwTerminateProcess
SSDT pxfsf.sys ZwTerminateThread
SSDT pxfsf.sys ZwUnloadDriver
SSDT pxfsf.sys ZwUnloadKey
SSDT pxfsf.sys ZwUnloadKeyEx
SSDT pxfsf.sys ZwUnlockVirtualMemory
SSDT pxfsf.sys ZwUnmapViewOfSection
SSDT pxfsf.sys ZwWriteFile
SSDT pxfsf.sys ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!ZwYieldExecution + FE 804E4938 24 Bytes
.text ntoskrnl.exe!ZwYieldExecution + 11A 804E4954 32 Bytes
.text ntoskrnl.exe!ZwYieldExecution + 13E 804E4978 24 Bytes
.text ntoskrnl.exe!ZwYieldExecution + 16E 804E49A8 8 Bytes
.text ntoskrnl.exe!ZwYieldExecution + 17A 804E49B4 8 Bytes
.text ...

Mumpitz
2006-11-08, 19:25
GMER pt. 2



---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 823C4298
Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_READ 81ED52C8
Device \FileSystem\Udfs \UdfsDisk IRP_MJ_READ 81ED52C8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 8205CE70
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_NAMED_PIPE 8205CE70
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 8205CE70
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 8206B610
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 8205CE70
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_INFORMATION 8205CE70
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_INFORMATION 8205CE70
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_EA 8205CE70
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_EA 8205CE70
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 8205CE70
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_VOLUME_INFORMATION 8205CE70
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_VOLUME_INFORMATION 8205CE70
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DIRECTORY_CONTROL 8205CE70
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FILE_SYSTEM_CONTROL 8205CE70
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 82036BB0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 8205CE70
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 8205CE70
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_LOCK_CONTROL 8205CE70
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLEANUP 8205CE70
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_MAILSLOT 8205CE70
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_SECURITY 8205CE70
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_SECURITY 8205CE70
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 8205CE70
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 8205CE70
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CHANGE 8205CE70
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_QUOTA 8205CE70
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_QUOTA 8205CE70
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 8205CE70
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 81F2DE70
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_READ 820EEFB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 81F32170
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 81F32170
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_READ 81F14A38
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_READ 81F0F5D8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_CREATE 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_CREATE_NAMED_PIPE 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_CLOSE 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_READ 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_WRITE 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_QUERY_INFORMATION 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_SET_INFORMATION 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_QUERY_EA 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_SET_EA 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_FLUSH_BUFFERS 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_QUERY_VOLUME_INFORMATION 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_SET_VOLUME_INFORMATION 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_DIRECTORY_CONTROL 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_FILE_SYSTEM_CONTROL 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82036750
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_SHUTDOWN 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_LOCK_CONTROL 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_CLEANUP 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_CREATE_MAILSLOT 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_QUERY_SECURITY 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_SET_SECURITY 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_POWER 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_DEVICE_CHANGE 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_QUERY_QUOTA 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_SET_QUOTA 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_PNP 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CREATE 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CREATE_NAMED_PIPE 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CLOSE 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_READ 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_WRITE 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_INFORMATION 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_INFORMATION 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_EA 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_EA 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_FLUSH_BUFFERS 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_VOLUME_INFORMATION 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_VOLUME_INFORMATION 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_DIRECTORY_CONTROL 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_FILE_SYSTEM_CONTROL 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_DEVICE_CONTROL 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82036750
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SHUTDOWN 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_LOCK_CONTROL 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CLEANUP 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CREATE_MAILSLOT 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_SECURITY 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_SECURITY 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_POWER 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SYSTEM_CONTROL 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_DEVICE_CHANGE 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_QUOTA 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_QUOTA 8205D680
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_PNP 8205D680
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_READ 81F0E868
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_READ 81F0E868
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_READ 81F0E868
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_READ 81F0E868
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_READ 81F0E868

---- EOF - GMER 1.0.12 ----
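
The SSDT section of the GMER log above lists which kernel module has redirected each native service. As an added example (not part of the thread or of GMER), the Python below groups those hooks by module and labels a module "stealth-only" when everything it hooks falls inside the set of file/process/thread/registry enumeration services that rootkits intercept to hide themselves, as opposed to the broad, mixed hooking of a HIPS or anti-virus driver. The set and the labels are my own triage heuristic; the sample lines are an excerpt of the log above, and a "stealth-only" label means "ask about this driver", not "malicious".

```python
from __future__ import annotations

import re
from collections import defaultdict

# Native services a kernel rootkit hooks to hide files, processes, threads and
# registry keys from user-mode tools. A module whose hooks all fall inside this set,
# with nothing else, has the profile of a hider rather than of a HIPS/AV driver.
# (Assumed set, chosen for this example.)
STEALTH_SERVICES = frozenset({
    "ZwQueryDirectoryFile", "ZwQuerySystemInformation",
    "ZwOpenProcess", "ZwOpenThread", "ZwCreateFile", "ZwOpenFile",
    "ZwOpenKey", "ZwEnumerateKey", "ZwEnumerateValueKey", "ZwQueryValueKey",
})

# GMER SSDT lines look like: SSDT <module> <Zw service>
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+(?P<service>Zw\w+)$")


def parse_ssdt(gmer_text: str) -> dict[str, set[str]]:
    """Map each hooking module to the set of SSDT services it has redirected."""
    hooks: dict[str, set[str]] = defaultdict(set)
    for line in gmer_text.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            hooks[m["module"]].add(m["service"])
    return dict(hooks)


def classify(hooks: dict[str, set[str]]) -> dict[str, dict]:
    """Label each module 'stealth-only', 'mixed' or 'none' by where its hooks land."""
    report: dict[str, dict] = {}
    for module, services in hooks.items():
        stealth = sorted(services & STEALTH_SERVICES)
        if not stealth:
            verdict = "none"
        elif len(stealth) == len(services) and len(services) >= 3:
            verdict = "stealth-only"       # every hook is a hiding primitive: review this driver
        else:
            verdict = "mixed"              # broad hooking, typical of HIPS/AV; check the vendor
        report[module] = {"count": len(services), "stealth": stealth, "verdict": verdict}
    return report


# Excerpt of the GMER SSDT section posted above (a constructed subset, same lines).
SAMPLE_GMER = r"""
SSDT pxfsf.sys ZwAlertResumeThread
SSDT pxfsf.sys ZwClose
SSDT pxfsf.sys ZwCreateKey
SSDT pxfsf.sys ZwOpenKey
SSDT pxfsf.sys ZwEnumerateKey
SSDT pxfsf.sys ZwLoadDriver
SSDT pxfsf.sys ZwTerminateProcess
SSDT pxfsf.sys ZwWriteVirtualMemory
SSDT \??\C:\WINDOWS\system32\MZU_DRV.sys ZwCreateFile
SSDT \??\C:\WINDOWS\system32\MZU_DRV.sys ZwOpenFile
SSDT \??\C:\WINDOWS\system32\MZU_DRV.sys ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\MZU_DRV.sys ZwOpenThread
SSDT \??\C:\WINDOWS\system32\MZU_DRV.sys ZwQueryDirectoryFile
SSDT \??\C:\WINDOWS\system32\MZU_DRV.sys ZwQuerySystemInformation
SSDT a347bus.sys ZwCreatePagingFile
SSDT a347bus.sys ZwSetSystemPowerState
"""

if __name__ == "__main__":
    for module, info in classify(parse_ssdt(SAMPLE_GMER)).items():
        print(f"{info['verdict']:13} {info['count']:3} hooks  {module}  stealth={info['stealth']}")
```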

Mumpitz
2006-11-08, 21:17
And here's the hjt log:


Logfile of HijackThis v1.99.1
Scan saved at 19:15:55, on 08/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IconDesk\IconDesk.exe
C:\Program Files\YZtoolbar\YzToolBar.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: Suchspur - {5D945E9A-DC10-4670-83EB-99DAA616628A} - C:\WINDOWS\system32\Suchspur.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Services] "C:\Program Files\svchosts.exe"
O4 - HKLM\..\Run: [_zlu_zlope02] c:\windows\system32\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\RunServices: [_zlu_zlope02] c:\windows\system32\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [_zlu_zlope02] c:\windows\system32\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ICONDESK.lnk = C:\Program Files\IconDesk\IconDesk.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Startup: YzDock.lnk = C:\Program Files\YZdock\YzDock.exe
O4 - Startup: YzToolBar.lnk = C:\Program Files\YZtoolbar\YzToolBar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Suchen - res://C:\WINDOWS\system32\Suchspur.dll/Suchspur.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159288993281
O17 - HKLM\System\CCS\Services\Tcpip\..\{7584F737-7042-46E2-A879-4F059EC0DD7D}: NameServer = 192.168.0.1,192.168.0.2
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)

Thanks.
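The thread works by reading the O4/O15/O23 lines of the log above by eye. As an added example (not HijackThis code and not part of the original thread), here is a small Python triage script that parses lines in that format and attaches review prompts from a few defender heuristics: a filename that closely resembles a core Windows binary, a system-binary name living outside a system directory, an executable sitting directly in a top-level folder, a random-looking filename, a RunServices autostart on an NT-family system, any Trusted Zone addition, and a service whose binary HijackThis reports missing. The sample lines are copied from the log posted above; the similarity threshold (0.85), the underscore count, and the lists of system binaries and directories are assumptions chosen for this example, not HijackThis rules.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from difflib import SequenceMatcher

# Constructed sample: O4/O15/O23 lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Services] "C:\Program Files\svchosts.exe"
O4 - HKLM\..\Run: [_zlu_zlope02] c:\windows\system32\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe
O4 - HKLM\..\RunServices: [_zlu_zlope02] c:\windows\system32\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
"""

# Heuristic knowledge chosen for this example (assumptions, not a HijackThis rule set).
SYSTEM_BINARIES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "smss.exe", "spoolsv.exe", "explorer.exe")
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows")
TOP_LEVEL_DIRS = ("c:", r"c:\program files")

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<site>\S+)")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")


def command_path(cmd):
    """Pull the executable path out of a command line as HijackThis prints it."""
    quoted = re.match(r'"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    unquoted = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    return unquoted.group(1) if unquoted else cmd.split()[0]


def path_flags(path):
    """Review prompts derived from the path alone (crude heuristics, see lead-in)."""
    flags = []
    norm = path.replace("/", "\\").lower()
    parent, _, base = norm.rpartition("\\")
    for known in SYSTEM_BINARIES:  # tuple, so the first near-match wins deterministically
        if base != known and SequenceMatcher(None, base, known).ratio() >= 0.85:
            flags.append("lookalike of " + known)
            break
    if base in SYSTEM_BINARIES and parent not in SYSTEM_DIRS:
        flags.append("system binary name outside a system directory")
    if parent in TOP_LEVEL_DIRS:
        flags.append("executable dropped in a top-level directory")
    if base.count("_") >= 3 or re.search(r"[\[\]]", base):
        flags.append("random-looking filename")
    return flags


def triage(log_text):
    """Parse O4/O15/O23 lines and attach review flags; other line types are skipped."""
    results = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            path = command_path(m["cmd"])
            flags = path_flags(path)
            # RunServices is only processed by Windows 9x/ME; on NT/XP it has no legitimate use.
            if m["key"].lower().startswith("runservices"):
                flags.append("RunServices key (Windows 9x/ME only; unused by NT/XP)")
            results.append({"kind": "O4", "name": m["name"], "path": path, "flags": flags})
            continue
        m = O15_RE.match(line)
        if m:
            # Legitimate software rarely adds Trusted Zone sites, so every entry gets reviewed.
            results.append({"kind": "O15", "name": m["site"], "path": None,
                            "flags": ["Trusted Zone entry (lowers IE security for this site)"]})
            continue
        m = O23_RE.match(line)
        if m:
            path = command_path(m["cmd"])
            flags = path_flags(path)
            if "(file missing)" in m["cmd"]:
                flags.append("service binary reported missing (verify on disk)")
            results.append({"kind": "O23", "name": m["name"], "path": path, "flags": flags})
    return results


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        if entry["flags"]:
            print(entry["kind"], entry["name"], "->", "; ".join(entry["flags"]))
```

The flags are review prompts, not verdicts. The AVG and ctfmon entries come out clean, the svchosts.exe and _zlu_zlope02 entries collect several flags each, and the Prevx service is flagged only because HijackThis printed it as "(file missing)" (likely a side effect of the stray quote before -f); the StartupList later in this thread lists the same service with its path intact, which is exactly the kind of cross-check the "verify on disk" wording asks for.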

Mr_JAk3
2006-11-08, 22:01
Hi again :)

We need a little more info...

Download F-Secure Blacklight (http://www.f-secure.com/blacklight/try_blacklight.html) and save it to your desktop.

Double-click blbeta.exe, accept the agreement, click Scan, then click Next.

You'll see a list of what has been found. A log will appear on your desktop, named fsbl.xxxxxxx.log (xxxxxxx will be random numbers).

DON'T choose Rename if something was found!

Post the contents of fsbl.xxxx.log here (the Blacklight log from your desktop).

Then, please do the following...

To generate a HijackThis Startup list:

1. Open HijackThis by double-clicking the desktop shortcut or HijackThis.exe
2. Click on "Open the Misc Tools Section"
3. Make sure that both boxes to the right of "Generate StartupList Log" are checked:

* List also minor sections (Full)
* List empty sections (Complete)

4. Click "Generate StartupListLog"
5. Click "Yes" at the prompt.
6. A Notepad window will open with the contents of the HijackThis Startup list displayed
7. Copy & Paste that log to here

Mumpitz
2006-11-09, 06:30
Blacklight log:

11/09/06 03:47:11 [Info]: BlackLight Engine 1.0.47 initialized
11/09/06 03:47:11 [Info]: OS: 5.1 build 2600 (Service Pack 2)
11/09/06 03:47:12 [Note]: 7019 4
11/09/06 03:47:12 [Note]: 7005 0
11/09/06 03:47:21 [Note]: 7006 0
11/09/06 03:47:21 [Note]: 7011 1920
11/09/06 03:47:21 [Note]: 7026 0
11/09/06 03:47:22 [Note]: 7026 0
11/09/06 03:47:47 [Note]: FSRAW library version 1.7.1020
11/09/06 03:55:43 [Note]: 2000 1012
11/09/06 04:22:18 [Note]: 7007 0


HJT startup log:

StartupList report, 09/11/2006, 04:26:26
StartupList version: 1.52.2
Started from : C:\Program Files\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IconDesk\IconDesk.exe
C:\Program Files\YZtoolbar\YzToolBar.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
ICONDESK.lnk = C:\Program Files\IconDesk\IconDesk.exe
Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
YzDock.lnk = C:\Program Files\YZdock\YzDock.exe
YzToolBar.lnk = C:\Program Files\YZtoolbar\YzToolBar.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ATIModeChange = Ati2mdxx.exe
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
Windows Services = "C:\Program Files\svchosts.exe"
_zlu_zlope02 = c:\windows\system32\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe
PrevxOne = "C:\Program Files\Prevx1\PXConsole.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

_zlu_zlope02 = c:\windows\system32\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
_zlu_zlope02 = c:\windows\system32\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: NO!)
.pif: HIDDEN! (arrow overlay: NO!)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

Mumpitz
2006-11-09, 06:31
HJT startup pt. 2

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
Malicious Scripts Scanner - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB}
(no name) - C:\WINDOWS\system32\Suchspur.dll - {5D945E9A-DC10-4670-83EB-99DAA616628A}
(no name) - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job
At1.job
At10.job
At11.job
At12.job
At13.job
At14.job
At2.job
At3.job
At4.job
At5.job
At6.job
At7.job
At8.job
At9.job

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\Java\classes\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159288993281

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

[Java Plug-in 1.5.0_06]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

a347bus: System32\DRIVERS\a347bus.sys (system)
a347scsi: System32\Drivers\a347scsi.sys (system)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Embedded Controller Driver: System32\DRIVERS\ACPIEC.sys (system)
Adobe LM Service: "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AnyDVD: System32\Drivers\AnyDVD.sys (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (autostart)
ati2mtag: System32\DRIVERS\ati2mtag.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Rezident Driver: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Closed Caption Decoder: system32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (autostart)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
Microsoft AC Adapter Driver: System32\DRIVERS\CmBatt.sys (manual start)
Microsoft Composite Battery Driver: System32\DRIVERS\compbatt.sys (system)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
ElbyCDIO Driver: System32\Drivers\ElbyCDIO.sys (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver: System32\DRIVERS\FA312nd5.sys (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
gmer: System32\DRIVERS\gmer.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe" (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
MZU_RK: \??\C:\WINDOWS\system32\MZU_DRV.sys (autostart)
NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video Connection: system32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
VIA OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Pcmcia: System32\DRIVERS\pcmcia.sys (system)
Low level access layer for CD devices: System32\Drivers\Pcouffin.sys (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Prevx Agent: "C:\Program Files\Prevx1\PXAgent.exe" -f (autostart)
PREVX Kernel Mode Agent: system32\drivers\pxfsf.sys (system)
PREVX Emulator Driver: system32\drivers\pxemu.sys (manual start)
PREVX Tdi filter: system32\drivers\pxtdi.sys (system)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
PREVX Rootkitscan driver: \??\C:\WINDOWS\system32\drivers\pxrd.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
st3wolf: system32\DRIVERS\st3wolf.sys (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
stwlfbus: system32\DRIVERS\stwlfbus.sys (system)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{5406D85A-87F5-4DFE-96EC-5944449A04CB} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
USB Audio Driver (WDM): system32\drivers\usbaudio.sys (manual start)
Microsoft USB Generic Parent Driver: system32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
U.S. Robotics 22Mbps Wireless Lan Adapter: System32\DRIVERS\usrwlan.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
VIA AC'97 Audio Controller (WDM): system32\drivers\viaudios.sys (manual start)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Media Player Network Sharing Service: C:\Program Files\Windows Media Player\WMPNetwk.exe (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Windows Driver Foundation - User-mode Driver Framework Platform Driver: system32\DRIVERS\WudfPf.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework Reflector: system32\DRIVERS\wudfrd.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework: %SystemRoot%\system32\svchost.exe -k WudfServiceGroup (manual start)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Veo Mobile/Advanced Web Camera: System32\Drivers\usbvm302.sys (manual start)

Mumpitz
2006-11-09, 06:31
HJT startup pt.3:


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

0aMCPClient: C:\PROGRA~1\COMMON~1\Stardock\MCPCore.dll
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 34,986 bytes
Report generated in 0.281 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Mr_JAk3
2006-11-09, 12:15
Hi again, great job :)
Now we'll continue...

1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop. Click on Avenger.zip to open the file. Extract avenger.exe to your desktop.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):



Files to delete:
C:\WINDOWS\system32\MZU_DRV.sys
c:\windows\system32\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe
C:\Program Files\svchosts.exe

Drivers to unload:
MZU_RK



Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop; this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.


5. Run GMER again:

Start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning! Please do not select the "Show all" checkbox during the scan.

6. Run ComboFix again.

- Double-click combofix.exe & follow the prompts.
- When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


When you're ready, post the following logs here:
- a fresh HijackThis log
- ComboFix log
- contents of C:\avenger.txt
- Gmer log

Mumpitz
2006-11-09, 15:38
OK, here we go (in chronological order):

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\bkxigbmv

*******************

Script file located at: \??\C:\cwlhdtqf.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\MZU_DRV.sys deleted successfully.


File c:\windows\system32\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe not found!
Deletion of file c:\windows\system32\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe failed!

Could not process line:
c:\windows\system32\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe
Status: 0xc0000034



File C:\Program Files\svchosts.exe not found!
Deletion of file C:\Program Files\svchosts.exe failed!

Could not process line:
C:\Program Files\svchosts.exe
Status: 0xc0000034

Driver MZU_RK unloaded successfully.

Completed script processing.

*******************

Finished! Terminate.


GMER 1.0.12.11889 - http://www.gmer.net
Rootkit scan 2006-11-09 13:26:24
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT pxfsf.sys ZwAlertResumeThread
SSDT pxfsf.sys ZwAllocateUserPhysicalPages
SSDT pxfsf.sys ZwAllocateVirtualMemory
SSDT pxfsf.sys ZwClose
SSDT pxfsf.sys ZwCompactKeys
SSDT pxfsf.sys ZwCompressKey
SSDT pxfsf.sys ZwCreateDirectoryObject
SSDT pxfsf.sys ZwCreateEvent
SSDT pxfsf.sys ZwCreateEventPair
SSDT pxfsf.sys ZwCreateFile
SSDT pxfsf.sys ZwCreateIoCompletion
SSDT pxfsf.sys ZwCreateJobObject
SSDT pxfsf.sys ZwCreateKey
SSDT pxfsf.sys ZwCreateMailslotFile
SSDT pxfsf.sys ZwCreateMutant
SSDT pxfsf.sys ZwCreateNamedPipeFile
SSDT a347bus.sys ZwCreatePagingFile
SSDT pxfsf.sys ZwCreatePort
SSDT pxfsf.sys ZwCreateProcess
SSDT pxfsf.sys ZwCreateProcessEx
SSDT pxfsf.sys ZwCreateSection
SSDT pxfsf.sys ZwCreateSemaphore
SSDT pxfsf.sys ZwCreateSymbolicLinkObject
SSDT pxfsf.sys ZwCreateThread
SSDT pxfsf.sys ZwCreateTimer
SSDT pxfsf.sys ZwCreateToken
SSDT pxfsf.sys ZwDeleteFile
SSDT pxfsf.sys ZwDeleteKey
SSDT pxfsf.sys ZwDeleteValueKey
SSDT pxfsf.sys ZwDeviceIoControlFile
SSDT pxfsf.sys ZwDuplicateObject
SSDT pxfsf.sys ZwEnumerateKey
SSDT pxfsf.sys ZwEnumerateValueKey
SSDT pxfsf.sys ZwFreeUserPhysicalPages
SSDT pxfsf.sys ZwFreeVirtualMemory
SSDT pxfsf.sys ZwImpersonateAnonymousToken
SSDT pxfsf.sys ZwImpersonateThread
SSDT pxfsf.sys ZwLoadDriver
SSDT pxfsf.sys ZwLoadKey
SSDT pxfsf.sys ZwLoadKey2
SSDT pxfsf.sys ZwLockRegistryKey
SSDT pxfsf.sys ZwLockVirtualMemory
SSDT pxfsf.sys ZwMapViewOfSection
SSDT pxfsf.sys ZwOpenFile
SSDT pxfsf.sys ZwOpenKey
SSDT pxfsf.sys ZwOpenProcess
SSDT pxfsf.sys ZwOpenProcessToken
SSDT pxfsf.sys ZwOpenSection
SSDT pxfsf.sys ZwOpenThread
SSDT pxfsf.sys ZwOpenThreadToken
SSDT pxfsf.sys ZwProtectVirtualMemory
SSDT pxfsf.sys ZwQueryInformationProcess
SSDT pxfsf.sys ZwQueryInformationThread
SSDT pxfsf.sys ZwQueryKey
SSDT pxfsf.sys ZwQueryMultipleValueKey
SSDT pxfsf.sys ZwQueryOpenSubKeys
SSDT pxfsf.sys ZwQueryValueKey
SSDT pxfsf.sys ZwQueueApcThread
SSDT pxfsf.sys ZwReadFile
SSDT pxfsf.sys ZwReadVirtualMemory
SSDT pxfsf.sys ZwRenameKey
SSDT pxfsf.sys ZwReplaceKey
SSDT pxfsf.sys ZwRestoreKey
SSDT pxfsf.sys ZwResumeProcess
SSDT pxfsf.sys ZwResumeThread
SSDT pxfsf.sys ZwSaveKey
SSDT pxfsf.sys ZwSaveKeyEx
SSDT pxfsf.sys ZwSaveMergedKeys
SSDT pxfsf.sys ZwSetContextThread
SSDT pxfsf.sys ZwSetInformationKey
SSDT pxfsf.sys ZwSetInformationProcess
SSDT pxfsf.sys ZwSetInformationThread
SSDT pxfsf.sys ZwSetSystemInformation
SSDT a347bus.sys ZwSetSystemPowerState
SSDT pxfsf.sys ZwSetValueKey
SSDT pxfsf.sys ZwSuspendProcess
SSDT pxfsf.sys ZwSuspendThread
SSDT pxfsf.sys ZwSystemDebugControl
SSDT pxfsf.sys ZwTerminateJobObject
SSDT pxfsf.sys ZwTerminateProcess
SSDT pxfsf.sys ZwTerminateThread
SSDT pxfsf.sys ZwUnloadDriver
SSDT pxfsf.sys ZwUnloadKey
SSDT pxfsf.sys ZwUnloadKeyEx
SSDT pxfsf.sys ZwUnlockVirtualMemory
SSDT pxfsf.sys ZwUnmapViewOfSection
SSDT pxfsf.sys ZwWriteFile
SSDT pxfsf.sys ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!ZwYieldExecution + FE 804E4938 24 Bytes
.text ntoskrnl.exe!ZwYieldExecution + 11A 804E4954 32 Bytes
.text ntoskrnl.exe!ZwYieldExecution + 13E 804E4978 24 Bytes
.text ntoskrnl.exe!ZwYieldExecution + 16E 804E49A8 8 Bytes
.text ntoskrnl.exe!ZwYieldExecution + 17A 804E49B4 8 Bytes
.text ...

Mumpitz
2006-11-09, 15:38
GMER pt.2


---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 823C4298
Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_READ 81F8F360
Device \FileSystem\Udfs \UdfsDisk IRP_MJ_READ 81F8F360
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 820A0310
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_NAMED_PIPE 820A0310
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 820A0310
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 820E45B0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 820A0310
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_INFORMATION 820A0310
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_INFORMATION 820A0310
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_EA 820A0310
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_EA 820A0310
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 820A0310
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_VOLUME_INFORMATION 820A0310
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_VOLUME_INFORMATION 820A0310
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DIRECTORY_CONTROL 820A0310
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FILE_SYSTEM_CONTROL 820A0310
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 8209E890
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 820A0310
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 820A0310
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_LOCK_CONTROL 820A0310
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLEANUP 820A0310
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_MAILSLOT 820A0310
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_SECURITY 820A0310
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_SECURITY 820A0310
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 820A0310
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 820A0310
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CHANGE 820A0310
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_QUOTA 820A0310
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_QUOTA 820A0310
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 820A0310
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 81EA8140
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_READ 81DE7B48
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 81EA8DE8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 81EA8DE8
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_READ 81DD2AA0
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_READ 81E33140
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_CREATE 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_CREATE_NAMED_PIPE 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_CLOSE 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_READ 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_WRITE 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_QUERY_INFORMATION 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_SET_INFORMATION 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_QUERY_EA 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_SET_EA 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_FLUSH_BUFFERS 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_QUERY_VOLUME_INFORMATION 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_SET_VOLUME_INFORMATION 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_DIRECTORY_CONTROL 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_FILE_SYSTEM_CONTROL 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 8209E808
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_SHUTDOWN 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_LOCK_CONTROL 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_CLEANUP 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_CREATE_MAILSLOT 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_QUERY_SECURITY 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_SET_SECURITY 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_POWER 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_DEVICE_CHANGE 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_QUERY_QUOTA 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_SET_QUOTA 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_PNP 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CREATE 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CREATE_NAMED_PIPE 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CLOSE 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_READ 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_WRITE 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_INFORMATION 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_INFORMATION 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_EA 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_EA 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_FLUSH_BUFFERS 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_VOLUME_INFORMATION 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_VOLUME_INFORMATION 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_DIRECTORY_CONTROL 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_FILE_SYSTEM_CONTROL 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_DEVICE_CONTROL 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_INTERNAL_DEVICE_CONTROL 8209E808
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SHUTDOWN 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_LOCK_CONTROL 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CLEANUP 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CREATE_MAILSLOT 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_SECURITY 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_SECURITY 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_POWER 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SYSTEM_CONTROL 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_DEVICE_CHANGE 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_QUOTA 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_QUOTA 820927E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_PNP 820927E8
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_READ 81F336C8
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_READ 81F336C8
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_READ 81F336C8
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_READ 81F336C8
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_READ 81F336C8

---- EOF - GMER 1.0.12 ----

Mumpitz
2006-11-09, 15:39
Owner - 06-11-09 13:28:42.60 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Owner\Desktop\Trojan Removal"

((((((((((((((((((((((((((((((( Files Created from 2006-10-09 to 2006-11-09 ))))))))))))))))))))))))))))))))))


2006-11-08 16:49 80 --a------ C:\WINDOWS\gmer_uninstall.cmd
2006-11-06 21:11 9,728 --a------ C:\WINDOWS\system32\drivers\pxscinst.dll
2006-11-06 21:11 7,680 --a------ C:\WINDOWS\system32\drivers\pxinst.dll
2006-11-06 21:11 7,552 --a------ C:\WINDOWS\system32\drivers\pxcom.sys
2006-11-06 21:11 272,256 --a------ C:\WINDOWS\system32\drivers\pxfsf.sys
2006-11-06 21:11 18,560 --a------ C:\WINDOWS\system32\drivers\pxtdi.sys
2006-11-06 21:11 13,568 --a------ C:\WINDOWS\system32\drivers\pxrd.sys
2006-11-06 21:11 11,648 --a------ C:\WINDOWS\system32\drivers\pxscrmbl.sys
2006-11-06 21:11 100,864 --a------ C:\WINDOWS\system32\drivers\PxEmu.sys
2006-11-06 20:56 201,728 --a------ C:\WINDOWS\system32\dxvwvcyf.exe
2006-11-06 20:29 201,728 --a------ C:\WINDOWS\system32\dxvwptea.exe
2006-11-06 15:47 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2006-11-06 15:44 194,073 --------- C:\WINDOWS\patcher.exe
2006-11-05 14:51 20,480 --a------ C:\WINDOWS\user32.exe
2006-10-18 19:33 2,977,792 --------- C:\WINDOWS\UNNeroVision.exe
2006-10-18 19:32 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2006-10-18 19:32 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2006-10-18 19:32 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2006-10-18 19:32 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2006-10-18 19:32 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2006-10-17 22:44 58 --a------ C:\WINDOWS\system32\sdbackup.reg
2006-10-17 20:13 424,136 --a------ C:\WINDOWS\system32\wunauclt.exe
2006-10-17 10:36 29,384 --a------ C:\WINDOWS\system32\mdimon.dll
2006-10-16 01:15 720,896 --a------ C:\WINDOWS\iun6002ev.exe
2006-10-15 21:23 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2006-10-15 21:23 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2006-10-15 21:23 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-09 13:27 -------- d-------- C:\Program Files\Prevx1
2006-11-09 13:27 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-09 04:27 -------- d-------- C:\Program Files\HijackThis
2006-11-07 02:23 -------- d-------- C:\Program Files\ATI Technologies
2006-11-07 02:10 -------- d-------- C:\Program Files\eMule
2006-11-06 21:45 -------- d-------- C:\Documents and Settings\Owner\Application Data\Prevx
2006-11-06 20:33 -------- d-------- C:\Program Files\SpywareBlaster
2006-11-06 17:34 -------- d-------- C:\Program Files\Mozilla Thunderbird
2006-11-06 14:26 -------- d-------- C:\Program Files\Apple Software Update
2006-11-05 19:45 -------- d-------- C:\Program Files\ICQ
2006-11-05 18:07 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-05 15:40 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-11-05 15:39 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-11-05 15:11 -------- d-------- C:\Program Files\Microsoft Games
2006-11-05 11:18 -------- d-------- C:\Program Files\CureROM
2006-11-02 20:57 -------- d-------- C:\Documents and Settings\Owner\Application Data\Skype
2006-10-18 19:34 -------- d-------- C:\Documents and Settings\Owner\Application Data\Ahead
2006-10-18 19:33 -------- d-------- C:\Program Files\Ahead
2006-10-18 13:21 -------- d-------- C:\Program Files\D-Tools
2006-10-17 20:00 -------- d-------- C:\Program Files\QuickTime
2006-10-17 17:31 -------- d-------- C:\Program Files\Winamp
2006-10-17 17:04 -------- d-------- C:\Program Files\Microsoft Office
2006-10-17 10:34 -------- d-------- C:\Program Files\Common Files\DESIGNER
2006-10-17 10:34 -------- d-------- C:\Program Files\Common Files
2006-10-16 23:55 -------- d-------- C:\Documents and Settings\Owner\Application Data\CopyToDvd
2006-10-16 08:57 -------- d-------- C:\Program Files\EA SPORTS
2006-10-16 02:46 -------- d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2006-10-14 21:43 -------- d-------- C:\Program Files\Common Files\Adobe
2006-10-13 02:18 195 -rahs---- C:\Program Files\desktop.ini
2006-10-13 02:18 106838 -rahs---- C:\Program Files\desktop36.ico
2006-10-13 01:18 -------- d-------- C:\Program Files\Winamp3
2006-10-13 01:18 -------- d-------- C:\Program Files\iZotope
2006-10-12 16:28 -------- d-------- C:\Documents and Settings\Owner\Application Data\Eidos
2006-10-12 02:11 -------- d-------- C:\Program Files\1964
2006-10-08 22:39 -------- d-------- C:\Program Files\NYKO
2006-10-08 22:35 -------- d-------- C:\Program Files\Project64 1.6
2006-10-08 17:51 -------- d-------- C:\Program Files\DivX
2006-10-07 20:54 390023 -rahs---- C:\Program Files\wunauclt.zip
2006-10-07 20:54 390023 -rahs---- C:\Program Files\wunauclt.tbe
2006-10-05 14:33 34308 --a------ C:\WINDOWS\system32\Chip.dll
2006-10-05 14:33 -------- d-------- C:\Program Files\SlySoft
2006-10-05 14:32 -------- d-------- C:\Program Files\vso
2006-10-05 00:34 -------- d-------- C:\Program Files\Defcon
2006-10-05 00:21 44096 --a------ C:\WINDOWS\system32\drivers\Pcouffin.sys
2006-10-05 00:21 -------- d-------- C:\Program Files\LG Software Innovations
2006-10-04 22:12 -------- d-------- C:\Program Files\XoftSpy
2006-10-01 13:02 -------- d-------- C:\Program Files\Google
2006-10-01 00:43 -------- d-------- C:\Program Files\Yahoo!
2006-09-30 21:24 -------- d-------- C:\Program Files\IconTweaker
2006-09-30 21:24 -------- d-------- C:\Documents and Settings\Owner\Application Data\Launchy
2006-09-30 20:48 -------- d-------- C:\Program Files\Stardock
2006-09-30 20:48 -------- d-------- C:\Program Files\Common Files\Stardock
2006-09-30 18:50 48640 --a------ C:\WINDOWS\system32\Suchspur.dll
2006-09-30 18:33 -------- d-------- C:\Program Files\EA Games
2006-09-30 16:51 -------- d-------- C:\Program Files\iTunes
2006-09-30 16:48 -------- d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2006-09-30 13:35 -------- d-------- C:\Program Files\Adobe
2006-09-30 12:02 -------- d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-09-29 22:45 -------- d-------- C:\Documents and Settings\Owner\Application Data\Thunderbird
2006-09-29 22:45 -------- d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2006-09-29 22:24 -------- d-------- C:\Program Files\YourWare Solutions
2006-09-29 19:40 -------- d-------- C:\Program Files\Common Files\NSV
2006-09-29 01:55 56 -r-hs---- C:\WINDOWS\system32\A6FC85CB16.sys
2006-09-28 22:42 -------- d-------- C:\Documents and Settings\Owner\Application Data\SlySoft
2006-09-28 22:28 -------- d-------- C:\Program Files\Common Files\AVSMedia
2006-09-28 19:24 -------- d-------- C:\Documents and Settings\Owner\Application Data\Help
2006-09-28 17:36 40 ---hs---- C:\Documents and Settings\Owner\Application Data\.zreglib
2006-09-28 16:39 -------- d-------- C:\Program Files\VM302
2006-09-28 16:38 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-09-28 14:29 -------- d-------- C:\Program Files\YZdock
2006-09-28 13:42 -------- d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2006-09-28 12:18 -------- d-------- C:\Program Files\uTorrent
2006-09-28 11:24 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-09-28 11:24 4288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-09-28 11:24 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-09-28 11:24 23104 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-09-28 02:10 -------- d-------- C:\Documents and Settings\Owner\Application Data\Sun
2006-09-27 23:33 -------- d-------- C:\Program Files\IconDesk
2006-09-27 23:19 -------- d-------- C:\Program Files\YZtoolbar
2006-09-27 16:39 -------- d-------- C:\Program Files\YZshadow
2006-09-27 16:09 -------- d-------- C:\Program Files\Axialis
2006-09-27 16:09 -------- d-------- C:\Documents and Settings\Owner\Application Data\Axialis
2006-09-27 15:55 218624 --a------ C:\WINDOWS\system32\uxtheme.dll
2006-09-27 14:12 -------- d-------- C:\Program Files\Skype
2006-09-27 14:05 -------- d-------- C:\Documents and Settings\Owner\Application Data\ICQ
2006-09-27 14:01 -------- d-------- C:\Program Files\Java
2006-09-27 14:01 -------- d-------- C:\Program Files\Common Files\Java
2006-09-27 11:59 -------- d-------- C:\Program Files\Outlook Express
2006-09-27 11:59 -------- d-------- C:\Program Files\Common Files\System
2006-09-27 11:38 -------- d-------- C:\Program Files\Messenger
2006-09-27 11:38 -------- d-------- C:\Program Files\Internet Explorer
2006-09-27 11:21 -------- d-------- C:\Program Files\Windows Media Player
2006-09-26 22:55 11973 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2006-09-26 20:14 -------- d-------- C:\Program Files\Movie Maker
2006-09-26 20:11 -------- d-------- C:\Program Files\Windows NT
2006-09-26 20:11 -------- d-------- C:\Program Files\NetMeeting
2006-09-26 17:15 -------- d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2006-09-26 14:40 -------- d--h----- C:\Program Files\WindowsUpdate
2006-09-26 14:26 -------- d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2006-09-24 17:15 20096 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2006-09-16 16:01 -------- d-------- C:\Program Files\Activision
2006-09-15 18:57 -------- d-------- C:\Program Files\Common Files\Ahead
2006-09-14 23:34 -------- d-------- C:\Program Files\Alcohol Soft
2006-09-14 23:29 62 ---hs---- C:\Documents and Settings\Owner\Application Data\desktop.ini
2006-09-14 23:29 -------- d-------- C:\Program Files\Common Files\SpeechEngines
2006-09-14 23:29 -------- d-------- C:\Program Files\Common Files\ODBC
2006-09-14 23:20 -------- d-------- C:\Program Files\WinRAR
2006-09-14 23:16 -------- d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2006-09-14 23:15 499712 --a------ C:\WINDOWS\system32\msvcp71.dll
2006-09-14 23:15 348160 --a------ C:\WINDOWS\system32\msvcr71.dll
2006-09-14 23:15 -------- d-------- C:\Program Files\Grisoft
2006-09-14 23:03 -------- d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2006-09-14 22:58 -------- d-------- C:\Documents and Settings\Owner\Application Data\InterVideo
2006-09-14 22:56 -------- d-------- C:\Program Files\InterVideo
2006-09-14 22:44 -------- d--h----- C:\Program Files\Uninstall Information
2006-09-14 22:44 -------- d-------- C:\Documents and Settings\Owner\Application Data\Identities
2006-09-14 22:40 0 -rahs---- C:\MSDOS.SYS
2006-09-14 22:40 0 -rahs---- C:\IO.SYS
2006-09-14 22:40 0 --a------ C:\CONFIG.SYS
2006-09-14 22:40 0 --a------ C:\AUTOEXEC.BAT
2006-09-14 22:40 -------- d-------- C:\Program Files\xerox
2006-09-14 22:40 -------- d-------- C:\Program Files\microsoft frontpage
2006-09-14 22:38 -------- d-------- C:\Program Files\Common Files\Services
2006-09-14 22:38 -------- d-------- C:\Program Files\Common Files\MSSoap
2006-09-14 22:36 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-09-13 05:01 1084416 --------- C:\WINDOWS\system32\msxml3.dll
2006-09-12 17:51 1245184 --a------ C:\WINDOWS\system32\msxml4.dll
2006-08-27 15:38 1015973 -rahs---- C:\Program Files\serial.tde
2006-08-25 15:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-25 03:47 129784 --------- C:\WINDOWS\system32\pxafs.dll
2006-08-25 03:47 115880 --------- C:\WINDOWS\system32\pxinsi64.exe
2006-08-21 12:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 09:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 11:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"_zlu_zlope02"="c:\\windows\\system32\\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIModeChange"="Ati2mdxx.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Windows Services"="\"C:\\Program Files\\svchosts.exe\""
"_zlu_zlope02"="c:\\windows\\system32\\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"PrevxOne"="\"C:\\Program Files\\Prevx1\\PXConsole.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"_zlu_zlope02"="c:\\windows\\system32\\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,18,01,00,00,00,00,00,00,60,04,00,00,03,04,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,4d,00,00,00,00,00,00,00,2b,05,00,00,03,04,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,4d,00,00,00,00,00,00,00,2b,05,00,00,03,04,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"_zlu_zlope02"="c:\\windows\\system32\\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"_zlu_zlope02"="c:\\windows\\system32\\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"0aMCPClient"="{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job

Completion time: 06-11-09 13:30:28.54
C:\ComboFix.txt ... 06-11-09 13:30
C:\ComboFix2.txt ... 06-11-07 19:46
C:\ComboFix3.txt ... 06-11-07 19:07

Mumpitz
2006-11-09, 15:41
And finally...

Logfile of HijackThis v1.99.1
Scan saved at 13:33:11, on 09/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IconDesk\IconDesk.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\YZdock\YzDock.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\YZtoolbar\YzToolBar.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: Suchspur - {5D945E9A-DC10-4670-83EB-99DAA616628A} - C:\WINDOWS\system32\Suchspur.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Services] "C:\Program Files\svchosts.exe"
O4 - HKLM\..\Run: [_zlu_zlope02] c:\windows\system32\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\RunServices: [_zlu_zlope02] c:\windows\system32\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [_zlu_zlope02] c:\windows\system32\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ICONDESK.lnk = C:\Program Files\IconDesk\IconDesk.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Startup: YzDock.lnk = C:\Program Files\YZdock\YzDock.exe
O4 - Startup: YzToolBar.lnk = C:\Program Files\YZtoolbar\YzToolBar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Suchen - res://C:\WINDOWS\system32\Suchspur.dll/Suchspur.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159288993281
O17 - HKLM\System\CCS\Services\Tcpip\..\{7584F737-7042-46E2-A879-4F059EC0DD7D}: NameServer = 192.168.0.1,192.168.0.2
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)

I'm having less trouble with virus alerts and slow speed, are we getting this mess cleaned up? Thanks for the time you're spending on this mate!

Mr_JAk3
2006-11-09, 21:56
Hi again, it looks better but not clean yet... :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen, under Your Computer's security:
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this.)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Please download the Killbox (http://www.downloads.subratam.org/KillBox.zip).
Unzip it to the desktop but do NOT run it yet.

Then, make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
Disable Prevx real-time protection (it may interfere with the cleaning):
Right-click on the Prevx icon in your system tray at the bottom-right corner of your screen and choose Show Management Console.
On the Management Console click the Protection Level drop-down menu. You will see three levels:
Maximum
Off
User Defined
Disable all protection by setting the level to Off. You will receive a prompt asking "You are about to change your security settings. Do you wish to continue?" Click Yes.
Click the X on the upper right hand corner to exit the Management console.
==================

Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end (don't forget to copy and paste the word REGEDIT4):


REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"_zlu_zlope02"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Windows Services"=-
"_zlu_zlope02"=-
"UserFaultCheck"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"_zlu_zlope02"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"_zlu_zlope02"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"_zlu_zlope02"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"0aMCPClient"=-



Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Suchspur - {5D945E9A-DC10-4670-83EB-99DAA616628A} - C:\WINDOWS\system32\Suchspur.dll
O4 - HKLM\..\Run: [Windows Services] "C:\Program Files\svchosts.exe"
O4 - HKLM\..\Run: [_zlu_zlope02] c:\windows\system32\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunServices: [_zlu_zlope02] c:\windows\system32\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe
O4 - HKCU\..\Run: [_zlu_zlope02] c:\windows\system32\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe
O8 - Extra context menu item: &Suchen - res://C:\WINDOWS\system32\Suchspur.dll/Suchspur.HTM
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)


Please run Killbox.

Select "Delete on Reboot".
Select "All Files".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\dxvwvcyf.exe
C:\WINDOWS\system32\dxvwptea.exe
C:\WINDOWS\patcher.exe
C:\WINDOWS\user32.exe
C:\WINDOWS\system32\wunauclt.exe
C:\WINDOWS\iun6002ev.exe
C:\Program Files\desktop36.ico
C:\Program Files\wunauclt.zip
C:\Program Files\wunauclt.tbe
C:\WINDOWS\system32\Suchspur.dll
C:\WINDOWS\system32\A6FC85CB16.sys
C:\Program Files\serial.tde

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Restart your computer to safe mode again:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Use the Windows search: Start > Search > All files and folders > More advanced options. Checkmark these options:
"Search system folders"
"Search hidden files and folders"
"Search subfolders"
Search for this and delete if found: TheMatrixHasYou
Search for this and delete if found: piglett.exe

Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

Go to My Computer and navigate to the following file:
C:\Program Files\desktop.ini
Right-click it with your mouse, choose Open. A text document will open.
Please copy the contents here.

================

When you're ready, post the following logs here:
- AVG's report
- a fresh HijackThis log
- contents of C:\Program Files\desktop.ini
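
The fix above is built by hand: read the O4 lines, pick the ones that are obviously bogus, and write a REGEDIT4 file whose "name"=- lines delete those values. The script below is an added example (not from this thread, HijackThis or ComboFix) that automates that step so the result can be checked before anything is merged into the registry. The sample O4 lines are copied from the HijackThis log posted above; the three heuristics (a filename one edit away from a Windows binary such as svchosts.exe, a Windows binary name running outside %SystemRoot%, and a random-looking filename with brackets or many underscores), the list of imitated binaries, and C:\WINDOWS as %SystemRoot% are this example's own assumptions. It reproduces the "Windows Services" and three "_zlu_zlope02" removals from the fix.reg above; the UserFaultCheck and 0aMCPClient removals are judgement calls that no heuristic here encodes.

```python
"""Flag autorun (O4) entries in a HijackThis log and render the REGEDIT4
fix file that deletes them.  Added example, not a tool from this thread;
the heuristics are assumptions of this example, not HijackThis logic."""
import re
from collections import OrderedDict

# Constructed sample: O4 lines copied from the HijackThis log posted above.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Services] "C:\Program Files\svchosts.exe"
O4 - HKLM\..\Run: [_zlu_zlope02] c:\windows\system32\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunServices: [_zlu_zlope02] c:\windows\system32\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [_zlu_zlope02] c:\windows\system32\_zsk_zlu_zlope02ryhdahqbke_[_n]l.exe
"""

# HijackThis hive shorthand -> full key path, as written in the fix.reg above.
HIVE_KEYS = {
    ("HKLM", "Run"): r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run",
    ("HKLM", "RunServices"): r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices",
    ("HKCU", "Run"): r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run",
}
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunServices): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)
# Assumed: binaries that malware likes to imitate, and XP's default %SystemRoot%.
SYSTEM_BINARIES = ("csrss.exe", "explorer.exe", "lsass.exe", "services.exe",
                   "smss.exe", "svchost.exe", "winlogon.exe", "wuauclt.exe")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")


def exe_path(cmd):
    """Executable part of a Run value: quoted path, else up to '.exe',
    else the first token (covers 'dumprep 0 -u')."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    return cmd[:m.end()] if m else cmd.split()[0]


def one_edit_away(a, b):
    """True if a becomes b with one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    i = 0
    while i < len(short) and short[i] == long_[i]:
        i += 1
    return short[i:] == long_[i + 1:]


def lookalike(basename):
    """System binary that a filename imitates (svchosts.exe -> svchost.exe), or None."""
    for known in SYSTEM_BINARIES:
        if one_edit_away(basename.lower(), known):
            return known
    return None


def suspicious_reasons(cmd):
    """Reasons to remove an autorun command; empty list means it looks benign."""
    path = exe_path(cmd).lower().replace("/", "\\").replace("%systemroot%", "c:\\windows")
    base = path.rsplit("\\", 1)[-1]
    stem = base[:-4] if base.endswith(".exe") else base
    reasons = []
    mimicked = lookalike(base)
    if mimicked:
        reasons.append(f"filename mimics {mimicked}")
    if base in SYSTEM_BINARIES and not path.startswith(SYSTEM_DIRS):
        reasons.append("system binary name outside %SystemRoot%")
    if re.search(r"[\[\]]", stem) or stem.count("_") >= 3:
        reasons.append("random-looking filename")
    return reasons


def flag_entries(hjt_text):
    """Parse O4 lines and keep those with at least one reason."""
    flagged = []
    for line in hjt_text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        reasons = suspicious_reasons(m["cmd"])
        if reasons:
            flagged.append({"key": HIVE_KEYS[(m["hive"], m["key"])],
                            "name": m["name"], "cmd": m["cmd"], "reasons": reasons})
    return flagged


def build_fix_reg(flagged):
    """Render a REGEDIT4 file: "name"=- deletes a value; one trailing blank line."""
    by_key = OrderedDict()
    for e in flagged:
        by_key.setdefault(e["key"], []).append(e["name"])
    out = ["REGEDIT4", ""]
    for key, names in by_key.items():
        out.append(f"[{key}]")
        out.extend(f'"{n}"=-' for n in dict.fromkeys(names))  # dedupe, keep order
        out.append("")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    hits = flag_entries(SAMPLE_O4)
    for e in hits:
        print(f"{e['name']:20} {e['cmd']}  <- {', '.join(e['reasons'])}")
    print(build_fix_reg(hits))
```

The output is reviewed, not merged blindly: each flagged line carries its reason, and the generated file keeps the REGEDIT4 header and the trailing blank line that the instructions above insist on. The same lookalike test also explains the wunauclt.exe entry in the Killbox list (one letter away from wuauclt.exe).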

Mumpitz
2006-11-10, 12:55
That took a while :) , but here we go:


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:38:17 10/11/2006

+ Scan result:



C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP183\A0043685.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP174\A0031824.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP174\A0031825.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP180\A0036228.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\S-1-5-21-448539723-1844823847-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP180\A0036218.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP180\A0036205.dll -> Adware.Softomate : Cleaned with backup (quarantined).
HKU\S-1-5-21-448539723-1844823847-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A8B28872-3324-4CD2-8AA3-7D555C872D96} -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\HijackThis\backups\backup-20061109-235755-889.dll -> Adware.Stud : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP186\A0045758.dll -> Adware.Stud : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP180\A0035206.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP180\A0035207.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP180\A0035226.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP180\A0036406.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP180\A0036216.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP180\A0036217.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP180\A0036225.exe -> Downloader.Adload.hw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP180\A0035174.exe -> Downloader.Adload.nad : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP182\A0039479.exe -> Downloader.Adload.nad : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP180\A0036395.exe -> Downloader.IstBar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP180\A0036397.exe -> Downloader.IstBar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP180\A0036220.exe -> Downloader.Small.ctf : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\My Documents\Installers\Adobe Photoshop Cs2 Activation Crack.rar/Adobe Photoshop CS2 Patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\My Documents\Installers\Adobe Photoshop Cs2 Activation Crack\Adobe Photoshop CS2 Patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
C:\Program Files\Adobe\Adobe Photoshop CS2\Adobe Photoshop CS2 Patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP180\A0035205.exe -> Trojan.Sinowal.bh : Cleaned with backup (quarantined).


::Report end


And the contents of desktop.ini:


[.ShellClassInfo]
IconFile=desktop36.ico
IconIndex=0
SourceIcon=c:\documents and settings\owner\my documents\axialis librarian\icons\capitaliconsuite\folders\photoshop.ico,0
ConfirmFileOp=0

The AVG scan cleaned up a lot of them. Couldn't find all the reg entries in HJT you mentioned, but guess that's a good thing! Many thanks.

Mumpitz
2006-11-10, 12:59
:oops: posted the AVG log twice by mistake! Here's the HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 10:49:14, on 10/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IconDesk\IconDesk.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\YZdock\YzDock.exe
C:\Program Files\YZtoolbar\YzToolBar.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\WINDOWS\System32\NOTEPAD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\cidaemon.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ICONDESK.lnk = C:\Program Files\IconDesk\IconDesk.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Startup: YzDock.lnk = C:\Program Files\YZdock\YzDock.exe
O4 - Startup: YzToolBar.lnk = C:\Program Files\YZtoolbar\YzToolBar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159288993281
O17 - HKLM\System\CCS\Services\Tcpip\..\{7584F737-7042-46E2-A879-4F059EC0DD7D}: NameServer = 192.168.0.1,192.168.0.2
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
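
An added example, not part of this thread and not a HijackThis feature: a short Python script that parses a HijackThis 1.99 log like the one above and runs three checks a helper otherwise does by eye. It cross-references every "(file missing)" entry against the "Running processes" list (the PREVXAgent service line above carries a stray quote in its path, so HJT reports the binary missing even though PXAgent.exe is plainly running), flags O17 NameServer entries outside the private address ranges, and lists O23 services with no company name. The sample log is an excerpt of the log above plus one constructed O17 line (the 8.8.8.8 nameserver, added only to make the DNS check fire); the function and variable names are my own.

```python
"""Triage a HijackThis 1.99 log: parse it, then apply a few checks by machine.

Added example, not part of the thread. Function names are the author's own.
"""
import ipaddress
import re

ENTRY_RE = re.compile(r'^(O\d+) - (.+)$')
EXE_RE = re.compile(r'([^\\\s]+\.(?:exe|dll))', re.I)

# Excerpt of the log posted above. The second O17 line is CONSTRUCTED for this
# example (8.8.8.8 is a public resolver; it is not in the original log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{7584F737-7042-46E2-A879-4F059EC0DD7D}: NameServer = 192.168.0.1,192.168.0.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-EXAMPLE}: NameServer = 8.8.8.8
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
"""


def parse_log(text):
    """Split a log into (running_processes, [(section, body), ...])."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == 'Running processes:':
            in_procs = True
            continue
        if not line:
            in_procs = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries


def basename(path):
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def triage(text):
    """Return a list of (check, section, detail) findings."""
    processes, entries = parse_log(text)
    running = {basename(p) for p in processes}
    findings = []
    for section, body in entries:
        if body.endswith('(file missing)'):
            # HJT could not stat the target. Before concluding the file is gone,
            # compare against the process list: a stray quote in a service path
            # (PXAgent.exe" -f) makes HJT report 'file missing' for a binary
            # that is plainly running.
            target = body[: -len('(file missing)')]
            m = EXE_RE.search(target)
            name = m.group(1).lower() if m else target.strip()
            check = 'file-missing-but-running' if name in running else 'file-missing'
            findings.append((check, section, name))
        if section == 'O17':
            # NameServer should point at the LAN router or the ISP's resolver.
            # Anything outside the private ranges deserves a look.
            for ip in body.split('NameServer =')[-1].split(','):
                ip = ip.strip()
                try:
                    if not ipaddress.ip_address(ip).is_private:
                        findings.append(('external-dns', section, ip))
                except ValueError:
                    findings.append(('bad-nameserver', section, ip))
        if section == 'O23' and 'Unknown owner' in body:
            # HJT found no company name in the service binary's version info.
            svc = body.split(' - ')[0][len('Service: '):]
            findings.append(('unknown-owner', section, svc))
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it on a whole saved log by reading the file into `triage()`. Note that `ipaddress.is_private` also covers the RFC 5737 documentation ranges, which is why the constructed line uses a real public resolver rather than a 203.0.113.x address.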

Mumpitz
2006-11-10, 20:19
FYI:

I'm still receiving Virus alerts, both AVG and Prevx are finding crap in C:\System Volume Information on a regular basis. Is this folder meant to be there? It's hidden and inaccessible.

Mr_JAk3
2006-11-10, 21:19
Ok it is beginning to look good :)

Don't worry about the system restore. We'll clean it when we have got other things running. Just DON'T do a system restore unless you have no other choice ;)


C:\Documents and Settings\Owner\My Documents\Installers\Adobe Photoshop Cs2 Activation Crack.rar/Adobe Photoshop CS2 Patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\My Documents\Installers\Adobe Photoshop Cs2 Activation Crack\Adobe Photoshop CS2 Patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
C:\Program Files\Adobe\Adobe Photoshop CS2\Adobe Photoshop CS2 Patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).

It is illegal to use pirated software (cracks, keygens etc) and as you can see, they'll get you infected....

Ok we'll run a one more scanner...

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan: Select My Computer

This program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Mumpitz
2006-11-10, 23:49
This isn't good: 7 viruses in 45 infected files! What next?

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, November 10, 2006 9:47:27 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 10/11/2006
Kaspersky Anti-Virus database records: 240450
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
F:\

Scan Statistics:
Total number of scanned objects: 68439
Number of viruses found: 7
Number of infected objects: 45 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:41:28

Infected Object Name / Virus Name / Last Action
C:\!KillBox\user32.exe Infected: Trojan-Downloader.Win32.Harnig.cu skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\Local.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fu2vfbpq.default\cert8.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fu2vfbpq.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fu2vfbpq.default\history.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fu2vfbpq.default\key3.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fu2vfbpq.default\parent.lock Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\log\plugin150_06.trace Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Desktop\Trojan Removal\!KillBox\user32.exe Infected: Trojan-Downloader.Win32.Harnig.cu skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\fu2vfbpq.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\fu2vfbpq.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\fu2vfbpq.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\fu2vfbpq.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012006111020061111\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\hsperfdata_Owner\2468 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\My Documents\Downloads\Flight Simulator X crack.exe/irsetup.dat Infected: Trojan-Dropper.Win32.Peerad.a skipped
C:\Documents and Settings\Owner\My Documents\Downloads\Flight Simulator X crack.exe SetupFactory: infected - 1 skipped
C:\Documents and Settings\Owner\My Documents\Downloads\NOCD Flight Simulator X crack.exe/irsetup.dat Infected: Trojan-Dropper.Win32.Peerad.a skipped
C:\Documents and Settings\Owner\My Documents\Downloads\NOCD Flight Simulator X crack.exe SetupFactory: infected - 1 skipped
C:\Documents and Settings\Owner\My Documents\Downloads\Win.All Flight Simulator X crack.exe/irsetup.dat Infected: Trojan-Dropper.Win32.Peerad.a skipped
C:\Documents and Settings\Owner\My Documents\Downloads\Win.All Flight Simulator X crack.exe SetupFactory: infected - 1 skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll Infected: Trojan-PSW.Win32.Sinowal.bk skipped
C:\Program Files\eMule\Incoming\NOCD Flight Simulator X crack.exe/irsetup.dat Infected: Trojan-Dropper.Win32.Peerad.a skipped
C:\Program Files\eMule\Incoming\NOCD Flight Simulator X crack.exe SetupFactory: infected - 1 skipped
C:\Program Files\Prevx1\lclbrk.cache Object is locked skipped
C:\Program Files\Prevx1\log\px-log.txt Object is locked skipped
C:\Program Files\Prevx1\paws.cache Object is locked skipped
C:\Program Files\Prevx1\prevx.cache Object is locked skipped
C:\Program Files\Prevx1\proc.cat Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010004.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP174\A0031765.exe/irsetup.dat Infected: Trojan-Dropper.Win32.Peerad.a skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP174\A0031765.exe SetupFactory: infected - 1 skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP174\A0031766.exe/irsetup.dat Infected: Trojan-Dropper.Win32.Peerad.a skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP174\A0031766.exe SetupFactory: infected - 1 skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP174\A0031767.exe/irsetup.dat Infected: Trojan-Dropper.Win32.Peerad.a skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP174\A0031767.exe SetupFactory: infected - 1 skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP174\A0031768.exe/irsetup.dat Infected: Trojan-Dropper.Win32.Peerad.a skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP174\A0031768.exe SetupFactory: infected - 1 skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP174\A0031769.exe/irsetup.dat Infected: Trojan-Dropper.Win32.Peerad.a skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP174\A0031769.exe SetupFactory: infected - 1 skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP174\A0031772.exe/irsetup.dat Infected: Trojan-Dropper.Win32.Peerad.a skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP174\A0031772.exe SetupFactory: infected - 1 skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP174\A0031773.exe/irsetup.dat Infected: Trojan-Dropper.Win32.Peerad.a skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP174\A0031773.exe SetupFactory: infected - 1 skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP174\A0031774.exe/irsetup.dat Infected: Trojan-Dropper.Win32.Peerad.a skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP174\A0031774.exe SetupFactory: infected - 1 skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP174\A0031775.exe/irsetup.dat Infected: Trojan-Dropper.Win32.Peerad.a skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP174\A0031775.exe SetupFactory: infected - 1 skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP174\A0031776.exe/irsetup.dat Infected: Trojan-Dropper.Win32.Peerad.a skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP174\A0031776.exe SetupFactory: infected - 1 skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP174\A0031776.exe NSPack: infected - 1 skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP180\A0036210.exe/deskbar.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP180\A0036210.exe/deskbar.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP180\A0036210.exe/deskbar.exe Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP180\A0036210.exe ZIP: infected - 3 skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP180\A0036393.exe Object is locked skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP180\A0036396.exe Infected: Trojan-Downloader.Win32.Harnig.cu skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP183\A0041786.exe Object is locked skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP183\A0043690.exe/InpB/DxcBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP183\A0043690.exe/InpB/DxcCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP183\A0043690.exe/InpB/Dxc.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP183\A0043690.exe/InpB/DxcRepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP183\A0043690.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP183\A0043690.exe CAB: infected - 5 skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP186\A0045763.exe Infected: Trojan-Downloader.Win32.Harnig.cu skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP186\A0045805.dll Infected: not-a-virus:AdWare.Win32.Stud.c skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP187\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{9659DA30-08F4-48CD-9A74-B38E1DF1420A}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Mr_JAk3
2006-11-11, 08:59
Hi again. Before we continue I would like you to do something for me :)

Please go to this forum (http://www.thespykiller.co.uk/forum/index.php?board=1.0)

There's no need to register. Just start a new topic, titled "File for TonyKlein".

In the topic, simply refer to this --- forum thread, and use the Attachment box to upload the file.

In fact there's not even a need to actually browse to the file: just copy the full path to the file, in this case:

C:\!Killbox\Suchspur.dll

... and paste it in the attachment box, then press the 'Post' button. The file will be found and uploaded.

NOTE: You will not see the files that have been uploaded (including the ones you upload yourself) as they only show to the authorised users who can download them

Please let me know when you've done this and we'll clean the remainder, thanks :bigthumb:

Mumpitz
2006-11-11, 15:07
Ok, I've uploaded that file. Referring to your last post: You mentioned a system restore? I didn't, that must have been someone else's thread you were thinking of at the time :)
Do you need another scan??

Mr_JAk3
2006-11-11, 15:25
Hi again :)


FYI:

I'm still receiving Virus alerts, both AVG and Prevx are finding crap in C:\System Volume Information on a regular basis. Is this folder meant to be there? It's hidden and inaccessible.

System restore files are stored to C:\System Volume Information folder. But do NOT do a system restore.
We'll sweep it soon :)

May I please ask you to upload the file again, TonyKlein said that it was 0 bytes in size so he didn't get the whole file. Seems that something is blocking the upload so please try this:

Please download the Suspicious file Packer (http://www.safer-networking.org/files/sfp.zip) from Safer-Networking.Org and unzip it to your desktop.

Run SFP.exe.

Please copy the following lines into the Step 1: Paste Text window:

C:\!Killbox\Suchspur.dll

then click "Continue".

This will create a .cab file on your desktop named requested-files[Date/Time].cab

Please upload the cab file to the same thread again --> http://www.thespykiller.co.uk/forum/index.php?topic=3005.0

Thank you :bigthumb:

Mumpitz
2006-11-11, 16:22
Ah, sorry my mistake. I've uploaded the file again.

Mumpitz
2006-11-11, 17:48
Right, that was a waste of time. The file couldn't be sent (for unknown reasons). What about the infections the Kaspersky scan came up with? Sorry if I'm being impatient, I have to put everything else on hold to get this sorted out.

Mr_JAk3
2006-11-11, 19:59
Thanks for your cooperation :)

Now let's get you cleaned...

You should print these instructions or save these to a text file. Follow these instructions carefully.

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following files (if present):
C:\Documents and Settings\Owner\My Documents\Downloads\Flight Simulator X crack.exe
C:\Documents and Settings\Owner\My Documents\Downloads\NOCD Flight Simulator X crack.exe
C:\Documents and Settings\Owner\My Documents\Downloads\Win.All Flight Simulator X crack.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
C:\Program Files\eMule\Incoming\NOCD Flight Simulator X crack.exe

Run ATF Cleaner
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Reboot in Normal Mode.

================

When you're ready, post the following logs to here:
- a fresh HijackThis log
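
An added example, not part of this thread and not Kaspersky's own tooling: a Python script that reads a Kaspersky Online Scanner report like the one posted earlier and turns it into the cleanup plan Mr_JAk3 wrote out by hand above. The online scanner only reports (every line ends in "skipped"), so the work is sorting the hits: "Object is locked" lines are in-use system files, not detections; hits under System Volume Information\_restore go away when System Restore is cleared; hits under a !KillBox folder are the removal tool's own backups; everything else is a live file to delete in safe mode. A name like "outer.exe/irsetup.dat" is a member inside an installer, so the outer file is what gets deleted. The sample lines are a subset copied from the report above; the function names are my own.

```python
"""Turn a Kaspersky Online Scanner report into a cleanup plan.

Added example, not part of the thread. Function names are the author's own.
"""
import re

# One regex for the three line shapes in the report:
#   <path> Infected: <detection> skipped
#   <path> <Packer>: infected - <n> skipped      (container whose members hit)
#   <path> Object is locked skipped
LINE_RE = re.compile(
    r'^(?P<path>.+?) (?:Infected: (?P<name>\S+)'
    r'|(?P<packer>\S+): infected - \d+'
    r'|Object is locked) skipped$'
)

# Lines copied from the report posted above (a subset, not the whole report).
SAMPLE_REPORT = r"""
C:\!KillBox\user32.exe Infected: Trojan-Downloader.Win32.Harnig.cu skipped
C:\Documents and Settings\All Users\Application Data\Prevx\Local.dat Object is locked skipped
C:\Documents and Settings\Owner\My Documents\Downloads\Flight Simulator X crack.exe/irsetup.dat Infected: Trojan-Dropper.Win32.Peerad.a skipped
C:\Documents and Settings\Owner\My Documents\Downloads\Flight Simulator X crack.exe SetupFactory: infected - 1 skipped
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll Infected: Trojan-PSW.Win32.Sinowal.bk skipped
C:\Program Files\eMule\Incoming\NOCD Flight Simulator X crack.exe/irsetup.dat Infected: Trojan-Dropper.Win32.Peerad.a skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP180\A0036210.exe ZIP: infected - 3 skipped
C:\System Volume Information\_restore{7697373E-6FA1-44B2-9C93-17ED407A85BB}\RP186\A0045763.exe Infected: Trojan-Downloader.Win32.Harnig.cu skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""


def classify(path):
    """Where a hit lives decides how it gets removed."""
    low = path.lower()
    if '\\system volume information\\_restore' in low:
        return 'restore-point'   # gone once System Restore is cleared
    if '\\!killbox\\' in low:
        return 'tool-backup'     # the removal tool's own backups; delete the folder
    return 'live'                # must be deleted by hand (safe mode)


def plan(report):
    """Group hits by outer file and location class; count locked/unparsed lines."""
    out = {'live': {}, 'restore-point': {}, 'tool-backup': {},
           'locked': 0, 'unparsed': []}
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            out['unparsed'].append(line)
            continue
        if m.group('name') is None and m.group('packer') is None:
            out['locked'] += 1       # in-use system file, not a detection
            continue
        # "outer.exe/irsetup.dat" names a member inside an archive or installer;
        # the thing to delete is the outer file.
        outer = m.group('path').split('/', 1)[0]
        label = m.group('name') or m.group('packer') + ' container'
        out[classify(outer)].setdefault(outer, set()).add(label)
    return out


def delete_list(p):
    """Live files to remove by hand, sorted for a stable list."""
    return sorted(p['live'])


if __name__ == '__main__':
    p = plan(SAMPLE_REPORT)
    print('delete by hand:', *delete_list(p), sep='\n  ')
    print('in restore points:', len(p['restore-point']), '(clear System Restore)')
    print('tool backups:', len(p['tool-backup']), '(remove the !KillBox folders)')
```

On the full report above the same logic yields exactly the five files listed for deletion in the post, with the rest of the 45 objects falling into restore points and the two !KillBox folders.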

Mumpitz
2006-11-12, 02:44
Logfile of HijackThis v1.99.1
Scan saved at 00:40:24, on 12/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\IconDesk\IconDesk.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\YZdock\YzDock.exe
C:\Program Files\YZtoolbar\YzToolBar.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ICONDESK.lnk = C:\Program Files\IconDesk\IconDesk.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Startup: YzDock.lnk = C:\Program Files\YZdock\YzDock.exe
O4 - Startup: YzToolBar.lnk = C:\Program Files\YZtoolbar\YzToolBar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159288993281
O17 - HKLM\System\CCS\Services\Tcpip\..\{7584F737-7042-46E2-A879-4F059EC0DD7D}: NameServer = 192.168.0.1,192.168.0.2
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)

Mumpitz
2006-11-12, 02:46
:bigthumb: Looks better to me! How are we doing?

Mr_JAk3
2006-11-12, 16:02
Hi again, it is looking clean now :)
The computer is running fine ?

You don't seem to have a firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) running, you must install a firewall.
NOTE: If you're using Windows XP firewall, I recommend that you install a better firewall. Windows firewall doesn't really provide enough protection.
Disable Windows firewall after installing a new firewall.

These are good (free) firewalls: Sunbelt-Kerio (http://www.sunbelt-software.com/Kerio.cfm)
ZoneAlarm (http://www.zonelabs.com/)
Sygate (http://http://www.majorgeeks.com/download.php?det=3356)
Outpost (http://www.majorgeeks.com/download.php?det=1056)

You can enable PrevX realtime protection

Remove the following backup folders too:
C:\Documents and Settings\Owner\Desktop\Trojan Removal\!KillBox
C:\!KillBox

Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools that we used.

Then you should update your Java to the latest version (5.0 update 9)
Start
Control Panel
Add/Remove Programs
Delete the old Java, J2SE Runtime Environment 5.0 Update 6
Then we'll get the latest version of Java -> LINK (https://java.sun.com/javase/downloads/index.jsp)
Scroll down to Java Runtime Environment (JRE) 5.0 Update 9
Download & install it

Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

=============

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is faster, safer and better browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.

Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.

Read this article by TonyKlein (http://castlecops.com/postlite7736-.html)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)

Mumpitz
2006-11-12, 22:25
Nice one! Yeah, my laptop seems to be running fine now. I've installed Outpost because I can't get Windows firewall reactivated.

On a separate note: as all the trojan trouble started I had downloaded, but not installed, updates for Windows (the newest IE, I think). Anyway, I can't install them because the system crashes every time I run the installer. But I'm still receiving the popup every time I start stating that updates are available for installation. How do I delete the downloaded update files and start again? Running update again doesn't solve the prob.

Many thanks for all your help on getting this crap off my laptop! Cheers!

Mumpitz
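An added check for the situation Mumpitz describes (a Windows XP SP2 built-in firewall that will not come back on). This batch script is not from either poster or from any of the tools named in the thread; it assumes the XP SP2 `netsh firewall` context and the service name `SharedAccess` (Windows Firewall/Internet Connection Sharing), both of which are standard on that platform. It first shows the three usual reasons the Security Center switch fails (service stopped or set to disabled, a policy override, a damaged configuration), then offers to re-enable the firewall.

```batch
@echo off
rem Added example, not code from the thread. Run from an Administrator
rem command prompt on Windows XP SP2. Save as check-xp-firewall.cmd.

echo === 1. Service behind the firewall (Windows Firewall/ICS, name SharedAccess) ===
rem STATE should be RUNNING and START_TYPE should be AUTO_START. Malware
rem commonly sets the service to DISABLED, which makes the Control Panel
rem switch fail silently.
sc query SharedAccess
sc qc SharedAccess

echo === 2. Policy override that greys out the on/off switch ===
rem A Group Policy value EnableFirewall = 0 under either profile forces the
rem firewall off. A normal home machine has no WindowsFirewall policy key at all.
reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall 2>nul || echo No policy override in StandardProfile
reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall 2>nul || echo No policy override in DomainProfile

echo === 3. Current firewall mode and exception lists ===
rem Review both lists for programs or ports you do not recognise; an
rem infection that cannot disable the firewall will often add itself here.
netsh firewall show opmode
netsh firewall show allowedprogram
netsh firewall show portopening

echo === 4. Re-enable the firewall ===
set /p GO=Set SharedAccess to auto-start, start it and enable the firewall now? [y/N] 
if /i not "%GO%"=="y" goto :end
rem The space after "start=" is required by sc.exe syntax.
sc config SharedAccess start= auto
net start SharedAccess
netsh firewall set opmode mode=ENABLE
netsh firewall show state

:end
```

If step 2 reports a policy value on a home machine that was never joined to a domain, that value is itself a leftover of the infection and should be removed before step 4 will stick. If `net start SharedAccess` still fails after the start type is corrected, the service's own files may have been damaged; in that case a third-party firewall, which is what Mumpitz ended up installing, is the pragmatic route.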

Mr_JAk3
2006-11-13, 08:39
Hi again, that's great news :)

Have you tried to download & install the updates via Windows Update (http://windowsupdate.microsoft.com/) ?

Mr_JAk3
2006-11-18, 11:01
As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

Glad we could help :2thumb: