YIKES, Please help!



nacra
2006-11-17, 00:55
Just got a laptop from work. It's running Win 2000 Pro. It was locking up, then connection speed went down to very slow. I suspected spyware/viruses. I installed Spybot 1.4 and AVG. Ran them both and got some bad stuff. Spybot came up with Jupilites, Smitfraud-C, Torpig, and System Doctor. Subsequent scans reveal that Jupilites, Smitfraud-C and Torpig are still on the system. It also stripped the Cyber Angel off, but this is not a big deal according to Cyber Angel. They gave me instructions to reinstall, which I haven't done yet.

Now the real bad news. :sad: Upon boot up, I get a device driver entry point box that says:

C:\WINNT\\System32\MZU_DRV.system device driver could not locate the entry point ZWQuery Information Thread in driver ntoskrnll.exe?????H????????? (maybe more or less question marks)

Even worse is when I try a dial-up connection, or use the VPN adapter: upon user authentication, the system reboots. I tried safe mode and get a blue screen that locks up:

stop:0x0000001E (0xC0000005,0xBFDB3952,0xC00000000,0x0000003C K(?)MODE_EXCEPTION_NOT_HANDLED Address BFD1000,Datestamp4553cfbd-system 32:lzx
and get a message saying to make sure I have enough memory (not a problem), check for BIOS updates and hardware updates. I don't know how to do a BIOS update.

I made the emergency disks after installing AVG and have them. I am reluctant to use this as this laptop has proprietary software on it and I don't want to lose that.

Thanks for your help

nacra
2006-11-17, 03:57
Does anyone think that this is a Windows/driver type problem or one that can be fixed here?

Mr_JAk3
2006-11-18, 10:52
Hi nacra and welcome to Safer Networking Forums :)

That is an infection :(

Please post a HijackThis log to here and I'll have a look :bigthumb:

Please post a HijackThis log to here: Click here (http://downloads.malwareremoval.com/HijackThis.exe) to download HijackThis.exe
Save HijackThis.exe to your desktop.
Create a new folder named HijackThis to your desktop. Move Hijackthis.exe into that folder.
Run HijackThis.exe
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

nacra
2006-11-18, 21:33
:eek: I downloaded HijackThis to a floppy on another machine and tried to install. After several attempts I get the same message: "HijackThis caused an error in Windows, restart the program. An error log is being created." :eek:

Mr_JAk3
2006-11-19, 09:02
Hi again :)

Ok, please try to rename HijackThis.exe to scanner.exe and try to run it again.

Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.

nacra
2006-11-21, 02:37
Mr_JAk3,

Sorry it has taken me so long. I have the HijackThis logfile but was unable to put GMER on. This laptop does not have WinZip so I can't open it. Very frustrating.


Logfile of HijackThis v1.99.1
Scan saved at 06:15:04 PM, on 11/20/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\msasvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\wlmsngr.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkeyman.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\Real\Player\realplay.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
C:\Program Files\AClient\Bin\XCDiffCache.exe
C:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\system32\dxvwgagn.exe
C:\Program Files\AClient\Bin\XCGSTask.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\Administrator\Desktop\hijack this\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {81D36CB0-55C2-4D91-93AB-25B5AE8F095F} - C:\WINNT\system32\xxwxv.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINNT\system32\cxmwyqru.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Hotkey] C:\WINNT\System32\hkeyman.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [RealTray] C:\Real\Player\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
O4 - HKLM\..\Run: [Afaria Client File Differencing] C:\Program Files\AClient\Bin\XCDiffCache.exe
O4 - HKLM\..\Run: [WSPPurge] C:\Program Files\Aflac\Common\WSPPurge.exe
O4 - HKLM\..\Run: [_zlu_zlope05] c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Explorer 2238] C:\WINNT\system32\dxvwgagn.exe
O4 - HKLM\..\RunServices: [_zlu_zlope05] c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
O4 - HKCU\..\Run: [AOL Instant Messenger (TM)] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [_zlu_zlope05] c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
O4 - Global Startup: Afaria Client Generic Scheduler.lnk = C:\Program Files\AClient\Bin\XCGSTask.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: xxwxv - C:\WINNT\system32\xxwxv.dll
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINNT\system32\dxvwgagn.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINNT\system32\msasvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINNT\system\winlogon.exe (file missing)
O23 - Service: wlmsngr - Unknown owner - C:\WINNT\wlmsngr.exe

nacra
2006-11-21, 03:14
Can I get GMER unzipped? I tried to burn a CD with WinZip and was not allowed. :oops:

Mr_JAk3
2006-11-21, 09:48
Hi again :)

One or more of the identified infections is a backdoor trojan. You also have at least two infections with rootkit capabilities.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor/rootkit functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of infection, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.
Should you have any questions, please feel free to ask.

If you want to continue, you may download the unzipped Gmer.exe from my homepage -> LINK (http://koti.mbnet.fi/jpk88/gmer.exe)

:bigthumb:

tashi
2006-11-27, 20:45
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.

tashi
2006-12-01, 04:48
Re-opened. :)

nacra
2006-12-01, 04:59
Mr_JAk3,
Here is the GMER log:
GMER 1.0.12.11889 - http://www.gmer.net
Rootkit scan 2006-11-30 20:24:42
Windows 5.0.2195 Service Pack 4


---- System - GMER 1.0.12 ----

SSDT IPVNMon.sys ZwDeviceIoControlFile <-- ROOTKIT !!!

---- Kernel code sections - GMER 1.0.12 ----

.text tcpip.sys!tcpxsum + 5D6 B9B7A805 6 Bytes CALL B9C1911D
.text tcpip.sys!IPTransmit + 4195 B9B7EA68 6 Bytes CALL B9C1911D
.text tcpip.sys!IPTransmit + 6168 B9B80A3B 6 Bytes CALL B9C1911D
.text wanarp.sys ED2ACDFE 7 Bytes CALL B9C19127
.text NTDLL.DLL!NtCreateProcess 77F83B9E 2 Bytes JMP 72033BB5
.text NTDLL.DLL!NtCreateProcess + 3 77F83BA1 2 Bytes
.text NTDLL.DLL!NtClose 77F84D93 5 Bytes JMP 72033A2A
.text NTDLL.DLL!NtCreateSection 77F935BF 5 Bytes JMP 72033A48

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[472] ADVAPI32.dll!CryptImportKey 7C2EA2C9 5 Bytes JMP 10001978 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[472] ADVAPI32.dll!CryptDestroyKey 7C2EA6C0 5 Bytes JMP 10001A9F C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[472] ADVAPI32.dll!CryptGenKey 7C2F5C93 5 Bytes JMP 100018EF C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[472] ADVAPI32.dll!CryptDeriveKey 7C2F5ECC 5 Bytes JMP 1000191D C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[472] ADVAPI32.dll!CryptGetUserKey 7C2F6249 5 Bytes JMP 1000194E C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[472] ADVAPI32.dll!CryptEncrypt 7C2F64CD 5 Bytes JMP 100019AC C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[472] ADVAPI32.dll!CryptDecrypt 7C2F65CB 5 Bytes JMP 10001A18 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[472] WS2_32.dll!WSARecv 7503138E 5 Bytes JMP 10001783 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[472] WS2_32.dll!closesocket 7503145E 14 Bytes JMP 1000185B C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[472] WS2_32.dll!WSASend 75031525 5 Bytes JMP 100016AC C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[472] WS2_32.dll!send 75031BCC 6 Bytes JMP 10001580 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[472] WS2_32.dll!recv 7503A101 6 Bytes JMP 10001616 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[472] WS2_32.dll!connect 7503C1B9 6 Bytes JMP 100014CE C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text D:\gmer.exe[612] ntdll.dll!NtCreateProcess + 3 77F83BA1 2 Bytes
.text D:\gmer.exe[612] ADVAPI32.dll!CryptImportKey 7C2EA2C9 5 Bytes JMP 10001978 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text D:\gmer.exe[612] ADVAPI32.dll!CryptDestroyKey 7C2EA6C0 5 Bytes JMP 10001A9F C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text D:\gmer.exe[612] ADVAPI32.dll!CryptGenKey 7C2F5C93 5 Bytes JMP 100018EF C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text D:\gmer.exe[612] ADVAPI32.dll!CryptDeriveKey 7C2F5ECC 5 Bytes JMP 1000191D C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text D:\gmer.exe[612] ADVAPI32.dll!CryptGetUserKey 7C2F6249 5 Bytes JMP 1000194E C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text D:\gmer.exe[612] ADVAPI32.dll!CryptEncrypt 7C2F64CD 5 Bytes JMP 100019AC C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text D:\gmer.exe[612] ADVAPI32.dll!CryptDecrypt 7C2F65CB 5 Bytes JMP 10001A18 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text D:\gmer.exe[612] WS2_32.dll!WSARecv 7503138E 5 Bytes JMP 10001783 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text D:\gmer.exe[612] WS2_32.dll!closesocket 7503145E 14 Bytes JMP 1000185B C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text D:\gmer.exe[612] WS2_32.dll!WSASend 75031525 5 Bytes JMP 100016AC C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text D:\gmer.exe[612] WS2_32.dll!send 75031BCC 6 Bytes JMP 10001580 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text D:\gmer.exe[612] WS2_32.dll!recv 7503A101 6 Bytes JMP 10001616 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text D:\gmer.exe[612] WS2_32.dll!connect 7503C1B9 6 Bytes JMP 100014CE C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1096] ADVAPI32.dll!CryptImportKey 7C2EA2C9 5 Bytes JMP 10001978 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1096] ADVAPI32.dll!CryptDestroyKey 7C2EA6C0 5 Bytes JMP 10001A9F C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1096] ADVAPI32.dll!CryptGenKey 7C2F5C93 5 Bytes JMP 100018EF C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1096] ADVAPI32.dll!CryptDeriveKey 7C2F5ECC 5 Bytes JMP 1000191D C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1096] ADVAPI32.dll!CryptGetUserKey 7C2F6249 5 Bytes JMP 1000194E C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1096] ADVAPI32.dll!CryptEncrypt 7C2F64CD 5 Bytes JMP 100019AC C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1096] ADVAPI32.dll!CryptDecrypt 7C2F65CB 5 Bytes JMP 10001A18 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1096] WS2_32.dll!WSARecv 7503138E 5 Bytes JMP 10001783 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1096] WS2_32.dll!closesocket 7503145E 14 Bytes JMP 1000185B C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1096] WS2_32.dll!WSASend 75031525 5 Bytes JMP 100016AC C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1096] WS2_32.dll!send 75031BCC 6 Bytes JMP 10001580 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1096] WS2_32.dll!recv 7503A101 6 Bytes JMP 10001616 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1096] WS2_32.dll!connect 7503C1B9 6 Bytes JMP 100014CE C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\atiptaxx.exe[1108] ADVAPI32.DLL!CryptImportKey 7C2EA2C9 5 Bytes JMP 01161978 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\atiptaxx.exe[1108] ADVAPI32.DLL!CryptDestroyKey 7C2EA6C0 5 Bytes JMP 01161A9F C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\atiptaxx.exe[1108] ADVAPI32.DLL!CryptGenKey 7C2F5C93 5 Bytes JMP 011618EF C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\atiptaxx.exe[1108] ADVAPI32.DLL!CryptDeriveKey 7C2F5ECC 5 Bytes JMP 0116191D C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\atiptaxx.exe[1108] ADVAPI32.DLL!CryptGetUserKey 7C2F6249 5 Bytes JMP 0116194E C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\atiptaxx.exe[1108] ADVAPI32.DLL!CryptEncrypt 7C2F64CD 5 Bytes JMP 011619AC C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\atiptaxx.exe[1108] ADVAPI32.DLL!CryptDecrypt 7C2F65CB 5 Bytes JMP 01161A18 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\atiptaxx.exe[1108] WS2_32.dll!WSARecv 7503138E 5 Bytes JMP 01161783 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\atiptaxx.exe[1108] WS2_32.dll!closesocket 7503145E 14 Bytes JMP 0116185B C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\atiptaxx.exe[1108] WS2_32.dll!WSASend 75031525 5 Bytes JMP 011616AC C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\atiptaxx.exe[1108] WS2_32.dll!send 75031BCC 6 Bytes JMP 01161580 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\atiptaxx.exe[1108] WS2_32.dll!recv 7503A101 6 Bytes JMP 01161616 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\atiptaxx.exe[1108] WS2_32.dll!connect 7503C1B9 6 Bytes JMP 011614CE C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\Explorer.EXE[1252] WS2_32.dll!send 75031BCC 5 Bytes JMP 11C08220 C:\Program Files\Network Associates\VirusScan\Wbhook32.dll
.text C:\WINNT\Explorer.EXE[1252] WS2_32.dll!connect 7503C1B9 5 Bytes JMP 11C08080 C:\Program Files\Network Associates\VirusScan\Wbhook32.dll
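As an added example (not GMER's code and not the helper's), here is a small parser for GMER 1.0.12 log lines in the format posted above. It pulls out the indicators the "backdoor plus rootkit" assessment rests on: the SSDT hook, the inline CALL patches in tcpip.sys, the one module (ibm00002.dll) redirecting CryptoAPI and Winsock calls inside unrelated processes, and, from the part of the log posted later in the thread, the hidden pe386 service whose driver is stored in an NTFS alternate data stream. SAMPLE_LOG is a constructed excerpt modelled on this thread's output, not the full log.

```python
# Added example: parser for GMER 1.0.12 log lines (constructed SAMPLE_LOG below,
# modelled on the log in this thread); it extracts the rootkit indicators a
# helper weighs before advising "reformat and reinstall" rather than a cleanup.
import re
from collections import defaultdict

SAMPLE_LOG = r"""
---- System - GMER 1.0.12 ----
SSDT IPVNMon.sys ZwDeviceIoControlFile <-- ROOTKIT !!!
.text tcpip.sys!tcpxsum + 5D6 B9B7A805 6 Bytes CALL B9C1911D
.text NTDLL.DLL!NtCreateProcess 77F83B9E 2 Bytes JMP 72033BB5
.text NTDLL.DLL!NtCreateProcess + 3 77F83BA1 2 Bytes
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[472] ADVAPI32.dll!CryptEncrypt 7C2F64CD 5 Bytes JMP 100019AC C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[472] WS2_32.dll!send 75031BCC 6 Bytes JMP 10001580 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text D:\gmer.exe[612] ADVAPI32.dll!CryptDecrypt 7C2F65CB 5 Bytes JMP 10001A18 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text D:\gmer.exe[612] WS2_32.dll!recv 7503A101 6 Bytes JMP 10001616 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\Explorer.EXE[1252] WS2_32.dll!send 75031BCC 5 Bytes JMP 11C08220 C:\Program Files\Network Associates\VirusScan\Wbhook32.dll
Service C:\WINNT\system32:lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ImagePath \??\C:\WINNT\system32:lzx32.sys
"""

FLAG = "<-- ROOTKIT !!!"  # GMER's own verdict marker
# ".text <process>[pid] <dll>!<api> <addr> <n> Bytes JMP <target> [<module owning target>]"
USER_HOOK = re.compile(
    r"^\.text (?P<proc>.+?)\[\d+\] (?P<api>\S+) [0-9A-F]+ \d+ Bytes "
    r"(?P<kind>JMP|CALL) (?P<target>[0-9A-F]+)(?: (?P<module>.+))?$")
# ".text <driver>!<symbol>[ + off] <addr> <n> Bytes [CALL|JMP <target>]"
KERNEL_HOOK = re.compile(
    r"^\.text (?P<sym>\S+(?: \+ [0-9A-F]+)?) [0-9A-F]+ \d+ Bytes"
    r"(?: (?P<kind>JMP|CALL) (?P<target>[0-9A-F]+))?$")
SERVICE = re.compile(
    r"^Service (?P<path>.+?) \((?P<flags>.*?)\) \[[^\]]+\] (?P<name>\S+)")
REG_VALUE = re.compile(r"^Reg (?P<key>\S+)@(?P<value>\S+) (?P<data>.*)$")
# A second ':' after the drive letter means the file sits in an NTFS
# alternate data stream (system32:lzx32.sys): dir and Explorer never list it.
ADS_PATH = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\:]+$")


def strip_nt_prefix(path):
    # Registry ImagePath values carry the NT "\??\" prefix; drop it.
    return path[4:] if path.startswith("\\??\\") else path


def triage(log_text):
    """Walk a GMER log and collect the indicators worth a second look."""
    report = {
        "flagged": [],                         # lines GMER itself marked
        "hidden_services": [],                 # (service name, image path)
        "ads_paths": set(),                    # drivers hidden in NTFS streams
        "kernel_hooks": [],                    # (symbol, JMP/CALL, target)
        "user_hooks": defaultdict(set),        # hooking module -> hooked APIs
        "hooked_processes": defaultdict(set),  # hooking module -> processes
    }
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("----"):
            continue
        if FLAG in line:
            report["flagged"].append(line.replace(FLAG, "").strip())
        m = USER_HOOK.match(line)
        if m:
            module = m.group("module") or "<target in no known module>"
            report["user_hooks"][module].add(m.group("api"))
            report["hooked_processes"][module].add(m.group("proc"))
            continue
        m = KERNEL_HOOK.match(line)
        if m:
            if m.group("kind"):  # entries without JMP/CALL are just patched bytes
                report["kernel_hooks"].append(
                    (m.group("sym"), m.group("kind"), m.group("target")))
            continue
        m = SERVICE.match(line)
        if m:
            path = strip_nt_prefix(m.group("path"))
            if "hidden" in m.group("flags"):
                report["hidden_services"].append((m.group("name"), path))
            if ADS_PATH.match(path):
                report["ads_paths"].add(path)
            continue
        m = REG_VALUE.match(line)
        if m and m.group("value") == "ImagePath":
            path = strip_nt_prefix(m.group("data"))
            if ADS_PATH.match(path):
                report["ads_paths"].add(path)
    return report


def widespread_hookers(report, min_processes=2):
    """Modules that redirect both CryptoAPI and Winsock calls in several
    unrelated processes: the footprint of a credential/traffic stealer.
    Security products hook Winsock too (Wbhook32.dll in the sample), so a
    module that only trips the socket test still needs a vendor/path check."""
    found = []
    for module, apis in report["user_hooks"].items():
        crypto = any(a.split("!")[-1].startswith("Crypt") for a in apis)
        sockets = any(a.upper().startswith("WS2_32.DLL!") for a in apis)
        if crypto and sockets and len(report["hooked_processes"][module]) >= min_processes:
            found.append(module)
    return sorted(found)
```

Pass the text of a saved GMER log to triage() and then widespread_hookers(); on the sample it reports the hidden pe386 service, the ADS-resident lzx32.sys, two kernel patches and ibm00002.dll as the only module hooking both API families.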

nacra
2006-12-01, 05:03
.text C:\WINNT\system32\PRPCUI.exe[1396] ADVAPI32.dll!CryptDestroyKey 7C2EA6C0 5 Bytes JMP 01001A9F C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\PRPCUI.exe[1396] ADVAPI32.dll!CryptGenKey 7C2F5C93 5 Bytes JMP 010018EF C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\PRPCUI.exe[1396] ADVAPI32.dll!CryptDeriveKey 7C2F5ECC 5 Bytes JMP 0100191D C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\PRPCUI.exe[1396] ADVAPI32.dll!CryptGetUserKey 7C2F6249 5 Bytes JMP 0100194E C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\PRPCUI.exe[1396] ADVAPI32.dll!CryptEncrypt 7C2F64CD 5 Bytes JMP 010019AC C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\PRPCUI.exe[1396] ADVAPI32.dll!CryptDecrypt 7C2F65CB 5 Bytes JMP 01001A18 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\PRPCUI.exe[1396] WS2_32.dll!WSARecv 7503138E 5 Bytes JMP 01001783 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\PRPCUI.exe[1396] WS2_32.dll!closesocket 7503145E 14 Bytes JMP 0100185B C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\PRPCUI.exe[1396] WS2_32.dll!WSASend 75031525 5 Bytes JMP 010016AC C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\PRPCUI.exe[1396] WS2_32.dll!send 75031BCC 6 Bytes JMP 01001580 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\PRPCUI.exe[1396] WS2_32.dll!recv 7503A101 6 Bytes JMP 01001616 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\WINNT\system32\PRPCUI.exe[1396] WS2_32.dll!connect 7503C1B9 6 Bytes JMP 010014CE C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe[1404] WS2_32.DLL!WSARecv 7503138E 5 Bytes JMP 016E1783 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe[1404] WS2_32.DLL!closesocket 7503145E 14 Bytes JMP 016E185B C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe[1404] WS2_32.DLL!WSASend 75031525 5 Bytes JMP 016E16AC C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe[1404] WS2_32.DLL!send 75031BCC 6 Bytes JMP 016E1580 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe[1404] WS2_32.DLL!recv 7503A101 6 Bytes JMP 016E1616 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe[1404] WS2_32.DLL!connect 7503C1B9 6 Bytes JMP 016E14CE C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe[1404] ADVAPI32.DLL!CryptImportKey 7C2EA2C9 5 Bytes JMP 016E1978 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe[1404] ADVAPI32.DLL!CryptDestroyKey 7C2EA6C0 5 Bytes JMP 016E1A9F C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe[1404] ADVAPI32.DLL!CryptGenKey 7C2F5C93 5 Bytes JMP 016E18EF C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe[1404] ADVAPI32.DLL!CryptDeriveKey 7C2F5ECC 5 Bytes JMP 016E191D C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe[1404] ADVAPI32.DLL!CryptGetUserKey 7C2F6249 5 Bytes JMP 016E194E C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe[1404] ADVAPI32.DLL!CryptEncrypt 7C2F64CD 5 Bytes JMP 016E19AC C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe[1404] ADVAPI32.DLL!CryptDecrypt 7C2F65CB 5 Bytes JMP 016E1A18 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
.text C:\Program Files\HP\HP Software Update\HPWuSchd.exe[1412] ADVAPI32.dll!CryptImportKey 7C2EA2C9 5 Bytes JMP 10001978 C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll

nacra
2006-12-01, 05:20
---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [ED57085A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [ED57085A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [ED57085A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [ED57085A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [ED57085A] avgtdi.sys

---- Services - GMER 1.0.12 ----

Service C:\WINNT\system32:lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!

---- Registry - GMER 1.0.12 ----

Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ImagePath \??\C:\WINNT\system32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ExtParam 0x41 0x04 0x47 0x8E ...
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ImagePath \??\C:\WINNT\system32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ExtParam 0x41 0x04 0x47 0x8E ...
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386\Security
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ImagePath \??\C:\WINNT\system32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ExtParam 0x41 0x04 0x47 0x8E ...
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ImagePath \??\C:\WINNT\system32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ExtParam 0x41 0x04 0x47 0x8E ...
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ImagePath \??\C:\WINNT\system32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ExtParam 0x41 0x04 0x47 0x8E ...
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386\Security
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ImagePath \??\C:\WINNT\system32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ExtParam 0x41 0x04 0x47 0x8E ...
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386\Enum
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ImagePath \??\C:\WINNT\system32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ExtParam 0x41 0x04 0x47 0x8E ...
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ImagePath \??\C:\WINNT\system32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ExtParam 0x41 0x04 0x47 0x8E ...
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ImagePath \??\C:\WINNT\system32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ExtParam 0x41 0x04 0x47 0x8E ...
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386\Security
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ImagePath \??\C:\WINNT\system32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ExtParam 0x41 0x04 0x47 0x8E ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \??\C:\WINNT\system32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0x41 0x04 0x47 0x8E ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \??\C:\WINNT\system32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0x41 0x04 0x47 0x8E ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386\Security
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \??\C:\WINNT\system32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0x41 0x04 0x47 0x8E ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386\Enum
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \??\C:\WINNT\system32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0x41 0x04 0x47 0x8E ...

nacra
2006-12-01, 05:21
---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\Administrator\My Documents\My Pictures\Sample.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS C:\Documents and Settings\Administrator\My Documents\My Pictures\Sample.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\WINNT\system32:lzx32.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.12 ----



Thank you
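
The GMER output above shows the two things that give this rootkit away: a service (pe386) whose ImagePath is `\??\C:\WINNT\system32:lzx32.sys`, i.e. a driver stored in an NTFS alternate data stream attached to the system32 directory, and a matching ADS record on that directory. The following script is an added example for this thread, not GMER's code or any of the helper's tools: it parses GMER-style `Reg` and `ADS` lines and reports services whose ImagePath names a stream, plus any ADS that is not one of the metadata streams Windows attaches to ordinary files. The sample log is constructed after the lines posted above.

```python
"""Triage of GMER-style output for a kernel driver hidden in an NTFS
alternate data stream (ADS).

Added example for this thread, not GMER's code or the helper's tools. It
handles the two record kinds seen in the log above:

    Reg \Registry\MACHINE\SYSTEM\<set>\Services\<svc>@<value> <data>
    ADS <path>:<stream name>

and reports (a) services whose ImagePath names a stream, i.e. a ':' in the
last path component, and (b) every ADS record whose stream is not one of
the metadata streams Windows itself attaches to files.
"""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the lines nacra posted above.
SAMPLE_LOG = r"""
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \??\C:\WINNT\system32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386\Security
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip@ImagePath System32\DRIVERS\tcpip.sys
ADS C:\Documents and Settings\Administrator\My Documents\My Pictures\Sample.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\WINNT\system32:lzx32.sys
"""

REG_RE = re.compile(
    r"^Reg\s+\\Registry\\MACHINE\\SYSTEM\\(?P<set>[^\\]+)\\Services\\"
    r"(?P<svc>[^@\\]+)@(?P<name>\w+)\s+(?P<value>.*)$")
ADS_RE = re.compile(r"^ADS\s+(?P<path>\S.*)$")

# Streams that Windows attaches to ordinary files (summary-information
# property set, Explorer thumbnail cache, IE zone marker); not findings.
BENIGN_STREAMS = {
    "{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}",
    "Q30lsldxJoudresxAaaqpcawXc",
    "Zone.Identifier",
}


@dataclass
class Finding:
    rule: str     # "service-in-ads" or "ads"
    subject: str  # registry key or file path
    detail: str


def stream_of(path):
    """Split an NT path into (host component, stream) when its last
    component carries a stream name; None for ordinary file paths."""
    last = path.rstrip().rsplit("\\", 1)[-1]
    host, sep, stream = last.partition(":")
    if not sep or not stream or not host:
        return None   # no ':' in the last component, or a bare drive spec
    return host, stream


def triage(log_text):
    """Walk the log once, group registry values per service, then emit findings."""
    findings = []
    services = {}   # (control set, service) -> {value name: data}
    for line in log_text.splitlines():
        m = REG_RE.match(line)
        if m:
            services.setdefault((m["set"], m["svc"]), {})[m["name"]] = m["value"].strip()
            continue
        m = ADS_RE.match(line)
        if m:
            path = m["path"].strip()
            parsed = stream_of(path)
            if parsed and parsed[1] not in BENIGN_STREAMS:
                findings.append(Finding("ads", path, f"stream '{parsed[1]}' on '{parsed[0]}'"))
    for (cset, svc), values in services.items():
        image = values.get("ImagePath", "")
        parsed = stream_of(image)
        if parsed:
            host, stream = parsed
            findings.append(Finding(
                "service-in-ads", f"{cset}\\Services\\{svc}",
                f"ImagePath {image} loads '{stream}' from a stream on '{host}' "
                f"(Type={values.get('Type', '?')}, Start={values.get('Start', '?')})"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.subject}: {f.detail}")
```

Running it on the sample reports the pe386 service (Type 1, Start 1: a kernel driver loaded at system start) and the `system32:lzx32.sys` stream, while the summary-information stream on Sample.jpg is ignored. On a live host the same check can be run against a RootkitRevealer or GMER export; a colon in the last component of a driver's ImagePath has no legitimate use.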

Mr_JAk3
2006-12-01, 08:51
Hi again :)

Ok let's begin the cleaning. You're really infected so we're going to need a few steps...

Some of the tools were zip files so I've temporarily uploaded those to my homepage.

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download
http://www.uploads.ejvindh.net/rustbfix.exe
...and save it to your desktop.

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles.

Download SDFix (http://koti.mbnet.fi/jpk88/SDFix.exe) and save it to your desktop. Run SDFix.exe and a notepad window will tell you that it has been installed.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, go to C:\SDFix folder
Double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.

Download RootkitRevealer (http://koti.mbnet.fi/jpk88/RootkitRevealer.exe)
Create a new folder named RKR on your C: drive, C:\
Move RootkitRevealer.exe to C:\RKR folder
Open the C:\RKR folder and double-click the RootkitRevealer.exe file
Click Scan button and wait for the scanning to end
NOTE! Don't use your computer when the scan is in progress
When the scan has finished, click on File
Then click on the Save button
Save the RootkitRevealer log to C:\RKR folder

When you're ready, please post the following logs to here:
- a fresh HijackThis log
- Rustock.b logs
- SDfix report (SDFix folder, Report.txt)
- RootkitRevealer log

nacra
2006-12-03, 05:08
Logfile of HijackThis v1.99.1
Scan saved at 08:43:24 PM, on 12/02/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkeyman.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\Real\Player\realplay.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
C:\Program Files\AClient\Bin\XCDiffCache.exe
C:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\system32\dxvwgagn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AClient\Bin\XCGSTask.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Documents and Settings\Administrator\Desktop\hijack this\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {52023652-0F9C-4C6B-BF7E-EC930C3CE730} - C:\WINNT\system32\xxwxv.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINNT\system32\cxmwyqru.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Hotkey] C:\WINNT\System32\hkeyman.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [RealTray] C:\Real\Player\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
O4 - HKLM\..\Run: [Afaria Client File Differencing] C:\Program Files\AClient\Bin\XCDiffCache.exe
O4 - HKLM\..\Run: [WSPPurge] C:\Program Files\Aflac\Common\WSPPurge.exe
O4 - HKLM\..\Run: [_zlu_zlope05] c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Explorer 2238] C:\WINNT\system32\dxvwgagn.exe
O4 - HKLM\..\RunServices: [_zlu_zlope05] c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
O4 - HKCU\..\Run: [AOL Instant Messenger (TM)] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [_zlu_zlope05] c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
O4 - Global Startup: Afaria Client Generic Scheduler.lnk = C:\Program Files\AClient\Bin\XCGSTask.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: xxwxv - C:\WINNT\system32\xxwxv.dll
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINNT\system32\dxvwgagn.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

nacra
2006-12-03, 05:09
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\kpwheqst

*******************

Script file located at: \??\C:\Documents and Settings\swaqscro.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

************************* Rustock.b-fix -- By ejvindh *************************
Sat 12/02/2006 19:51:19.99


******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....
Examine the Avenger-logfile in order to assess the success of the unload-procedure

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 69434
Total size: 69434 bytes.
Attempting to remove ADS...
system32: deleted 69434 bytes in 1 streams.


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No streams found.


******************************* End of Logfile ********************************

nacra
2006-12-03, 05:14
SDFix: Version 1.44
********************

Sat 12/02/2006 - 20:23:07.09

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

Stage One - Safe Mode
Checking Services...

Service Name:

MsaSvc
MZU_RK
WINLOGON
wlmsngr

File Path:

C:\WINNT\system32\msasvc.exe
\??\C:\WINNT\system32\MZU_DRV.sys
"C:\WINNT\system\winlogon.exe"
"C:\WINNT\wlmsngr.exe"

MsaSvc Service Deleted...
MZU_RK Service Deleted...
WINLOGON Service Deleted...
wlmsngr Service Deleted...

Starting Registry Repairs...

Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two - Normal Mode

Checking For Malware:
--------------------

C:\COCQ.EXE
C:\DGFXGGS.EXE
C:\ILICAAML.EXE
C:\QQQTLGAD.EXE
C:\QWUK.EXE
C:\SILEOLQ.EXE
C:\WINNT\system32\mini8tone.ini
C:\WINNT\system32\i
C:\WINNT\system32\msasvc.exe
C:\WINNT\system32\MZU_DRV.sys
C:\WINNT\wlmsngr.exe

Backing Up and Removing any Files Found...

Final Check:

Services:
---------


Files:
------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking for files with Hidden Attributes:

C:\WINNT\MsCae32.dll
C:\WINNT\system32\byxwxwv.dll
C:\WINNT\system32\xxwxv.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\ffvvrwch.exe
C:\WINNT\IdleProc.exe
C:\CONFIG.SYS
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Shortcut Bar\Off2.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0003.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0004.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0005.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2947.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\$b17a2e8.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\Off2.tmp
C:\Program Files\InterActual\InterActual Player\itiE.tmp
C:\WINNT\Temp\$_2341233.TMP
C:\WINNT\Temp\$_2341234.TMP
C:\WINNT\Temp\$_2341235.TMP

FINISHED!



HKLM\SECURITY\Policy\Secrets\SAC* 11/20/2001 10:18 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 11/20/2001 10:18 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{2BEB8402-C3AF-11D3-9571-0008C7C94F96}* 08/11/2005 1:36 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{E9D8BB13-6B95-11d3-953F-0008C7C94F96}* 08/11/2005 1:36 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\XATM:744cd9f6-0251-4f8e-b32d-71df94d65ac5* 01/09/2002 3:56 PM 0 bytes Key name contains embedded nulls (*)

nacra
2006-12-03, 05:15
:bigthumb: mrjak3.

Here are all of the logs. I hope that I did everything correctly. Again, thanks for your help in this.

nacra

Mr_JAk3
2006-12-03, 10:53
Ok good work, looks better but we still got cleaning to do :)

You don't seem to have a firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) running; you must install one.

These are good (free) firewalls:
Sunbelt-Kerio (http://www.sunbelt-software.com/Kerio.cfm)
ZoneAlarm (http://www.zonelabs.com/)
Sygate (http://http://www.majorgeeks.com/download.php?det=3356)
Outpost (http://www.majorgeeks.com/download.php?det=1056)
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Download F-Secure Blacklight (http://www.f-secure.com/blacklight/try_blacklight.html) and save it to your desktop.

Double-click blbeta.exe, accept the agreement, click Scan, then click Next

You'll see a list of what has been found. A log will appear on your desktop, named fsbl.xxxxxxx.log (xxxxxxx will be random numbers).

DON'T choose Rename if something was found!

Post the contents of fsbl.xxxx.log to here (blacklight log from your desktop)

Run also a new scan with GMER and post the fresh log to here.

nacra
2006-12-04, 04:38
C:\WINNT\system32\vxwxx.ini
C:\WINNT\system32\vxwxx.bak1
C:\WINNT\system32\xxwxv.dll
C:\WINNT\system32\vxwxx.ini
C:\WINNT\system32\vxwxx.bak1
C:\WINNT\system32\vxwxx.ini
C:\WINNT\system32\vxwxx.bak1

Beginning removal...

Attempting to delete C:\WINNT\system32\xxwxv.dll
C:\WINNT\system32\xxwxv.dll Has been deleted!

Attempting to delete C:\WINNT\system32\vxwxx.ini
C:\WINNT\system32\vxwxx.ini Has been deleted!

Attempting to delete C:\WINNT\system32\vxwxx.bak1
C:\WINNT\system32\vxwxx.bak1 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 08:07:42 PM 12/03/2006

Listing files found while scanning....

Vundo had an error code pop up. I rebooted and ran it again and it found nothing.

nacra
2006-12-04, 04:55
Logfile of HijackThis v1.99.1
Scan saved at 08:24:08 PM, on 12/03/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system\winlogon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\System32\hkeyman.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\Real\Player\realplay.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
C:\Program Files\AClient\Bin\XCDiffCache.exe
C:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\system32\dxvwgagn.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AClient\Bin\XCGSTask.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\WINNT\system32\ZoneLabs\UpdClient.exe
C:\Documents and Settings\Administrator\Desktop\hijack this\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {B2709554-FDAC-48BC-A321-11E5D42AD903} - C:\WINNT\system32\xxwxv.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINNT\system32\cxmwyqru.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Hotkey] C:\WINNT\System32\hkeyman.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [RealTray] C:\Real\Player\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
O4 - HKLM\..\Run: [Afaria Client File Differencing] C:\Program Files\AClient\Bin\XCDiffCache.exe
O4 - HKLM\..\Run: [WSPPurge] C:\Program Files\Aflac\Common\WSPPurge.exe
O4 - HKLM\..\Run: [_zlu_zlope05] c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Explorer 2238] C:\WINNT\system32\dxvwgagn.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [_zlu_zlope05] c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
O4 - HKCU\..\Run: [AOL Instant Messenger (TM)] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [_zlu_zlope05] c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
O4 - Global Startup: Afaria Client Generic Scheduler.lnk = AClient\Bin\XCGSTask.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A9335EF-D408-4405-9E81-7CF61F390B4A}: NameServer = 205.171.3.65 205.171.2.65
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINNT\system32\dxvwgagn.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINNT\system\winlogon.exe

I tried to download Blacklight but cannot find the page. I even went to f-secure.com and that page won't come up. I installed ZoneAlarm, as you can probably see. Now I am getting a couple of things trying to connect to the internet: wkufind.exe and dxvwgagn.exe, and also 2 suspicious files in the Windows folder, if1 and if2.

I really need to get this machine up and running. The internet connection works fine now and I was able to download the firewall directly instead of burning a disk on someone's computer. I will try and stay up tonight and watch for your post so I can log the F-Secure Blacklight to you.

Thanks again for the help!:D:
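
The two HijackThis logs in this thread contain the entries the helper ends up removing: a BHO with no name (O2) that is also registered as a Winlogon Notify DLL (O20), an executable registered both as a Run entry (O4) and as an SSODL shell object (O21), the same binary in Run, RunServices and HKCU Run at once, and a service called WINLOGON whose binary sits in C:\WINNT\system\ rather than system32. The script below is an added example for this thread, not HijackThis's or the helper's code; it applies those four checks to HijackThis v1.99-style lines. It assumes the system root is C:\WINNT, as on the poster's Windows 2000 machine, and the sample lines are constructed from the logs above.

```python
"""Triage of a HijackThis v1.99 log for the entry types acted on in this
thread. Added example, not HijackThis's or the helper's own code. Rules:

  bho-no-name            O2 browser helper object with no name
  shell-hook             O20 Winlogon Notify / O21 SSODL entries, always worth review
  system-name-wrong-dir  O23 service whose binary carries a core Windows name
                         but does not live where that binary belongs
  multiple-autostarts    one binary registered from several autostart entries
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the two HijackThis logs nacra posted.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {52023652-0F9C-4C6B-BF7E-EC930C3CE730} - C:\WINNT\system32\xxwxv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Explorer 2238] C:\WINNT\system32\dxvwgagn.exe
O4 - HKLM\..\Run: [_zlu_zlope05] c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
O4 - HKLM\..\RunServices: [_zlu_zlope05] c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
O20 - Winlogon Notify: xxwxv - C:\WINNT\system32\xxwxv.dll
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINNT\system32\dxvwgagn.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINNT\system\winlogon.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+)\s+-\s+(?P<rest>.*)$")
# First drive-letter path ending in a binary extension; lazy so spaces in
# "Program Files"-style paths survive and arguments after the name are dropped.
PATH_RE = re.compile(r"(?i)[a-z]:\\.+?\.(?:exe|dll|ocx|sys)\b")

CORE_BINARIES = {"winlogon.exe", "services.exe", "lsass.exe",
                 "svchost.exe", "smss.exe", "csrss.exe"}


def expected_dir(name, system_root):
    """Directory a core Windows binary of this name belongs in, or None."""
    root = system_root.lower().rstrip("\\")
    if name in CORE_BINARIES:
        return root + r"\system32"
    if name == "explorer.exe":
        return root
    return None


def triage_hjt(text, system_root=r"C:\WINNT"):
    """Return (rule, normalised path, evidence) tuples for the rules above."""
    findings = []
    refs = defaultdict(list)   # normalised path -> log lines that reference it
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, rest = m["code"], m["rest"]
        pm = PATH_RE.search(rest)
        path = pm.group(0).lower() if pm else None
        if path:
            refs[path].append(line)
        if code == "O2" and "(no name)" in rest:
            findings.append(("bho-no-name", path, line))
        elif code in ("O20", "O21"):
            findings.append(("shell-hook", path, line))
        elif code == "O23" and path:
            directory, _, name = path.rpartition("\\")
            want = expected_dir(name, system_root)
            if want and directory != want:
                findings.append(("system-name-wrong-dir", path, line))
    for path, lines in refs.items():
        if len(lines) > 1:
            findings.append(("multiple-autostarts", path, f"{len(lines)} entries"))
    return findings


if __name__ == "__main__":
    for rule, path, evidence in triage_hjt(SAMPLE_HJT):
        print(f"[{rule}] {path}: {evidence}")
```

"Unknown owner" on an O23 line is deliberately not a rule on its own: the Ati HotKey Poller service in the sample shows it too and is legitimate. What separates the fake WINLOGON service is the core Windows file name in a directory where that file never lives, and that is the check the script makes.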

Mr_JAk3
2006-12-04, 16:54
Hi again, we'll continue :)

Sorry for the long delay... I see that you have ZoneAlarm running. Those two files that you mentioned, don't allow those to access the internet; they're BAD. Don't allow any suspicious file to connect to the internet. Please try this direct link for Blacklight -> Here (https://europe.f-secure.com/exclude/blacklight/blbeta.exe)

Let's get you cleaned :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Please download the Killbox (http://www.downloads.subratam.org/KillBox.zip).
Unzip it to the desktop but do NOT run it yet.

==================

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.


Stop the following processes using Task Manager (press ctrl+alt+del, select the Processes tab, highlight the first process in the list and click End Process). Continue through the list (one at a time) until all processes have been ended. If something isn't found, please continue with the next process in the list.

_zsk_zlu_zlope05ovpiecwleutelf_k.exe
dxvwgagn.exe

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O2 - BHO: (no name) - {B2709554-FDAC-48BC-A321-11E5D42AD903} - C:\WINNT\system32\xxwxv.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINNT\system32\cxmwyqru.dll
O4 - HKLM\..\Run: [_zlu_zlope05] c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
O4 - HKLM\..\Run: [Explorer 2238] C:\WINNT\system32\dxvwgagn.exe
O4 - HKLM\..\RunServices: [_zlu_zlope05] c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
O4 - HKCU\..\Run: [_zlu_zlope05] c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINNT\system32\dxvwgagn.exe

Please run Killbox.

Select "Delete on Reboot".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINNT\system32\cxmwyqru.dll
c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
C:\WINNT\system32\dxvwgagn.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Select "All Files".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
- Run a scan with GMER, post the log
- Run a scan with Blacklight, post the log
- Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt

nacra
2006-12-04, 18:43
12/04/06 10:06:23 [Info]: BlackLight Engine 1.0.47 initialized
12/04/06 10:06:23 [Info]: OS: 5.0 build 2195 (Service Pack 4)
12/04/06 10:06:25 [Note]: 7019 4
12/04/06 10:06:25 [Note]: 7005 0
12/04/06 10:06:32 [Note]: 7006 0
12/04/06 10:06:32 [Note]: 7011 1292
12/04/06 10:06:33 [Note]: 7026 0
12/04/06 10:06:33 [Note]: 7026 0
12/04/06 10:06:48 [Note]: FSRAW library version 1.7.1020
12/04/06 10:06:48 [Note]: 2000 1012
12/04/06 10:13:19 [Note]: 2000 1012
12/04/06 10:13:19 [Note]: 2000 1012
12/04/06 10:18:20 [Note]: 7007 0


Do you want a gmer log now?

nacra
2006-12-04, 21:29
Mr_JAk3, I assumed that you wanted AVG to run in safe mode. It is running now, but I can only guess that all of the boxes were checked as they are off of the screen in safe mode.

nacra
2006-12-04, 22:00
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 01:17:23 PM 12/04/2006

+ Scan result:



C:\Documents and Settings\Administrator\Desktop\SDFix\backups1\backups.zip/backups/wlmsngr.exe -> Backdoor.SdBot.xd : Cleaned with backup (quarantined).
C:\WINDOWS\if1.exe -> Downloader.Harnig.dk : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Desktop\SDFix\backups1\backups.zip/backups/MZU_DRV.sys -> Proxy.Small.bo : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Desktop\SDFix\backups1\backups.zip/backups/msasvc.exe -> Trojan.Sinowal.bh : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll -> Trojan.Sinowal.bk : Cleaned with backup (quarantined).


::Report end

Logfile of HijackThis v1.99.1
Scan saved at 01:43:58 PM, on 12/04/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\System32\hkeyman.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\Real\Player\realplay.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
C:\Program Files\AClient\Bin\XCDiffCache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\AClient\Bin\XCGSTask.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Documents and Settings\Administrator\Desktop\hijack this\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Hotkey] C:\WINNT\System32\hkeyman.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [RealTray] C:\Real\Player\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
O4 - HKLM\..\Run: [Afaria Client File Differencing] C:\Program Files\AClient\Bin\XCDiffCache.exe
O4 - HKLM\..\Run: [WSPPurge] C:\Program Files\Aflac\Common\WSPPurge.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AOL Instant Messenger (TM)] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Afaria Client Generic Scheduler.lnk = AClient\Bin\XCGSTask.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A9335EF-D408-4405-9E81-7CF61F390B4A}: NameServer = 205.171.3.65 205.171.2.65
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
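
Added example, not code from this thread or from HijackThis: a small Python script that checks the helper's fix list against the fresh log (the "if still present" step) and flags O23 services whose executable is named like a core Windows binary but sits outside system32, which is how the fake WINLOGON service in the earlier log stood out. The sample lines are copied from the logs in this thread; the CORE_BINARIES set and the system32 rule are my own assumptions.

```python
"""Check a HijackThis fix list against a fresh HijackThis log.

Added example (not HijackThis code, not the posters' code). Sample lines
are copied from this thread; the core-binary location check is an added
heuristic (assumption: core Windows binaries live only in system32).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A HijackThis line: a section code (R1, O2, O4, O23 ...), " - ", then the body.
HJT_LINE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Assumption: these binaries belong only in %SystemRoot%\system32. The
# infection in this thread registered a "WINLOGON" service pointing at
# C:\WINNT\system\winlogon.exe ("system", not "system32").
CORE_BINARIES = {"winlogon.exe", "services.exe", "lsass.exe", "smss.exe",
                 "csrss.exe", "svchost.exe"}


@dataclass(frozen=True)
class HjtEntry:
    code: str
    body: str

    def key(self) -> str:
        """Identity used for matching: the CLSID when the entry has one
        (CLSIDs are case-insensitive), otherwise the body with the
        '(file missing)' marker dropped and case folded."""
        m = CLSID_RE.search(self.body)
        if m:
            return f"{self.code}:{m.group(0).upper()}"
        body = self.body.replace("(file missing)", "").strip()
        return f"{self.code}:{body.lower()}"


def parse_hjt(text: str) -> list[HjtEntry]:
    """Extract HijackThis entries from a log or a fix list; other lines
    (process list, headers, blank lines) are ignored."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(HjtEntry(m.group("code"), m.group("body")))
    return entries


def still_present(fix_list: str, fresh_log: str) -> tuple[list[HjtEntry], list[HjtEntry]]:
    """Split the fix list into entries still present in the fresh log and
    entries that are gone."""
    fresh_keys = {e.key() for e in parse_hjt(fresh_log)}
    present, gone = [], []
    for entry in parse_hjt(fix_list):
        (present if entry.key() in fresh_keys else gone).append(entry)
    return present, gone


def suspicious_services(log: str) -> list[str]:
    """Return image paths of O23 services whose executable is named like a
    core Windows binary but does not live in a system32 directory."""
    flagged = []
    for entry in parse_hjt(log):
        if entry.code != "O23":
            continue
        # body layout: "Service: <name> - <owner> - <path>"
        parts = entry.body.removeprefix("Service: ").split(" - ")
        if len(parts) < 3:
            continue
        path = " - ".join(parts[2:]).strip().strip('"')
        folder, _, exe = path.rpartition("\\")
        if exe.lower() in CORE_BINARIES and not folder.lower().endswith("\\system32"):
            flagged.append(path)
    return flagged


# Sample input copied from this thread: the helper's fix list ...
FIX_LIST = r"""
O2 - BHO: (no name) - {B2709554-FDAC-48BC-A321-11E5D42AD903} - C:\WINNT\system32\xxwxv.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINNT\system32\cxmwyqru.dll
O4 - HKLM\..\Run: [_zlu_zlope05] c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
O4 - HKLM\..\Run: [Explorer 2238] C:\WINNT\system32\dxvwgagn.exe
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINNT\system32\dxvwgagn.exe
"""

# ... a few lines of the fresh log posted after the cleanup ...
FRESH_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\System32\smss.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Hotkey] C:\WINNT\System32\hkeyman.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

# ... and the O23 lines from the earlier, still-infected log.
OLD_SERVICES = r"""
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINNT\system\winlogon.exe
"""

if __name__ == "__main__":
    present, gone = still_present(FIX_LIST, FRESH_LOG)
    print(f"{len(present)} fix-list entries still present, {len(gone)} gone")
    for e in present:
        print("  STILL PRESENT:", e.code, e.body)
    for p in suspicious_services(OLD_SERVICES):
        print("  core binary outside system32:", p)
```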

nacra
2006-12-04, 22:14
GMER 1.0.12.11889 - http://www.gmer.net
Rootkit scan 2006-12-04 13:57:34
Windows 5.0.2195 Service Pack 4


---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT IPVNMon.sys ZwDeviceIoControlFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess

---- User code sections - GMER 1.0.12 ----

.text C:\WINNT\Explorer.EXE[940] WS2_32.DLL!send 75031BCC 5 Bytes JMP 11C08220 C:\Program Files\Network Associates\VirusScan\Wbhook32.dll
.text C:\WINNT\Explorer.EXE[940] WS2_32.DLL!connect 7503C1B9 5 Bytes JMP 11C08080 C:\Program Files\Network Associates\VirusScan\Wbhook32.dll
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1780] WS2_32.DLL!send 75031BCC 5 Bytes JMP 11C08220 C:\Program Files\Network Associates\VirusScan\Wbhook32.dll
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1780] WS2_32.DLL!connect 7503C1B9 5 Bytes JMP 11C08080 C:\Program Files\Network Associates\VirusScan\Wbhook32.dll

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [ED55085A] avgtdi.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [ED55085A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [ED55085A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [ED55085A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [ED55085A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [B9B462A0] vsdatant.sys

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\Administrator\My Documents\My Pictures\Sample.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS C:\Documents and Settings\Administrator\My Documents\My Pictures\Sample.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}

---- EOF - GMER 1.0.12 ----

nacra
2006-12-04, 22:30
12/04/06 13:59:32 [Info]: BlackLight Engine 1.0.47 initialized
12/04/06 13:59:32 [Info]: OS: 5.0 build 2195 (Service Pack 4)
12/04/06 13:59:32 [Note]: 7019 4
12/04/06 13:59:32 [Note]: 7005 0
12/04/06 13:59:41 [Note]: 7006 0
12/04/06 13:59:41 [Note]: 7011 940
12/04/06 13:59:42 [Note]: 7026 0
12/04/06 13:59:43 [Note]: 7026 0
12/04/06 13:59:55 [Note]: FSRAW library version 1.7.1020
12/04/06 13:59:55 [Note]: 2000 1012
12/04/06 14:06:30 [Note]: 2000 1012
12/04/06 14:06:30 [Note]: 2000 1012
12/04/06 14:09:23 [Note]: 7007 0



SDFix: Version 1.44
********************

Mon 12/04/2006 - 12:01:19.41

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\DOCUME~1\ADMINI~1\Desktop\SDFix

Stage One - Safe Mode
Checking Services...

Service Name:

MZU_RK
WINLOGON

File Path:

\??\C:\WINNT\system32\MZU_DRV.sys
"C:\WINNT\system\winlogon.exe"

MZU_RK Service Deleted...
WINLOGON Service Deleted...

Starting Registry Repairs...

Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two - Normal Mode

Checking For Malware:
--------------------

C:\WINNT\system32\i

Backing Up and Removing any Files Found...

Final Check:

Services:
---------


Files:
------

Backups Folder: - C:\DOCUME~1\ADMINI~1\Desktop\SDFix\backups\backups.zip

Checking for files with Hidden Attributes:

C:\WINNT\MsCae32.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\ffvvrwch.exe
C:\WINNT\IdleProc.exe
C:\CONFIG.SYS
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Shortcut Bar\Off2.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0003.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0004.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0005.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2947.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\$b17a2e8.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\Off2.tmp
C:\Program Files\InterActual\InterActual Player\itiE.tmp
C:\WINNT\Temp\$_2341235.TMP

FINISHED!

I will run AVG Anti-Spyware again in normal mode to see if it finds anything and post that report.

Thanks again

nacra
2006-12-04, 23:33
I tried to run Anti-Spyware after posting all of the logs. I was suspicious that all of the boxes were ticked in safe mode as they were off of the edge of the screen. The first time I ran it in regular mode, I got a blue screen:

Stop:0x00000C2(0x00000007,0x00000B8A,0x842DC680,0x842DC688
BAD_POOL_CALLER
Beginning dump of physical memory, physical memory dump complete

The 2nd scan was better, no blue screen. The log is:


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 03:01:26 PM 12/04/2006

+ Scan result:



C:\Documents and Settings\Administrator\Desktop\SDFix\backups1\backups.zip/backups/wlmsngr.exe -> Backdoor.SdBot.xd : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Desktop\SDFix\backups1\backups.zip/backups/MZU_DRV.sys -> Proxy.Small.bo : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Desktop\SDFix\backups1\backups.zip/backups/msasvc.exe -> Trojan.Sinowal.bh : Cleaned with backup (quarantined).


::Report end


Thanks for your help with this mess

Nacra

Mr_JAk3
2006-12-05, 07:14
OK we're getting progress :)

Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Go to virustotal.com (http://www.virustotal.com)
Click on the Browse button
Browse to the following file: C:\WINNT\MsCae32.dll
Click Open and then on Send
Wait for the scan to end.

Copy & Paste the scan results to here.

Go to virustotal.com (http://www.virustotal.com)
Click on the Browse button
Browse to the following file: C:\WINNT\IdleProc.exe
Click Open and then on Send
Wait for the scan to end.

Copy & Paste the scan results to here.

Then, please do the following...

To generate a HijackThis Startup list:

1. Open HijackThis by double-clicking the desktop shortcut or HijackThis.exe
2. Click on "Open the Misc Tools Section"
3. Make sure that both boxes to the right of "Generate StartupList Log" are checked:

* List also minor sections (Full)
* List empty sections (Complete)

4. Click "Generate StartupListLog"
5. Click "Yes" at the prompt.
6. A Notepad window will open with the contents of the HijackThis Startup list displayed
7. Copy & Paste that log to here

:bigthumb:

nacra
2006-12-05, 08:38
I could not find them in the Browse function and then ran a search and came up with nothing.

nacra
2006-12-05, 09:03
StartupList report, 12/05/2006, 12:47:03 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Administrator\Desktop\hijack this\scanner.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\System32\hkeyman.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\Real\Player\realplay.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
C:\Program Files\AClient\Bin\XCDiffCache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AClient\Bin\XCGSTask.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Documents and Settings\Administrator\Desktop\hijack this\scanner.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Afaria Client Generic Scheduler.lnk = AClient\Bin\XCGSTask.exe
Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
WinZip Quick Pick.lnk = WinZip\WZQKPICK.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Hotkey = C:\WINNT\System32\hkeyman.exe
ATIModeChange = Ati2mdxx.exe
AtiPTA = atiptaxx.exe
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
Synchronization Manager = mobsync.exe /logon
PRPCMonitor = PRPCUI.exe
RealTray = C:\Real\Player\realplay.exe SYSTEMBOOTHIDEPLAYER
LoadQM = loadqm.exe
hpfsched = C:\WINNT\hpfsched.exe
HP Software Update = "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
HP Component Manager = "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
BJCFD = C:\Program Files\BroadJump\Client Foundation\CFD.exe
IPInSightLAN 02 = "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
IPInSightMonitor 02 = "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
Microsoft Works Update Detection = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
WUSB11B.exe = C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
Afaria Client File Differencing = C:\Program Files\AClient\Bin\XCDiffCache.exe
WSPPurge = C:\Program Files\Aflac\Common\WSPPurge.exe
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
Zone Labs Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

AOL Instant Messenger (TM) = C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\system32\sspipes.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

HP DArC Task #Hewlett-Packard#hp officejet 5500 series#1077223641.job
HP DArC Task #Hewlett-Packard#hp psc 2100 series#1136083739.job
Low Battery Alarm Program.job

--------------------------------------------------

Enumerating Download Program Files:

[{B9191F79-5613-4C76-AA2A-398534BB8999}]
CODEBASE = http://download.yahoo.com/dl/installs/yab_af.cab

[PhotosCtrl Class]
InProcServer32 = C:\Program Files\Yahoo!\Common\YPhotos.dll
CODEBASE = http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINNT\temp\netfx.msi||C:\WINNT\temp\netfx1.cab||C:\WINNT\temp\OLD10.tmp||C:\WINNT\temp\OLD12.tmp||C:\WINNT\temp\OLD14.tmp||C:\WINNT\temp\OLD18.tmp||C:\WINNT\temp\OLD24.tmp||C:\WINNT\temp\OLD3C.tmp||C:\WINNT\temp\OLD3E.tmp||C:\WINNT\temp\OLD40.tmp||C:\WINNT\temp\OLD42.tmp||C:\WINNT\temp\OLD44.tmp||C:\WINNT\temp\OLD46.tmp||C:\WINNT\temp\OLD48.tmp||C:\WINNT\temp\OLD7.tmp||C:\WINNT\temp\OLD9.tmp||C:\WINNT\temp\OLDE.tmp||C:\WINNT\temp\WebPoolFileFile||C:\WINNT\temp\ZLT058b6.TMP||C:\WINNT\temp\ZLT058bc.TMP||C:\Documents and Settings\Administrator\Cookies\index.dat||C:\Documents and Settings\Administrator\cookies\index.dat||C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\content.ie5\index.dat||C:\Documents and Settings\Default User\cookies\index.dat


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 8,204 bytes
Report generated in 1.362 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
:bigthumb:

Mr_JAk3
2006-12-05, 14:43
Hi :)

You didn't check the two boxes that I asked for when you created the StartupList... it is important.

Let's try again:

Go to virustotal.com (http://www.virustotal.com)
Copy the following filepath to the box next to the "Select file:" (on the upper side of the page) C:\WINNT\MsCae32.dll
Click Send
Wait for the scan to end.

Copy & Paste the scan results to here.

Go to virustotal.com (http://www.virustotal.com)
Copy the following filepath to the box next to the "Select file:" (on the upper side of the page) C:\WINNT\IdleProc.exe
Click Send
Wait for the scan to end.

Copy & Paste the scan results to here.

=============

To generate a HijackThis Startup list:

1. Open HijackThis by double-clicking the desktop shortcut or HijackThis.exe
2. Click on "Open the Misc Tools Section"
3. Make sure that both boxes to the right of "Generate StartupList Log" are checked:

* List also minor sections (Full)
* List empty sections (Complete)

4. Click "Generate StartupListLog"
5. Click "Yes" at the prompt.
6. A Notepad window will open with the contents of the HijackThis Startup list displayed
7. Copy & Paste that log to here

:bigthumb:

nacra
2006-12-05, 17:28
Posted this last night and it didn't go through, I guess :sad:

StartupList report, 12/05/2006, 12:47:03 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Administrator\Desktop\hijack this\scanner.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\System32\hkeyman.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\Real\Player\realplay.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
C:\Program Files\AClient\Bin\XCDiffCache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AClient\Bin\XCGSTask.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Documents and Settings\Administrator\Desktop\hijack this\scanner.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Afaria Client Generic Scheduler.lnk = AClient\Bin\XCGSTask.exe
Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
WinZip Quick Pick.lnk = WinZip\WZQKPICK.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Hotkey = C:\WINNT\System32\hkeyman.exe
ATIModeChange = Ati2mdxx.exe
AtiPTA = atiptaxx.exe
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
Synchronization Manager = mobsync.exe /logon
PRPCMonitor = PRPCUI.exe
RealTray = C:\Real\Player\realplay.exe SYSTEMBOOTHIDEPLAYER
LoadQM = loadqm.exe
hpfsched = C:\WINNT\hpfsched.exe
HP Software Update = "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
HP Component Manager = "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
BJCFD = C:\Program Files\BroadJump\Client Foundation\CFD.exe
IPInSightLAN 02 = "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
IPInSightMonitor 02 = "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
Microsoft Works Update Detection = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
WUSB11B.exe = C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
Afaria Client File Differencing = C:\Program Files\AClient\Bin\XCDiffCache.exe
WSPPurge = C:\Program Files\Aflac\Common\WSPPurge.exe
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
Zone Labs Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

AOL Instant Messenger (TM) = C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\system32\sspipes.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

HP DArC Task #Hewlett-Packard#hp officejet 5500 series#1077223641.job
HP DArC Task #Hewlett-Packard#hp psc 2100 series#1136083739.job
Low Battery Alarm Program.job

--------------------------------------------------

Enumerating Download Program Files:

[{B9191F79-5613-4C76-AA2A-398534BB8999}]
CODEBASE = http://download.yahoo.com/dl/installs/yab_af.cab

[PhotosCtrl Class]
InProcServer32 = C:\Program Files\Yahoo!\Common\YPhotos.dll
CODEBASE = http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINNT\temp\netfx.msi||C:\WINNT\temp\netfx1.cab||C:\WINNT\temp\OLD10.tmp||C:\WINNT\temp\OLD12.tmp||C:\WINNT\temp\OLD14.tmp||C:\WINNT\temp\OLD18.tmp||C:\WINNT\temp\OLD24.tmp||C:\WINNT\temp\OLD3C.tmp||C:\WINNT\temp\OLD3E.tmp||C:\WINNT\temp\OLD40.tmp||C:\WINNT\temp\OLD42.tmp||C:\WINNT\temp\OLD44.tmp||C:\WINNT\temp\OLD46.tmp||C:\WINNT\temp\OLD48.tmp||C:\WINNT\temp\OLD7.tmp||C:\WINNT\temp\OLD9.tmp||C:\WINNT\temp\OLDE.tmp||C:\WINNT\temp\WebPoolFileFile||C:\WINNT\temp\ZLT058b6.TMP||C:\WINNT\temp\ZLT058bc.TMP||C:\Documents and Settings\Administrator\Cookies\index.dat||C:\Documents and Settings\Administrator\cookies\index.dat||C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\content.ie5\index.dat||C:\Documents and Settings\Default User\cookies\index.dat


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 8,204 bytes
Report generated in 1.362 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Mr_JAk3
2006-12-05, 19:12
OK, what about VirusTotal?

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

nacra
2006-12-05, 19:47
STATUS: FINISHED
Complete scanning result of "MsCae32.dll", received in VirusTotal at 12.05.2006, 18:42:39 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.49 12.05.2006 no virus found
Authentium 4.93.8 12.04.2006 no virus found
Avast 4.7.892.0 12.05.2006 no virus found
AVG 386 12.05.2006 no virus found
BitDefender 7.2 12.05.2006 no virus found
CAT-QuickHeal 8.00 12.05.2006 no virus found
ClamAV devel-20060426 12.05.2006 no virus found
DrWeb 4.33 12.05.2006 no virus found
eSafe 7.0.14.0 12.03.2006 no virus found
eTrust-InoculateIT 23.73.76 12.05.2006 no virus found
eTrust-Vet 30.3.3232 12.05.2006 no virus found
Ewido 4.0 12.05.2006 no virus found
Fortinet 2.82.0.0 12.05.2006 no virus found
F-Prot 3.16f 12.04.2006 no virus found
F-Prot4 4.2.1.29 12.04.2006 no virus found
Ikarus T3.1.0.26 12.05.2006 no virus found
Kaspersky 4.0.2.24 12.05.2006 no virus found
McAfee 4911 12.05.2006 no virus found
Microsoft 1.1804 12.05.2006 no virus found
NOD32v2 1902 12.05.2006 no virus found
Norman 5.80.02 12.05.2006 no virus found
Panda 9.0.0.4 12.05.2006 no virus found
Prevx1 V2 12.05.2006 no virus found
Sophos 4.12.0 12.04.2006 no virus found
Sunbelt 2.2.907.0 11.30.2006 no virus found
TheHacker 6.0.3.129 12.05.2006 no virus found
UNA 1.83 12.04.2006 no virus found
VBA32 3.11.1 12.05.2006 no virus found
VirusBuster 4.3.15:9 12.05.2006 no virus found


Aditional Information
File size: 27648 bytes
MD5: 37b5a2f81cb5cd559f7a9a07179adad2
SHA1: 4e9fde673bf29e25d2a354970be36b9c6058a549

nacra
2006-12-05, 19:56
Sorry, some of your posts aren't showing up when I switch computers. I'm watching for your reply on an old one, then connecting with the problem computer.



STATUS: FINISHED
Complete scanning result of "IdleProc.exe", received in VirusTotal at 12.05.2006, 18:49:16 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.49 12.05.2006 no virus found
Authentium 4.93.8 12.04.2006 no virus found
Avast 4.7.892.0 12.05.2006 no virus found
AVG 386 12.05.2006 no virus found
BitDefender 7.2 12.05.2006 no virus found
CAT-QuickHeal 8.00 12.05.2006 no virus found
ClamAV devel-20060426 12.05.2006 no virus found
DrWeb 4.33 12.05.2006 no virus found
eSafe 7.0.14.0 12.03.2006 no virus found
eTrust-InoculateIT 23.73.76 12.05.2006 no virus found
eTrust-Vet 30.3.3232 12.05.2006 no virus found
Ewido 4.0 12.05.2006 no virus found
Fortinet 2.82.0.0 12.05.2006 no virus found
F-Prot 3.16f 12.04.2006 no virus found
F-Prot4 4.2.1.29 12.04.2006 no virus found
Ikarus T3.1.0.26 12.05.2006 no virus found
Kaspersky 4.0.2.24 12.05.2006 no virus found
McAfee 4911 12.05.2006 no virus found
Microsoft 1.1804 12.05.2006 no virus found
NOD32v2 1902 12.05.2006 no virus found
Norman 5.80.02 12.05.2006 no virus found
Panda 9.0.0.4 12.05.2006 no virus found
Prevx1 V2 12.05.2006 Malicious
Sophos 4.12.0 12.04.2006 no virus found
Sunbelt 2.2.907.0 11.30.2006 no virus found
TheHacker 6.0.3.129 12.05.2006 no virus found
UNA 1.83 12.04.2006 no virus found
VBA32 3.11.1 12.05.2006 no virus found
VirusBuster 4.3.15:9 12.05.2006 no virus found


Aditional Information
File size: 43520 bytes
MD5: ed77549daadce98c2a4039ce108e0a6a
SHA1: ed573da86a3200eab105607e1d18c28c753fb4b9
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=e5155739747

nacra
2006-12-05, 20:09
Do you need another HJT startup ?


Administrator - Tue 12/05/2006 11:44:33.85 Service Pack 4
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Administrator\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-11-05 to 2006-12-05 ))))))))))))))))))))))))))))))))))


2006-12-04 12:27 <DIR> d-------- C:\!KillBox
2006-12-04 11:59 <DIR> d-------- C:\SDFix
2006-12-04 11:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2006-12-04 11:48 <DIR> d-------- C:\Program Files\WinZip
2006-12-04 11:22 <DIR> d-------- C:\winzip
2006-12-04 10:55 3,968 --a------ C:\WINNT\system32\drivers\AvgAsCln.sys
2006-12-04 10:53 6,469,352 --a------ C:\Program Files\avgas-setup-7.5.0.50.exe
2006-12-03 19:41 <DIR> d-a------ C:\WINNT\system32\ZoneLabs
2006-12-03 19:31 <DIR> d-------- C:\Program Files\Zone Labs
2006-12-03 19:30 <DIR> d-a------ C:\WINNT\Internet Logs
2006-11-30 20:04 80 --a------ C:\WINNT\gmer_uninstall.cmd
2006-11-10 07:35 76,288 --a------ C:\nvrfooqr.exe
2006-11-07 22:31 <DIR> dr-h----- C:\$VAULT$.AVG
2006-11-07 21:51 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2006-11-07 19:17 778,656 --a------ C:\WINNT\system32\drivers\avg7core.sys
2006-11-07 19:17 4,992 --a------ C:\WINNT\system32\drivers\avgtdi.sys
2006-11-07 19:17 4,288 --a------ C:\WINNT\system32\drivers\avg7rsw.sys
2006-11-07 19:17 27,904 --a------ C:\WINNT\system32\drivers\avg7rsxp.sys
2006-11-07 19:17 26,912 --a------ C:\WINNT\system32\drivers\avg7rsnt.sys
2006-11-07 19:17 23,424 --a------ C:\WINNT\system32\drivers\avgmfrs.sys
2006-11-07 19:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2006-11-07 19:16 <DIR> d-a------ C:\Program Files\Grisoft
2006-11-07 19:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\avg7
2006-11-07 19:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2006-11-07 17:54 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-11-07 17:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-11-06 01:09 122,880 --a------ C:\WINNT\system32\dxvwtdop.exe
2006-11-05 14:36 <DIR> d--h----- C:\WINNT\PIF


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-19 17:54 -------- d-------- C:\Program Files\Worksitepro
2006-11-16 13:22 -------- d-ah----- C:\Program Files\WindowsUpdate
2006-11-07 21:28 -------- d-a-s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2006-11-05 19:55 60416 --a------ C:\guxpw.exe
2006-11-05 19:35 -------- d-------- C:\Documents and Settings\Administrator\Application Data\MSN6
2006-11-05 14:10 51660 --a------ C:\hcjvnlu.exe
2006-11-04 21:16 -------- d-------- C:\Program Files\Messenger
2006-10-30 01:00 51725 --a------ C:\WINNT\system32\rm2.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AOL Instant Messenger (TM)"="C:\\Program Files\\Netscape\\Communicator\\Program\\AIM\\aim.exe -cnetwait.odl"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Hotkey"="C:\\WINNT\\System32\\hkeyman.exe"
"ATIModeChange"="Ati2mdxx.exe"
"AtiPTA"="atiptaxx.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Synchronization Manager"="mobsync.exe /logon"
"PRPCMonitor"="PRPCUI.exe"
"RealTray"="C:\\Real\\Player\\realplay.exe SYSTEMBOOTHIDEPLAYER"
"LoadQM"="loadqm.exe"
"hpfsched"="C:\\WINNT\\hpfsched.exe"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"IPInSightLAN 02"="\"C:\\Program Files\\Visual Networks\\Visual IP InSight\\SBC\\IPClient.exe\" -l"
"IPInSightMonitor 02"="\"C:\\Program Files\\Visual Networks\\Visual IP InSight\\SBC\\IPMon32.exe\""
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"WUSB11B.exe"="C:\\Program Files\\WUSB11 WLAN Monitor\\WUSB11B.exe"
"Afaria Client File Differencing"="C:\\Program Files\\AClient\\Bin\\XCDiffCache.exe"
"WSPPurge"="C:\\Program Files\\Aflac\\Common\\WSPPurge.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,b5,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2238}"="DCOM Server 2238"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"_NoDriveTypeAutoRun"=dword:00000095

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\HP DArC Task #Hewlett-Packard#hp officejet 5500 series#1077223641.job
C:\WINNT\tasks\HP DArC Task #Hewlett-Packard#hp psc 2100 series#1136083739.job
C:\WINNT\tasks\Low Battery Alarm Program.job

Completion time: Tue 2006-12-05 11:45:30.23
C:\ComboFix.txt ... 06-12-05 11:45

Mr_JAk3
2006-12-05, 20:26
Ok it is beginning to look good from here :D:
How is the computer running ?

Please run Killbox.

Select "Delete on Reboot".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\nvrfooqr.exe
C:\WINNT\system32\dxvwtdop.exe
C:\guxpw.exe
C:\hcjvnlu.exe
C:\WINNT\system32\rm2.exe

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Select "All Files".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.

Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
You have two (2) antiviruses installed and running, AVG Antivirus and McAfee. Running more than one antivirus at the same time may cause all kinds of problems and is NOT recommended.
You should leave only one (1) antivirus running. You should uninstall/disable either AVG Antivirus or McAfee. When you have decided, you can uninstall your choice through Control Panel, Add/Remove Programs.

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Use CCleaner (http://www.majorgeeks.com/download4191.html)
Download and install CCleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use Ewido (http://www.ewido.net/en/)
Download and install Ewido. Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster, safer and better browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.

Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.

Read this article by TonyKlein (http://castlecops.com/postlite7736-.html)
So how did I get infected in the first place?

nacra
2006-12-05, 20:49
I tried twice to Control-C and paste the files, but ONLY C:\nvfooqr.exe shows in the Killbox window. Is this correct???

Mr_JAk3
2006-12-05, 21:01
That means that the other files are not there anymore.

You could try to see if you can locate the files manually via My Computer.
If you can't find them, they're gone :)

nacra
2006-12-05, 21:40
I found all files but the first one.

nacra
2006-12-06, 10:30
I went to My Computer like you said and the following files are still on the computer:
C:\WINNT\system32\dxvwtdop.exe
C:\guxpw.exe
C:\hcjvnlu.exe
C:\WINNT\system32\rm2.exe

I also get some NetBIOS warnings from ZoneAlarm, so I am still reluctant to use the machine. Thanks for the help.

Mr_JAk3
2006-12-06, 10:41
Hi again :)

Delete those files manually. Let me know if you got problems with the deletions.

The ZoneAlarm warnings are a good thing; you know that it is protecting you from the attacks. If they annoy you, you can turn the notifications off. Please read the following ZoneAlarm tutorial (http://www.markusjansson.net/eza.html)

nacra
2006-12-06, 10:48
Wanted to check with you first. I'll let you know. Thanks again for all of your help. It is greatly appreciated. Have a Merry Christmas and a Happy New Year.

Mr_JAk3
2006-12-06, 11:29
You're very welcome and Merry Christmas and a Happy New Year to you too :D:

Let me know how it went and if I can archive this topic :bigthumb:

nacra
2006-12-06, 18:51
I ran scans this morning with AVG and Spybot. Spybot found Smitfraud. AVG Anti-Spyware = nothing; AVG Antivirus = dr3.exe, if1.exe, desktop.exe, and if2. Should I still be worried??? Some are kind of gray when they show up on the scan instead of blue.

Mr_JAk3
2006-12-06, 21:02
Hi :)

What did you do to the found files ?

Did you disinfect or remove those with AVG ?

nacra
2006-12-07, 16:30
With SpybotSD/Smitfraud I used the fix tool; AVG Antivirus tries to automatically heal, but when I scan again they show up.

Mr_JAk3
2006-12-07, 21:14
Ok could you please post the exact locations of the infected files to here.

We can remove those with a stronger tool :)

What is the Spybot finding ? A reg key ? Could you please post the Spybot log to here.

nacra
2006-12-08, 02:12
OBJECT RESULT

C:\WINNT\system32\drivers\etc\hosts Changed (blue "i")

C:\WINDOWS\Desktop.exe:\dr3.exe Trojan horse downloader.Generic2.WDW
C:\WINDOWS\Desktop.exe:if1.exe Virus found Win32/PEPatch
Both of the above are grey exclamation points
Both status = Infected, embedded object

C:\WINDOWS\Desktop.exe Trojan horse downloader.Generic2.WDW
Red, yellow and blue, looks like the WinZip icon
Status = Infected archive


C:\WINDOWS\if2.exe Virus found Win32/PEPatch
Red exclamation point, status = Infected

--- Report generated: 2006-12-06 10:23 ---

Smitfraud-C.: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{2C1CD3D7-86AC-4068-93BC-A02304BB2238}

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
www.symantec.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
securityresponse.symantec.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
downloads1.kaspersky-labs.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
downloads2.kaspersky-labs.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
downloads3.kaspersky-labs.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
downloads4.kaspersky-labs.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
www.trendmicro.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
rads.mcafee.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
customer.symantec.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
liveupdate.symantec.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
us.mcafee.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
updates.symantec.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
www.nai.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
secure.nai.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
dispatch.mcafee.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
download.mcafee.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
www.my-etrust.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
mast.mcafee.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
ca.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
www.ca.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
networkassociates.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
www.networkassociates.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
avp.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
www.kaspersky.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
www.avp.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
www.f-secure.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
viruslist.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
www.viruslist.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
liveupdate.symantecliveupdate.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
www.mcafee.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
sophos.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
www.sophos.com=127.0.0.1

Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

Microsoft.WindowsSecurityCenter.AntiVirusOverride: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0

Microsoft.WindowsSecurityCenter.FirewallDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

Microsoft.WindowsSecurityCenter.FirewallOverride: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride!=dword:0

Microsoft.WindowsSecurityCenter.UpdateDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-11-07 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-12-01 Includes\Cookies.sbi (*)
2006-10-13 Includes\Dialer.sbi (*)
2006-12-01 Includes\DialerC.sbi (*)
2006-11-24 Includes\Hijackers.sbi (*)
2006-12-01 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2006-12-01 Includes\KeyloggersC.sbi (*)
2006-10-13 Includes\Malware.sbi (*)
2006-12-01 Includes\MalwareC.sbi (*)
2006-10-20 Includes\PUPS.sbi (*)
2006-12-01 Includes\PUPSC.sbi (*)
2006-12-01 Includes\Revision.sbi (*)
2006-10-13 Includes\Security.sbi (*)
2006-12-01 Includes\SecurityC.sbi (*)
2006-10-13 Includes\Spybots.sbi (*)
2006-12-01 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-12-01 Includes\Trojans.sbi (*)
2006-12-01 Includes\TrojansC.sbi (*)
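
Added example, not part of the thread and not Spybot's own code: a small Python triage script for report entries in the layout shown above (a rule header line followed by one detail line). It flags hosts-file entries that send security-vendor domains to loopback, which is what silently blocks AV updates in this log, and Security Center notification values found at something other than 0. The vendor domain list and the sample excerpt are assumptions constructed from the entries shown here.

```python
import re

# Constructed excerpt in the Spybot S&D 1.4 report layout seen above:
# a rule header line followed by one detail line. Not the full log.
SAMPLE_REPORT = """\
Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
www.kaspersky.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
liveupdate.symantecliveupdate.com=127.0.0.1

Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\AntiVirusDisableNotify!=dword:0
"""

# Assumed allowlist of security-vendor domains taken from the thread's log; a
# hosts entry sending one of these to loopback blocks updates without any error.
SECURITY_VENDOR_DOMAINS = ("kaspersky.com", "avp.com", "f-secure.com", "viruslist.com",
                           "symantecliveupdate.com", "mcafee.com", "sophos.com")
SINKHOLE_PREFIXES = ("127.", "0.0.0.0")

HEADER_RE = re.compile(r"^([\w.]+): (.+?) \((.+)\)$")


def parse_spybot_report(text):
    """Return one {rule, kind, detail} dict per header/detail pair."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    findings, i = [], 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if m and i + 1 < len(lines) and lines[i + 1]:
            findings.append({"rule": m.group(1), "kind": m.group(2), "detail": lines[i + 1]})
            i += 2  # header consumed together with its detail line
        else:
            i += 1  # blank line or stray text
    return findings


def classify(finding):
    """Map a finding to a triage label a responder can act on."""
    rule, detail = finding["rule"], finding["detail"]
    if rule.endswith(".RedirectedHosts"):
        host, _, target = detail.partition("=")
        vendor = any(host == d or host.endswith("." + d) for d in SECURITY_VENDOR_DOMAINS)
        if vendor and target.startswith(SINKHOLE_PREFIXES):
            return "av-update-blocking"
        return "hosts-redirect"
    if ".WindowsSecurityCenter." in rule and detail.endswith("!=dword:0"):
        return "security-center-notification-tampered"
    return "other"
```

Run `classify` over `parse_spybot_report(SAMPLE_REPORT)` to get a label per finding; a vendor domain redirected to a routable address is reported only as a plain hosts redirect.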

Mr_JAk3
2006-12-08, 21:43
Hi again, let's get all those nasties removed.

Download the free Hoster v3.5 from here: http://www.funkytoad.com/content/view/13/
When you have it, click on the button to "Restore Microsoft's Hosts File" and follow any prompts.

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download the Killbox (http://www.downloads.subratam.org/KillBox.zip).
Unzip it to the desktop.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

==================

Please run Killbox.

Select "Delete on Reboot".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\Desktop.exe
C:\WINDOWS\if2.exe

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Select "All Files".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Restart your computer in Safe Mode:
Restart your computer.
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe Mode.
Press Enter. The computer then begins to start in Safe Mode.

Use the Windows search: Start > Search > All files and folders.
Under "More advanced options", checkmark these options:
"Search system folders"
"Search hidden files and folders"
"Search subfolders"
Search for this file and delete it if found: dr3.exe

Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Run a scan with Dr.Web CureIt: double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory; when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, look if you can click the icon next to the files found: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it, then click the icon right below it and select "Move incurable".
After the scan, in the menu, click File and choose "Save report list".
Save the report to your desktop. The report will be called DrWeb.csv.
Close Dr.Web CureIt.
Reboot the computer in Normal Mode.
Post the CureIt report and a fresh HijackThis log.

nacra
2006-12-09, 04:54
Logfile of HijackThis v1.99.1
Scan saved at 08:29:02 PM, on 12/08/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\System32\hkeyman.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\Real\Player\realplay.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
C:\Program Files\AClient\Bin\XCDiffCache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AClient\Bin\XCGSTask.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\rsvp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\WINNT\System32\cidaemon.exe
C:\Documents and Settings\Administrator\Desktop\hijack this\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Hotkey] C:\WINNT\System32\hkeyman.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [RealTray] C:\Real\Player\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
O4 - HKLM\..\Run: [Afaria Client File Differencing] C:\Program Files\AClient\Bin\XCDiffCache.exe
O4 - HKLM\..\Run: [WSPPurge] C:\Program Files\Aflac\Common\WSPPurge.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AOL Instant Messenger (TM)] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Afaria Client Generic Scheduler.lnk = AClient\Bin\XCGSTask.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A9335EF-D408-4405-9E81-7CF61F390B4A}: NameServer = 205.171.3.65 205.171.2.65
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe


DR.WEB CUREIT:D:

cfd.exe;c:\program files\broadjump\client foundation;Adware.Cfd;Incurable.Deleted.;
dxvwgagn.exe;C:\!KillBox;BackDoor.Pva;Deleted.;
Process.exe;C:\Documents and Settings\Administrator\Desktop\SDFix\apps;Tool.Prockill;Incurable.Moved.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
if1.exe;C:\WINNT\system32;Trojan.DownLoader.14617;Deleted.;
rm2.exe;C:\WINNT\system32;Trojan.Virtumod;Deleted.;

Mr_JAk3
2006-12-09, 10:43
Hi :)

Looks like Killbox & CureIt did the job.

How is the computer running ? Is AVG still finding something ?

nacra
2006-12-09, 16:41
C:\!KillBox\Desktop.exe:\dr3.exe Trojan horse Downloader.Generic2.WDW Infected, Embedded object
C:\!KillBox\Desktop.exe:\if1.exe Virus found Win32/PEPatch Infected, Embedded object
C:\!KillBox\Desktop.exe Trojan horse Downloader.Generic2.WDW Infected, Archive

Mr_JAk3
2006-12-09, 21:26
Ok go ahead and delete Killbox backup folder, C:\!KillBox

Everything is running fine ?

nacra
2006-12-10, 05:23
Mr.Jak3,
I think that finally did it. What a nightmare. Thank you again for your help. It is greatly appreciated. The computer seems to be fine. ZoneAlarm complains about NetBIOS and two programs, Services.exe and IPclient.exe. I don't know what these are, so I haven't allowed the connection. Any ideas? CFD.exe was trying to connect, but I think that the last CureIt, ATF Cleaner and Killbox run took care of this. :angel:

Mr_JAk3
2006-12-10, 09:59
You're very welcome :)

You may be informed about the attacks made from the outside. You can turn these notifications off if you want.

IPclient.exe belongs to your "Visual IP InSight" program. Allow it if you use this.

You can allow services.exe to connect if the file is located at C:\WINNT\system32\services.exe; that is the legitimate Windows file.

:bigthumb:

Mr_JAk3
2006-12-16, 16:17
As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

Glad we could help :2thumb: