Need Help ASAP!



Enginebuilder
2006-11-20, 07:54
First of all, I would like to thank pskelley for the outstanding assistance given here: http://forums.spybot.info/showthread.php?t=9057

Following the advice given in the above link, I was able to successfully get rid of this most annoying problem.

I got this virus/trojan (?) from following a link in Google :oops: ; a JavaScript ran and subsequently downloaded/installed a number (106, to be exact) of various malware/trojans/hijackers. Thankfully, I had TeaTimer running, and the majority of the problems were averted (with much clicking). I did, however, end up with SystemDoctor2006, VSAdd-in, and what has been described/identified as VMundo (misdiagnosed as the smit*888toolbar).

After updating S&D, I was able to successfully remove SystemDoctor2006. I then started working on getting rid of the annoying popup ads that were happening on a regular, if infrequent, basis.

I figure if there are new and improved spybots and such that have attacked me, I can't be the first; so I came here to see what was the latest and greatest in malware attacks, and discovered the above-referenced post; the OP described a situation almost exactly the same as mine, so I figured, hey, I'll give this a shot.

Here's what I did, in order:
Uninstall Java
Download/install the latest version of Java Runtime (currently 1.5.0_09)
Download combofix.exe
Download VirtumundoBeGone.exe
Updated HijackThis to v1.99
Ran combofix.exe - did not require a reboot?
Ran VirtumundoBeGone.exe - it seemed like the computer locked up almost as soon as it ran; this was not the case though, and it eventually finished its thing and forced a reboot.
Ran HijackThis.exe - still notice the unnamed BHO, a strangely named .dll (randomly generated = jkkll.dll) and the O20 Winlogon entry referencing the .dll... not pleased at this point, figuring these should be gone. Attempted a fix on all three, and they come back after a reboot. Really upset now, 3 hours and nothing?! %(&#@(*# (&$@ malware!

However, upon re-running S&D, entries for HotsearchBar were found. Fixed those (along with a ridiculous amount of usage tracks) and rebooted again. Voila! No more O20 Winlogon entry or strange .dll files in the HijackThis log.

Now I'm just stuck with this Internet Explorer Helper VSAdd-in.exe in my Add/Remove Programs list. I don't remember this program AT ALL (and I keep my PC on a short leash) and I can't remove it via the normal methods. Any ideas on what exactly this thing is, and how I can get rid of it? HJT logfile attached below.

Enginebuilder
2006-11-20, 08:02
Logfile of HijackThis v1.99.1
Scan saved at 1:55:39 AM, on 11/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\Common Files\AOL\1147054468\ee\AOLSoftware.exe
C:\Program Files\Tweak-XP Pro 3\AdBlocker.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Useful Programs\Helpful Programs\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1147054468\ee\AOLSoftware.exe
O4 - HKCU\..\Run: "C:\Program Files\Tweak-XP Pro 3\AdBlocker.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe


Logfile from ComboFix.exe follows
_________________________________________________________________
Eric - 06-11-19 23:48:50.51 Service Pack 2
ComboFix 06.11.19 - Running from: "C:\Documents and Settings\Eric\Desktop\Spyware Removal"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\SSTEM~1
C:\QooBox\Purity\Program Files\SSTEM~1\explorer.exe
C:\QooBox\Purity\Program Files\SSTEM~1\s?stem
C:\QooBox\Purity\WINDOWS\system32\SEMBLY~1
C:\QooBox\Purity\WINDOWS\system32\SEMBLY~1\j?vaw.exe


((((((((((((((((((((((((((((((( Files Created from 2006-10-19 to 2006-11-19 ))))))))))))))))))))))))))))))))))


2006-11-19 23:37 <DIR> d-------- C:\Program Files\Common Files\Java
2006-11-19 22:49 <DIR> d-------- C:\WINDOWS\temp
2006-11-19 03:18 759,688 ---hs---- C:\WINDOWS\system32\llkkj.bak1
2006-11-19 03:18 60,436 --a------ C:\WINDOWS\system32\donotuse.dll
2006-11-19 03:17 692,276 ---hs---- C:\WINDOWS\system32\jkkll.dll
2006-11-19 02:05 40,973 ---hs---- C:\WINDOWS\system32\ddccccy.dll
2006-11-15 02:38 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Apple Computer
2006-11-15 02:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2006-11-15 02:30 <DIR> d-------- C:\Program Files\QuickTime
2006-11-11 19:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Firefly Studios
2006-11-08 02:28 <DIR> d-------- C:\Program Files\Excite
2006-11-06 13:49 299,520 --a------ C:\WINDOWS\uninst.exe
2006-11-06 13:48 4,672 --a------ C:\WINDOWS\system32\LXASUSCI.DLL
2006-11-06 13:48 33,792 --a------ C:\WINDOWS\system32\LXASUSCI.EXE
2006-11-06 13:39 86,016 --a------ C:\WINDOWS\unvise32.exe
2006-11-06 13:36 <DIR> d-------- C:\Program Files\LexmarkX83
2006-11-06 12:45 <DIR> d-------- C:\Documents and Settings\Eric\WINDOWS
2006-11-03 00:10 <DIR> d-------- C:\Program Files\MTV Networks
2006-11-01 12:34 <DIR> d-------- C:\Program Files\AC3Filter
2006-10-31 17:35 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2006-10-31 17:35 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2006-10-31 17:35 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2006-10-31 17:15 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2006-10-31 17:14 46,208 --a------ C:\WINDOWS\system32\drivers\IrBus.sys
2006-10-31 17:14 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2006-10-31 17:14 17,024 --a------ C:\WINDOWS\system32\drivers\hidir.sys
2006-10-24 12:10 <DIR> d-------- C:\Program Files\TMPGENC
2006-10-24 11:43 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Opera
2006-10-24 10:44 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-10-24 10:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2006-10-23 14:51 <DIR> d-------- C:\Program Files\hp deskjet 930c series
2006-10-23 14:51 <DIR> d-------- C:\Program Files\Hewlett-Packard
2006-10-23 14:50 53,248 --a------ C:\WINDOWS\system32\hpfinsta.exe
2006-10-23 14:50 274,432 --------- C:\WINDOWS\system32\hpfinst.dll
2006-10-23 14:50 262,144 --a------ C:\WINDOWS\system32\hpzcon04.dll
2006-10-23 14:50 200,704 --a------ C:\WINDOWS\system32\hpzcoi04.dll
2006-10-23 14:50 114,744 --a------ C:\WINDOWS\system32\hpzlnt04.dll
2006-10-22 21:58 <DIR> dr-h----- C:\Documents and Settings\Eric\Recent
2006-10-22 19:54 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\InstallShield
2006-10-21 21:28 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\uTorrent


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-19 23:49 -------- d-------- C:\Program Files\Common Files
2006-11-19 23:39 -------- d-------- C:\Program Files\Java
2006-11-19 23:13 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-19 02:21 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-11-10 03:10 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-01 13:07 353 --a--c--- C:\Documents and Settings\Eric\Application Data\AutoGK.ini
2006-11-01 04:35 -------- d-------- C:\Documents and Settings\Eric\Application Data\DivX
2006-10-25 12:36 -------- d-------- C:\Program Files\AOD
2006-10-24 11:56 -------- d-------- C:\Documents and Settings\Eric\Application Data\Adobe
2006-10-24 10:52 -------- d-------- C:\Program Files\Adobe
2006-10-24 10:49 -------- d-------- C:\Program Files\Common Files\Adobe
2006-10-22 20:06 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-10-17 16:42 -------- d-------- C:\Program Files\Google
2006-10-16 18:00 -------- d-------- C:\Documents and Settings\Eric\Application Data\Mozilla
2006-10-16 16:07 -------- d-------- C:\Program Files\DivX
2006-10-08 20:50 161555 --a------ C:\WINDOWS\EXPStudio's Audio Converter FREE Uninstaller.exe
2006-10-08 20:50 -------- d-------- C:\Program Files\EXPStudio
2006-10-08 20:41 -------- d-------- C:\Program Files\illiminable
2006-10-08 19:32 -------- d---s---- C:\Documents and Settings\Eric\Application Data\Microsoft
2006-10-08 19:32 -------- d-------- C:\Program Files\APSW
2006-10-08 15:36 -------- d-------- C:\Program Files\Kodak
2006-10-08 15:35 -------- d-------- C:\Program Files\Common Files\Kodak
2006-10-02 14:04 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-10-02 14:04 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-10-02 14:04 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-10-02 14:04 635486 --a------ C:\WINDOWS\system32\DivX.dll
2006-09-19 03:45 96256 --a------ C:\WINDOWS\system32\drivers\sptd4877.sys
2006-08-27 19:54 98304 --a--c--- C:\WINDOWS\system32\CmdLineExt.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Aim6"=""
"BlockAds"="\"C:\\Program Files\\Tweak-XP Pro 3\\AdBlocker.exe\""
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"D-Link AirPlus G"="C:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe"
"ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
"Lexmark X83 Button Monitor"="C:\\PROGRA~1\\LEXMAR~1\\ACMonitor_X83.exe"
"Lexmark X83 Button Manager"="C:\\PROGRA~1\\LEXMAR~1\\AcBtnMgr_X83.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1147054468\\ee\\AOLSoftware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="http://doppler.tbo.com/wfla_nowrad_fl.sm.jpg"
"SubscribedURL"="http://doppler.tbo.com/wfla_nowrad_fl.sm.jpg"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,e4,00,00,00,23,00,00,00,2b,02,00,00,df,01,00,00,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,12,03,00,00,19,01,00,00,a0,00,00,00,78,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,12,03,00,00,19,01,00,00,a0,00,00,00,78,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoDispBackgroundPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoStrCmpLogical"=dword:00000001
"ClearRecentDocsOnExit"=dword:00000000
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tray curb]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Playinside"
"hkey"="HKCU"
"command"="C:\\DOCUME~1\\Eric\\APPLIC~1\\GREATD~1\\Playinside.exe"
"inimapping"="0"

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe]
"Debugger"="\"C:\\DOCUME~1\\ERIC\\LOCALS~1\\TEMP\\RAR$EX01.516\\PROCEXP.EXE\""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\A6AFB94790702A57.job

Completion time: 06-11-19 23:51:10.26
C:\ComboFix.txt ... 06-11-19 23:51
_________________________________________________________________
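Editor's note, added example (not part of Eric's post and not ComboFix's own code): the ComboFix log above carries the three tells a responder keys on, namely hidden+system DLLs written into system32 hours before the scan (jkkll.dll, ddccccy.dll, and llkkj.bak1, whose name is jkkll reversed), a Winlogon\Notify package with a made-up name, and an Image File Execution Options Debugger value for taskmgr.exe. The Python below runs those checks offline over lines constructed from that log. The line layout it parses is ComboFix's 2006 format as shown on this page, and the Winlogon\Notify baseline (the stock XP SP2 packages) is an assumption, not something the log states.

```python
"""Triage pass over ComboFix-style 'Files Created' and registry lines.

Added example for this thread: it is neither ComboFix code nor the poster's.
SAMPLE_FILES / SAMPLE_REG are constructed from lines in the log above. The
layout assumed is ComboFix's 2006 output:
    YYYY-MM-DD HH:MM  <size or <DIR>>  <9-char attribute field>  <path>
The Winlogon\\Notify baseline is the stock XP SP2 set (an assumption).
"""
import re
from datetime import datetime, timedelta

SAMPLE_FILES = r"""
2006-11-19 23:37 <DIR> d-------- C:\Program Files\Common Files\Java
2006-11-19 03:18 759,688 ---hs---- C:\WINDOWS\system32\llkkj.bak1
2006-11-19 03:18 60,436 --a------ C:\WINDOWS\system32\donotuse.dll
2006-11-19 03:17 692,276 ---hs---- C:\WINDOWS\system32\jkkll.dll
2006-11-19 02:05 40,973 ---hs---- C:\WINDOWS\system32\ddccccy.dll
2006-11-06 13:48 4,672 --a------ C:\WINDOWS\system32\LXASUSCI.DLL
2006-10-31 17:35 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
"""

SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe]
"Debugger"="\"C:\\DOCUME~1\\ERIC\\LOCALS~1\\TEMP\\RAR$EX01.516\\PROCEXP.EXE\""
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
"""

FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([-a-z]{9})\s+(.+)$")
IFEO_RE = re.compile(r"^\[.*\\image file execution options\\([^\]\\]+)\]$", re.I)
NOTIFY_RE = re.compile(r"\\winlogon\\notify\\([^\\\s]+)$", re.I)
XP_NOTIFY_BASELINE = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                      "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}


def parse_files(text):
    """Yield (timestamp, size, attrs, path) for each well-formed line."""
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            yield datetime.strptime(f"{m[1]} {m[2]}", "%Y-%m-%d %H:%M"), m[3], m[4], m[5]


def flag_files(entries, scan_time, window_days=3):
    findings, by_dir = [], {}
    for stamp, size, attrs, path in entries:
        folder, _, name = path.rpartition("\\")
        if size == "<DIR>":
            continue
        by_dir.setdefault(folder.lower(), {})[name.lower()] = path
        # Vundo-style drop: hidden+system file written into system32 just before the scan
        if ("\\system32\\" in path.lower() and "h" in attrs and "s" in attrs
                and scan_time - stamp <= timedelta(days=window_days)):
            findings.append(f"hidden+system file created {stamp:%Y-%m-%d %H:%M} in system32: {path}")
    # Reversed-name pairs in one folder (jkkll.dll <-> llkkj.bak1)
    for names in by_dir.values():
        stems = {n.rsplit(".", 1)[0]: p for n, p in names.items()}
        for stem, path in stems.items():
            rev = stem[::-1]
            if rev in stems and rev > stem:  # report each pair once
                findings.append(f"reversed-name pair: {path} <-> {stems[rev]}")
    return findings


def flag_registry(text):
    findings, ifeo_target = [], None
    for line in text.splitlines():
        line = line.strip()
        m = IFEO_RE.match(line)
        if m:
            ifeo_target = m[1]
            continue
        if line.startswith("["):        # any other key header ends the IFEO block
            ifeo_target = None
        if ifeo_target and line.lower().startswith('"debugger"='):
            # value is a .reg-escaped string: strip \" and collapse \\ to \
            dbg = line.split("=", 1)[1].replace('\\"', "").replace("\\\\", "\\").strip('"')
            where = "temp folder" if re.search(r"\\(temp|locals~1)\\", dbg, re.I) else "fixed path"
            findings.append(f"IFEO debugger for {ifeo_target} ({where}): {dbg}")
            continue
        m = NOTIFY_RE.search(line)
        if m and m[1].lower() not in XP_NOTIFY_BASELINE:
            findings.append(f"non-baseline Winlogon\\Notify package: {m[1]}")
    return findings


def triage(files_text, reg_text, scan_time):
    return flag_files(parse_files(files_text), scan_time) + flag_registry(reg_text)


if __name__ == "__main__":
    for f in triage(SAMPLE_FILES, SAMPLE_REG, datetime(2006, 11, 19, 23, 48)):
        print(f)
```

Two caveats the log itself illustrates. The attribute heuristic is only a first pass: donotuse.dll was dropped in the same minute as jkkll.dll with plain archive attributes, so it is not flagged here, and it was only named (Trojan.Win32.BHO.g) by the later Kaspersky scan. And an IFEO Debugger value is a hijack point whether or not it is malicious: Process Explorer's "Replace Task Manager" option writes exactly this value, but here it points into a WinRAR extraction folder under TEMP (RAR$EX01.516), so whatever lands at that path later is what Task Manager launches; either run PROCEXP.EXE from a fixed location and re-set the option, or delete the value.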

Enginebuilder
2006-11-20, 08:03
[11/19/2006, 23:53:28] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Eric\Desktop\Spyware Removal\VirtumundoBeGone.exe" )
[11/19/2006, 23:53:36] - Detected System Information:
[11/19/2006, 23:53:36] - Windows Version: 5.1.2600, Service Pack 2
[11/19/2006, 23:53:36] - Current Username: Eric (Admin)
[11/19/2006, 23:53:36] - Windows is in NORMAL mode.
[11/19/2006, 23:53:36] - Searching for Browser Helper Objects:
[11/19/2006, 23:53:36] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[11/19/2006, 23:53:36] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[11/19/2006, 23:53:36] - BHO 3: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[11/19/2006, 23:53:36] - BHO 4: {BB32DA21-6EC6-4F71-B072-8B593104BDCB} ()
[11/19/2006, 23:53:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/19/2006, 23:53:36] - Checking for HKLM\...\Winlogon\Notify\jkkll
[11/19/2006, 23:53:36] - Found: HKLM\...\Winlogon\Notify\jkkll - This is probably Virtumundo.
[11/19/2006, 23:53:36] - Assigning {BB32DA21-6EC6-4F71-B072-8B593104BDCB} MSEvents Object
[11/19/2006, 23:53:36] - BHO list has been changed! Starting over...
[11/19/2006, 23:53:36] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[11/19/2006, 23:53:36] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[11/19/2006, 23:53:36] - BHO 3: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[11/19/2006, 23:53:36] - BHO 4: {BB32DA21-6EC6-4F71-B072-8B593104BDCB} (MSEvents Object)
[11/19/2006, 23:53:36] - ALERT: Found MSEvents Object!
[11/19/2006, 23:53:36] - Finished Searching Browser Helper Objects
[11/19/2006, 23:53:36] - *** Detected MSEvents Object
[11/19/2006, 23:53:36] - Trying to remove MSEvents Object...
[11/19/2006, 23:53:37] - Terminating Process: IEXPLORE.EXE
[11/19/2006, 23:53:37] - Terminating Process: RUNDLL32.EXE
[11/19/2006, 23:53:37] - Disabling Automatic Shell Restart
[11/19/2006, 23:53:37] - Terminating Process: EXPLORER.EXE
[11/19/2006, 23:53:38] - Suspending the NT Session Manager System Service
[11/19/2006, 23:53:38] - Terminating Windows NT Logon/Logoff Manager

[11/20/2006, 0:01:19] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Eric\Desktop\Spyware Removal\VirtumundoBeGone.exe" )
[11/20/2006, 0:01:22] - Detected System Information:
[11/20/2006, 0:01:22] - Windows Version: 5.1.2600, Service Pack 2
[11/20/2006, 0:01:22] - Current Username: Eric (Admin)
[11/20/2006, 0:01:22] - Windows is in NORMAL mode.
[11/20/2006, 0:01:22] - Searching for Browser Helper Objects:
[11/20/2006, 0:01:22] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[11/20/2006, 0:01:22] - BHO 2: {10758348-21C2-40F3-9729-1CB815A02668} ()
[11/20/2006, 0:01:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/20/2006, 0:01:22] - Checking for HKLM\...\Winlogon\Notify\jkkll
[11/20/2006, 0:01:22] - Found: HKLM\...\Winlogon\Notify\jkkll - This is probably Virtumundo.
[11/20/2006, 0:01:22] - Assigning {10758348-21C2-40F3-9729-1CB815A02668} MSEvents Object
[11/20/2006, 0:01:22] - BHO list has been changed! Starting over...
[11/20/2006, 0:01:22] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[11/20/2006, 0:01:22] - BHO 2: {10758348-21C2-40F3-9729-1CB815A02668} (MSEvents Object)
[11/20/2006, 0:01:22] - ALERT: Found MSEvents Object!
[11/20/2006, 0:01:22] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[11/20/2006, 0:01:22] - BHO 4: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[11/20/2006, 0:01:22] - BHO 5: {BB32DA21-6EC6-4F71-B072-8B593104BDCB} ()
[11/20/2006, 0:01:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/20/2006, 0:01:22] - No filename found. Continuing.
[11/20/2006, 0:01:22] - Finished Searching Browser Helper Objects
[11/20/2006, 0:01:22] - *** Detected MSEvents Object
[11/20/2006, 0:01:22] - Trying to remove MSEvents Object...
[11/20/2006, 0:01:23] - Terminating Process: IEXPLORE.EXE
[11/20/2006, 0:01:23] - Terminating Process: RUNDLL32.EXE
[11/20/2006, 0:01:23] - Disabling Automatic Shell Restart
[11/20/2006, 0:01:23] - Terminating Process: EXPLORER.EXE
[11/20/2006, 0:01:24] - Suspending the NT Session Manager System Service
[11/20/2006, 0:01:24] - Terminating Windows NT Logon/Logoff Manager
[11/20/2006, 0:06:52] - Re-enabling Automatic Shell Restart
[11/20/2006, 0:06:52] - File to disable: C:\WINDOWS\system32\jkkll.dll
[11/20/2006, 0:06:52] - Renaming C:\WINDOWS\system32\jkkll.dll -> C:\WINDOWS\system32\jkkll.dll.vir
[11/20/2006, 0:06:52] - File successfully renamed!
[11/20/2006, 0:06:52] - Removing HKLM\...\Browser Helper Objects\{10758348-21C2-40F3-9729-1CB815A02668}
[11/20/2006, 0:06:52] - Removing HKCR\CLSID\{10758348-21C2-40F3-9729-1CB815A02668}
[11/20/2006, 0:06:52] - Adding Kill Bit for ActiveX for GUID: {10758348-21C2-40F3-9729-1CB815A02668}
[11/20/2006, 0:06:52] - Deleting ATLEvents/MSEvents Registry entries
[11/20/2006, 0:06:52] - Removing HKLM\...\Winlogon\Notify\jkkll
[11/20/2006, 0:06:52] - Searching for Browser Helper Objects:
[11/20/2006, 0:06:52] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[11/20/2006, 0:06:52] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[11/20/2006, 0:06:52] - BHO 3: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[11/20/2006, 0:06:53] - BHO 4: {BB32DA21-6EC6-4F71-B072-8B593104BDCB} ()
[11/20/2006, 0:06:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/20/2006, 0:06:53] - No filename found. Continuing.
[11/20/2006, 0:06:53] - Finished Searching Browser Helper Objects
[11/20/2006, 0:06:53] - Finishing up...
[11/20/2006, 0:06:53] - A restart is needed.
[11/20/2006, 0:07:14] - Attempting to Restart via STOP error (Blue Screen!)

_________________________________________________________________

Added the logfiles from ComboFix.exe and VirtumundoBeGone.exe in case they may help.

-Eric
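Editor's note, added example (not VirtumundoBeGone's or HijackThis's code, and not part of Eric's post): the VirtumundoBeGone log above shows the check that actually identifies Vundo, namely a BHO with no default name whose DLL also appears as a Winlogon\Notify package ("BHO has no default name. Checking for Winlogon reference"). The Python below performs the same correlation offline over HijackThis-style O2/O20 lines. SAMPLE_HJT is constructed: the unnamed-BHO and O20 lines reproduce what the poster describes seeing before the clean-up rather than lines copied from the thread, and the WgaLogon entry is a benign one added for contrast.

```python
"""Correlate unnamed BHOs with Winlogon\\Notify packages.

This is the check the VirtumundoBeGone log above performs against the live
registry, done here offline over HijackThis-style O2/O20 lines. Added
example, not VirtumundoBeGone's or HijackThis's code. SAMPLE_HJT is
constructed, not copied from the thread.
"""
import re

SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BB32DA21-6EC6-4F71-B072-8B593104BDCB} - C:\WINDOWS\system32\jkkll.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {10758348-21C2-40F3-9729-1CB815A02668} - (no file)
O20 - Winlogon Notify: jkkll - C:\WINDOWS\system32\jkkll.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<pkg>\S+) - (?P<path>.+)$")


def parse(text):
    """Return (bhos, notify): BHO dicts and {dll path (lower-cased): package name}."""
    bhos, notify = [], {}
    for line in text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = O20_RE.match(line)
        if m:
            notify[m["path"].lower()] = m["pkg"]
    return bhos, notify


def correlate(text):
    """Flag BHOs that share a DLL with a Winlogon\\Notify package, and
    unnamed BHOs whose DLL is missing (registrations left behind after a
    partial clean-up)."""
    bhos, notify = parse(text)
    findings = []
    for b in bhos:
        unnamed = b["name"] == "(no name)"
        pkg = notify.get(b["path"].lower())
        if pkg:
            # The Notify DLL is loaded by winlogon.exe before the shell and
            # stays locked while Windows runs; it is the half that brings the
            # O2 entry back after a reboot, so both must go together.
            findings.append({"kind": "bho+notify", "clsid": b["clsid"],
                             "dll": b["path"], "notify": pkg, "unnamed": unnamed})
        elif unnamed and b["path"] == "(no file)":
            findings.append({"kind": "orphan-bho", "clsid": b["clsid"]})
        elif unnamed:
            findings.append({"kind": "unnamed-bho", "clsid": b["clsid"], "dll": b["path"]})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_HJT):
        print(f)
```

The order the VirtumundoBeGone log then follows is the consequence of that pairing: it has to stop winlogon.exe to get the DLL unlocked, renames the file, deletes the BHO and HKCR\CLSID keys, sets the ActiveX kill bit for the CLSID, and only then deletes the Notify key. The second BHO in the sample, {BB32DA21-...} with no file, matches what the log reports on its second run ("No filename found. Continuing."): a dead registration that HijackThis can remove on its own.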

Enginebuilder
2006-11-21, 00:33
UPDATE:

Computer still seemed a little slow, especially on startup, so I figured I'd check a few other things out. Followed a link to the Kaspersky online virus scanner, and lo and behold!

Here's the logfile from the scan:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, November 20, 2006 6:22:10 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 20/11/2006
Kaspersky Anti-Virus database records: 243318
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 69775
Number of viruses found: 14
Number of infected objects: 26 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:13:35

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\cashmessmoreboob\love ooze.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Documents and Settings\Eric\Application Data\great dash for\Playinside.exe Infected: not-a-virus:AdWare.Win32.Lop.bc skipped
C:\Documents and Settings\Eric\Application Data\great dash for\zvixmfoa.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Documents and Settings\Eric\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Eric\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Eric\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Eric\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Eric\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Eric\Local Settings\History\History.IE5\MSHist012006112020061121\index.dat Object is locked skipped
C:\Documents and Settings\Eric\Local Settings\Temp\~DFB75D.tmp Object is locked skipped
C:\Documents and Settings\Eric\Local Settings\Temporary Internet Files\Content.IE5\C3YHKXWD\wireshark-setup-0.99.4[1].exe Object is locked skipped
C:\Documents and Settings\Eric\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Eric\ntuser.dat Object is locked skipped
C:\Documents and Settings\Eric\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Excite\PrvtMsgr\bin\x8Idle0.dll Infected: not-a-virus:AdWare.Win32.IWon.a skipped
C:\QooBox\Purity\WINDOWS\system32\SEMBLY~1\jаvaw.exe Infected: not-a-virus:AdWare.Win32.PurityScan.ex skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{1B01CE5E-787A-4556-AFF0-8FBEFB1FAC3C}\RP135\A0084835.exe Infected: Trojan-Downloader.Win32.VB.wz skipped
C:\System Volume Information\_restore{1B01CE5E-787A-4556-AFF0-8FBEFB1FAC3C}\RP135\A0085848.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\System Volume Information\_restore{1B01CE5E-787A-4556-AFF0-8FBEFB1FAC3C}\RP135\A0085852.dll Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\System Volume Information\_restore{1B01CE5E-787A-4556-AFF0-8FBEFB1FAC3C}\RP135\A0086862.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{1B01CE5E-787A-4556-AFF0-8FBEFB1FAC3C}\RP135\A0086863.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\System Volume Information\_restore{1B01CE5E-787A-4556-AFF0-8FBEFB1FAC3C}\RP137\change.log Object is locked skipped
C:\System Volume Information\_restore{1B01CE5E-787A-4556-AFF0-8FBEFB1FAC3C}\RP77\A0058944.exe Infected: not-a-virus:AdWare.Win32.Lop.ai skipped
C:\System Volume Information\_restore{1B01CE5E-787A-4556-AFF0-8FBEFB1FAC3C}\RP79\A0058983.exe Infected: Trojan-Downloader.Win32.Swizzor.fg skipped
C:\System Volume Information\_restore{1B01CE5E-787A-4556-AFF0-8FBEFB1FAC3C}\RP79\A0058984.exe Infected: Trojan-Downloader.Win32.Swizzor.fg skipped
C:\Useful Programs\Helpful Programs\HijackThis\backups\backup-20060705-171112-922.dll Infected: Trojan-Downloader.Win32.Swizzor.fg skipped
C:\Useful Programs\Helpful Programs\HijackThis\backups\backup-20061119-022147-371.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\Useful Programs\Helpful Programs\HijackThis\backups\backup-20061119-030537-684.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ex skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\ddccccy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ex skipped
C:\WINDOWS\system32\donotuse.dll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd4877.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

_________________________________________________________________
Fresh HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 6:33:05 PM, on 11/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\Common Files\AOL\1147054468\ee\AOLSoftware.exe
C:\Program Files\Tweak-XP Pro 3\AdBlocker.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Useful Programs\Helpful Programs\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1147054468\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro 3\AdBlocker.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe



Thanks for any help you can provide!

Enginebuilder
2006-11-22, 09:44
Okay, here's a description of events as best I can recall:
1: Clicked on a link in a Google search which led me to a site that ran a JavaScript that started downloading all sorts of nasties to my PC. TeaTimer was running, which enabled me to block many of the processes.
2: Updated Spybot S&D and proceeded to check and 'fix' many problems...
3: Ran HijackThis! v1.99 and discovered that there were still many problems.
4: Uninstalled Java (I don't remember installing it in the first place; my last malware attack came via JavaScript, and I vowed to never use it again. I will uninstall Java again as soon as I have my PC squared away.)
5: Installed the latest Java Runtime.
6: Ran virtumundobegone.exe to eliminate the vmundo virus/trojan.
7: Ran combofix.exe.
8: Ran the Kaspersky online virus scanner, which found a number of virus-infected files.
9: Downloaded/installed/ran the AVG Professional 7.5 trial. Discovered many viruses/malware and 'fixed' them; many references were made to my System Restore folders, so I turned off System Restore and deleted the old restore points, fearing that they were infected and causing the system to reinfect itself.

At this point my system started acting REALLY sluggish and lost all internet connectivity. I connect via a wireless access point, and the USB port my adapter was connected to lost connectivity. I can still use my wireless mouse from this port, but not my 802.11g adapter. When I plug it in, rather than the 'ding-dong' noise it usually makes, it makes a 'ding-ding-ding' tone, and Windows indicates that there was a problem installing my 'new wireless device'.
I have nearly gone mad trying to figure out the problem here, and finally resorted to repairing my Windows installation from the CD and creating a new user account... This did not effectively fix my PC, however. I still have problems connecting to the internet, and the computer is ridiculously slow; e.g. it takes upwards of 30 seconds to access 'My Computer'. Windows doesn't detect my router, and I've had to resort to the proprietary software that came with my USB adapter to have any kind of connection. (Windows doesn't detect the connection, even while I'm typing this; there's a notification in my systray that says "Wireless Connection Not Connected. Click here for more options.", and right next to it is the D-Link connection utility telling me that I'm connected to my D-Link Access Point.)

I will post the .log files from the above scans/repairs in the hope that someone will be able to point out something that I may have missed... I really don't want to wipe my computer, as there are many GB of family videos that I cannot easily back up. (It would take over 30 CDs in .rar format.)

If you require a new scan, let me know and I will do it right away. (Assuming I'll be able to reconnect after any restart :P)

Enginebuilder
2006-11-22, 09:52
Eric - 06-11-20 22:17:18.54 Service Pack 2
ComboFix 06.11.19 - Running from: "C:\Documents and Settings\Eric\Desktop\Spyware Removal"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\SSTEM~1
C:\QooBox\Purity\Program Files\SSTEM~1\explorer.exe
C:\QooBox\Purity\Program Files\SSTEM~1\s?stem
C:\QooBox\Purity\WINDOWS\system32\SEMBLY~1
C:\QooBox\Purity\WINDOWS\system32\SEMBLY~1\j?vaw.exe


((((((((((((((((((((((((((((((( Files Created from 2006-10-20 to 2006-11-20 ))))))))))))))))))))))))))))))))))


2006-11-20 21:16 <DIR> dr-h----- C:\Documents and Settings\Eric\Recent
2006-11-20 16:38 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2006-11-19 23:37 <DIR> d-------- C:\Program Files\Common Files\Java
2006-11-19 22:49 <DIR> d-------- C:\WINDOWS\temp
2006-11-19 03:18 759,688 ---hs---- C:\WINDOWS\system32\llkkj.bak1
2006-11-19 03:17 692,276 --ahs---- C:\WINDOWS\system32\jkkll.dll.vir
2006-11-19 02:05 40,973 ---hs---- C:\WINDOWS\system32\ddccccy.dll
2006-11-15 02:38 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Apple Computer
2006-11-15 02:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2006-11-15 02:30 <DIR> d-------- C:\Program Files\QuickTime
2006-11-11 19:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Firefly Studios
2006-11-06 13:49 299,520 --a------ C:\WINDOWS\uninst.exe
2006-11-06 13:48 4,672 --a------ C:\WINDOWS\system32\LXASUSCI.DLL
2006-11-06 13:48 33,792 --a------ C:\WINDOWS\system32\LXASUSCI.EXE
2006-11-06 13:39 86,016 --a------ C:\WINDOWS\unvise32.exe
2006-11-06 13:36 <DIR> d-------- C:\Program Files\LexmarkX83
2006-11-06 12:45 <DIR> d-------- C:\Documents and Settings\Eric\WINDOWS
2006-11-03 00:10 <DIR> d-------- C:\Program Files\MTV Networks
2006-11-01 12:34 <DIR> d-------- C:\Program Files\AC3Filter
2006-10-31 17:35 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2006-10-31 17:35 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2006-10-31 17:35 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2006-10-31 17:15 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2006-10-31 17:14 46,208 --a------ C:\WINDOWS\system32\drivers\IrBus.sys
2006-10-31 17:14 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2006-10-31 17:14 17,024 --a------ C:\WINDOWS\system32\drivers\hidir.sys
2006-10-24 12:10 <DIR> d-------- C:\Program Files\TMPGENC
2006-10-24 11:43 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Opera
2006-10-24 10:44 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-10-24 10:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2006-10-23 14:51 <DIR> d-------- C:\Program Files\hp deskjet 930c series
2006-10-23 14:51 <DIR> d-------- C:\Program Files\Hewlett-Packard
2006-10-23 14:50 53,248 --a------ C:\WINDOWS\system32\hpfinsta.exe
2006-10-23 14:50 274,432 --------- C:\WINDOWS\system32\hpfinst.dll
2006-10-23 14:50 262,144 --a------ C:\WINDOWS\system32\hpzcon04.dll
2006-10-23 14:50 200,704 --a------ C:\WINDOWS\system32\hpzcoi04.dll
2006-10-23 14:50 114,744 --a------ C:\WINDOWS\system32\hpzlnt04.dll
2006-10-22 19:54 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\InstallShield
2006-10-21 21:28 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\uTorrent


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-20 21:35 -------- d-------- C:\Program Files\Messenger
2006-11-20 02:30 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-11-19 23:49 -------- d-------- C:\Program Files\Common Files
2006-11-19 23:39 -------- d-------- C:\Program Files\Java
2006-11-19 23:13 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-10 03:10 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-01 13:07 353 --a--c--- C:\Documents and Settings\Eric\Application Data\AutoGK.ini
2006-11-01 04:35 -------- d-------- C:\Documents and Settings\Eric\Application Data\DivX
2006-10-25 12:36 -------- d-------- C:\Program Files\AOD
2006-10-24 11:56 -------- d-------- C:\Documents and Settings\Eric\Application Data\Adobe
2006-10-24 10:52 -------- d-------- C:\Program Files\Adobe
2006-10-24 10:49 -------- d-------- C:\Program Files\Common Files\Adobe
2006-10-22 20:06 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-10-17 16:42 -------- d-------- C:\Program Files\Google
2006-10-16 18:00 -------- d-------- C:\Documents and Settings\Eric\Application Data\Mozilla
2006-10-16 16:07 -------- d-------- C:\Program Files\DivX
2006-10-08 20:50 161555 --a------ C:\WINDOWS\EXPStudio's Audio Converter FREE Uninstaller.exe
2006-10-08 20:50 -------- d-------- C:\Program Files\EXPStudio
2006-10-08 20:41 -------- d-------- C:\Program Files\illiminable
2006-10-08 19:32 -------- d---s---- C:\Documents and Settings\Eric\Application Data\Microsoft
2006-10-08 19:32 -------- d-------- C:\Program Files\APSW
2006-10-08 15:36 -------- d-------- C:\Program Files\Kodak
2006-10-08 15:35 -------- d-------- C:\Program Files\Common Files\Kodak
2006-10-02 14:04 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-10-02 14:04 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-10-02 14:04 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-10-02 14:04 635486 --a------ C:\WINDOWS\system32\DivX.dll
2006-08-27 19:54 98304 --a--c--- C:\WINDOWS\system32\CmdLineExt.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"BlockAds"="\"C:\\Program Files\\Tweak-XP Pro 3\\AdBlocker.exe\""
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"D-Link AirPlus G"="C:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe"
"ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
"Lexmark X83 Button Monitor"="C:\\PROGRA~1\\LEXMAR~1\\ACMonitor_X83.exe"
"Lexmark X83 Button Manager"="C:\\PROGRA~1\\LEXMAR~1\\AcBtnMgr_X83.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1147054468\\ee\\AOLSoftware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="http://doppler.tbo.com/wfla_nowrad_fl.sm.jpg"
"SubscribedURL"="http://doppler.tbo.com/wfla_nowrad_fl.sm.jpg"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,e4,00,00,00,23,00,00,00,2b,02,00,00,df,01,00,00,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,12,03,00,00,19,01,00,00,a0,00,00,00,78,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,12,03,00,00,19,01,00,00,a0,00,00,00,78,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoDispBackgroundPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoStrCmpLogical"=dword:00000001
"ClearRecentDocsOnExit"=dword:00000001
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000
"DisableLocalMachineRun"=dword:00000001
"DisableLocalMachineRunOnce"=dword:00000001
"DisableCurrentUserRunOnce"=dword:00000001
"DisableCurrentUserRun"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tray curb]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Playinside"
"hkey"="HKCU"
"command"="C:\\DOCUME~1\\Eric\\APPLIC~1\\GREATD~1\\Playinside.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\A6AFB94790702A57.job

Completion time: 06-11-20 22:18:12.87
C:\ComboFix.txt ... 06-11-20 22:18
C:\ComboFix2.txt ... 06-11-19 23:51

Enginebuilder
2006-11-22, 09:54
Eric - 06-11-19 23:48:50.51 Service Pack 2
ComboFix 06.11.19 - Running from: "C:\Documents and Settings\Eric\Desktop\Spyware Removal"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\SSTEM~1
C:\QooBox\Purity\Program Files\SSTEM~1\explorer.exe
C:\QooBox\Purity\Program Files\SSTEM~1\s?stem
C:\QooBox\Purity\WINDOWS\system32\SEMBLY~1
C:\QooBox\Purity\WINDOWS\system32\SEMBLY~1\j?vaw.exe


((((((((((((((((((((((((((((((( Files Created from 2006-10-19 to 2006-11-19 ))))))))))))))))))))))))))))))))))


2006-11-19 23:37 <DIR> d-------- C:\Program Files\Common Files\Java
2006-11-19 22:49 <DIR> d-------- C:\WINDOWS\temp
2006-11-19 03:18 759,688 ---hs---- C:\WINDOWS\system32\llkkj.bak1
2006-11-19 03:18 60,436 --a------ C:\WINDOWS\system32\donotuse.dll
2006-11-19 03:17 692,276 ---hs---- C:\WINDOWS\system32\jkkll.dll
2006-11-19 02:05 40,973 ---hs---- C:\WINDOWS\system32\ddccccy.dll
2006-11-15 02:38 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Apple Computer
2006-11-15 02:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2006-11-15 02:30 <DIR> d-------- C:\Program Files\QuickTime
2006-11-11 19:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Firefly Studios
2006-11-08 02:28 <DIR> d-------- C:\Program Files\Excite
2006-11-06 13:49 299,520 --a------ C:\WINDOWS\uninst.exe
2006-11-06 13:48 4,672 --a------ C:\WINDOWS\system32\LXASUSCI.DLL
2006-11-06 13:48 33,792 --a------ C:\WINDOWS\system32\LXASUSCI.EXE
2006-11-06 13:39 86,016 --a------ C:\WINDOWS\unvise32.exe
2006-11-06 13:36 <DIR> d-------- C:\Program Files\LexmarkX83
2006-11-06 12:45 <DIR> d-------- C:\Documents and Settings\Eric\WINDOWS
2006-11-03 00:10 <DIR> d-------- C:\Program Files\MTV Networks
2006-11-01 12:34 <DIR> d-------- C:\Program Files\AC3Filter
2006-10-31 17:35 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2006-10-31 17:35 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2006-10-31 17:35 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2006-10-31 17:15 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2006-10-31 17:14 46,208 --a------ C:\WINDOWS\system32\drivers\IrBus.sys
2006-10-31 17:14 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2006-10-31 17:14 17,024 --a------ C:\WINDOWS\system32\drivers\hidir.sys
2006-10-24 12:10 <DIR> d-------- C:\Program Files\TMPGENC
2006-10-24 11:43 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Opera
2006-10-24 10:44 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-10-24 10:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2006-10-23 14:51 <DIR> d-------- C:\Program Files\hp deskjet 930c series
2006-10-23 14:51 <DIR> d-------- C:\Program Files\Hewlett-Packard
2006-10-23 14:50 53,248 --a------ C:\WINDOWS\system32\hpfinsta.exe
2006-10-23 14:50 274,432 --------- C:\WINDOWS\system32\hpfinst.dll
2006-10-23 14:50 262,144 --a------ C:\WINDOWS\system32\hpzcon04.dll
2006-10-23 14:50 200,704 --a------ C:\WINDOWS\system32\hpzcoi04.dll
2006-10-23 14:50 114,744 --a------ C:\WINDOWS\system32\hpzlnt04.dll
2006-10-22 21:58 <DIR> dr-h----- C:\Documents and Settings\Eric\Recent
2006-10-22 19:54 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\InstallShield
2006-10-21 21:28 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\uTorrent


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-19 23:49 -------- d-------- C:\Program Files\Common Files
2006-11-19 23:39 -------- d-------- C:\Program Files\Java
2006-11-19 23:13 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-19 02:21 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-11-10 03:10 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-01 13:07 353 --a--c--- C:\Documents and Settings\Eric\Application Data\AutoGK.ini
2006-11-01 04:35 -------- d-------- C:\Documents and Settings\Eric\Application Data\DivX
2006-10-25 12:36 -------- d-------- C:\Program Files\AOD
2006-10-24 11:56 -------- d-------- C:\Documents and Settings\Eric\Application Data\Adobe
2006-10-24 10:52 -------- d-------- C:\Program Files\Adobe
2006-10-24 10:49 -------- d-------- C:\Program Files\Common Files\Adobe
2006-10-22 20:06 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-10-17 16:42 -------- d-------- C:\Program Files\Google
2006-10-16 18:00 -------- d-------- C:\Documents and Settings\Eric\Application Data\Mozilla
2006-10-16 16:07 -------- d-------- C:\Program Files\DivX
2006-10-08 20:50 161555 --a------ C:\WINDOWS\EXPStudio's Audio Converter FREE Uninstaller.exe
2006-10-08 20:50 -------- d-------- C:\Program Files\EXPStudio
2006-10-08 20:41 -------- d-------- C:\Program Files\illiminable
2006-10-08 19:32 -------- d---s---- C:\Documents and Settings\Eric\Application Data\Microsoft
2006-10-08 19:32 -------- d-------- C:\Program Files\APSW
2006-10-08 15:36 -------- d-------- C:\Program Files\Kodak
2006-10-08 15:35 -------- d-------- C:\Program Files\Common Files\Kodak
2006-10-02 14:04 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-10-02 14:04 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-10-02 14:04 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-10-02 14:04 635486 --a------ C:\WINDOWS\system32\DivX.dll
2006-09-19 03:45 96256 --a------ C:\WINDOWS\system32\drivers\sptd4877.sys
2006-08-27 19:54 98304 --a--c--- C:\WINDOWS\system32\CmdLineExt.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Aim6"=""
"BlockAds"="\"C:\\Program Files\\Tweak-XP Pro 3\\AdBlocker.exe\""
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"D-Link AirPlus G"="C:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe"
"ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
"Lexmark X83 Button Monitor"="C:\\PROGRA~1\\LEXMAR~1\\ACMonitor_X83.exe"
"Lexmark X83 Button Manager"="C:\\PROGRA~1\\LEXMAR~1\\AcBtnMgr_X83.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1147054468\\ee\\AOLSoftware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="http://doppler.tbo.com/wfla_nowrad_fl.sm.jpg"
"SubscribedURL"="http://doppler.tbo.com/wfla_nowrad_fl.sm.jpg"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,e4,00,00,00,23,00,00,00,2b,02,00,00,df,01,00,00,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,12,03,00,00,19,01,00,00,a0,00,00,00,78,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,12,03,00,00,19,01,00,00,a0,00,00,00,78,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoDispBackgroundPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoStrCmpLogical"=dword:00000001
"ClearRecentDocsOnExit"=dword:00000000
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tray curb]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Playinside"
"hkey"="HKCU"
"command"="C:\\DOCUME~1\\Eric\\APPLIC~1\\GREATD~1\\Playinside.exe"
"inimapping"="0"

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe]
"Debugger"="\"C:\\DOCUME~1\\ERIC\\LOCALS~1\\TEMP\\RAR$EX01.516\\PROCEXP.EXE\""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\A6AFB94790702A57.job

Completion time: 06-11-19 23:51:10.26
C:\ComboFix.txt ... 06-11-19 23:51

Enginebuilder
2006-11-22, 09:58
Logfile of HijackThis v1.99.1
Scan saved at 1:55:39 AM, on 11/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\Common Files\AOL\1147054468\ee\AOLSoftware.exe
C:\Program Files\Tweak-XP Pro 3\AdBlocker.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Useful Programs\Helpful Programs\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1147054468\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro 3\AdBlocker.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

Enginebuilder
2006-11-22, 09:58
KASPERSKY ONLINE SCANNER REPORT
Monday, November 20, 2006 6:22:10 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 20/11/2006
Kaspersky Anti-Virus database records: 243318
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 69775
Number of viruses found: 14
Number of infected objects: 26 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:13:35

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\cashmessmoreboob\love ooze.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Documents and Settings\Eric\Application Data\great dash for\Playinside.exe Infected: not-a-virus:AdWare.Win32.Lop.bc skipped
C:\Documents and Settings\Eric\Application Data\great dash for\zvixmfoa.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Documents and Settings\Eric\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Eric\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Eric\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Eric\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Eric\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Eric\Local Settings\History\History.IE5\MSHist012006112020061121\index.dat Object is locked skipped
C:\Documents and Settings\Eric\Local Settings\Temp\~DFB75D.tmp Object is locked skipped
C:\Documents and Settings\Eric\Local Settings\Temporary Internet Files\Content.IE5\C3YHKXWD\wireshark-setup-0.99.4[1].exe Object is locked skipped
C:\Documents and Settings\Eric\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Eric\ntuser.dat Object is locked skipped
C:\Documents and Settings\Eric\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Excite\PrvtMsgr\bin\x8Idle0.dll Infected: not-a-virus:AdWare.Win32.IWon.a skipped
C:\QooBox\Purity\WINDOWS\system32\SEMBLY~1\jаvaw.exe Infected: not-a-virus:AdWare.Win32.PurityScan.ex skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{1B01CE5E-787A-4556-AFF0-8FBEFB1FAC3C}\RP135\A0084835.exe Infected: Trojan-Downloader.Win32.VB.wz skipped
C:\System Volume Information\_restore{1B01CE5E-787A-4556-AFF0-8FBEFB1FAC3C}\RP135\A0085848.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\System Volume Information\_restore{1B01CE5E-787A-4556-AFF0-8FBEFB1FAC3C}\RP135\A0085852.dll Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\System Volume Information\_restore{1B01CE5E-787A-4556-AFF0-8FBEFB1FAC3C}\RP135\A0086862.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{1B01CE5E-787A-4556-AFF0-8FBEFB1FAC3C}\RP135\A0086863.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\System Volume Information\_restore{1B01CE5E-787A-4556-AFF0-8FBEFB1FAC3C}\RP137\change.log Object is locked skipped
C:\System Volume Information\_restore{1B01CE5E-787A-4556-AFF0-8FBEFB1FAC3C}\RP77\A0058944.exe Infected: not-a-virus:AdWare.Win32.Lop.ai skipped
C:\System Volume Information\_restore{1B01CE5E-787A-4556-AFF0-8FBEFB1FAC3C}\RP79\A0058983.exe Infected: Trojan-Downloader.Win32.Swizzor.fg skipped
C:\System Volume Information\_restore{1B01CE5E-787A-4556-AFF0-8FBEFB1FAC3C}\RP79\A0058984.exe Infected: Trojan-Downloader.Win32.Swizzor.fg skipped
C:\Useful Programs\Helpful Programs\HijackThis\backups\backup-20060705-171112-922.dll Infected: Trojan-Downloader.Win32.Swizzor.fg skipped
C:\Useful Programs\Helpful Programs\HijackThis\backups\backup-20061119-022147-371.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\Useful Programs\Helpful Programs\HijackThis\backups\backup-20061119-030537-684.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ex skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\ddccccy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ex skipped
C:\WINDOWS\system32\donotuse.dll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd4877.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
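
A practitioner reading a report like this wants the live hits separated from copies parked in System Restore points and tool quarantines, with the "Object is locked" lines (in-use system files, not detections) dropped. The following added example (Python; it is not part of the thread, of Kaspersky's scanner or of any tool named here) does that triage on a few lines copied from the report above. The sample text, the location rules and the category names are the example's own assumptions; the QooBox file name is retyped in plain ASCII.

```python
"""Triage a Kaspersky Online Scanner report: separate live detections from
copies sitting in System Restore points and tool quarantines, and drop the
"Object is locked" noise.  Added example, not part of the thread or of Kaspersky."""
import re
from typing import Dict, List, Tuple

# One regex per result shape.  Paths may contain spaces, so the path group is
# non-greedy and anchored by the literal status text that follows it.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\S+)$")

# Where a hit lives decides what to do about it (matched case-insensitively):
#  - System Restore keeps copies of removed files; purge them by turning
#    System Restore off and on again, not by deleting files by hand.
#  - HijackThis\backups and ComboFix's QooBox folder hold quarantined copies
#    of things already removed; they are inert until restored.
LOCATION_RULES: List[Tuple[str, str]] = [
    (r"\\System Volume Information\\_restore", "restore_point"),
    (r"\\HijackThis\\backups\\", "tool_backup"),
    (r"\\QooBox\\", "tool_backup"),
]


def classify(path: str) -> str:
    """Label a detected path as restore_point, tool_backup or live."""
    for pattern, label in LOCATION_RULES:
        if re.search(pattern, path, re.IGNORECASE):
            return label
    return "live"


def triage_report(text: str) -> Dict[str, object]:
    """Group 'Infected:' lines by location; count locked objects separately."""
    result: Dict[str, object] = {"live": [], "restore_point": [], "tool_backup": [], "locked": 0}
    for raw in text.splitlines():
        line = raw.strip()
        m = INFECTED_RE.match(line)
        if m:
            result[classify(m["path"])].append((m["path"], m["name"]))  # type: ignore[union-attr]
            continue
        if LOCKED_RE.match(line):
            result["locked"] += 1  # type: ignore[operator]  # in-use system files, not detections
    return result


# Constructed sample: a handful of lines copied from the report in this thread.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\cashmessmoreboob\love ooze.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Documents and Settings\Eric\Cookies\index.dat Object is locked skipped
C:\Program Files\Excite\PrvtMsgr\bin\x8Idle0.dll Infected: not-a-virus:AdWare.Win32.IWon.a skipped
C:\QooBox\Purity\WINDOWS\system32\SEMBLY~1\javaw.exe Infected: not-a-virus:AdWare.Win32.PurityScan.ex skipped
C:\System Volume Information\_restore{1B01CE5E-787A-4556-AFF0-8FBEFB1FAC3C}\RP135\A0084835.exe Infected: Trojan-Downloader.Win32.VB.wz skipped
C:\Useful Programs\Helpful Programs\HijackThis\backups\backup-20060705-171112-922.dll Infected: Trojan-Downloader.Win32.Swizzor.fg skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\ddccccy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ex skipped
"""

if __name__ == "__main__":
    summary = triage_report(SAMPLE_REPORT)
    for label in ("live", "restore_point", "tool_backup"):
        print(f"{label}:")
        for path, name in summary[label]:  # type: ignore[union-attr]
            print(f"  {name:45} {path}")
    print(f"locked objects (ignored): {summary['locked']}")
```

Only the "live" group needs hands-on removal; the restore-point copies go away when System Restore is flushed, and the tool backups are safe to leave until the cleanup is confirmed finished.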

LonnyRJones
2006-11-22, 11:45
Hi

I've combined your threads; confine your posts to this thread, please.


Do you have windows set to show hidden files and folders ?
Are these files still present ?
C:\WINDOWS\system32\llkkj.bak1
C:\WINDOWS\system32\donotuse.dll
C:\WINDOWS\system32\jkkll.dll
C:\WINDOWS\system32\ddccccy.dll
C:\\DOCUMENTS AND SETTING\Eric\APPLICTION DATA\GREATD~1 < not sure of full name

Enginebuilder
2006-11-22, 19:58
Thank you for your response; I started a new thread assuming that the title of my last thread was misleading, and caused would-be helpers to pass it by, thinking the problem had been resolved.

As for the following files:

C:\WINDOWS\system32\llkkj.bak1 <--- still present
C:\WINDOWS\system32\donotuse.dll <--- gone
C:\WINDOWS\system32\jkkll.dll <--- gone
C:\WINDOWS\system32\ddccccy.dll <--- still present
C:\\DOCUMENTS AND SETTING\Eric\APPLICTION DATA\GREATD~1 <--- gone

I have not deleted the files llkkj.bak1 & ddccccy.dll presuming that you may want a copy of them.

I will have to take my laptop to work with me this afternoon, and it will not have direct internet access- I will however be able to continue communication through a computer at work. (this rules out any further online scans, but I should be able to x-fer any programs to my laptop via cd or usb flash drive)

LonnyRJones
2006-11-23, 01:14
Lets use vundofix on it

Please download VundoFix.exe (http://www.atribune.org/content/view/24/2/)
to the root drive, e.g. Local Disk C: or the partition where your operating system is installed.
Double-click VundoFix.exe to run it.
Click Scan for Vundo. When it is finished scanning, if this file isn't detected, add it:
Right-click the list box, then select Add files and add
C:\WINDOWS\system32\ddccccy.dll

Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click Yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shut down your computer; click OK.
Wait two minutes, then turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HijackThis log.

Enginebuilder
2006-11-23, 02:39
Performed operations as requested; logfiles follow

VundoFix V6.2.11

Checking Java version...

Java version is 1.5.0.6

Scan started at 8:19:01 PM 11/22/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete c:\windows\system32\ddccccy.dll
c:\windows\system32\ddccccy.dll Has been deleted!

Performing Repairs to the registry.
Done!


Logfile of HijackThis v1.99.1
Scan saved at 8:36:41 PM, on 11/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Useful Programs\Helpful Programs\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1147054468\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SRFirstRun] rundll32 srclient.dll,CreateFirstRunRp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
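
Vundo/Virtumonde persists by registering one DLL both as an Internet Explorer BHO (an O2 line) and as a Winlogon Notify handler (an O20 line), so it is loaded by iexplore.exe and by winlogon.exe and reappears when only one entry is fixed. The following added example (Python; it is not part of the thread or of HijackThis) flags that pattern in a log. The sample log mixes two clean lines from the log above with constructed O2/O20 lines naming jkkll.dll and ddccccy.dll, the files discussed in this thread; the all-zero CLSID on the unnamed BHO is a placeholder, and the "random-looking name" heuristic is the example's own.

```python
"""Flag the Vundo/Virtumonde persistence pattern in a HijackThis log.
Added example; not part of the thread or of HijackThis."""
import re
from typing import Dict, List

# HijackThis line shapes for the two sections this check cares about.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")


def dll_stem(path: str) -> str:
    """'C:\\WINDOWS\\system32\\jkkll.dll' -> 'jkkll' (handles / and \\ separators)."""
    return re.split(r"[\\/]", path)[-1].rsplit(".", 1)[0]


def looks_random(stem: str) -> bool:
    """Heuristic for generated file names: no vowels in a name of 5+ letters
    (jkkll) or any character repeated three times in a row (ddccccy)."""
    s = stem.lower()
    if len(s) >= 5 and not re.search(r"[aeiou]", s):
        return True
    return re.search(r"(.)\1\1", s) is not None


def triage(log: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious O2/O20 line, plus one finding for
    every DLL that appears in both sections (the Vundo hallmark)."""
    findings: List[Dict[str, object]] = []
    bho_dlls: Dict[str, str] = {}
    notify_dlls: Dict[str, str] = {}
    for raw in log.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            stem = dll_stem(m["path"]).lower()
            bho_dlls[stem] = m["path"]
            reasons = []
            if m["name"].strip().lower() == "(no name)":
                reasons.append("BHO registered without a name")
            if looks_random(stem):
                reasons.append("random-looking DLL name")
            if reasons:
                findings.append({"section": "O2", "path": m["path"], "reasons": reasons})
            continue
        m = NOTIFY_RE.match(line)
        if m:
            stem = dll_stem(m["path"]).lower()
            notify_dlls[stem] = m["path"]
            if looks_random(stem):
                findings.append({"section": "O20", "path": m["path"],
                                 "reasons": ["random-looking DLL in Winlogon Notify"]})
    for stem in sorted(bho_dlls.keys() & notify_dlls.keys()):
        findings.append({"section": "O2+O20", "path": bho_dlls[stem],
                         "reasons": ["same DLL loaded as an IE BHO and as a Winlogon Notify handler"]})
    return findings


# Constructed sample: two clean lines from the thread's log, an unnamed BHO
# with a placeholder CLSID, and O20 lines for the DLLs named in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\jkkll.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O20 - Winlogon Notify: jkkll - C:\WINDOWS\system32\jkkll.dll
O20 - Winlogon Notify: ddccccy - C:\WINDOWS\system32\ddccccy.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:7} {f['path']}")
        for reason in f["reasons"]:  # type: ignore[union-attr]
            print(f"        - {reason}")
```

The name heuristic is deliberately narrow so that ordinary vendor DLLs (AcroIEHelper, googletoolbar1, ssv) pass; the decisive signal is the O2+O20 pairing, which is why the thread's fix had to remove the file and both registry references in one pass rather than letting HijackThis fix the entries one at a time.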

LonnyRJones
2006-11-23, 02:44
C:\WINDOWS\system32\llkkj.bak1 < delete that file manually

Any problems now ?

Think Prevention: Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that process about once or twice a month

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279
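
A blocking hosts file such as the MVPS one works by mapping ad and malware hostnames to 0.0.0.0 or 127.0.0.1. The same file is also a favourite malware target: an entry that points a real hostname at a routable address silently redirects that name. The following added example (Python; not part of the thread, of the MVPS file or of Windows) audits a hosts file for exactly that: it counts sinkholed names and reports any mapping to a non-loopback address, plus duplicates and unparseable addresses. The sample hosts text, its example.* hostnames and the 198.51.100.7 "hijack" line are all constructed for the example.

```python
"""Audit a hosts file: count sinkholed names and flag mappings that point a
hostname at a routable address.  Added example; not part of the thread."""
import ipaddress
import sys
from typing import Dict, Iterator, List, Tuple


def parse_hosts(text: str) -> Iterator[Tuple[str, str, int]]:
    """Yield (ip, hostname, line_number) for every mapping in hosts syntax:
    'IP name [name ...]', with '#' starting a comment."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:          # blank, comment-only or malformed line
            continue
        for host in parts[1:]:
            yield parts[0], host.lower(), lineno


def audit_hosts(text: str) -> Dict[str, object]:
    """Classify every mapping.  0.0.0.0 / loopback targets are blocklist
    entries; anything else (except 'localhost') is reported for review."""
    blocked, dupes, seen = set(), set(), set()
    suspicious: List[Tuple[int, str, str]] = []
    invalid: List[Tuple[int, str]] = []
    for ip, host, lineno in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            invalid.append((lineno, ip))
            continue
        if host in seen:
            dupes.add(host)
        seen.add(host)
        if host == "localhost":
            continue
        if addr.is_unspecified or addr.is_loopback:
            blocked.add(host)
        else:
            suspicious.append((lineno, host, ip))
    return {"blocked": sorted(blocked), "duplicates": sorted(dupes),
            "suspicious": suspicious, "invalid": invalid}


# Constructed sample hosts file (not the MVPS file); example.* names only.
SAMPLE_HOSTS = """\
# sample hosts file used by the example
127.0.0.1       localhost
0.0.0.0  ads.example.com           # MVPS-style sinkhole entry
0.0.0.0  ads.example.net
0.0.0.0  ads.example.net           # duplicate: harmless, but worth noting
0.0.0.0  tracker.example.org stats.example.org
198.51.100.7  update.example.com   # constructed hijack: routable address
300.1.1.1  broken.example.com      # unparseable address
"""

if __name__ == "__main__":
    # With a path argument audit that file (e.g. the Windows hosts file);
    # without one, audit the constructed sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    report = audit_hosts(text)
    print(f"sinkholed hostnames: {len(report['blocked'])}")  # type: ignore[arg-type]
    for lineno, host, ip in report["suspicious"]:  # type: ignore[union-attr]
        print(f"REVIEW line {lineno}: {host} -> {ip}")
    for lineno, ip in report["invalid"]:  # type: ignore[union-attr]
        print(f"INVALID line {lineno}: {ip!r}")
    if report["duplicates"]:
        print("duplicates:", ", ".join(report["duplicates"]))  # type: ignore[arg-type]
```

Run it against C:\WINDOWS\system32\drivers\etc\hosts after each monthly refresh: a growing sinkhole count is expected, but any line in the REVIEW list that you did not add yourself deserves the same attention as a BHO you do not recognise.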

Enginebuilder
2006-11-23, 03:12
A few concerns:
1: one of my USB ports (the one which my adapter was attached to at the beginning of the malware attack) is still not recognizing my wireless adapter.
2: Windows is still not recognizing being connected to the router, even when it is.
3: Explorer.exe seems to have an exceptionally high memory usage? (17.962mb)
4: when I connect my USB adapter, svchost.exe (the one for dns client) runs up to 99% cpu- it does this until I unplug the USB adapter.

LonnyRJones
2006-11-23, 07:20
Download then install avg antirootkit
http://fileforum.betanews.com/detail/AVG_AntiRootkit/1154697799/1
Follow the prompts to restart your PC, then run the program and do an in-depth search. When it's finished, press save results and post it in your next reply.

Enginebuilder
2006-11-23, 09:23
No rootkits detected. Unable to save logfile (option greyed out), presumably because there was nothing detected?


Here's what I've come up with as a work-around for my internet connectivity problems:

1: I had to stop the D-Link 802.11g wireless configuration service "ANIWZCSd"
2: Restart Wireless Zero Configuration Service
3: Enable/Start DHCP service (not sure why this was disabled?!)

After step 2, Windows was able to detect the router; after step 3 it was able to connect (sort of).
It attempted to connect, but was stuck "Acquiring Network Address". I opened Task Manager, and there was an instance of svchost.exe using 99% of the CPU; I decided to stop the process and I instantly had a network connection.

Looking at the Event Viewer, under the System tab, I noticed the following:

"Error: The DNS Client service terminated unexpectedly. It has done this 1 time(s)."
This is presumably the service which was using 99% CPU- When I terminated it via task manager, it created this notification.

The next Event in the list is:
"The system detected that network adapter \DEVICE\TCPIP_{99D9A23A-1499-44FD-9C47-03E8DF3FE33C} was connected to the network, and has initiated normal operation over the network adapter."

I have cleared this event list, and rebooted normally- I have the following errors on startup:

Error Source: Netlogon
Description of Error: "This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration."
*Wtf?!

Error Source: sptd
Error Description: "Driver detected an internal error in its data structures for ."
*This is a system file installed by Daemon Tools, an image drive application. I assume that when I repaired Windows, this driver got removed/deleted or otherwise unregistered; will probably be fixed upon reinstallation of Daemon Tools.

Error Source: Service Control Manager
Error Description:"Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service."
*obvious

Error Source: W32Time
Error Description: "Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.nist.gov,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)"
*obvious

I also have the following warnings:

Warning Source: Remote Access
Warning Description: "Unable to contact a DHCP server. The Automatic Private IP Address 169.254.215.71 will be assigned to dial-in clients. Clients may be unable to access resources on the network."
*WTF?!

Warning Source: Remote Access
Warning Description: "A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate. No L2TP calls will be accepted."
*WTF?!

These Errors/Warnings prompt the following questions:
1: Are the "Remote Access" warnings, in conjunction with the DNS Client/Netlogon problem indicative of further malware infection?
2: Is there a way to reconfigure Netlogon?
3: What would/could be causing the DNS Client malfunction; and/or is there a way to repair/replace/reinstall the service?

LonnyRJones
2006-11-23, 09:41
I assume you've already done the obvious: turn the PC off, unplug the router's power source,
unplug the modem's power source, wait 2 minutes, plug the modem in, wait a bit, plug the router in and turn the PC on?

The malware we have tackled here does not cause the problems you're having.

Enginebuilder
2006-11-23, 09:54
Yeah, tried power cycling both the router, the cable modem and the PC; no effect. I've perm. disabled the ANI* service, made the WZC service automatic, but every time I boot the computer, I have to stop the DNS Client service before I can connect to my router...

I'm curious to figure out the problem with the DNS Client.. Are you familiar with any way I could debug this process?

Enginebuilder
2006-11-23, 09:59
At this point, I would like to thank you for your assistance; while I am still experiencing problems with my pc, I do not expect that they are malware related.
Any further assistance you can provide in the continuing repair of my laptop will be greatly appreciated, but I understand if you decide that you need to move on to other, malware-related problems..


-Regards,

Eric

LonnyRJones
2006-12-02, 14:54
I'm glad we could help.
Since the malware problems are solved I'm going to close the topic now; this keeps others with similar problems from posting their logs/questions here. They should start a new topic.

If you should need to post another log for the same PC let one of us know via a PM (personal message).