Spybot powers off computer at win32.agent..



zachj
2006-12-18, 23:59
Spybot powers off the computer at Win32.Agent. And something: C.Toolbar, SurfSideKick and System Doctor, which I notice right before Win32.Agent.

I opened the computer case and blew out all the dust, and I tried the SpeedSwitch program, but that did not work.

I have run Ad-Aware fine and I have AVG antivirus. I recently upgraded to Windows XP Service Pack 2; I had Service Pack 1 previously.

I ran chkdsk /F and /R.

What do I need to do now?

thanks
Zach

shelf life
2006-12-19, 01:02
Hi zachj,

Download HJT, but don't scan with it yet. Also download AVG Anti-Spyware and scan with that first, reboot the computer once, then scan with HJT and post the HJT log.

HiJackThis log

* Downloads:
* Please make sure you have the latest version. HJT 1.99.1
* http://www.downloads.subratam.org/hijackthis.zip
* If you are unfamiliar with zip programs get HijackThis.exe here:
* http://www.merijn.org/files/HijackThis.exe

* First put hijackthis into a permanent folder.
* Do this first - go to C: and create a new permanent folder.
Example C:\AntiSpyWare or C:\hijackthis
* This is necessary to ensure you have backups should anything go wrong.
* Then put (or download - choose "save" not "run") the hijackthis.exe file in this folder.
If you downloaded a zipped HJT file unzip it to the permanent folder so you have C:\hijackthis\hijackthis.exe.
* Example of the wrong way:
C:\DOCUME~1\Name\LOCALS~1\Temp\Temporary Directory for hijackthis.zip\HijackThis.exe
* Running hjt from the wrong folder may delay assistance as your helper will have to ask for a new log

* Double click HijackThis.exe.
* Hit None Of The Above, just start the program.
* Hit Scan.
* When the scan is finished, the "Scan" button will change into a "Save Log" button.
* Click that, save the log somewhere, and copy/paste in this thread
a) The HJT log
---------------------------------------------------------------------
Download, install, update and scan with AVG Anti-Spyware:

Download Ewido Anti-Spyware, a 30-day trial version. Install, update and run it:

http://www.ewido.net/en/download/

Download, install, click on Update now.

Ewido will download/install the latest definition file.

Next:
--> Click on scanner.
-->Run a full system scan
-->ewido will scan.
-->While the scan is in progress you will be prompted to clean files, click OK.
Select Perform action on all infections
-->Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
-->Click Save report.
Save the report to your desktop.
---------------------------------------------------
shelf life

zachj
2006-12-19, 05:31
How do you get HijackThis to save a log file? I hit log file and nothing happens, or I have no clue where the file went. I can get it to save a startup log, but it doesn't seem this is the same thing.

Zach

shelf life
2006-12-19, 12:22
Hi zachj,

Double click HijackThis.exe.
* Hit None Of The Above, just start the program.
* Hit Scan.
* When the scan is finished, the "Scan" button will change into a "Save Log" button.
* Click that, save the log somewhere, and copy/paste in this thread

When you hit Save Log the log is put in the same folder that HJT is in, but you could save it somewhere else.
------------------------------------
If that doesn't work this time, rename the HJT icon (right-click on icon > Rename) and call it scan.exe, then try again.

shelf life

zachj
2006-12-20, 00:41
Ah, there we go; I had to change the icon name. Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 2:39:49 PM, on 12/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\hijackthis\scan.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
O2 - BHO: (no name) - {0FC1C4CA-3F9D-4548-AF67-50E10FE9685F} - (no file)
O2 - BHO: (no name) - {11F0EE13-5947-2942-F631-09BEB2706006} - (no file)
O2 - BHO: Internet Explorer Protector - {1B77D30A-81C9-497A-8647-142F7511B1FB} - C:\Program Files\IE Protector\ieprotector.dll
O2 - BHO: (no name) - {380739FB-EB33-8E37-C659-02260E8D29C4} - (no file)
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\kxjuwbvm.dll
O2 - BHO: (no name) - {45B70304-6774-6631-26BC-0B328E8CE570} - (no file)
O2 - BHO: (no name) - {48741F83-B50D-4327-9B1B-15F0DF9789FB} - C:\WINDOWS\System32\ddcyw.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\2.bin\ND2FNBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - (no file)
O2 - BHO: (no name) - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IPPDetect] IPP4Detect.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [mxwpic.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\mxwpic.dll,wealicb
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\ysrnkfcd.dll",setvm
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {05842B0C-271B-412F-958F-D1A8F6CAD937} (ClickLoan Control) - https://www.clickloan.com/CAB/GenClickLoan/1,0,0,12/GenClickLoan.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://www.taylorbeanonline.com/scriptx/smsx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://chlwholesaletraining.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: ddcyw - C:\WINDOWS\System32\ddcyw.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ssqpm - C:\WINDOWS\System32\ssqpm.dll (file missing)
O20 - Winlogon Notify: winxtx32 - winxtx32.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

shelf life
2006-12-20, 03:22
Hi zachj,

Good.
Look in the Add/Remove Programs panel and uninstall Need2Find if it's present.

next:

VundoFix by Atri

Please download VundoFix.exe to your desktop.

http://www.atribune.org/ccount/click.php?id=4

* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.


Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
-----------------------------------------------------------------------------
After running VundoFix do this:

Some of these may be gone after running VundoFix; if you don't see one of the items, don't worry.

Scan with HJT, put a checkmark beside the items below, close all windows and click Fix checked.

O2 - BHO: (no name) - {0FC1C4CA-3F9D-4548-AF67-50E10FE9685F} - (no file)
O2 - BHO: (no name) - {11F0EE13-5947-2942-F631-09BEB2706006} - (no file)
O2 - BHO: (no name) - {380739FB-EB33-8E37-C659-02260E8D29C4} - (no file)

O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\kxjuwbvm.dll

O2 - BHO: (no name) - {45B70304-6774-6631-26BC-0B328E8CE570} - (no file)

O2 - BHO: (no name) - {48741F83-B50D-4327-9B1B-15F0DF9789FB} - C:\WINDOWS\System32\ddcyw.dll

O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\2.bin\ND2FNBAR.DLL

O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - (no file)
O2 - BHO: (no name) - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - (no file)

O4 - HKLM\..\Run: [mxwpic.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\mxwpic.dll,wealicb

O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe

O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\ysrnkfcd.dll",setvm

O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM

O18 - Filter: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: ddcyw - C:\WINDOWS\System32\ddcyw.dll
O20 - Winlogon Notify: ssqpm - C:\WINDOWS\System32\ssqpm.dll (file missing)
O20 - Winlogon Notify: winxtx32 - winxtx32.dll (file missing)
--------------------------------------------------------------

Last: please reboot the computer once, rescan with scan.exe (HJT) and post a new log.

shelf life

zachj
2006-12-20, 05:06
Looks like HijackThis got everything but this one:
O2 - BHO: (no name) - {380739FB-EB33-8E37-C659-02260E8D29C4} - (no file)

Also got this text error that came up during HijackThis:

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll)
Error #5 - Invalid procedure call or argument
Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible
Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

And new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:58:48 PM, on 12/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\hijackthis\scan.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
O2 - BHO: (no name) - {08B0A51B-0C50-4B9A-99B5-89AC1E56E533} - C:\WINDOWS\System32\ddcyw.dll (file missing)
O2 - BHO: Internet Explorer Protector - {1B77D30A-81C9-497A-8647-142F7511B1FB} - C:\Program Files\IE Protector\ieprotector.dll
O2 - BHO: (no name) - {380739FB-EB33-8E37-C659-02260E8D29C4} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IPPDetect] IPP4Detect.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {05842B0C-271B-412F-958F-D1A8F6CAD937} (ClickLoan Control) - https://www.clickloan.com/CAB/GenClickLoan/1,0,0,12/GenClickLoan.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://www.taylorbeanonline.com/scriptx/smsx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://chlwholesaletraining.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

shelf life
2006-12-20, 23:22
Hi zachj,

Good, thanks. Looks like HJT couldn't make a backup for some reason; no big deal.
Can you post the C:\vundofix.txt?

Run HJT again and select to fix:

O2 - BHO: (no name) - {08B0A51B-0C50-4B9A-99B5-89AC1E56E533} - C:\WINDOWS\System32\ddcyw.dll (file missing)

O2 - BHO: (no name) - {380739FB-EB33-8E37-C659-02260E8D29C4} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - (no file)
--------------------------------------
Did you install this software: IE Protector?

Looks like you have set some items not to start with Windows by using msconfig? Are you sure it's not malware? Unchecking it with msconfig may cause it not to appear in the HJT log.

zachj
2006-12-20, 23:54
Oh yeah, I forgot about the VundoFix; that and then the new HijackThis log are below. Also, I did check off items in the startup such as MSN, eFax, Yahoo etc.


VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 6:32:14 PM 12/19/2006

Listing files found while scanning....

C:\WINDOWS\system32\mllml.dll
C:\WINDOWS\System32\ddcyw.dll
C:\WINDOWS\System32\wycdd.ini
C:\WINDOWS\System32\wycdd.bak1
C:\WINDOWS\System32\wycdd.bak2
C:\WINDOWS\System32\wycdd.ini2
C:\WINDOWS\System32\wycdd.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\mllml.dll
C:\WINDOWS\system32\mllml.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\ddcyw.dll
C:\WINDOWS\System32\ddcyw.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\wycdd.ini
C:\WINDOWS\System32\wycdd.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\wycdd.bak1
C:\WINDOWS\System32\wycdd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\wycdd.bak2
C:\WINDOWS\System32\wycdd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\wycdd.ini2
C:\WINDOWS\System32\wycdd.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\wycdd.tmp
C:\WINDOWS\System32\wycdd.tmp Has been deleted!

Performing Repairs to the registry.
Done!


New HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:51:48 PM, on 12/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\AIM\aim.exe
C:\WINPOINT\winpoint.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\scan.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
O2 - BHO: Internet Explorer Protector - {1B77D30A-81C9-497A-8647-142F7511B1FB} - C:\Program Files\IE Protector\ieprotector.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IPPDetect] IPP4Detect.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {05842B0C-271B-412F-958F-D1A8F6CAD937} (ClickLoan Control) - https://www.clickloan.com/CAB/GenClickLoan/1,0,0,12/GenClickLoan.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://www.taylorbeanonline.com/scriptx/smsx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://chlwholesaletraining.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
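
The fix list shelf life posted earlier and the VundoFix file list in this reply both follow patterns a helper applies by eye: registry entries whose file is already gone, random-named DLLs in System32 loaded by rundll32, AppInit_DLLs or Winlogon Notify, services with no vendor and no binary, and Vundo's habit of keeping a companion .ini whose name is the DLL's name spelled backwards (ddcyw.dll / wycdd.ini). The script below is an added example, not part of this thread and not code from HijackThis or VundoFix; it parses a constructed subset of the log lines posted above and applies those rules. The KNOWN_NOTIFY allowlist and the wording of each rule are my assumptions, not something the thread states.

```python
import os
import re
from collections import namedtuple

Finding = namedtuple("Finding", ["section", "reason", "line"])

# Constructed sample: a subset of the entries from the HijackThis log posted in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {0FC1C4CA-3F9D-4548-AF67-50E10FE9685F} - (no file)
O2 - BHO: (no name) - {48741F83-B50D-4327-9B1B-15F0DF9789FB} - C:\WINDOWS\System32\ddcyw.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - (no file)
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\ysrnkfcd.dll",setvm
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: ddcyw - C:\WINDOWS\System32\ddcyw.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# Constructed sample: the files VundoFix listed in this thread.
SAMPLE_VUNDOFIX_FILES = [
    r"C:\WINDOWS\system32\mllml.dll",
    r"C:\WINDOWS\System32\ddcyw.dll",
    r"C:\WINDOWS\System32\wycdd.ini",
    r"C:\WINDOWS\System32\wycdd.bak1",
]

# Assumption: Winlogon Notify packages that ship with XP, plus the Intel graphics
# package seen in this log. Anything else loading into winlogon.exe deserves a look.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon", "igfxcui"}

SYSTEM32_DLL = re.compile(r"[a-z]:\\windows\\system32\\([a-z0-9_]+)\.dll", re.I)
SECTION = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")


def triage_hjt(log_text):
    """Return a Finding for each HJT entry a helper would normally tell the user to fix."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if not m:
            continue
        sec, body = m.groups()
        low = body.lower()
        if sec in ("O2", "O3", "O18") and "(no file)" in low:
            findings.append(Finding(sec, "orphaned entry, file already gone; safe to fix", line))
        elif sec == "O2" and low.startswith("bho: (no name)") and SYSTEM32_DLL.search(low):
            findings.append(Finding(sec, "unnamed BHO loading a DLL straight from System32", line))
        elif sec == "O4" and "rundll32" in low and SYSTEM32_DLL.search(low):
            findings.append(Finding(sec, "rundll32 autorun of a System32 DLL with no vendor name", line))
        elif sec == "O20" and low.startswith("appinit_dlls:") and low.split(":", 1)[1].strip():
            findings.append(Finding(sec, "AppInit_DLLs injects into every GUI process; normally empty on XP", line))
        elif sec == "O20" and low.startswith("winlogon notify:"):
            # "Winlogon Notify: <name> - <path>"; the name is the registry subkey.
            name = low.split(":", 1)[1].split("-")[0].strip()
            if name not in KNOWN_NOTIFY or "(file missing)" in low:
                findings.append(Finding(sec, "Winlogon Notify package not in the known set", line))
        elif sec == "O23" and "unknown owner" in low and "(file missing)" in low:
            findings.append(Finding(sec, "service with no vendor and no binary on disk", line))
    return findings


def vundo_pairs(paths):
    """Pair each DLL with files whose base name is the DLL's name spelled backwards,
    the companion-file naming Vundo used (ddcyw.dll with wycdd.ini)."""
    stems = {}
    for p in paths:
        stem, ext = os.path.splitext(os.path.basename(p.replace("\\", "/")))
        stems.setdefault(stem.lower(), []).append(ext.lower())
    pairs = []
    for stem, exts in stems.items():
        mirror = stem[::-1]
        if ".dll" in exts and mirror != stem and mirror in stems:
            pairs.append((stem, mirror))
    return sorted(pairs)


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
    for dll, companion in vundo_pairs(SAMPLE_VUNDOFIX_FILES):
        print(f"Vundo-style pair: {dll}.dll <-> {companion}.*")
```

Run against the sample, the triage flags exactly the entries shelf life told zachj to fix and leaves the Google and AVG lines alone; the pair check reports ddcyw/wycdd and ignores mllml.dll, which has no mirrored companion in the list.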

shelf life
2006-12-21, 02:15
Hi zachj,

That last log looks good. If all is well, I leave you with this:

Be careful of what you download, and where you download it from. Many programs come bundled with extra software. You may be installing more than you think. Learn more about the program: does it come bundled with other "3rd party" programs? What do they do? If you search hard enough you can always find a "clean" alternative to any software. Check this database: Spyware Guide (http://www.spywareguide.com/) or this: Library (http://research.sunbelt-software.com/Browse_Library.cfm) before installing free/shareware.

Make sure you keep your Windows OS/browser current by visiting Windows Update (http://v4.windowsupdate.microsoft.com/en/default.asp)
occasionally to download and install any critical updates and service packs. These will patch flaws/bugs that can be exploited.

Adjust your browser settings: change your ActiveX settings in IE. With IE open go to Tools, Internet Options, Security tab. Click on the Internet globe, then Custom Level. Set the first option "Download signed ActiveX controls" to Prompt, and the next two to Disable. Read more:
Working with Internet Explorer 6 Security (http://www.microsoft.com/windows/ie/using/howto/security/settings.mspx). Use XP? Consider using IE 7.0.
Many exploits are directed at Internet Explorer; you don't have to use it. Try a different browser. You can have and use more than one browser on your computer,
like Firefox (http://www.mozilla.org/products/firefox/) or Opera (http://www.opera.com/index.dml).
Visit these excellent websites to have your browser tested: Jason Levine's Toolbox (http://www.jasons-toolbox.com/BrowserSecurity/) or Browser Security Check (http://bcheck.scanit.be/bcheck/)


Install a firewall: a firewall will help to control what comes in from the internet and what leaves your computer to the internet. Zone Alarm is a free and easy-to-use firewall that will provide in- and outbound protection. It's important to know/learn what routinely needs an internet connection.
Zone Alarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=dbtopnav_zass)
OutPost Lite (http://www.agnitum.com/products/outpostfree/download.php)
Jetico Personal Firewall (http://www.jetico.com/index.htm#/jpfirewall.htm)
Look n Stop (http://www.looknstop.com/En/index2.htm)

Outlook Express with the default settings is not secure. It will run scripts, download images etc., just like a browser, but this was the old Outlook Express. Service Pack 2 has made huge improvements to Outlook, but just like with Internet Explorer, you don't have to use it.
Try Pegasus E-Mail (http://www.pmail.com/).

Make sure you have and keep updated antivirus software.
Free for home users:
avast! 4 Home Edition Download (http://www.avast.com/eng/free_virus_protectio.html)
AVG free version 7.0 (http://free.grisoft.com/freeweb.php/doc/2/)
AntiVir Personal Edition (http://www.free-av.com/)
Clam Win (http://www.Clamwin.com/component/option,com_frontpage/Itemid,1/)

Download one or two of these, install and update before using (if these are constantly finding malware, then you need to make changes to your browser and/or your habits):
SuperAntiSpyware (http://www.superantispyware.com/)
Avg AntiSpyware (http://free.grisoft.com/doc/1)
Spybot Search and destroy (http://www.safer-networking.org/en/index.html)
Ad-Aware SE Personal edition (http://www.lavasoft.de/)
Microsoft Windows Defender (http://www.microsoft.com/athome/security/spyware/software/default.mspx)
CounterSpy (http://www.sunbelt-software.com/)

Be careful with spyware "removers and scanners": there are many "rogue/suspect" (http://www.spywarewarrior.com/rogue_anti-spyware.htm) programs that "claim to remove" spyware. Check here first.


Anti-Trojan software to fill in the gap:
a2 free (http://www.emsisoft.com/en/software/free/)
Ewido Anti-Spyware (http://www.ewido.net/en/)
Trojan Hunter (http://www.misec.net/)
Tauscan trial version (http://www.agnitum.com/products/tauscan/)

Other programs to consider:
Process Guard (http://www.diamondcs.com.au/processguard/) stops events/processes with user intervention
SpywareBlaster (http://www.bleepingcomputer.com/forums/index.php?showtutorial=49) adds security to IE
IE-SPYAD (https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD) adds adware peddlers' sites/domains to the IE Restricted zone
ATF Cleaner (W2K, XP only) (http://www.atribune.org/content/view/25/2/) cleans out temp files, history, cookies etc.

Learn More:
Test Your Browser (http://www.jasons-toolbox.com/BrowserSecurity/)
Parasite Free (http://www.doxdesk.com/parasite/prevention.html)
Safe Hex (http://www.claymania.com/safe-hex.html)
Shelf Life's page (http://security-central.us/SafeHex/index.htm)
Browser Security Checkup (http://bcheck.scanit.be/bcheck/)

zachj
2006-12-21, 03:55
Wow, well all that and it still didn't work! Spybot still powers off my computer at win32.agent and then automatically restarts with a file system check. What's the dealio?

Also that "updates are ready for your computer" thing I refuse to let go because every time it jacks up my computer in one way or another. Screwed up my Outlook Express big time and took 3 days to fix. My Internet Explorer runs really slow, Firefox runs really slow, and it's not my internet connection because the other computer works fine.

shelf life
2006-12-21, 04:52
hi zachj,

Last log looks OK. Spybot never completes a scan?
Try doing a Spybot scan in safe mode. To reach safe mode, tap the F8 key during a computer reboot and choose the first option: Safe Mode. Once in safe mode run Spybot and this time, if it completes, save the report like this: (also while in safe mode run AVG antivirus and see if it flags anything)

On the toolbar menu select Mode and switch to Advanced mode. On the left, lower down, select Tools, then at the top View report. Ensure all the options are selected near the bottom except [ ] don't check: do not report disabled or known legitimate Items, then select (near the top) View report. Press Export, in the Save in box choose a place such as your My Documents folder or desktop, then copy/paste that log in next reply.


shelf life

zachj
2006-12-22, 02:17
Hey why did my last post get deleted? I posted that all this did not work and spybot still powers off my computer at win32.agent?

Zach

zachj
2006-12-22, 23:35
Oops, ignore my last post, I didn't see that it went over to page 2. I will try what you suggested but I remember trying to go to safe mode and it would not open the desktop screen, I had to go to safe mode with networking to get in and even then Spybot was powering off the computer.

Zach

zachj
2006-12-23, 03:17
OK, ran Spybot in safe mode and same thing, computer powers off at win32.agent. Spyhunter came up on the checklist right before it shut down.

Ran AVG and here's the log...

"General properties",""
"Report name","Complete Test"
"Start time","12/22/2006 3:28:52 PM"
"End time","12/22/2006 4:44:02 PM (total: 1:15:10.1 hrs)"
"Launch method","Scanning launched manually"
"Scanning result","Threats found"
"Report status","Scanning completed successfully"
" ",""
"Object summary",""
"Scanned","66754"
"Threats Found","3"
"Cleaned","0"
"Moved to vault","0"
"Deleted","2"
"Errors","0"
"Boot sector of disk C:","Change","Changed"
"C:\WINDOWS\System32\kernel32.dll","Change","Changed"
"C:\WINDOWS\System32\wsock32.dll","Change","Changed"
"C:\WINDOWS\System32\user32.dll","Change","Changed"
"C:\WINDOWS\System32\shell32.dll","Change","Changed"
"C:\WINDOWS\System32\ntoskrnl.exe","Change","Changed"
"C:\WINDOWS\System32\drivers\etc\hosts","Change","Changed"
"C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt","Virus found SpySheriff","Infected"
"C:\Documents and Settings\Owner\Local Settings\Temp\sbuwhhux.dll","","Deleted"
"C:\Documents and Settings\Owner\Local Settings\Temp\pypwmsid.dll","","Deleted"


So it removed 2 viruses and the 3rd one, Spy Sheriff, it couldn't remove.

shelf life
2006-12-24, 04:17
hi zachj,

Download SmitfraudFix (by S!Ri) to your Desktop.
.zip version:
http://siri.urz.free.fr/Fix/SmitfraudFix.zip

.exe version:
http://siri.urz.free.fr/Fix/SmitfraudFix.exe
(No need to extract, just run the exe)
--------------------------------------------
Open the SmitfraudFix folder on your desktop and double-click smitfraudfix.cmd

* Select option #1 - Search by typing 1 and press Enter
* This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed.

After you run it please post the log from the SmitfraudFix.

shelf life

tashi
2007-01-04, 01:24
This topic is closed due to lack of a response to helper, if you need it re-opened please send me a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.

tashi
2007-01-08, 06:03
Re-opened upon request.

zachj
2007-01-08, 22:17
Results from smitfraud...

SmitFraudFix v2.132

Scan done at 18:42:02.67, Sun 01/07/2007
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\issearch.exe FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\OWNER\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\Virus-Bursters\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

pe386 detected, use a Rootkit scanner

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

shelf life
2007-01-09, 01:53
hi zachj,

OK, thanks for the info. Please continue with the rest of the SmitfraudFix.

I would copy/paste this into Notepad and save it somewhere so you can read it while in safe mode:
----------------------------------------------------------
5) Reboot your computer in Safe Mode.

* If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
* Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
* Ensure that the Safe Mode option is selected.
* Press Enter. The computer then begins to start in Safe mode.
* Log in to your usual account.

_____________________

6) Clean out your Temporary Internet files. Proceed like this:

* Quit Internet Explorer and quit any instances of Windows Explorer.
* Click Start, click Control Panel, and then double-click Internet Options.
* On the General tab, click Delete Files under Temporary Internet Files.
* In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
* On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
* Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
* Click OK.

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
__________________________

Warning: running option #2 on a non infected computer will remove your Desktop background.

7) #2 - SmitfraudFix Clean

* Extract all the files to your Desktop. A folder named SmitfraudFix will be created there.
* Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
* Select option #2 - Clean by typing 2 and press Enter.
* Wait for the tool to complete and disk cleanup to finish.
* You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.
* The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.
* A reboot may be needed to finish the cleaning process. If your computer does not restart automatically please do it yourself manually, and reboot back into Safe Mode.

____________________________

8) Open Spybot-S&D

* Close all browsers, check for problems and fix everything found in red
* Then on the toolbar menu select mode and switch to advanced mode, on the left lower down select tools, and view report, ensure all the options are selected near the bottom except:
* Uncheck[ ] do not report disabled or known legitimate Items.
* Uncheck[ ] Include a list of services in report.
* Now select (near the top) view report.
* Press Export. In the Save in box, choose a place such as My Documents folder and save the report there.

Close Spybot-S&D
_____________________________

9) Reboot back into Windows. (Normal Mode)

* Double click HijackThis.exe.
* Hit None Of The Above, just start the program.
* Hit Scan.
* When the scan is finished, the "Scan" button will change into a "Save Log" button.
* Click that, save the log somewhere.


Copy/paste into your own new topic.

* c:\rapport.txt
* The HJT log


shelf life

zachj
2007-01-09, 03:21
OK, got to step 8 and once again Spybot powered off the computer at win32.agent. Just before win32 there was a slew of spyware items. What is this win32.agent thing all about?

I did get a new rapport log from smitfraud just in case...

SmitFraudFix v2.132

Scan done at 17:01:03.93, Mon 01/08/2007
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

shelf life
2007-01-10, 02:29
hi zachj,

OK, thanks for the info. Not sure what's going on with Spybot. Let's do this:
One more download to get, update and run:
---------------------------------------------
Download AVG Anti-Spyware and save that file to your desktop.

http://www.ewido.net/en/download/

This is a 30 day trial of the program.
Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need to run ewido and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do not run a scan just yet.

Boot your computer into safe mode like you did before.

Once in safe mode:

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware, and run a full scan.
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
ewido will now begin the scanning process; be patient, this may take a little time.
Once the scan is complete do the following:
If you have any infections you will be prompted, then select "Apply all actions".
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close AVG Anti-Spyware and Reboot in Normal Mode.

Please post the saved AVG report. Also, since it's been a while, please rescan and post a new HJT log. Once it all looks good we will come back to the Spybot problem.

shelf life

PS: if there are a lot of cookies in the AVG report you can edit them out to keep it shorter.....thanks

zachj
2007-01-10, 05:14
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:56:40 PM 1/9/2007

+ Scan result:



C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP639\A0081150.dll -> Adware.AutoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP639\A0081152.dll -> Adware.Aws : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Application Data\Install.dat -> Adware.Bravesent : Cleaned with backup (quarantined).
C:\Documents and Settings\NetworkService\Application Data\Install.dat -> Adware.Bravesent : Cleaned with backup (quarantined).
HKU\S-1-5-21-373023368-1483638691-2528199300-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{755BBD1A-AA59-456C-AFEB-B4C42C4DCB6F} -> Adware.Generic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP633\A0063612.exe -> Adware.MediaTickets : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP632\A0062577.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP639\A0081151.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\WINDOWS\temp\nsiD3.tmp\DetectionProcessus.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\WINDOWS\temp\nso9FE.tmp\DetectionProcessus.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\WINDOWS\temp\nsp12E.tmp\DetectionProcessus.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\WINDOWS\temp\nsp307.tmp\DetectionProcessus.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\WINDOWS\temp\nsv55.tmp\DetectionProcessus.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\WINDOWS\temp\nsw2E5.tmp\DetectionProcessus.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP639\A0081144.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP639\A0081145.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP639\A0081146.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP639\A0081147.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP639\A0081148.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP637\A0075899.exe -> Backdoor.Small.nk : Cleaned with backup (quarantined).
C:\command.exe -> Downloader.Agent.axh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP647\A0096637.exe -> Downloader.Zlob : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP637\A0075902.EXE -> Trojan.FirePass.e : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP637\A0075903.EXE -> Trojan.FirePass.e : Cleaned with backup (quarantined).


::Report end


HI Jack log in next post..

zachj
2007-01-10, 05:15
Logfile of HijackThis v1.99.1
Scan saved at 7:00:57 PM, on 1/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hijackthis\scan.exe.exe

O2 - BHO: Internet Explorer Protector - {1B77D30A-81C9-497A-8647-142F7511B1FB} - C:\Program Files\IE Protector\ieprotector.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IPPDetect] IPP4Detect.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {05842B0C-271B-412F-958F-D1A8F6CAD937} (ClickLoan Control) - https://www.clickloan.com/CAB/GenClickLoan/1,0,0,12/GenClickLoan.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://www.taylorbeanonline.com/scriptx/smsx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://chlwholesaletraining.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

shelf life
2007-01-11, 03:30
hi zachj,

OK good, thanks for the info. Your Spybot has been updated recently? I see you have Trojan Hunter; does it flag anything? AVG found a lot of stuff in your System Restore files, which we can get rid of like this:

You must be logged in as an Administrator to do this. If you are not logged in as an Administrator, the System Restore tab will not be displayed.
Turning off System Restore will clear out all previous restore points.
To turn off Windows XP System Restore:

NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot. (will delete possibly infected restore points)

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

4. Reboot (new clean restore point)

Also please delete the quarantined files from AVG.

Last: attempt to run Spybot again. Just trying to make sure it's not malware causing the shutdown.

shelf life

zachj
2007-01-11, 05:02
OK, I did all that, then I ran Spybot in safe mode and it still shut down at win32.agent. I ran it again and did Stop check right before it got to win32.agent and I ran a report result, which is below, and let it fix all the items. I notice an item named web-nexus right before win32.agent, and before that items such as virus-blast, trojan shield, true sword, trojan hunter, spy sheriff, spy doctor, spy destroy, adware-patrol, spy axe, killspy, etc. etc.

Here's the spybot results..

Advertising.com: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


CoreMetrics: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


FastClick: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


Avenue A, Inc.: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


HitBox: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


CasaleMedia: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


HitBox: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


DoubleClick: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


TagASaurus: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


CasaleMedia: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


User abort!: Scan was not completed successfully. ()



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2006-11-19 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-02-06 advcheck.dll (1.0.2.0)
2006-02-20 Tools.dll (2.0.0.2)
2006-10-27 Includes\Keyloggers.sbi (*)
2006-10-20 Includes\PUPS.sbi (*)
2006-10-13 Includes\Spybots.sbi (*)
2006-12-08 Includes\Dialer.sbi (*)
2006-11-24 Includes\Hijackers.sbi (*)
2006-12-15 Includes\Malware.sbi (*)
2006-12-08 Includes\Security.sbi (*)
2006-12-08 Includes\Trojans.sbi (*)
2006-12-15 Includes\Cookies.sbi (*)
2006-12-15 Includes\Revision.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-12-15 Includes\TrojansC.sbi (*)
2006-12-15 Includes\SpybotsC.sbi (*)
2006-12-15 Includes\SecurityC.sbi (*)
2006-12-15 Includes\PUPSC.sbi (*)
2006-12-15 Includes\MalwareC.sbi (*)
2006-12-15 Includes\KeyloggersC.sbi (*)
2006-12-15 Includes\HijackersC.sbi (*)
2006-12-15 Includes\DialerC.sbi (*)

zachj
2007-01-12, 03:05
any more hope on this one?

shelf life
2007-01-12, 04:09
hi zachj,

OK, thanks. One more download to run.

Download - rustbfix.exe ...and save it to your desktop:

http://www.uploads.ejvindh.net/rustbfix.exe

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log.

shelf life

zachj
2007-01-12, 05:06
************************* Rustock.b-fix -- By ejvindh *************************
Thu 01/11/2007 19:04:40.95

No Rustock.b-rootkits found

******************************* End of Logfile ********************************

shelf life
2007-01-13, 03:16
hi zachj,

Good, thanks for the info; just trying to rule malware out as the reason why Spybot shuts down.

I want to confirm something from the SmitfraudFix log. Please download and run ComboFix.

1. Download this file :

http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

zachj
2007-01-13, 05:19
"Owner" - 07-01-12 19:12:18 Service Pack 2
ComboFix 07-01-12 - Running from: "C:\Documents and Settings\Owner\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dlh9jkd1q8.exe
c:\command.com
C:\WINDOWS\s32.txt
C:\WINDOWS\ws386.ini
C:\WINDOWS\Downloaded Program Files\WebEx
C:\Program Files\Common Files\{34401~1
C:\Documents and Settings\All Users\Documents\Settings
C:\Program Files\psdream
C:\WINDOWS\system32\components
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\DOCUME~1
C:\qoobox\purity\DOCUME~1\Owner
C:\qoobox\purity\DOCUME~1\Owner\My Documents
C:\qoobox\purity\DOCUME~1\Owner\My Documents\from.txt
C:\qoobox\purity\DOCUME~1\Owner\My Documents\CROSOF~1.NET


((((((((((((((((((((((((((((((( Files Created from 2006-12-12 to 2007-01-12 ))))))))))))))))))))))))))))))))))


2007-01-11 19:04 <DIR> d-------- C:\Rustbfix
2007-01-10 18:06 <DIR> d--hs---- C:\FOUND.000
2007-01-09 16:37 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-07 18:42 3,176 --a------ C:\WINDOWS\system32\tmp.reg
2007-01-07 18:41 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-01-07 18:41 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-01-07 18:41 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-01-07 18:41 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-01-07 18:41 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-01-07 18:41 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-12-20 18:35 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2006-12-20 18:29 <DIR> d-------- C:\DOCUME~1\Owner\Application Data\Active Disk
2006-12-20 18:25 86,016 --a------ C:\WINDOWS\unvise32.exe
2006-12-20 18:24 <DIR> d-------- C:\Program Files\Iomega
2006-12-20 18:23 <DIR> d-------- C:\DOCUME~1\Owner\Application Data\Leadertech
2006-12-20 17:16 <DIR> d-------- C:\DOCUME~1\Owner\Application Data\TrojanHunter
2006-12-20 17:15 <DIR> d-------- C:\Program Files\TrojanHunter 4.6
2006-12-20 17:01 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2006-12-20 17:00 <DIR> d-------- C:\WINDOWS\Internet Logs
2006-12-19 18:32 <DIR> d-------- C:\VundoFix Backups
2006-12-19 18:26 81,684 --a------ C:\WINDOWS\system32\ofopxbgk.dll
2006-12-18 23:04 <DIR> d-------- C:\Program Files\eFax Messenger 4.2
2006-12-18 23:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\eFax Messenger 4.2 Setup
2006-12-18 19:11 <DIR> d-------- C:\hijackthis
2006-12-18 14:18 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-17 22:21 <DIR> d--hs---- C:\FOUND.023
2006-12-17 19:38 <DIR> d--hs---- C:\FOUND.022
2006-12-17 16:03 <DIR> d--hs---- C:\FOUND.021
2006-12-17 15:42 <DIR> d--hs---- C:\FOUND.020
2006-12-16 13:29 <DIR> d--hs---- C:\FOUND.019
2006-12-14 10:26 118,804 --a------ C:\WINDOWS\system32\ysrnkfcd.dll
2006-12-13 10:17 <DIR> d--hs---- C:\FOUND.018


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-08 13:24 69670 --a------ C:\WINDOWS\system32\lzx32.sys
2006-12-10 19:21 -------- d-------- C:\Program Files\address book recovery
2006-12-10 13:24 -------- d-------- C:\DOCUME~1\Owner\Application Data\uniblue
2006-12-10 01:57 -------- d-------- C:\Program Files\copy of outlook express
2006-12-09 17:09 -------- d-------- C:\Program Files\uphclean
2006-12-06 23:40 90164 ---hs---- C:\WINDOWS\system32\ddccd.dll
2006-12-06 15:02 -------- d-------- C:\Program Files\eprintv4
2006-12-06 15:01 -------- d-------- C:\Program Files\agentx
2006-12-06 15:00 -------- d-------- C:\Program Files\agentlink
2006-11-24 08:14 816672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-11-21 13:14 692276 --a------ C:\WINDOWS\system32\gebcc.dll
2006-11-21 12:11 692276 --a------ C:\WINDOWS\system32\mllmn.dll
2006-11-21 00:25 734369 ---hs---- C:\WINDOWS\system32\mpqss.ini2
2006-11-21 00:24 4960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-11-21 00:24 4224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-11-21 00:24 3968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-11-21 00:24 28416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-11-20 23:55 728154 ---hs---- C:\WINDOWS\system32\mpqss.bak2
2006-11-20 00:01 -------- d-------- C:\Program Files\symantec
2006-11-19 23:24 10 --a------ C:\WINDOWS\smdat32m.sys
2006-11-19 16:23 732227 ---hs---- C:\WINDOWS\system32\mpqss.bak1
2006-11-19 15:15 7408 --a------ C:\WINDOWS\system32\start2.exe
2006-11-19 15:13 24 --a------ C:\WINDOWS\koxks.dll
2006-11-15 16:57 0 --a------ C:\WINDOWS\dmffo4kd.exe
2006-11-15 00:14 35328 --a------ C:\ohsrdx.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"IPPDetect"="IPP4Detect.exe"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"eFax 4.2"="\"C:\\Program Files\\eFax Messenger 4.2\\J2GDllCmd.exe\" /R"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""
"ADUserMon"="C:\\Program Files\\Iomega\\AutoDisk\\ADUserMon.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"Deskup"="C:\\Program Files\\Iomega\\DriveIcons\\deskup.exe /IMGSTART"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\America Online 9.0 Tray Icon.lnk"
"backup"="C:\\WINDOWS\\pss\\America Online 9.0 Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AMERIC~1.0\\aoltray.exe -check"
"item"="America Online 9.0 Tray Icon"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\AOL Companion.lnk"
"backup"="C:\\WINDOWS\\pss\\AOL Companion.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AOLCOM~1\\COMPAN~1.EXE /s"
"item"="AOL Companion"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax 4.2.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\eFax 4.2.lnk"
"backup"="C:\\WINDOWS\\pss\\eFax 4.2.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\EFAXME~1.2\\J2GTray.exe "
"item"="eFax 4.2"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax DllCmd 3.5.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\eFax DllCmd 3.5.lnk"
"backup"="C:\\WINDOWS\\pss\\eFax DllCmd 3.5.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\EFAXME~1.5\\J2GDLL~1.EXE /R"
"item"="eFax DllCmd 3.5"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax Tray Menu 3.5.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\eFax Tray Menu 3.5.lnk"
"backup"="C:\\WINDOWS\\pss\\eFax Tray Menu 3.5.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\EFAXME~1.5\\J2GTray.exe "
"item"="eFax Tray Menu 3.5"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SmartUI.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\SmartUI.lnk"
"backup"="C:\\WINDOWS\\pss\\SmartUI.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Scansoft\\PAPERP~1\\SmartUI\\SmartUI.exe "
"item"="SmartUI"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\WinZip Quick Pick.lnk"
"backup"="C:\\WINDOWS\\pss\\WinZip Quick Pick.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\WinZip\\WZQKPICK.EXE "
"item"="WinZip Quick Pick"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PaperMaster Live Menu 7.0.lnk]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\PaperMaster Live Menu 7.0.lnk"
"backup"="C:\\WINDOWS\\pss\\PaperMaster Live Menu 7.0.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\PAPERM~1.0\\J2GDLL~1.EXE /R /K \"C:\\Program Files\\PaperMaster Pro 7.0\\J2GPfcW.dll\",JSPFCWSetHooking,1,0,0,0"
"item"="PaperMaster Live Menu 7.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PaperMaster Tray Menu 7.0.lnk]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\PaperMaster Tray Menu 7.0.lnk"
"backup"="C:\\WINDOWS\\pss\\PaperMaster Tray Menu 7.0.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\PAPERM~1.0\\J2GTray.exe "
"item"="PaperMaster Tray Menu 7.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="J2GDllCmd"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\eFax Messenger 4.1\\J2GDllCmd.exe\" /R"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="J2GDllCmd"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\eFax Messenger 4.2\\J2GDllCmd.exe\" /R"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IndexSearch"
"hkey"="HKLM"
"command"="C:\\Program Files\\Scansoft\\PaperPort\\IndexSearch.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort 8.0 SE Registration Reminder]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="navLoad"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Scansoft\\PaperPort\\WebEreg\\NAVBrowser.exe\" -r \"C:\\Program Files\\Scansoft\\PaperPort\\WebEreg\\navLoad.ini\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pptd40nt"
"hkey"="HKLM"
"command"="C:\\Program Files\\Scansoft\\PaperPort\\pptd40nt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PlaxoHelper"
"hkey"="HKCU"
"command"="C:\\Program Files\\Plaxo\\2.11.1.5\\PlaxoHelper.exe -a"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SemanticInsight]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SemanticInsight"
"hkey"="HKLM"
"command"="C:\\Program Files\\RXToolBar\\Semantic Insight\\SemanticInsight.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smart Start UP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PnPDetect"
"hkey"="HKLM"
"command"="C:\\Program Files\\NewSoft\\Smart Start UP\\PnPDetect.exe /Automation "
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\control panel\load]
"forwas"=hex:15,26,db,fb,69
"cryptpa"=hex:21,df,db,f4,20

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"system"="C:\\WINDOWS\\csrss.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0




~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061220-134953-230
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - (no file)
backup-20061220-134953-284
O2 - BHO: (no name) - {08B0A51B-0C50-4B9A-99B5-89AC1E56E533} - C:\WINDOWS\System32\ddcyw.dll (file missing)
backup-20061220-134953-450
O2 - BHO: (no name) - {380739FB-EB33-8E37-C659-02260E8D29C4} - (no file)
backup-20061219-185747-172
O20 - Winlogon Notify: winxtx32 - winxtx32.dll (file missing)
backup-20061219-185746-141
O20 - Winlogon Notify: ssqpm - C:\WINDOWS\System32\ssqpm.dll (file missing)
backup-20061219-185644-800
O4 - HKLM\..\Run: [mxwpic.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\mxwpic.dll,wealicb
backup-20061219-185644-334
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - (no file)
backup-20061219-185644-462
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\ysrnkfcd.dll",setvm
backup-20061219-185644-216
O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
backup-20061219-185644-953
O18 - Filter: text/html - (no CLSID) - (no file)
backup-20061219-185644-228
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\kxjuwbvm.dll
backup-20061219-185644-601
O2 - BHO: (no name) - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - (no file)
backup-20061219-185644-511
O2 - BHO: (no name) - {45B70304-6774-6631-26BC-0B328E8CE570} - (no file)
backup-20061219-185644-833
O2 - BHO: (no name) - {11F0EE13-5947-2942-F631-09BEB2706006} - (no file)
backup-20061219-185644-468
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
backup-20061219-185644-542
O2 - BHO: (no name) - {0FC1C4CA-3F9D-4548-AF67-50E10FE9685F} - (no file)

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 07-01-12 19:15:37

shelf life
2007-01-14, 00:33
hi zachj,

good, thanks for the info. you hanging in there? please try to run spybot now.

can you tell me anything that doesn't seem right with your computer, other than spybot terminating?
-------------------------------------
please download AVG anti-rootkit beta from here:

http://www.softpedia.com/get/Antivirus/AVG-Anti-Rootkit.shtml

click the downloaded file to install.
after a reboot click the icon to start the scanner. click "perform in-depth search" button
after scanning is done click the "save result to file"
Save In: desktop, or anywhere you can find it.
File Name: avg scan or whatever. add the extension .txt to end (avg scan.txt)
please post saved log in post.

zachj
2007-01-15, 01:10
Wow well thanks a lot spybot ran through successfully! I thought the combofix was just running a log, didn't think it actually did anything. Or maybe spybot running through was just a fluke, hope not. Looks like it picked up some win32.agent items.

Anyhow I ran the avg anti-root and nothing was found. As far as anything else wrong with the computer, it just runs a bit slow, especially the internet connection at times. I have highspeed internet but it is an older computer with low memory capacity.

Results from spybot....

Smitfraud-C.Toolbar888: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan

Win32.Agent.baf: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\system=...C:\WINDOWS\csrss.exe...

Win32.Agent.baf: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\csrss.exe

Advertising.com: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


CoreMetrics: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


FastClick: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


Avenue A, Inc.: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


HitBox: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


CasaleMedia: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


HitBox: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


DoubleClick: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


TagASaurus: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


CasaleMedia: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)


Avenue A, Inc.: Tracking cookie (Firefox: default) (Cookie, nothing done)


DoubleClick: Tracking cookie (Firefox: default) (Cookie, nothing done)


FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)


MediaPlex: Tracking cookie (Firefox: default) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2006-11-19 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-02-06 advcheck.dll (1.0.2.0)
2006-02-20 Tools.dll (2.0.0.2)
2006-10-27 Includes\Keyloggers.sbi (*)
2006-10-20 Includes\PUPS.sbi (*)
2006-10-13 Includes\Spybots.sbi (*)
2006-12-08 Includes\Dialer.sbi (*)
2006-11-24 Includes\Hijackers.sbi (*)
2006-12-08 Includes\Security.sbi (*)
2006-12-08 Includes\Trojans.sbi (*)
2006-12-22 Includes\Malware.sbi (*)
2007-01-05 Includes\Cookies.sbi (*)
2007-01-05 Includes\Revision.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-01-05 Includes\TrojansC.sbi (*)
2007-01-05 Includes\SpybotsC.sbi (*)
2007-01-05 Includes\SecurityC.sbi (*)
2007-01-05 Includes\PUPSC.sbi (*)
2007-01-05 Includes\MalwareC.sbi (*)
2007-01-05 Includes\KeyloggersC.sbi (*)
2007-01-05 Includes\HijackersC.sbi (*)
2007-01-05 Includes\DialerC.sbi (*)

shelf life
2007-01-16, 00:55
hi zachj,

good. those spybot items just look like leftover registry entries,
please post one more hjt log.

shelf life

zachj
2007-01-16, 02:32
Hijack log...


Logfile of HijackThis v1.99.1
Scan saved at 4:31:25 PM, on 1/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINPOINT\winpoint.exe
C:\Program Files\internet explorer\iexplore.exe
C:\hijackthis\scan.exe.exe

O2 - BHO: Internet Explorer Protector - {1B77D30A-81C9-497A-8647-142F7511B1FB} - C:\Program Files\IE Protector\ieprotector.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IPPDetect] IPP4Detect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {05842B0C-271B-412F-958F-D1A8F6CAD937} (ClickLoan Control) - https://www.clickloan.com/CAB/GenClickLoan/1,0,0,12/GenClickLoan.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://www.taylorbeanonline.com/scriptx/smsx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://chlwholesaletraining.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

shelf life
2007-01-17, 01:44
hi zachj,

log looks good. lets check this:
go to start>run and type in--> services.msc,<--in the list of services that comes up, under the name column look for>> Microsoft authenticate service<<

right click on it and select properties. under the general tab:
make sure that the service status is: Stopped
and the Startup type is: disabled
-------------------
next see if you can locate the file in the:
C:\WINDOWS\System32 dir and delete it

shelf life
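
The services.msc check above, done from a PowerShell prompt instead, as an added example (not code from the thread or from HijackThis). It reads the same service properties the dialog shows, reports whether the service is Stopped and Disabled and whether its binary is actually on disk, and then generalises to every service whose executable is missing. The service name MsaSvc and path C:\WINDOWS\System32\msasvc.exe are the ones in the O23 line of the HJT log; Get-WmiObject requires Windows PowerShell (2.0 to 5.1), which is what an XP-era machine can run, and the calls need an elevated prompt.

```powershell
# Added example: audit one suspicious service, then list every service
# whose registered binary no longer exists. Not part of the original post.

function Get-ServiceBinaryPath {
    # Win32_Service.PathName may be quoted, may carry arguments, and may use
    # %SystemRoot%-style variables; reduce it to the executable path only.
    param([string]$PathName)
    if ([string]::IsNullOrEmpty($PathName)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($PathName)
    if ($expanded.StartsWith('"')) {
        return $expanded.Split('"')[1]
    }
    # Unquoted path: the executable ends at the first ".exe" token
    $m = [regex]::Match($expanded, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $expanded.Split(' ')[0]
}

function Get-ServiceAudit {
    # Same facts the services.msc properties dialog shows, plus a file check.
    param([Parameter(Mandatory = $true)][string]$Name)
    $safeName = $Name.Replace("'", "''")   # keep the WQL filter well-formed
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$safeName'"
    if ($null -eq $svc) {
        # Not registered at all: nothing to stop, nothing to disable
        return New-Object PSObject -Property @{ Name = $Name; Registered = $false }
    }
    $exe = Get-ServiceBinaryPath $svc.PathName
    New-Object PSObject -Property @{
        Name         = $svc.Name
        DisplayName  = $svc.DisplayName
        Registered   = $true
        State        = $svc.State        # the helper wants "Stopped"
        StartMode    = $svc.StartMode    # the helper wants "Disabled"
        Binary       = $exe
        BinaryExists = ($null -ne $exe) -and (Test-Path -LiteralPath $exe)
        # Neutralised: cannot start at the next boot, file present or not
        Neutralised  = ($svc.State -eq 'Stopped') -and ($svc.StartMode -eq 'Disabled')
    }
}

function Disable-SuspectService {
    # Equivalent of Stop plus Startup type "Disabled" in the properties dialog.
    param([Parameter(Mandatory = $true)][string]$Name)
    Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
    Set-Service -Name $Name -StartupType Disabled
}

function Get-OrphanedServices {
    # Generalisation: every service whose executable is gone. A removed
    # infection often leaves this stale registration behind, which is what
    # the "(file missing)" O23 line in the HJT log shows.
    Get-WmiObject -Class Win32_Service | ForEach-Object {
        $exe = Get-ServiceBinaryPath $_.PathName
        if ($exe -and -not (Test-Path -LiteralPath $exe)) {
            New-Object PSObject -Property @{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                StartMode   = $_.StartMode
                Binary      = $exe
            }
        }
    }
}

# Usage: audit the service from the log, disable it if it can still start,
# then show every other service pointing at a missing file.
$audit = Get-ServiceAudit -Name 'MsaSvc'
$audit | Format-List
if ($audit.Registered -and -not $audit.Neutralised) {
    Disable-SuspectService -Name 'MsaSvc'
}
Get-OrphanedServices | Format-Table -AutoSize
```

Disabling the service first matters even when the file is already gone, because a service set to Automatic with a missing binary is reported in the event log at every boot and would run again the moment the file reappears.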

zachj
2007-01-17, 02:33
Wait so I should delete the system32 Folder under Windows? There's a lot of items in there. Are you sure?

shelf life
2007-01-18, 03:43
hi zachj,


Wait so I should delete the system32 Folder under Windows? There's a lot of items in there. Are you sure?


no, my mistake.
i left the file off of the post. we want to look for and delete if present only this file:
msasvc.exe
in the C:\WINDOWS\System32 dir

zachj
2007-01-18, 04:03
Wow good thing I didn't delete that folder I guess.

That file msasvc.exe is not present.


Zach

shelf life
2007-01-18, 04:15
hi zachj,

its a needed windows OS dir. windows wouldn't let you delete it. good, you didn't find that .exe. how's it all looking on your end now?

shelf life

zachj
2007-01-18, 06:17
Ya the computer is just old and a bit slow, I think it's working better now, outlook is not blocking emails I'm sending out anymore so that's good. spysheriff popped up as a virus automatically from AVG recently and I hit heal, it didn't heal so I chose move to vault. If I have anything in the AVG vault should I delete those out?

Zach

shelf life
2007-01-19, 03:40
hi zachj,

yes you can clean out the vault or quarantined items if you want. the smitfraudfix should have taken care of spysheriff. maybe its flagging a stray leftover. is it happening a lot?

shelf life

zachj
2007-01-19, 04:17
It just popped up yesterday in the middle of running spybot that's it..

shelf life
2007-01-20, 21:18
hi zachj,

sorry for the delay in responding.
you get the pop up from AVG, only when you're scanning with Spybot?
does avg provide the location of the file?

zachj
2007-01-26, 05:51
Sorry about that, I think it was just a one time thing it hasn't popped up again while running spybot.

One other thing though, if I leave my computer for maybe 10-15 minutes I come back and the screen is black as if the monitor is off, but the monitor is in fact on and I move the mouse around and hit keys and the screen doesn't come back up. I have to manually press off on the hard drive and then manually turn it back on which is obviously not good. Any idea?

shelf life
2007-01-30, 02:24
hi zachj,

sounds like it is not coming out of stand by mode? have you poked around in the power options panel to check settings?

shelf life

zachj
2007-01-30, 02:44
Looks like everything was set to turn off after about 20 minutes, I changed it to the default setting for desktop which put it to "never" except for the monitor.

thanks for all the help!

shelf life
2007-02-02, 02:48
hi zachj,

glad to help. happy safe surfing.

shelf life

tashi
2007-02-12, 19:07
Glad we could help, as the problem appears to be resolved this topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.