Help with Smitfraud and ??

continued....
Spyware:Cookie/PointRoll Not disinfected C:\WINNT\Profiles\Ken\Application Data\Mozilla\Firefox\Profiles\7otm7rt6.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\WINNT\Profiles\Ken\Application Data\Mozilla\Firefox\Profiles\7otm7rt6.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/2o7 Not disinfected C:\WINNT\Profiles\Ken\Cookies\ken@2o7[1].txt
Spyware:Cookie/Advertising Not disinfected C:\WINNT\Profiles\Ken\Cookies\ken@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\WINNT\Profiles\Ken\Cookies\ken@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\WINNT\Profiles\Ken\Cookies\ken@atwola[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\WINNT\Profiles\Ken\Cookies\ken@doubleclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\WINNT\Profiles\Ken\Cookies\ken@mediaplex[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINNT\Profiles\Ken\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\WINNT\Profiles\Ken\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\WINNT\Profiles\Ken\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\WINNT\Profiles\Ken\Desktop\SmitfraudFix\restart.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINNT\Profiles\Ken\Desktop\VirtumundoBeGone.exe
Virus:Generic Trojan Disinfected C:\WINNT\Profiles\LocalService\Local Settings\Temp\~tmp143
Virus:Trj/Downloader.LAF Disinfected C:\WINNT\system32\ldcoreno
Virus:Trj/Downloader.LAF Disinfected C:\WINNT\system32\ldcoreno2
Adware:Adware/DigInk Not disinfected C:\WINNT\uninst1014.exe
Adware:Adware/DigInk Not disinfected C:\WINNT\uni_eh44.exe
 
I went ahead and ran ComboFix again per your instructions. I had to do it from the Ken profile because I still have not figured out how to get in as ADMIN unless I'm in Safe mode. I figured I can run it again as ADMIN once I figure out how to get in. Here is the log:

ComboFix 07-07-30.2 - "Ken" 2007-08-05 17:33:20.3 [GMT -5:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.True
Command switches used :: C:\WINNT\Profiles\Ken\Desktop\CFScript.txt
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Del.js
C:\WINNT\uni_eh44.exe
C:\WINNT\uninst1014.exe


((((((((((((((((((((((((( Files Created from 2007-07-05 to 2007-08-05 )))))))))))))))))))))))))))))))


2007-08-05 14:33 <DIR> d-------- C:\WINNT\Profiles\Ken\.housecall6.6
2007-08-05 12:36 <DIR> d-------- C:\WINNT\system32\ActiveScan
2007-08-02 16:15 <DIR> d-------- C:\WINNT\Profiles\Ken\APPLIC~1\SUPERAntiSpyware.com
2007-08-02 16:15 <DIR> d-------- C:\WINNT\Profiles\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-02 16:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-02 16:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-02 11:56 <DIR> d-------- C:\Program Files\CCleaner
2007-07-31 14:23 51,200 --a------ C:\WINNT\nircmd.exe
2007-07-31 14:01 <DIR> d-------- C:\WINNT\ERUNT
2007-07-30 14:57 24,576 --a------ C:\WINNT\system32\VundoFixSVC.exe
2007-07-30 14:57 <DIR> d-------- C:\VundoFix Backups
2007-07-30 14:41 3,596 --a------ C:\WINNT\system32\tmp.reg
2007-07-29 15:08 <DIR> d-------- C:\WINNT\Profiles\ADMINI~1\APPLIC~1\Share-to-Web Upload Folder
2007-07-29 12:38 <DIR> d-------- C:\Program Files\HijackThi
2007-07-29 11:48 626,688 --a------ C:\WINNT\system32\msvcr80.dll
2007-07-28 23:42 70,312 --a------ C:\Program Files\codec_setup.exe
2007-07-28 14:50 <DIR> d-------- C:\WINNT\Profiles\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-05 17:33 <DIR> d-------- C:\WINNT\Profiles\Ken\APPLIC~1\WinRAR


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-05 13:53 --------- d-------- C:\Program Files\QuickTime
2007-08-05 13:51 --------- d-------- C:\Program Files\Messenger
2007-08-05 13:46 --------- d-------- C:\Program Files\Google
2007-08-02 20:24 --------- d-a------ C:\Program Files\Windows NT
2007-07-31 14:26 --------- d-a------ C:\Program Files\Toshiba
2007-01-25 18:59 16400 --a------ C:\WINNT\Profiles\Ken\APPLIC~1\GDIPFONTCACHEV1.DAT
2003-03-21 14:05 271 ---hs---- C:\Program Files\desktop.ini
2003-03-21 14:05 21952 --ah----- C:\Program Files\folder.htt
2006-02-25 03:17:03 75 -csh--w C:\WINNT\Profiles\Ken\NetHood\download on www.401kduediligence.com\Desktop.ini
2004-07-23 16:23:22 56 -csh--r C:\WINNT\system32\1E9308E591.sys
2006-07-29 23:36:17 1,682 -csha-w C:\WINNT\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EM_EXEC"="C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2000-02-04 11:01]
"Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2000-07-10 12:34]
"PROMon.exe"="Promon.exe" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-08-06 17:35]
"Synchronization Manager"="mobsync.exe" [2001-08-23 10:00 C:\WINNT\system32\mobsync.exe]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 07:50]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-07-23 10:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-07-23 10:52]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 16:54]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 11:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"HostManager"="C:\Program Files\Common Files\AOL\1135354199\ee\AOLSoftware.exe" [2006-09-25 19:52]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 08:14]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-30 09:04]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2004-07-23 10:49:58]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= FPNWCLNT scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R2 ASCTRM;ASCTRM;C:\WINNT\System32\drivers\ASCTRM.sys
R2 Isecdrv;ISECDRV;C:\WINNT\System32\drivers\Isecdrv.sys
R2 SimpTcp;Simple TCP/IP Services;C:\WINNT\System32\tcpsvcs.exe
R3 brfilt;Brother MFC Filter Driver;C:\WINNT\System32\Drivers\Brfilt.sys
R3 brparimg;Brother Multi Function Parallel Image driver;C:\WINNT\System32\DRIVERS\BrParImg.sys
R3 BrParWdm;Brother WDM Parallel Driver;C:\WINNT\System32\Drivers\BrParwdm.sys
R3 BrSerWDM;Brother WDM Serial driver;C:\WINNT\System32\Drivers\BrSerWdm.sys
R3 E100B;Intel(R) PRO Adapter Driver;C:\WINNT\System32\DRIVERS\e100b325.sys
R3 i81x;i81x;C:\WINNT\System32\DRIVERS\i81xnt5.sys
R3 mf;mf;C:\WINNT\System32\DRIVERS\mf.sys
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINNT\System32\drivers\msmpu401.sys
R3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
R3 wanatw;WAN Miniport (ATW);C:\WINNT\System32\DRIVERS\wanatw4.sys
S1 TAPM_NT;TAPM_NT;C:\WINNT\System32\drivers\TAPM_NT.sys
S1 vrfyflp;Floppy disk verify driver;C:\WINNT\System32\drivers\vrfyflp.sys
S2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINNT\System32\DRIVERS\CINEMSUP.SYS
S2 Scsiprnt;Scsiprnt;C:\WINNT\System32\drivers\Scsiprnt.sys
S3 iAimFP0;iAimFP0;C:\WINNT\System32\DRIVERS\wADV01nt.sys
S3 iAimFP1;iAimFP1;C:\WINNT\System32\DRIVERS\wADV02NT.sys
S3 iAimFP2;iAimFP2;C:\WINNT\System32\DRIVERS\wADV05NT.sys
S3 iAimFP3;iAimFP3;C:\WINNT\System32\DRIVERS\wSiINTxx.sys
S3 iAimFP4;iAimFP4;C:\WINNT\System32\DRIVERS\wVchNTxx.sys
S3 iAimTV0;iAimTV0;C:\WINNT\System32\DRIVERS\wATV01nt.sys
S3 iAimTV1;iAimTV1;C:\WINNT\System32\DRIVERS\wATV02NT.sys
S3 iAimTV2;iAimTV2;C:\WINNT\System32\DRIVERS\wATV03nt.sys
S3 iAimTV3;iAimTV3;C:\WINNT\System32\DRIVERS\wATV04nt.sys
S3 iAimTV4;iAimTV4;C:\WINNT\System32\DRIVERS\wCh7xxNT.sys
S3 MPE;BDA MPE Filter;C:\WINNT\System32\DRIVERS\MPE.sys
S3 TBiosDrv;TBiosDrv;\??\C:\WINNT\System32\drivers\TBiosDrv.sys
S4 i81xnt4;i81xnt4;C:\WINNT\System32\DRIVERS\i81xnt4.sys
S4 lkbdfltr;Logitech Keyboard Class Filter Driver;C:\WINNT\System32\DRIVERS\lkbdfltr.sys
S4 lmoufltr;Logitech Mouse Class Filter Driver;C:\WINNT\System32\DRIVERS\lmoufltr.sys
S4 lsermous;Logitech Serial Mouse Driver;C:\WINNT\System32\DRIVERS\lsermous.sys

*Newly Created Service* - TMCOMM

Contents of the 'Scheduled Tasks' folder
2007-08-05 07:00:00 C:\WINNT\Tasks\Spybot - Search & Destroy - Scheduled Task.job - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-05 17:35:57
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-05 17:37:32
C:\ComboFix-quarantined-files.txt ... 2007-08-05 17:36
C:\ComboFix2.txt ... 2007-08-02 11:51
C:\ComboFix3.txt ... 2007-07-31 14:35

--- E O F ---
 
Hi Ken

Ken said:
I do see the appwiz.cpl file in C:\WINNT\system32. I do not see rundll32.exe Like I said, there is a blank space in that file where the icon for rundll32.exe should be.

Further, on the control panel, when I click user accounts, I get the same error message about windows not being able to find rundll32.exe.

rundll32.exe is required to run all dll files & cpl files ...

As yours is missing, let's see if we can resolve this first by replacing it...

You need to paste a copy of the rundll32.exe file into the C:\WINNT\system32 folder..

see if you have an i386 folder (these contain your backup files)

in either of these locations :-

C:\Winnt\I386

C:\I386

If you have, then look for the file rundll32.exe & if you find it, right click on it & copy ... then go to your system32 folder ... right click & paste

if the file looks like this rundll32.ex_ then you can't copy & paste it, it will have to be expanded ... let me know.


Ken said:
I do not know how to get into the Admin profile. It does not give me the choice on boot up and the User Accounts link is not working. It does give me the option to boot into Admin if I boot in Safe mode. Can I boot in Safe mode and run the new ComboFix instructions from there? If not, how else can I log in as Admin?

It's only Ccleaner I wanted you to run on the ADMINISTRATOR profile... so forget that for now...


Ken said:
Here is the Panda Active scan log. It did not let me get rid of everything without paying. I also ran Trend MicroHousecall, and got rid of whatit found, but it did not really give me a log.

That's OK ... I just wanted to see the log, we can get rid of anything from the log without you having to pay...
-
Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:
File::
C:\Program Files\codec_setup.exe

Folder::
C:\QooBox
C:\SDFix

Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply ...

steam
 
Hi Ken
if the file looks like this rundll32.ex_ then you can't copy & paste it, it will have to be expanded ... let me know.

This is what I have, so we will have to expand it.

Here is the new ComboFix log:

ComboFix 07-07-30.2 - "Ken" 2007-08-06 14:29:37.4 [GMT -5:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.True
Command switches used :: C:\WINNT\Profiles\Ken\Desktop\CFScript.txt
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\codec_setup.exe
C:\QooBox
C:\SDFix
C:\SDFix\apps\assosfix.reg
C:\SDFix\apps\cliptext.exe
C:\SDFix\apps\download.exe
C:\SDFix\apps\dummy.sys
C:\SDFix\apps\Enable_Command_Prompt.reg
C:\SDFix\apps\ERDNT.E_E
C:\SDFix\apps\ERDNTDOS.LOC
C:\SDFix\apps\ERDNTWIN.LOC
C:\SDFix\apps\ERUNT.EXE
C:\SDFix\apps\ERUNT.LOC
C:\SDFix\apps\fix.reg
C:\SDFix\apps\FixBH.reg
C:\SDFix\apps\FIXCU.reg
C:\SDFix\apps\FIXLM.reg
C:\SDFix\apps\FixPath.exe
C:\SDFix\apps\FixRedir.reg
C:\SDFix\apps\FixWebCheck.reg
C:\SDFix\apps\fixXP.reg
C:\SDFix\apps\FixXPsp2.reg
C:\SDFix\apps\HPFix.reg
C:\SDFix\apps\leg2.txt
C:\SDFix\apps\legacy.txt
C:\SDFix\apps\legacybk.txt
C:\SDFix\apps\locate.com
C:\SDFix\apps\LS.exe
C:\SDFix\apps\MD5File.exe
C:\SDFix\apps\moveex.exe
C:\SDFix\apps\MyGcpvFix.reg
C:\SDFix\apps\MyGkFix2.reg
C:\SDFix\apps\Process.exe
C:\SDFix\apps\RegDACL.exe
C:\SDFix\apps\Rem.txt
C:\SDFix\apps\Rem2.txt
C:\SDFix\apps\Replace\W2K.exe
C:\SDFix\apps\Replace\XP.exe
C:\SDFix\apps\Reset_AppInit_DLLs.reg
C:\SDFix\apps\RestartIt!.exe
C:\SDFix\apps\Restore_SecurityCenter.reg
C:\SDFix\apps\Restore_SharedAccess.reg
C:\SDFix\apps\sc.exe
C:\SDFix\apps\SF.exe
C:\SDFix\apps\shutdown.exe
C:\SDFix\apps\srv2.txt
C:\SDFix\apps\svc.txt
C:\SDFix\apps\svcbk.txt
C:\SDFix\apps\swreg.exe
C:\SDFix\apps\swsc.exe
C:\SDFix\apps\unzip.exe
C:\SDFix\apps\zip.exe
C:\SDFix\backups\attrib.exe
C:\SDFix\backups\backupreg.zip
C:\SDFix\backups\find.exe
C:\SDFix\backups\findstr.exe
C:\SDFix\backups\HOSTS
C:\SDFix\backups\regedit.exe
C:\SDFix\backups_old1\attrib.exe
C:\SDFix\backups_old1\backupreg.zip
C:\SDFix\backups_old1\backups.zip
C:\SDFix\backups_old1\find.exe
C:\SDFix\backups_old1\findstr.exe
C:\SDFix\backups_old1\HOSTS
C:\SDFix\backups_old1\regedit.exe
C:\SDFix\catchme.exe
C:\SDFix\dummy.sys
C:\SDFix\Report.txt
C:\SDFix\Report_old_1.txt
C:\SDFix\RunThis.bat
C:\SDFix\SDFIX_ReadMe_Online.url


((((((((((((((((((((((((( Files Created from 2007-07-06 to 2007-08-06 )))))))))))))))))))))))))))))))


2007-08-05 14:33 <DIR> d-------- C:\WINNT\Profiles\Ken\.housecall6.6
2007-08-05 12:36 <DIR> d-------- C:\WINNT\system32\ActiveScan
2007-08-02 16:15 <DIR> d-------- C:\WINNT\Profiles\Ken\APPLIC~1\SUPERAntiSpyware.com
2007-08-02 16:15 <DIR> d-------- C:\WINNT\Profiles\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-02 16:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-02 16:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-02 11:56 <DIR> d-------- C:\Program Files\CCleaner
2007-07-31 14:23 51,200 --a------ C:\WINNT\nircmd.exe
2007-07-31 14:01 <DIR> d-------- C:\WINNT\ERUNT
2007-07-30 14:57 24,576 --a------ C:\WINNT\system32\VundoFixSVC.exe
2007-07-30 14:57 <DIR> d-------- C:\VundoFix Backups
2007-07-30 14:41 3,596 --a------ C:\WINNT\system32\tmp.reg
2007-07-29 15:08 <DIR> d-------- C:\WINNT\Profiles\ADMINI~1\APPLIC~1\Share-to-Web Upload Folder
2007-07-29 12:38 <DIR> d-------- C:\Program Files\HijackThi
2007-07-29 11:48 626,688 --a------ C:\WINNT\system32\msvcr80.dll
2007-07-28 14:50 <DIR> d-------- C:\WINNT\Profiles\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-05 13:53 --------- d-------- C:\Program Files\QuickTime
2007-08-05 13:51 --------- d-------- C:\Program Files\Messenger
2007-08-05 13:46 --------- d-------- C:\Program Files\Google
2007-08-02 20:24 --------- d-a------ C:\Program Files\Windows NT
2007-07-31 14:26 --------- d-a------ C:\Program Files\Toshiba
2007-07-05 17:33 --------- d-------- C:\WINNT\Profiles\Ken\APPLIC~1\WinRAR
2007-01-25 18:59 16400 --a------ C:\WINNT\Profiles\Ken\APPLIC~1\GDIPFONTCACHEV1.DAT
2003-03-21 14:05 271 ---hs---- C:\Program Files\desktop.ini
2003-03-21 14:05 21952 --ah----- C:\Program Files\folder.htt
2006-02-25 03:17:03 75 -csh--w C:\WINNT\Profiles\Ken\NetHood\download on www.401kduediligence.com\Desktop.ini
2004-07-23 16:23:22 56 -csh--r C:\WINNT\system32\1E9308E591.sys
2006-07-29 23:36:17 1,682 -csha-w C:\WINNT\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EM_EXEC"="C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2000-02-04 11:01]
"Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2000-07-10 12:34]
"PROMon.exe"="Promon.exe" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-08-06 17:35]
"Synchronization Manager"="mobsync.exe" [2001-08-23 10:00 C:\WINNT\system32\mobsync.exe]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 07:50]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-07-23 10:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-07-23 10:52]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 16:54]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 11:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"HostManager"="C:\Program Files\Common Files\AOL\1135354199\ee\AOLSoftware.exe" [2006-09-25 19:52]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 08:14]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-30 09:04]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2004-07-23 10:49:58]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= FPNWCLNT scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R2 ASCTRM;ASCTRM;C:\WINNT\System32\drivers\ASCTRM.sys
R2 Isecdrv;ISECDRV;C:\WINNT\System32\drivers\Isecdrv.sys
R2 SimpTcp;Simple TCP/IP Services;C:\WINNT\System32\tcpsvcs.exe
R3 brfilt;Brother MFC Filter Driver;C:\WINNT\System32\Drivers\Brfilt.sys
R3 brparimg;Brother Multi Function Parallel Image driver;C:\WINNT\System32\DRIVERS\BrParImg.sys
R3 BrParWdm;Brother WDM Parallel Driver;C:\WINNT\System32\Drivers\BrParwdm.sys
R3 BrSerWDM;Brother WDM Serial driver;C:\WINNT\System32\Drivers\BrSerWdm.sys
R3 E100B;Intel(R) PRO Adapter Driver;C:\WINNT\System32\DRIVERS\e100b325.sys
R3 i81x;i81x;C:\WINNT\System32\DRIVERS\i81xnt5.sys
R3 mf;mf;C:\WINNT\System32\DRIVERS\mf.sys
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINNT\System32\drivers\msmpu401.sys
R3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
R3 wanatw;WAN Miniport (ATW);C:\WINNT\System32\DRIVERS\wanatw4.sys
S1 TAPM_NT;TAPM_NT;C:\WINNT\System32\drivers\TAPM_NT.sys
S1 vrfyflp;Floppy disk verify driver;C:\WINNT\System32\drivers\vrfyflp.sys
S2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINNT\System32\DRIVERS\CINEMSUP.SYS
S2 Scsiprnt;Scsiprnt;C:\WINNT\System32\drivers\Scsiprnt.sys
S3 iAimFP0;iAimFP0;C:\WINNT\System32\DRIVERS\wADV01nt.sys
S3 iAimFP1;iAimFP1;C:\WINNT\System32\DRIVERS\wADV02NT.sys
S3 iAimFP2;iAimFP2;C:\WINNT\System32\DRIVERS\wADV05NT.sys
S3 iAimFP3;iAimFP3;C:\WINNT\System32\DRIVERS\wSiINTxx.sys
S3 iAimFP4;iAimFP4;C:\WINNT\System32\DRIVERS\wVchNTxx.sys
S3 iAimTV0;iAimTV0;C:\WINNT\System32\DRIVERS\wATV01nt.sys
S3 iAimTV1;iAimTV1;C:\WINNT\System32\DRIVERS\wATV02NT.sys
S3 iAimTV2;iAimTV2;C:\WINNT\System32\DRIVERS\wATV03nt.sys
S3 iAimTV3;iAimTV3;C:\WINNT\System32\DRIVERS\wATV04nt.sys
S3 iAimTV4;iAimTV4;C:\WINNT\System32\DRIVERS\wCh7xxNT.sys
S3 MPE;BDA MPE Filter;C:\WINNT\System32\DRIVERS\MPE.sys
S3 TBiosDrv;TBiosDrv;\??\C:\WINNT\System32\drivers\TBiosDrv.sys
S4 i81xnt4;i81xnt4;C:\WINNT\System32\DRIVERS\i81xnt4.sys
S4 lkbdfltr;Logitech Keyboard Class Filter Driver;C:\WINNT\System32\DRIVERS\lkbdfltr.sys
S4 lmoufltr;Logitech Mouse Class Filter Driver;C:\WINNT\System32\DRIVERS\lmoufltr.sys
S4 lsermous;Logitech Serial Mouse Driver;C:\WINNT\System32\DRIVERS\lsermous.sys

*Newly Created Service* - TMCOMM

Contents of the 'Scheduled Tasks' folder
2007-08-06 07:00:00 C:\WINNT\Tasks\Spybot - Search & Destroy - Scheduled Task.job - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-06 14:34:54
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-06 14:36:27
C:\ComboFix-quarantined-files.txt ... 2007-08-05 17:36
C:\ComboFix2.txt ... 2007-08-05 17:37
C:\ComboFix3.txt ... 2007-08-02 11:51

--- E O F ---
 
I need to know the exact location of the i386 folder ?

Assuming it's here :- C:\i386

1. Click Start, and then click Run.
2. In the Open box, type cmd
3. Then click OK.

When the cmd prompt opens type Expand C:\i386\rundll32.ex_ c:\WINNT\system32\rundll32.exe

Note that there is a space between "Expand" and "C:\i386" & between "ex_" and "c:\WINNT\"

If the file is in C:\WINNT\i386

then it would be :-

Expand C:\WINNT\i386\rundll32.ex_ c:\WINNT\system32\rundll32.exe

If it's on a disk, let me know...

steam
 
Well, thanks! That fixed it!

So how are we looking on malware?

I still am having searches in search engines hijacked. Also, I still cannot get to certain websites like this one. The PC seems to be running well except for that. Problem is, that must mean we still have issues? I wouldn't ever want to enter any personal information into that computer if I know webpages are being redirected.

Anything else in mind?
 
HOLD ON!! Just tried to get on forums.spybot.info and it LET ME IN!!! WOO HOO!!

Still having the search engine issue though.
 
Hi

The malware appears to be pretty much gone, I still want you to run Ccleaner on the C:\WINNT\Profiles\Administrator\ account... you should be able to get to that account from the control panel now...

Let's see if your DNS settings are being hijacked ...

Print out these instructions for reference, since you will have to restart your computer during the fix.

1. Please download FixWareout from here:-

http://downloads.subratam.org/Fixwareout.exe

2. Save it to your desktop and run it.

3. Click Next > then Install > then make sure "Run fixit" is checked and click Finish.

4. The fix will begin, follow the prompts.

5. You will be asked to reboot your computer, please do so. Your system may take longer than usual to load this is normal.

6. When your system reboots (BE patient), follow the prompts. Afterwards, HijackThis may launch. Please Close HijackThis, and click OK to proceed.

At the end of the fix, you may need to restart your computer again, restart if prompted.

Finally, please post the contents of :-

C:\fixwareout\report.txt


steam
 
Steam,

The Admin account simply is not there. All that are listed are Ken and Guest. This is strange because when I boot in safe mode, the admin account is one of my choices. Any ideas why this is? Does it have something to do with how the software was originally set up?

I will continue with the Fixware Out instruction from here and wait for your response.
 
Bad news,

We are also back to the PC killing websites. I can no longer get onto this website, and the new one you gave me is not being allowed either. I will try to do it with a floppy.
 
Here is the report from Fixwareout:

Username "Ken" - 2007-08-07 14:05:11 [Fixwareout edited 2007/07/05]

»»»»»Prerun check

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}
"nameserver"="194.54.90.226" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EM_EXEC"="C:\\PROGRA~1\\MOUSEW~1\\SYSTEM\\EM_EXEC.EXE"
"Pinger"="C:\\TOSHIBA\\IVP\\ISM\\pinger.exe"
"PROMon.exe"="Promon.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Synchronization Manager"="mobsync.exe /logon"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1135354199\\ee\\AOLSoftware.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
 
OK, for the mean time, this seems to have fixed 2 issues. I can now do normal searches on both IE and Firefox using google and the like. Also, my outlook email seems to be working right again.

The remaining problem still seems to be the killing of certain websites. For example, at the moment I am on forums.spybot.info and writing you. However, I just tried to access http://downloads.subratam.org/Fixwareout.exe and a few others that you have given me in the past, and they are still saying that they cannot be found. Seems we are doing some good, but the bug is hiding out somewhere.

I'll try and figure out why I cannot log in as Admin while I wait to hear from you.

Thanks again for all of your help.

Ken
 
HI Ken

Which other links can't you reach ? can you name a few please ?

If you click refresh after getting "the page cannot be displayed" does it connect ?

steam
 
Steam,

For the time being at least, it seems that I can now get to any website that I want. I don't know why that changed since my last post, but it has. It seems that all the problems have been fixed. I would really like to give you a sincere thank you for all the help you provided here to me, and everyone else. I don't know how they talk people into doing this for no charge. If there is any way I can repay you or the community, please let me know.

I don't know if I have done everything you want me to do for sure yet, but I did want to bring one more thing to your attention. Every time that I have run Spybot recently, it finds the following...

Advertising.com 6 entries
DoubleClick 1
FastClick 3 entries
HitBox 6 entries
MediaPlex 1
WebTrends Live 1
Zedo 6 entries

These are for the most part, the same as I posted in post #24. I have spybot Fix them each time, but they keep re-appearing. I have not been to any websites that would down load this kind of stuff since we have been working together. Should I be concerned, or is something still going on?

Thanks again for all of your help!
 
Hi Ken

The DNS hijack was the most likely cause of your last problem; it probably only required a reboot to clear it totally...

Advertising.com 6 entries
DoubleClick 1
FastClick 3 entries
HitBox 6 entries
MediaPlex 1
WebTrends Live 1
Zedo 6 entries

These are tracking cookies which everyone picks up all the time; it's all part of surfing...

Installing the MVPS HOSTS file & IE-Spyad will greatly reduce the number that you pick up...

1. IE/Spyad: http://www.spywarewarrior.com/uiuc/resource.htm
2. http://www.mvps.org/winhelp2002/hosts.htm

#1 IE/Spyad will place over 5,000 known bad sites in your "restricted sites" list

#2 the hosts file, will similarly block known bad sites from loading on to your computer by using the hosts file.

Also take a look here :-

So how did I get infected in the first place? by TonyKlein :-

http://forums.spybot.info/showthread.php?t=279

cheers

steam
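As an added example (this is not code from the thread, from Fixwareout or from ComboFix), here is the detection logic behind the two symptoms steam describes: a static NameServer planted on a network interface, as in the Fixwareout prerun check earlier in the thread, and a hosts file that either blocks security sites (the "cannot reach forums.spybot.info" symptom) or redirects them, versus the benign sinkhole entries an MVPS-style HOSTS file adds. The interface keys other than the one Fixwareout reported, the trusted resolver address, the extra watched domains and every hosts line are constructed sample data, not values from Ken's machine.

```python
"""Flag a rogue static DNS server on a Windows TCP/IP interface and
classify hosts-file entries as hijack / redirect / benign block."""
import ipaddress
import re

# Hostnames whose resolution must never be overridden locally. The first two
# appear in the thread; the rest are assumed examples of vendor update sites.
WATCHED_DOMAINS = {
    "forums.spybot.info",
    "downloads.subratam.org",
    "www.microsoft.com",
    "update.microsoft.com",
}

# Addresses that blocklist-style hosts files (MVPS and similar) use as sinkholes.
SINKHOLES = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("0.0.0.0")}

# Constructed sample in the shape of the Fixwareout prerun check:
# interface registry key -> static "NameServer" value ("" means DHCP only).
# Only the first GUID and its address are taken from the report in the thread.
SAMPLE_INTERFACES = {
    "{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}": "194.54.90.226",
    "{11111111-2222-3333-4444-555555555555}": "",             # DHCP, no static entry
    "{66666666-7777-8888-9999-000000000000}": "192.168.1.1",  # home router, fine
}

# Constructed sample hosts file (203.0.113.0/24 is a documentation range).
SAMPLE_HOSTS = """\
# constructed sample, not Ken's hosts file
127.0.0.1 localhost
0.0.0.0 ad.doubleclick.net            # MVPS-style sinkhole, benign
127.0.0.1 forums.spybot.info          # malware blocking a security forum
203.0.113.9 downloads.subratam.org    # redirect to an attacker-controlled host
203.0.113.9 www.example.com
"""


def find_rogue_nameservers(interfaces, trusted):
    """Return (interface, server) pairs whose static NameServer is neither a
    private/link-local address nor on the caller's trusted resolver list."""
    trusted_ips = {ipaddress.ip_address(t) for t in trusted}
    rogue = []
    for key, value in interfaces.items():
        # Windows stores several servers separated by spaces or commas.
        for server in re.split(r"[ ,]+", value.strip()):
            if not server:
                continue
            try:
                ip = ipaddress.ip_address(server)
            except ValueError:
                rogue.append((key, server))  # unparsable values deserve a look too
                continue
            if ip.is_private or ip in trusted_ips:
                continue
            rogue.append((key, server))
    return rogue


def parse_hosts(text):
    """Return (ip, hostname) tuples from hosts-file text, ignoring comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; a real scanner would report it
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def classify_hosts_entries(entries, watched=WATCHED_DOMAINS):
    """Bucket entries: 'hijack' for any override of a watched security site
    (sinkholed or redirected, both mean it will not load), 'redirect' for
    other names pointed at a real address, 'blocked' for benign sinkholes."""
    result = {"hijack": [], "redirect": [], "blocked": []}
    for ip, name in entries:
        if name == "localhost" and ip.is_loopback:
            continue
        if name in watched:
            result["hijack"].append((str(ip), name))
        elif ip in SINKHOLES:
            result["blocked"].append((str(ip), name))
        else:
            result["redirect"].append((str(ip), name))
    return result


def run_checks(interfaces=SAMPLE_INTERFACES, hosts_text=SAMPLE_HOSTS,
               trusted=("198.51.100.53",)):  # assumed ISP resolver
    """Run both checks and return the findings as one dict."""
    return {
        "rogue_nameservers": find_rogue_nameservers(interfaces, trusted),
        "hosts": classify_hosts_entries(parse_hosts(hosts_text)),
    }


if __name__ == "__main__":
    for section, findings in run_checks().items():
        print(section, findings)
```

On a live XP box the interface values come from HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}\NameServer and the hosts file from %SystemRoot%\system32\drivers\etc\hosts; the functions above take that data as plain strings so they can be run against exported copies offline. A watched-domain override is reported whatever it points at, because both a 127.0.0.1 sinkhole and a redirect to a foreign address stop the real site from loading.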
 