
Thread: Just checking...

  1. #1
    Junior Member
    Join Date
    Oct 2006
    Posts
    24

Just checking...

Hey all, recently I contracted some major virus through MSN Messenger (the "Hey is that your picture?" auto-message thing) and have been spending the last week trying to clean my PC of it.

I think my PC is clean for the most part, but just in case I'd like someone more experienced to check it out. (I also ran an on-line Anti Virus scan as stated in one of the stickies, which found nothing.)

    Quote Originally Posted by HijackThis Log:
    Logfile of HijackThis v1.99.1
    Scan saved at 8:30:56 PM, on 14/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\hijackthis\HijackThis.exe
    C:\Program Files\Mozilla Firefox\firefox.exe

    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
    O4 - HKLM\..\Run: [ggf6379b] RUNDLL32.EXE w0e3ae22.dll,n 005637960000000a0e3ae22
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
    O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1155676927265
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...66/mcfscan.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by125fd.bay125.hotmail.msn.co...x/HMAtchmt.ocx
    O20 - Winlogon Notify: avldr - C:\WINDOWS\
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe

Also, I'm not sure if this is related, but every time I start my PC I get this error:

And ever since the incident I haven't been able to access Windows Firewall: http://i10.tinypic.com/2hd2q85.jpg, nor Windows Update (all my updates fail on installation).

    Any help will be appreciated, thanks.

  2. #2
Security Expert-Emeritus Rawe
    Join Date
    Mar 2006
    Location
    Finland
    Posts
    393


    Hello and welcome

    Please run a scan with HijackThis and check the following objects for removal:

    O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
    O4 - HKLM\..\Run: [ggf6379b] RUNDLL32.EXE w0e3ae22.dll,n 005637960000000a0e3ae22


    Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

    -----

    Navigate to, and delete the following file if present:

    C:\WINDOWS\System32\w0e3ae22.dll

(If you can't find it, make sure you can see hidden files; if you can't delete it, boot into Safe Mode and try again. Make sure you re-hide hidden files afterwards.)

    Empty recycle bin.

    -----

    RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") to download sharedaccess.reg and save it to your desktop.
    • Double-click the file.
    • when asked to merge with registry, hit YES.
    • The Services entry will be created.
    • Please reboot.
    • Click Start -> Run and type in: cmd.exe
    • On Command Prompt, type NETSH FIREWALL RESET
    • Hit Enter.
    • Then go to the Control Panel and launch the Windows Firewall again. Try to access your Firewall settings again.


    -------

    Finally.......

    Please download Combofix to your desktop:
    • Double-click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.


    Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Hi there, stranger!

    Proud Member of ASAP since 2005.
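The two things Rawe picked out of the log by eye (an O3 toolbar CLSID with no backing file, and an O4 Run entry with a random-looking key name that has RUNDLL32 load a random-looking DLL) can be turned into a small triage script. This is an added example written for this thread, not a HijackThis, ComboFix or forum tool; the sample lines are copied from the first log above, and the "generated-looking name" heuristic is this example's own assumption, not HijackThis logic.

```python
"""Triage of HijackThis v1.99.1 log lines (added example; not a HijackThis,
forum or helper tool). Codifies two checks applied by eye in this thread:
O3 toolbar entries that resolve to "(no file)" are orphaned, and O4 Run
entries whose key or DLL name looks machine-generated and that launch
RUNDLL32 on a DLL deserve a closer look before the rest of the cleanup.
"""
import re
from dataclasses import dataclass

# Constructed sample: five lines copied from the first log posted in this thread.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ggf6379b] RUNDLL32.EXE w0e3ae22.dll,n 005637960000000a0e3ae22
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

# "O4 - <detail>"; headers and the running-process list do not match.
LINE_RE = re.compile(r"^([OFR]\d+) - (.*)$")
# "HKLM\..\Run: [KeyName] command line"
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# "RUNDLL32.EXE <dll>,<export> <args>"; captures the DLL token only.
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+(?P<dll>[^,\s]+)", re.IGNORECASE)


@dataclass
class Entry:
    section: str   # HijackThis section tag, e.g. "O4"
    detail: str    # everything after "O4 - "


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_log(text):
    """Keep only the tagged entry lines of a HijackThis log."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def looks_generated(token):
    """Assumed heuristic for machine-generated names: 6-10 lowercase
    alphanumerics containing at least three digits. 'w0e3ae22' and
    'ggf6379b' match; 'igfxtray' and 'msascui' do not."""
    return (re.fullmatch(r"[a-z0-9]{6,10}", token) is not None
            and sum(ch.isdigit() for ch in token) >= 3)


def triage(entries):
    """Return the entries a helper would ask to see before anything is fixed."""
    findings = []
    for e in entries:
        if e.section == "O3" and e.detail.endswith("(no file)"):
            findings.append(Finding("O3", "orphaned toolbar entry: CLSID with no backing file", e.detail))
        elif e.section == "O4":
            m = O4_RE.match(e.detail)
            if m is None:          # Global Startup .lnk lines are not checked here
                continue
            reasons = []
            if looks_generated(m.group("name").lower()):
                reasons.append("run key name looks generated")
            r = RUNDLL_RE.match(m.group("cmd"))
            if r:
                dll = r.group("dll")
                stem = dll.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
                if looks_generated(stem):
                    reasons.append("rundll32 loads a DLL with a generated-looking name")
                # Only worth noting once the entry is already suspicious: many
                # legitimate vendor entries also pass rundll32 a bare DLL name.
                if reasons and "\\" not in dll:
                    reasons.append("DLL given without a path (found via DLL search order)")
            if reasons:
                findings.append(Finding("O4", "; ".join(reasons), e.detail))
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run against the full first log above, the script reports exactly the two lines Rawe asked to have fixed and stays quiet on the Intel, Java and Windows Defender entries.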

  3. #3
    Junior Member
    Join Date
    Oct 2006
    Posts
    24


    Awesome, thank you!

Anyway, here is my new HijackThis log:

    Quote Originally Posted by Hijack This
    Logfile of HijackThis v1.99.1
    Scan saved at 11:35:28 AM, on 15/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\savedump.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
    O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/reso...lscbase969.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1155676927265
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by125fd.bay125.hotmail.msn.co...x/HMAtchmt.ocx
    O20 - Winlogon Notify: avldr - C:\WINDOWS\
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe

And my ComboFix log:

    Quote Originally Posted by Combofix
    Kev - 06-10-15 11:26:51.54 Service Pack 2
    ComboFix 06.10.14.1 - Running from: "C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Desktop"

    ((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\Dxccwrd.dll
    C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\Dxcknwrd.dll
    C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\Dxcuknwrd.dll


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\QooBox\Purity\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\SSTEM~1
    C:\QooBox\Purity\Program Files\Common Files\WNSXS~1


    ((((((((((((((((((((((((((((((( Files Created from 2006-09-15 to 2006-10-15 ))))))))))))))))))))))))))))))))))


    2006-10-14 16:11 57,344 --a------ C:\WINDOWS\system32\pavipc.dll
    2006-10-14 14:08 26,752 --a------ C:\WINDOWS\system32\drivers\ShldDrv.sys
    2006-10-14 14:08 165,120 --a------ C:\WINDOWS\system32\drivers\PavProc.sys
    2006-10-12 19:30 163,840 --a------ C:\WINDOWS\system32\igfxres.dll
    2006-10-11 20:02 2 --a------ C:\WINDOWS\system32\wintsvcc.exe
    2006-10-09 19:02 92,544 --a------ C:\WINDOWS\system32\drivers\av5flt.sys
    2006-10-08 14:36 <DIR> d-------- C:\WINDOWS\McAfee.com
    2006-10-05 22:29 1,233 --a------ C:\WINDOWS\system32\ggf6379b.sys
    2006-10-01 23:06 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
    2006-10-01 23:06 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
    2006-10-01 23:06 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
    2006-10-01 23:06 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
    2006-10-01 23:06 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
    2006-10-01 23:06 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
    2006-09-17 17:51 91,136 -ra------ C:\WINDOWS\system32\msls2.dll


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

    Rootkit driver pe386 is present. A rootkit scan is required

    2006-10-15 11:27 -------- d-------- C:\Program Files\Common Files
    2006-10-15 11:22 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-10-15 11:10 -------- d-------- C:\Program Files\hijackthis
    2006-10-15 00:19 -------- d-------- C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\Windows Live Safety Center
    2006-10-15 00:13 -------- d-------- C:\Program Files\Windows Live Safety Center
    2006-10-14 21:54 -------- d---s---- C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\Microsoft
    2006-10-14 19:02 -------- d-------- C:\Program Files\Windows Defender
    2006-10-14 18:54 -------- d-------- C:\Program Files\Internet Explorer
    2006-10-14 18:46 -------- d-------- C:\Program Files\BitComet
    2006-10-14 16:11 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-10-14 14:08 -------- d-------- C:\Program Files\Common Files\Panda Software
    2006-10-09 19:07 -------- d-------- C:\Program Files\Common Files\InstallShield
    2006-10-09 17:44 -------- d-------- C:\Program Files\QuickTime
    2006-10-09 17:44 -------- d-------- C:\Program Files\iTunes
    2006-10-09 16:21 -------- d-------- C:\Program Files\Outlook Express
    2006-10-05 23:14 -------- d-------- C:\Program Files\FFDShow
    2006-09-17 18:05 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
    2006-08-25 21:33 -------- d-------- C:\Program Files\Intel
    2006-08-25 20:44 -------- d-------- C:\Program Files\Dell
    2006-08-25 20:08 -------- d-------- C:\Program Files\Analog Devices
    2006-08-25 02:05 -------- d-------- C:\Program Files\Movie Maker
    2006-08-24 19:43 -------- d-------- C:\Program Files\Valve
    2006-08-21 22:29 -------- d-------- C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\Media Player Classic
    2006-08-21 18:41 -------- d-------- C:\Program Files\Java
    2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
    2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
    2006-08-21 05:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
    2006-08-16 19:18 -------- d-------- C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\AdobeUM
    2006-08-16 12:00 6144 --a------ C:\WINDOWS\system32\ff_vfw.dll
    2006-08-15 17:42 -------- d-------- C:\Program Files\Windows Media Player
    2006-08-09 02:19 1069 --a------ C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\AdobeDLM.log
    2006-08-08 22:51 0 --a--c--- C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\dm.ini
    2006-08-08 21:41 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
    2006-08-07 23:05 0 -rahs---- C:\MSDOS.SYS
    2006-08-07 23:05 0 -rahs---- C:\IO.SYS
    2006-08-04 11:37 73728 --a------ C:\WINDOWS\system32\dpl100.dll
    2006-08-04 11:37 196608 --a------ C:\WINDOWS\system32\dtu100.dll
    2006-07-28 09:30 62744 --a------ C:\WINDOWS\system32\xinput1_2.dll
    2006-07-28 09:30 236824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
    2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-07-26 22:05 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
    2006-07-26 22:05 109568 --------- C:\WINDOWS\system32\pxinsi64.exe
    2006-07-26 22:05 108544 --------- C:\WINDOWS\system32\pxcpyi64.exe
    2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "BitComet"="\"C:\\Program Files\\BitComet\\BitComet.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
    "HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
    "AdaptecDirectCD"="C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
    "Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
    "KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
    65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,40,01,00,00,00,00,00,00,40,01,00,00,c2,01,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
    00,00,01,00,00,00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "CDRAutoRun"=dword:00000000

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "CDRAutoRun"=dword:00000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\MP Scheduled Scan.job

    Completion time: 06-10-15 11:29:23.48
    C:\ComboFix.txt ... 06-10-15 11:29

  4. #4
Security Expert-Emeritus Rawe
    Join Date
    Mar 2006
    Location
    Finland
    Posts
    393


Looks like you've got a rootkit there. We'll run three different rootkit scanners to make sure we get them all. Make sure you only go by the instructions; don't delete/disinfect anything before checking the logs first.

    Please download AVG Anti-Rootkit to your desktop.
    • Double-click the installation file
    • Just click Next, let it go with default settings.
    • Once the installation is ready, reboot.
    • Run AVG Anti-Rootkit Beta.exe.
    • Click Search for rootkits.
    • When finished, click Save result to file.
    • Post back with the results. (Not sure where they are located, either in C:\Program Files\GRISOFT\AVG Anti-Rootkit Beta\ folder or on your desktop.)


    -------

    Download GMER:
    • Unzip it and double-click GMER.exe
    • Click the rootkit-tab and click scan.
    • Once done, click Copy.
    • This will copy the results to clipboard.
    • Paste the results in your next reply along with the others requested.


    -----

    Finally run this scan....

    Please download and save Blacklight to your desktop:
    • Double-click blbeta.exe.
    • Accept the agreement.
    • Click Scan.
    • Click Next.

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stands for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there. Post this along with the AVG and GMER logs. Do NOT delete anything without me checking first.

Hi there, stranger!

    Proud Member of ASAP since 2005.

  5. #5
    Junior Member
    Join Date
    Oct 2006
    Posts
    24


    Done and done.

    Quote Originally Posted by AVG
    C:\WINDOWS\system32:lzx32.sys Hidden driver file

As for GMER, my computer reset halfway through the scan, bringing me to a screen saying "Windows has detected an error and must reset" or something along those lines. I tried it again in Safe Mode but the same thing happened; however, by just starting up the program I get this log:

[As I was typing this message for the first time (this being the second), my PC reset and now the log looks different (there used to be a line like the one in the AVG scan).]

    Quote Originally Posted by GMER
    GMER 1.0.11.11390 - http://www.gmer.net
    Rootkit 2006-10-16 20:31:50
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.11 ----

    SSDT \SystemRoot\System32\Drivers\ShldDrv.SYS ZwEnumerateKey
    SSDT \SystemRoot\System32\Drivers\ShldDrv.SYS ZwEnumerateValueKey

    ---- Devices - GMER 1.0.11 ----

    Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F966F810] ShldDrv.SYS
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F966FBD8] ShldDrv.SYS

    ---- EOF - GMER 1.0.11 ----

[After my PC reset, I re-ran the AVG scan and it found nothing.]

    And for Blacklight...

  6. #6
    Junior Member
    Join Date
    Oct 2006
    Posts
    24


    Hmmm... It seems that my ComboFix log has changed as well...

    Quote Originally Posted by ComboFix
    Kev - 06-10-16 21:02:09.96 Service Pack 2
    ComboFix 06.10.14.1 - Running from: "C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Desktop"

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\QooBox\Purity\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\SSTEM~1
    C:\QooBox\Purity\Program Files\Common Files\WNSXS~1


    ((((((((((((((((((((((((((((((( Files Created from 2006-09-16 to 2006-10-16 ))))))))))))))))))))))))))))))))))


    2006-10-14 16:11 57,344 --a------ C:\WINDOWS\system32\pavipc.dll
    2006-10-14 14:08 26,752 --a------ C:\WINDOWS\system32\drivers\ShldDrv.sys
    2006-10-14 14:08 165,120 --a------ C:\WINDOWS\system32\drivers\PavProc.sys
    2006-10-12 19:30 163,840 --a------ C:\WINDOWS\system32\igfxres.dll
    2006-10-11 20:02 2 --a------ C:\WINDOWS\system32\wintsvcc.exe
    2006-10-09 19:02 92,544 --a------ C:\WINDOWS\system32\drivers\av5flt.sys
    2006-10-08 14:36 <DIR> d-------- C:\WINDOWS\McAfee.com
    2006-10-05 22:29 1,233 --a------ C:\WINDOWS\system32\ggf6379b.sys
    2006-10-01 23:06 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
    2006-10-01 23:06 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
    2006-10-01 23:06 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
    2006-10-01 23:06 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
    2006-10-01 23:06 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
    2006-10-01 23:06 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
    2006-09-17 17:51 91,136 -ra------ C:\WINDOWS\system32\msls2.dll


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-10-16 21:00 -------- d-------- C:\Program Files\hijackthis
    2006-10-16 20:40 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-10-16 19:18 -------- d-------- C:\Program Files\GRISOFT
    2006-10-15 11:27 -------- d-------- C:\Program Files\Common Files
    2006-10-15 00:19 -------- d-------- C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\Windows Live Safety Center
    2006-10-15 00:13 -------- d-------- C:\Program Files\Windows Live Safety Center
    2006-10-14 21:54 -------- d---s---- C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\Microsoft
    2006-10-14 19:02 -------- d-------- C:\Program Files\Windows Defender
    2006-10-14 18:54 -------- d-------- C:\Program Files\Internet Explorer
    2006-10-14 18:46 -------- d-------- C:\Program Files\BitComet
    2006-10-14 16:11 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-10-14 14:08 -------- d-------- C:\Program Files\Common Files\Panda Software
    2006-10-09 19:07 -------- d-------- C:\Program Files\Common Files\InstallShield
    2006-10-09 17:44 -------- d-------- C:\Program Files\QuickTime
    2006-10-09 17:44 -------- d-------- C:\Program Files\iTunes
    2006-10-09 16:21 -------- d-------- C:\Program Files\Outlook Express
    2006-10-05 23:14 -------- d-------- C:\Program Files\FFDShow
    2006-09-17 18:05 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
    2006-08-25 21:33 -------- d-------- C:\Program Files\Intel
    2006-08-25 20:44 -------- d-------- C:\Program Files\Dell
    2006-08-25 20:08 -------- d-------- C:\Program Files\Analog Devices
    2006-08-25 02:05 -------- d-------- C:\Program Files\Movie Maker
    2006-08-24 19:43 -------- d-------- C:\Program Files\Valve
    2006-08-21 22:29 -------- d-------- C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\Media Player Classic
    2006-08-21 18:41 -------- d-------- C:\Program Files\Java
    2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
    2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
    2006-08-21 05:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
    2006-08-16 19:18 -------- d-------- C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\AdobeUM
    2006-08-16 12:00 6144 --a------ C:\WINDOWS\system32\ff_vfw.dll
    2006-08-09 02:19 1069 --a------ C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\AdobeDLM.log
    2006-08-08 22:51 0 --a--c--- C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\dm.ini
    2006-08-08 21:41 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
    2006-08-07 23:05 0 -rahs---- C:\MSDOS.SYS
    2006-08-07 23:05 0 -rahs---- C:\IO.SYS
    2006-08-04 11:37 73728 --a------ C:\WINDOWS\system32\dpl100.dll
    2006-08-04 11:37 196608 --a------ C:\WINDOWS\system32\dtu100.dll
    2006-07-28 09:30 62744 --a------ C:\WINDOWS\system32\xinput1_2.dll
    2006-07-28 09:30 236824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
    2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-07-26 22:05 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
    2006-07-26 22:05 109568 --------- C:\WINDOWS\system32\pxinsi64.exe
    2006-07-26 22:05 108544 --------- C:\WINDOWS\system32\pxcpyi64.exe
    2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "BitComet"="\"C:\\Program Files\\BitComet\\BitComet.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
    "HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
    "AdaptecDirectCD"="C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
    "Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
    00,00,01,00,00,00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "CDRAutoRun"=dword:00000000

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "CDRAutoRun"=dword:00000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\MP Scheduled Scan.job

    Completion time: 06-10-16 21:03:08.98
    C:\ComboFix.txt ... 06-10-16 21:03

  7. #7
    Security Expert-Emeritus Rawe's Avatar
    Join Date
    Mar 2006
    Location
    Finland
    Posts
    393

    Default

    Please download NTrights.zip by freeatlast on your desktop.
    If you can't access it, download it HERE.
    • Save it on your desktop.
    • Unzip/extract it. (Instructions if necessary: http://metallica.geekstogo.com/xpcom...planation.html)
    • Open the NTrights-folder.
    • Double-click on the Debug.bat to run it, follow any prompts it asks.
    • Reboot.
    • Double-click the Debug.bat again after reboot.


    It will create a log.

    If the log says:
    "Granting SeDebugPrivilege to Administrators ... successful", things should be ok with that issue...

    ------

    Now, please navigate to and delete the following files if present:

    C:\WINDOWS\system32\wintsvcc.exe
    C:\WINDOWS\system32\ggf6379b.sys


    (If you can't find them, make sure you can see hidden files; if you can't delete them, boot into Safe Mode and try again. Make sure you re-hide hidden files afterwards.)

    Empty recycle bin.

    -----

    After that...

    Please rerun BlackLight and see if it still gives the error. If not, please post the scan log here along with a fresh HijackThis log and let me know how the system is running now.
    Hi there, stranger!

    Proud Member of ASAP since 2005.
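The NTrights step in the post above puts SeDebugPrivilege back on the Administrators group; without that right a scanner such as BlackLight cannot open other processes, which is one reason it errors out on a rootkit-infected box. The script below is an added example, not the NTrights/Debug.bat tool from the thread, and not Rawe's code. It does the same job with secedit.exe (present on every NT-based Windows): export the current user-rights assignment, check the SeDebugPrivilege line for the well-known Administrators SID, and, if it is missing, import a template that adds it without dropping any other holder. The export sample and the temp-directory paths are constructed assumptions; the export step is written without `/db`, which some older secedit builds may additionally require.

```python
"""Check whether BUILTIN\\Administrators still holds SeDebugPrivilege and, if
not, build and apply a secedit template that grants it back.

Added example, not the NTrights/Debug.bat tool from the thread. It relies only
on secedit.exe, which ships with every NT-based Windows. The export sample
below is constructed, and the temp-directory paths are assumptions.
"""
import re
import subprocess
import sys
import tempfile
from pathlib import Path

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample of a `secedit /export /areas USER_RIGHTS` file in which
# SeDebugPrivilege has been stripped from Administrators (the condition the
# thread's Debug.bat repairs). Not captured from the poster's machine.
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeDebugPrivilege =
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text: str) -> dict[str, list[str]]:
    """Map each privilege in [Privilege Rights] to its holders (SIDs without the
    leading '*' secedit puts on them, or plain account names)."""
    rights: dict[str, list[str]] = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
    return rights


def administrators_can_debug(inf_text: str) -> bool:
    """True when Administrators is among the SeDebugPrivilege holders."""
    return ADMINISTRATORS_SID in parse_privilege_rights(inf_text).get("SeDebugPrivilege", [])


def build_grant_template(inf_text: str) -> str:
    """secedit template that adds Administrators to SeDebugPrivilege while
    keeping every holder the export already lists."""
    holders = parse_privilege_rights(inf_text).get("SeDebugPrivilege", [])
    if ADMINISTRATORS_SID not in holders:
        holders = holders + [ADMINISTRATORS_SID]
    # SIDs must be written with a leading '*'; account names are written bare.
    value = ",".join(("*" + h) if re.fullmatch(r"S-1-[\d-]+", h) else h for h in holders)
    return ('[Unicode]\nUnicode=yes\n[Version]\nsignature="$CHICAGO$"\nRevision=1\n'
            f"[Privilege Rights]\nSeDebugPrivilege = {value}\n")


def export_current_rights(work: Path) -> str:
    """Run secedit to dump the live user-rights assignment (Windows only).
    Assumption: this secedit build accepts /export without /db."""
    out = work / "rights.inf"
    subprocess.run(["secedit", "/export", "/cfg", str(out), "/areas", "USER_RIGHTS", "/quiet"],
                   check=True)
    return out.read_text(encoding="utf-16")  # secedit writes UTF-16 with a BOM


def apply_template(work: Path, template: str) -> None:
    """Import the template into a scratch database and apply its user rights."""
    cfg = work / "grant.inf"
    cfg.write_text(template, encoding="utf-16")
    subprocess.run(["secedit", "/configure", "/db", str(work / "grant.sdb"), "/cfg", str(cfg),
                    "/areas", "USER_RIGHTS", "/quiet"], check=True)


if __name__ == "__main__":
    if sys.platform != "win32":
        # Off Windows, just demonstrate the parsing on the constructed sample.
        print("Administrators can debug:", administrators_can_debug(SAMPLE_EXPORT))
        print(build_grant_template(SAMPLE_EXPORT))
    else:
        with tempfile.TemporaryDirectory() as tmp:  # needs an elevated prompt
            current = export_current_rights(Path(tmp))
            if administrators_can_debug(current):
                print("SeDebugPrivilege already granted to Administrators")
            else:
                apply_template(Path(tmp), build_grant_template(current))
                print("Granted SeDebugPrivilege to Administrators; reboot, then re-check")
```

As with the Debug.bat procedure, the change only takes full effect after a reboot, so the right check is to export again after restarting and confirm the SeDebugPrivilege line now carries *S-1-5-32-544. The template is built from the live export rather than hard-coded so that any account legitimately holding the privilege is kept.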

  8. #8
    Junior Member
    Join Date
    Oct 2006
    Posts
    24

    Default

    Quote Originally Posted by Rawe:
    Please download NTrights.zip by freeatlast on your desktop.
    If you can't access it, download it HERE.

    * Save it on your desktop.
    * Unzip/extract it. (Instructions if necessary: http://metallica.geekstogo.com/xpcom...planation.html)
    * Open the NTrights-folder.
    * Double-click on the Debug.bat to run it, follow any prompts it asks.
    * Reboot.
    * Double-click the Debug.bat again after reboot.


    It will create a log.

    If the log says:
    "Granting SeDebugPrivilege to Administrators ... successful", things should be ok with that issue...
    File is corrupted/empty.

    Deleted the other stuff though.

  9. #9
    Security Expert-Emeritus Rawe's Avatar
    Join Date
    Mar 2006
    Location
    Finland
    Posts
    393

    Default

    How's your system running at the moment?

    It's starting to look good. Any issues? Is Windows Firewall still disabled? What about Windows Update -- any issues with that?

    Let's run another scanner instead of BlackLight.

    Please run the F-Secure Online Scanner

    Note: This scanner is for Internet Explorer only!
    • Follow the instructions here for installation.
    • Accept the License Agreement.
    • Once the ActiveX installs, click Full System Scan
    • Once the download completes, the scan will begin automatically.
    • The scan will take some time to finish, so please be patient.
    • When the scan completes, click the Automatic cleaning (recommended) button.
    • Click the Show Report button and copy & paste the entire report in your next reply.
    Hi there, stranger!

    Proud Member of ASAP since 2005.

  10. #10
    Junior Member
    Join Date
    Oct 2006
    Posts
    24

    Default

    Sorry for the late reply, hadn't gotten a chance to get on the computer.

    Firewall is working great, thanks. However, Windows Update still keeps failing.

    So anyway here is my F-Secure log. (It says it just renamed/submitted them, so are they still there? Should I be concerned?)

    Scanning Report
    Friday, October 20, 2006 19:21:27 - 20:58:17

    Computer name: KEVIN
    Scanning type: Scan system for viruses, rootkits, spyware
    Target: C:\
    Result: 10 malware found
    IM-Worm.Win32.VB.aq (virus)

    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{C5FE4D57-BA26-4806-BDB7-848D4BEF7075}\RP515\A0061336.EXE (Renamed & Submitted)
    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{C5FE4D57-BA26-4806-BDB7-848D4BEF7075}\RP513\A0050268.EXE (Renamed & Submitted)
    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{C5FE4D57-BA26-4806-BDB7-848D4BEF7075}\RP513\A0050273.EXE (Renamed & Submitted)
    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{C5FE4D57-BA26-4806-BDB7-848D4BEF7075}\RP512\A0047141.EXE (Renamed & Submitted)

    Trojan-Clicker.Win32.Costrat.k (virus)

    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{C5FE4D57-BA26-4806-BDB7-848D4BEF7075}\RP512\A0047157.EXE (Renamed & Submitted)

    Trojan-Downloader.MSIL.Agent.c (virus)

    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{C5FE4D57-BA26-4806-BDB7-848D4BEF7075}\RP532\A0074117.EXE (Renamed & Submitted)
    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{C5FE4D57-BA26-4806-BDB7-848D4BEF7075}\RP532\A0074118.EXE (Renamed & Submitted)

    W32/Malware (virus)

    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{C5FE4D57-BA26-4806-BDB7-848D4BEF7075}\RP593\A0097480.EXE (Submitted)

    W32/NetworkWorm (virus)

    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{C5FE4D57-BA26-4806-BDB7-848D4BEF7075}\RP529\A0074023.EXE (Submitted)

    W32/Smalldoor.GRU (virus)

    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{C5FE4D57-BA26-4806-BDB7-848D4BEF7075}\RP482\A0041536.DLL (Submitted)

    Statistics
    Scanned:

    * Files: 35279
    * System: 4137
    * Not scanned: 2

    Actions:

    * Disinfected: 0
    * Renamed: 7
    * Deleted: 0
    * None: 3
    * Submitted: 10

    Files not scanned:

    * C:\PAGEFILE.SYS
    * C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

    Options
    Scanning engines:

    * F-Secure AVP: 6.0.171, 2006-10-20
    * F-Secure Libra: 2.4.1, 2006-10-20
    * F-Secure Orion: 1.2.37, 2006-10-20
    * F-Secure Blacklight: 1.0.31, 0000-00-00
    * F-Secure Draco: 1.0.35, 0259-24-212
    * F-Secure Pegasus: 1.19.0, 2006-08-29

    Scanning options:

    * Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
    * Use Advanced heuristics

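Every path the F-Secure report above flags sits under C:\System Volume Information\_restore{...}\RPnnn\, i.e. inside System Restore snapshots, not on the live file system; those copies only come back if a restore point is rolled back, and the usual way to flush them is to turn System Restore off and on again, which discards all restore points. The report's own Statistics block also shows what was done: Renamed 7, None 3, so the three entries marked only "(Submitted)" had a sample uploaded and were otherwise left where they were. The parser below is an added example, not F-Secure code and not from anyone in the thread: it reads a report of this format and separates restore-point hits from live hits and neutralized hits from ones still on disk. SAMPLE_REPORT is constructed from the detection lines in the post plus one made-up live-path entry (CONSTRUCTED-SAMPLE.DLL) so that the live-file branch is exercised; that extra entry is not a real detection.

```python
"""Triage an F-Secure Online Scanner report: which hits sit only inside System
Restore snapshots, which are on the live file system, and which the scanner
left in place.

Added example, not F-Secure code. SAMPLE_REPORT is constructed from the
detection lines in the post plus one made-up live-path entry
(CONSTRUCTED-SAMPLE.DLL) so the live-file branch is exercised.
"""
import re
from dataclasses import dataclass

# XP keeps restore-point copies under <drive>\System Volume Information\_restore{GUID}\RPnnn\
RESTORE_POINT = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.IGNORECASE)
FAMILY_LINE = re.compile(r"^(\S+) \(([^()]+)\)$")  # e.g. "IM-Worm.Win32.VB.aq (virus)"
ITEM_LINE = re.compile(r"^\* (.+) \(([^()]+)\)$")  # e.g. "* C:\...\X.EXE (Renamed & Submitted)"

SAMPLE_REPORT = r"""Scanning Report
Result: 10 malware found
IM-Worm.Win32.VB.aq (virus)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{C5FE4D57-BA26-4806-BDB7-848D4BEF7075}\RP515\A0061336.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{C5FE4D57-BA26-4806-BDB7-848D4BEF7075}\RP513\A0050268.EXE (Renamed & Submitted)
Trojan-Clicker.Win32.Costrat.k (virus)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{C5FE4D57-BA26-4806-BDB7-848D4BEF7075}\RP512\A0047157.EXE (Renamed & Submitted)
W32/Malware (virus)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{C5FE4D57-BA26-4806-BDB7-848D4BEF7075}\RP593\A0097480.EXE (Submitted)
W32/Smalldoor.GRU (virus)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{C5FE4D57-BA26-4806-BDB7-848D4BEF7075}\RP482\A0041536.DLL (Submitted)
* C:\WINDOWS\SYSTEM32\CONSTRUCTED-SAMPLE.DLL (Submitted)
Statistics
Scanned:
* Files: 35279
"""


@dataclass(frozen=True)
class Detection:
    family: str
    path: str
    action: str  # scanner's action text, e.g. "Renamed & Submitted" or "Submitted"

    @property
    def in_restore_point(self) -> bool:
        return RESTORE_POINT.search(self.path) is not None

    @property
    def neutralized(self) -> bool:
        """Only these actions alter the file; 'Submitted' alone uploads a sample
        and leaves the file where it was (the report's 'None: 3' entries)."""
        return any(word in self.action for word in ("Renamed", "Deleted", "Disinfected"))


def parse_report(text: str) -> list[Detection]:
    """Collect detections between the 'Result:' line and the 'Statistics' block."""
    hits: list[Detection] = []
    family = None
    in_results = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Result:"):
            in_results = True
            continue
        if line == "Statistics":
            break
        if not in_results or not line:
            continue
        item = ITEM_LINE.match(line)
        if item and family:
            hits.append(Detection(family, item.group(1), item.group(2)))
            continue
        head = FAMILY_LINE.match(line)
        if head:
            family = head.group(1)
    return hits


def triage(hits: list[Detection]) -> dict:
    """Split hits into the three things a cleanup wants to know."""
    return {
        "total": len(hits),
        "restore_point_only": [h.path for h in hits if h.in_restore_point],
        "live": [h.path for h in hits if not h.in_restore_point],
        "left_in_place": [h.path for h in hits if not h.neutralized],
    }


if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT))
    print(f"{summary['total']} hits, {len(summary['restore_point_only'])} inside restore points")
    for path in summary["live"]:
        print("LIVE:", path)
    for path in summary["left_in_place"]:
        print("still on disk:", path)
```

Run against the full report in the post, the "live" list comes back empty and every entry is a restore-point copy; the constructed CONSTRUCTED-SAMPLE.DLL line is the shape of result that would justify further cleanup on the running system.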
