Antivirus XP 2008 causing problems. Please help.

Hi,

It appears that there is no rootkit installed. The bad entries we are trying to remove are missing their files, so they should be easy to remove. Remove these with HJT in Safemode.

O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\WINNT\System32\dxdmain.exe (file missing)
O23 - Service: msecure (mcsecure) - Unknown owner - C:\WINNT\mcsecure.exe (file missing)
O23 - Service: netinfo - Unknown owner - C:\WINNT\netinfo.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINNT\System32\rpcclient.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINNT\system32\ooo.exe (file missing)
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINNT\System32\SCardClnt.exe (file missing)
O23 - Service: AntiSpyUltra (Zonelaps) - Unknown owner - C:\WINNT\vsmom.exe (file missing)



To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot up, tap the F8 key somewhat rapidly;
    this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
Tutorial if you need it: How to boot into Safemode


Post a new log please
 
Hi,
O23 - Service: netinfo - Unknown owner - C:\WINNT\netinfo.exe (file missing) was not on the list. Every other file was removed.

Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:14:43 PM, on 8/27/2008
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\loadqm.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://xiah.gamescampus.com/luncher/GamesCampus.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\WINNT\System32\dxdmain.exe (file missing)
O23 - Service: msecure (mcsecure) - Unknown owner - C:\WINNT\mcsecure.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINNT\System32\rpcclient.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINNT\system32\ooo.exe (file missing)
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINNT\System32\SCardClnt.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: AntiSpyUltra (Zonelaps) - Unknown owner - C:\WINNT\vsmom.exe (file missing)

--
End of file - 4810 bytes
 
They're still there.

This is what we have to do: drag your copy of ComboFix to the trash (this program is updated on a regular basis) and download a fresh copy.

Download Combofix from any of the links below, and save it to your desktop. <-- Important
Link 1
Link 2
Link 3


Open Notepad (go to Start> All Programs> Accessories> Notepad; this will only work with Notepad) and copy all the text inside the code box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before or above Driver::

Code:
Driver::
dxdmain
mcsecure
netinfo
RpcClient
Rpcmon
SCardClnt
Zonelaps

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScriptB-4.gif]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
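What the helper is doing by hand in the two posts above (picking out the O23 services whose binary is gone and whose owner is unknown, then listing their short names under a Driver:: header) can be written down as a small triage script. The following Python is an added example, not code from this thread, HijackThis or ComboFix; the function names are my own, and the sample lines are copied from the HijackThis log posted above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: O23 lines copied from the HijackThis log posted earlier in this
# thread, plus the logfile header so the parser has a non-O23 line to skip.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\WINNT\System32\dxdmain.exe (file missing)
O23 - Service: msecure (mcsecure) - Unknown owner - C:\WINNT\mcsecure.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINNT\System32\rpcclient.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: AntiSpyUltra (Zonelaps) - Unknown owner - C:\WINNT\vsmom.exe (file missing)
"""

# One O23 line: "O23 - Service: <display name> (<short name>) - <owner> - <path>[ (file missing)]".
# The display name may itself contain parentheses ("Remote Procedure Call (RPC) Client"),
# so the greedy display group deliberately grabs the last "(short name) - " before the owner.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+) \((?P<name>[^()]+)\) - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def parse_o23(line: str) -> Optional[Dict[str, object]]:
    """Split one O23 line into its fields; return None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return {
        "display": m.group("display"),
        "name": m.group("name"),
        "owner": m.group("owner"),
        "path": m.group("path"),
        "file_missing": m.group("missing") is not None,
    }


def orphaned_services(log_text: str) -> List[Dict[str, object]]:
    """O23 entries whose binary is gone and that name no vendor: the helper's removal criterion."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry and entry["file_missing"] and entry["owner"] == "Unknown owner":
            hits.append(entry)
    return hits


def build_cfscript(service_names: List[str]) -> str:
    """Render the names in the CFScript layout shown in the post above:
    a bare "Driver::" header on the first line, then one service name per line."""
    return "Driver::\n" + "\n".join(service_names) + "\n"


if __name__ == "__main__":
    names = [str(e["name"]) for e in orphaned_services(SAMPLE_HJT_LOG)]
    print(build_cfscript(names), end="")
```

Run on the sample it prints a Driver:: block naming dxdmain, mcsecure, RpcClient and Zonelaps, while the AVG and ZoneAlarm services (vendor named, file present) are left alone. The list is a starting point for review, not a verdict: a vendor-signed service whose file was deleted by an earlier cleanup also shows "(file missing)", so a helper still reads each line before putting the name in a script.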
 
Here's the ComboFix report:

ComboFix 08-08-28.02 - Lee 08/28/2008 11:44:44.3 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.0.1252.1.1033.18.133 [GMT -7:00]
Running from: C:\Documents and Settings\Lee\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lee\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\vsdatant.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DXDMAIN
-------\Legacy_MCSECURE
-------\Legacy_NETINFO
-------\Legacy_RPCCLIENT
-------\Legacy_RPCMON
-------\Legacy_SCARDCLNT
-------\Legacy_VSDATANT
-------\Legacy_ZONELAPS
-------\Service_dxdmain
-------\Service_mcsecure
-------\Service_netinfo
-------\Service_RpcClient
-------\Service_Rpcmon
-------\Service_SCardClnt
-------\Service_vsdatant
-------\Service_Zonelaps


((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-28 )))))))))))))))))))))))))))))))
.

2008-08-27 23:22 . 08-08-27 23:22 553,188 ---h----- C:\WINNT\ShellIconCache
2008-08-27 10:46 . 08-08-27 10:46 250 --a------ C:\WINNT\gmer.ini
2008-08-26 15:47 . 08-08-26 15:47 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-26 15:47 . 08-08-26 15:47 <DIR> d-------- C:\Documents and Settings\Lee\Application Data\SUPERAntiSpyware.com
2008-08-26 15:47 . 08-08-26 15:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-25 15:48 . 08-08-25 15:48 <DIR> d-------- C:\WINNT\ERUNT
2008-08-25 15:48 . 93-05-22 15:01 438 --a------ C:\WINNT\system32\AUTOEXEC.NT
2008-08-25 15:41 . 08-08-25 16:11 <DIR> d-------- C:\SDFix
2008-08-25 11:08 . 08-08-25 11:23 <DIR> d-------- C:\fixwareout
2008-08-22 13:17 . 08-08-22 13:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-19 22:15 . 08-08-20 10:36 <DIR> d-------- C:\Documents and Settings\Lee\Application Data\Antispyware
2008-08-19 20:19 . 02-05-15 15:16 462,848 --a------ C:\WINNT\system32\msaatext.dll
2008-08-19 20:19 . 02-05-15 15:16 360,448 --a------ C:\WINNT\system32\oleacc.dll
2008-08-19 20:19 . 02-05-15 15:16 360,448 --a--c--- C:\WINNT\system32\dllcache\oleacc.dll
2008-08-19 20:19 . 02-05-15 15:16 356,352 --a------ C:\WINNT\system32\oleaccrc.dll
2008-08-19 20:19 . 02-05-15 15:16 356,352 --a--c--- C:\WINNT\system32\dllcache\oleaccrc.dll
2008-08-19 18:57 . 08-07-10 15:12 600 --a------ C:\WINNT\win.tmp
2008-08-19 18:57 . 05-01-03 10:30 231 --a------ C:\WINNT\system.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-28 04:21 --------- d-----w C:\Documents and Settings\Lee\Application Data\AVG7
2008-08-26 22:46 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-21 04:15 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-21 04:14 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-20 17:36 --------- d-----w C:\Documents and Settings\Lee\Application Data\SpywareBot
2008-08-20 00:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\AVG7
2008-08-18 22:18 --------- d-----w C:\Documents and Settings\Lee\Application Data\uTorrent
2008-07-04 20:24 --------- d-----w C:\Program Files\Starcraft
2005-01-04 01:49 271 -c-h--w C:\Program Files\desktop.ini
1999-12-07 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys
2008-03-21 20:29 479,232 -c--a-w C:\Program Files\mozilla firefox\plugins\msvcm80.dll
2008-03-21 20:29 548,864 -c--a-w C:\Program Files\mozilla firefox\plugins\msvcp80.dll
2008-03-21 20:29 626,688 -c--a-w C:\Program Files\mozilla firefox\plugins\msvcr80.dll
.

((((((((((((((((((((((((((((( snapshot@Mon 2008-08-25_19.37.42.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-27 17:46:04 884,736 ----a-w C:\WINNT\gmer.dll
+ 2008-04-18 04:13:02 811,008 ----a-w C:\WINNT\gmer.exe
+ 2008-08-26 22:47:16 18,944 ----a-r C:\WINNT\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-08-26 22:47:16 65,024 ----a-r C:\WINNT\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-08-27 17:46:04 85,969 ----a-w C:\WINNT\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [08-08-19 23:34 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [05-11-15 01:51 755472]
"EPSON Stylus CX4200 Series"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [05-03-07 20:00 98304]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08-03-29 02:12 98304]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08-06-27 20:15 580096]
"Synchronization Manager"="mobsync.exe" [99-12-07 05:00 111376 C:\WINNT\system32\mobsync.exe]
"LoadQM"="loadqm.exe" [00-05-03 18:23 7536 C:\WINNT\loadqm.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [07-09-04 16:40 6856704]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [08-05-21 20:06 219136]

C:\Documents and Settings\Lee\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2005-01-26 10:26:50 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [08-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
08-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Defragmentation Manager]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DHCP Client]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Keyboard Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\LSA Server]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sound Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ulead Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ulead Systems]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\upnpdrv]
@="Service"

R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\System32\Drivers\avg7rsnt.sys [08-05-21 20:06 ]
R3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);C:\WINNT\System32\drivers\ctlsb16.sys [99-10-23 14:10 ]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\System32\DRIVERS\el90xbc5.sys [99-10-23 05:22 ]
S3 GencTurK RootKit Driver;GencTurK RootKit Driver;C:\system.sys []
S3 msvnc;msvnc;C:\WINNT\system32\msvnc.sys []
S3 Winacpci;Winacpci;C:\WINNT\System32\DRIVERS\winacpci.sys [99-09-25 00:55 ]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-28 11:52:25
Windows 5.0.2195 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
SystemRoot\System32\smss.exe [144]
??\C:\WINNT\system32\csrss.exe [168]
??\C:\WINNT\system32\winlogon.exe [188]
C:\WINNT\system32\services.exe [216]
C:\WINNT\system32\lsass.exe [228]
C:\WINNT\system32\svchost.exe [388]
C:\WINNT\system32\spoolsv.exe [416]
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe [444]
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe [480]
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe [504]
C:\WINNT\System32\svchost.exe [564]
C:\WINNT\system32\stisvc.exe [596]
C:\WINNT\System32\WBEM\WinMgmt.exe [640]
C:\WINNT\system32\cmd.exe [944]
C:\WINNT\loadqm.exe [888]
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE [996]
C:\Program Files\QuickTime\qttask.exe [1032]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe [1044]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [972]
C:\WINNT\System32\ZoneLabs\vsmon.exe [1100]
C:\WINNT\Explorer.exe [1160]
C:\ComboFix\catchme.cfexe [1108]
.
**************************************************************************
.
Completion time: 2008-08-28 11:57:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-28 18:57:00
ComboFix2.txt 2008-08-27 02:54:17
ComboFix3.txt 2008-08-26 02:39:11

Pre-Run: 3,500,548,096 bytes free
Post-Run: 3,494,285,312 bytes free

169

And here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:53 PM, on 8/28/2008
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\loadqm.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\Explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://xiah.gamescampus.com/luncher/GamesCampus.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 4238 bytes
 
Also, ZoneAlarm says that the TrueVector security service is shut down and it has a message saying "System Error: Please Reboot". Even after I restarted the computer it still displays this message. Can you please tell me if I will have to reinstall ZoneAlarm? Thanks.
 
Fidos,

We're almost home; a few things we need to fix. Hang in a bit for the ZoneAlarm issue, we may be able to fix that. Be back shortly.
 
OK, this will tidy it up.


Open Notepad (go to Start> All Programs> Accessories> Notepad; this will only work with Notepad) and copy all the text inside the code box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before or above Driver::

Code:
Driver::
msvnc
GencTurK RootKit Driver

Rootkit::
C:\WINNT\system32\msvnc.sys
C:\system.sys

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScriptB-4.gif]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


Let's make sure it took, and then we can work on the ZoneAlarm issue.
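"Making sure it took" means reading the next ComboFix report against the script that was sent. The Python below is an added example, not code from this thread or from ComboFix, and the function names are mine. It parses the R*/S* driver and service lines of the report posted above, flags the entries whose bracket holds no file timestamp (the two names the helper put in this script), and then checks the Drivers/Services deletion section of the report the user posts next for a Service_ line per requested name. Treating empty brackets as "ComboFix found no file at that path" is an assumption drawn from how the lines in this thread line up with the helper's script. The sample text is copied from the two reports in this thread.

```python
import re
from typing import Dict, List

# Constructed sample: the driver/service lines from the ComboFix report posted above,
# before this CFScript was run.
PRE_RUN_SERVICES = r"""
R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\System32\Drivers\avg7rsnt.sys [08-05-21 20:06 ]
R3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);C:\WINNT\System32\drivers\ctlsb16.sys [99-10-23 14:10 ]
S3 GencTurK RootKit Driver;GencTurK RootKit Driver;C:\system.sys []
S3 msvnc;msvnc;C:\WINNT\system32\msvnc.sys []
S3 Winacpci;Winacpci;C:\WINNT\System32\DRIVERS\winacpci.sys [99-09-25 00:55 ]
"""

# Constructed sample: the deletion section and service lines from the report the user
# posts after running the CFScript (trimmed to the lines this example needs).
POST_RUN_REPORT = r"""
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSVNC
-------\Service_GencTurK RootKit Driver
-------\Service_msvnc

R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\System32\Drivers\avg7rsnt.sys [08-05-21 20:06 ]
S3 Winacpci;Winacpci;C:\WINNT\System32\DRIVERS\winacpci.sys [99-09-25 00:55 ]
S4 Defragmentation Manager;Managing FAT and NTFS partitions;C:\WINNT\System32\dfrgfat16.exe []
S4 GencTurK RootKit;TurkSpy For RootKit;C:\system.exe []
S4 Keyboard Service;Keyboard Service System Files;C:\WINNT\System32\keyboard.exe []
S4 LSA Server;Local Security Authority Server;C:\WINNT\system32\msupdater.exe []
S4 Sound Service;Sound Sservice Driver ;C:\WINNT\System32\cfmon.exe []
"""

# "<start type> <name>;<display name>;<image path> [<file timestamp>]".
# Empty brackets are read here as "no file found at that path" (assumption, see lead-in).
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<stamp>[^\]]*)\]$"
)
# Deletion lines look like "-------\Service_<name>"; only Service_ lines are counted,
# the Legacy_ companions are ignored.
DELETION_RE = re.compile(r"^-+\\Service_(?P<name>.+)$")


def parse_services(report: str) -> List[Dict[str, object]]:
    """Every R*/S* service line in the report, with a flag for whether a file timestamp was recorded."""
    entries = []
    for line in report.splitlines():
        m = SERVICE_RE.match(line.rstrip())
        if m:
            entries.append({
                "start": m.group("start"),
                "name": m.group("name"),
                "display": m.group("display").strip(),
                "path": m.group("path"),
                "has_file": m.group("stamp").strip() != "",
            })
    return entries


def no_file_entries(report: str) -> List[str]:
    """Service names whose image path carries no timestamp: the candidates for a Driver:: script."""
    return [str(e["name"]) for e in parse_services(report) if not e["has_file"]]


def removed_services(report: str) -> List[str]:
    """Names listed under Drivers/Services as deleted."""
    names = []
    for line in report.splitlines():
        m = DELETION_RE.match(line.rstrip())
        if m:
            names.append(m.group("name"))
    return names


def unconfirmed(report: str, requested: List[str]) -> List[str]:
    """Requested names that do not appear as deleted in the post-run report."""
    removed = {n.lower() for n in removed_services(report)}
    return [n for n in requested if n.lower() not in removed]


if __name__ == "__main__":
    requested = no_file_entries(PRE_RUN_SERVICES)
    print("requested:", requested)
    print("not confirmed removed:", unconfirmed(POST_RUN_REPORT, requested))
    print("still registered without a file:", no_file_entries(POST_RUN_REPORT))
```

On these inputs both requested names are confirmed deleted, which is the "it took" answer. The third call is the part worth keeping in the habit: run the same flag over the new report rather than only ticking off the old list, because the post-run lines register five further S4 services with no file behind them (one of them a near-namesake of the driver just removed), and those only surface in the fresh report.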
 
Here's the ComboFix report:

ComboFix 08-08-28.02 - Lee 08/28/2008 20:34:27.4 - NTFSx86
Running from: C:\Documents and Settings\Lee\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lee\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSVNC
-------\Service_GencTurK RootKit Driver
-------\Service_msvnc


((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))))))))))))))))))))))))
.

2008-08-27 23:22 . 08-08-28 12:10 553,356 ---h----- C:\WINNT\ShellIconCache
2008-08-27 10:46 . 08-08-27 10:46 250 --a------ C:\WINNT\gmer.ini
2008-08-26 15:47 . 08-08-26 15:47 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-26 15:47 . 08-08-26 15:47 <DIR> d-------- C:\Documents and Settings\Lee\Application Data\SUPERAntiSpyware.com
2008-08-26 15:47 . 08-08-26 15:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-25 15:48 . 08-08-25 15:48 <DIR> d-------- C:\WINNT\ERUNT
2008-08-25 15:48 . 93-05-22 15:01 438 --a------ C:\WINNT\system32\AUTOEXEC.NT
2008-08-25 15:41 . 08-08-25 16:11 <DIR> d-------- C:\SDFix
2008-08-25 11:08 . 08-08-25 11:23 <DIR> d-------- C:\fixwareout
2008-08-22 13:17 . 08-08-22 13:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-19 22:15 . 08-08-20 10:36 <DIR> d-------- C:\Documents and Settings\Lee\Application Data\Antispyware
2008-08-19 20:19 . 02-05-15 15:16 462,848 --a------ C:\WINNT\system32\msaatext.dll
2008-08-19 20:19 . 02-05-15 15:16 360,448 --a------ C:\WINNT\system32\oleacc.dll
2008-08-19 20:19 . 02-05-15 15:16 360,448 --a--c--- C:\WINNT\system32\dllcache\oleacc.dll
2008-08-19 20:19 . 02-05-15 15:16 356,352 --a------ C:\WINNT\system32\oleaccrc.dll
2008-08-19 20:19 . 02-05-15 15:16 356,352 --a--c--- C:\WINNT\system32\dllcache\oleaccrc.dll
2008-08-19 18:57 . 08-07-10 15:12 600 --a------ C:\WINNT\win.tmp
2008-08-19 18:57 . 05-01-03 10:30 231 --a------ C:\WINNT\system.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-28 04:21 --------- d-----w C:\Documents and Settings\Lee\Application Data\AVG7
2008-08-26 22:46 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-21 04:15 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-21 04:14 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-20 17:36 --------- d-----w C:\Documents and Settings\Lee\Application Data\SpywareBot
2008-08-20 00:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\AVG7
2008-08-18 22:18 --------- d-----w C:\Documents and Settings\Lee\Application Data\uTorrent
2008-07-04 20:24 --------- d-----w C:\Program Files\Starcraft
2005-01-04 01:49 271 -c-h--w C:\Program Files\desktop.ini
1999-12-07 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys
2008-03-21 20:29 479,232 -c--a-w C:\Program Files\mozilla firefox\plugins\msvcm80.dll
2008-03-21 20:29 548,864 -c--a-w C:\Program Files\mozilla firefox\plugins\msvcp80.dll
2008-03-21 20:29 626,688 -c--a-w C:\Program Files\mozilla firefox\plugins\msvcr80.dll
.

((((((((((((((((((((((((((((( snapshot@Mon 2008-08-25_19.37.42.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-27 17:46:04 884,736 ----a-w C:\WINNT\gmer.dll
+ 2008-04-18 04:13:02 811,008 ----a-w C:\WINNT\gmer.exe
+ 2008-08-26 22:47:16 18,944 ----a-r C:\WINNT\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-08-26 22:47:16 65,024 ----a-r C:\WINNT\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-08-27 17:46:04 85,969 ----a-w C:\WINNT\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [08-08-19 23:34 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [05-11-15 01:51 755472]
"EPSON Stylus CX4200 Series"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [05-03-07 20:00 98304]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08-03-29 02:12 98304]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08-06-27 20:15 580096]
"Synchronization Manager"="mobsync.exe" [99-12-07 05:00 111376 C:\WINNT\system32\mobsync.exe]
"LoadQM"="loadqm.exe" [00-05-03 18:23 7536 C:\WINNT\loadqm.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [07-09-04 16:40 6856704]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [08-05-21 20:06 219136]

C:\Documents and Settings\Lee\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2005-01-26 10:26:50 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [08-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
08-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Defragmentation Manager]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DHCP Client]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Keyboard Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\LSA Server]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sound Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ulead Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ulead Systems]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\upnpdrv]
@="Service"

R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\System32\Drivers\avg7rsnt.sys [08-05-21 20:06 ]
R3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);C:\WINNT\System32\drivers\ctlsb16.sys [99-10-23 14:10 ]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\System32\DRIVERS\el90xbc5.sys [99-10-23 05:22 ]
S3 Winacpci;Winacpci;C:\WINNT\System32\DRIVERS\winacpci.sys [99-09-25 00:55 ]
S4 Defragmentation Manager;Managing FAT and NTFS partitions;C:\WINNT\System32\dfrgfat16.exe []
S4 GencTurK RootKit;TurkSpy For RootKit;C:\system.exe []
S4 Keyboard Service;Keyboard Service System Files;C:\WINNT\System32\keyboard.exe []
S4 LSA Server;Local Security Authority Server;C:\WINNT\system32\msupdater.exe []
S4 Sound Service;Sound Sservice Driver ;C:\WINNT\System32\cfmon.exe []
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-28 20:42:57
Windows 5.0.2195 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
SystemRoot\System32\smss.exe [144]
??\C:\WINNT\system32\csrss.exe [168]
??\C:\WINNT\system32\winlogon.exe [188]
C:\WINNT\system32\services.exe [216]
C:\WINNT\system32\lsass.exe [228]
C:\WINNT\system32\svchost.exe [392]
C:\WINNT\system32\spoolsv.exe [420]
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe [448]
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe [492]
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe [516]
C:\WINNT\System32\svchost.exe [576]
C:\WINNT\system32\stisvc.exe [608]
C:\WINNT\System32\WBEM\WinMgmt.exe [652]
C:\WINNT\system32\cmd.exe [268]
C:\WINNT\loadqm.exe [932]
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [792]
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE [944]
C:\Program Files\QuickTime\qttask.exe [1036]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe [980]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [1048]
C:\WINNT\System32\ZoneLabs\vsmon.exe [1172]
C:\WINNT\Explorer.exe [952]
C:\ComboFix\catchme.cfexe [456]
.
**************************************************************************
.
Completion time: 2008-08-28 20:48:25 - machine was rebooted [Lee]
ComboFix-quarantined-files.txt 2008-08-29 03:47:47
ComboFix2.txt 2008-08-28 18:57:40
ComboFix3.txt 2008-08-27 02:54:17
ComboFix4.txt 2008-08-26 02:39:11

Pre-Run: 3,487,080,448 bytes free
Post-Run: 3,480,924,160 bytes free

159

And here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:02:20 PM, on 8/28/2008
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\loadqm.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\System32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://xiah.gamescampus.com/luncher/GamesCampus.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 4237 bytes
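As an added example (not part of this thread, and not HijackThis's own code), here is a small Python triage script for the HijackThis log format posted above: it keeps the R/F/N/O entries, drops the process list, and flags the O23 service lines and O16 ActiveX downloads a helper looks at first. The sample log is constructed from lines in this thread's format; the "Example Service" entry and its path are placeholders.

```python
"""HijackThis v2 log triage: added example, not part of this thread or of
HijackThis.  Keeps the R/F/N/O entries, drops the process list, and flags the
O23 service lines and O16 ActiveX downloads a helper reviews first."""
import re
from dataclasses import dataclass

# Every HJT entry is "<section> - <text>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<text>.*)$")
# O23 text: "Service: <name> (<short name>) - <owner> - <image path>"
O23_RE = re.compile(r"^Service: (?P<name>.*?) \((?P<short>[^)]*)\) - "
                    r"(?P<owner>.*?) - (?P<path>.*)$")

@dataclass
class Entry:
    section: str
    text: str

def parse_hjt(log: str) -> list:
    """Return the entries; process paths, headers and the trailer are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("text")))
    return entries

def service_fields(entry: Entry):
    """name/short/owner/path of an O23 entry, or None for anything else."""
    if entry.section != "O23":
        return None
    m = O23_RE.match(entry.text)
    return m.groupdict() if m else None

def flags_for(entry: Entry) -> list:
    """Review flags for one entry: 'look at this', not 'this is malicious'."""
    flags = []
    svc = service_fields(entry)
    if svc:
        # "Unknown owner" = no company version info; legit drivers can lack it too.
        if svc["owner"] == "Unknown owner":
            flags.append("unknown-owner")
        # Image gone but still registered: the dangling O23 entries fixed in HJT above.
        if "(file missing)" in svc["path"]:
            flags.append("file-missing")
    if entry.section == "O16":
        flags.append("activex-download")  # DPF: control fetched from a web site
    return flags

def triage(entries: list) -> list:
    """(entry, flags) pairs for the entries that carry at least one flag."""
    return [(e, f) for e in entries if (f := flags_for(e))]

# Constructed sample in the format of the logs in this thread; the
# "Example Service" line and its path are placeholders.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
C:\WINNT\Explorer.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://xiah.gamescampus.com/luncher/GamesCampus.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: Example Service (ExampleSvc) - Unknown owner - C:\WINNT\System32\EXAMPLE_PLACEHOLDER.exe (file missing)
End of file - 4238 bytes
"""
```

To run it over a saved log, call `triage(parse_hjt(open(path).read()))` and print the returned (entry, flags) pairs.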
 
Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\system.exe
  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
 
Here's the results:

File/Folder C:\system.exe not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08292008_111430
 
We're almost to the end, but it appears that as we remove items, others show up.


Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above Driver::


Code:
Driver::
Defragmentation Manager
GencTurK RootKit
Keyboard Service
LSA Server
Sound Service

Rootkit::
C:\WINNT\System32\dfrgfat16.exe
C:\system.exe
C:\WINNT\System32\keyboard.exe
C:\WINNT\system32\msupdater.exe
C:\WINNT\System32\cfmon.exe

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

(screenshot: CFScriptB-4.gif)



This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
 
Here's the ComboFix report:

ComboFix 08-08-28.02 - Lee 08/29/2008 12:23:16.5 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.0.1252.1.1033.18.160 [GMT -7:00]
Running from: C:\Documents and Settings\Lee\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lee\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DEFRAGMENTATION_MANAGER
-------\Legacy_GENCTURK_ROOTKIT
-------\Legacy_KEYBOARD_SERVICE
-------\Legacy_LSA_SERVER
-------\Legacy_SOUND_SERVICE
-------\Service_Defragmentation Manager
-------\Service_GencTurK RootKit
-------\Service_Keyboard Service
-------\Service_LSA Server
-------\Service_Sound Service


((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))))))))))))))))))))))))
.

2008-08-29 11:14 . 08-08-29 11:14 <DIR> d-------- C:\_OTMoveIt
2008-08-27 23:22 . 08-08-28 12:10 553,356 ---h----- C:\WINNT\ShellIconCache
2008-08-27 10:46 . 08-08-27 10:46 250 --a------ C:\WINNT\gmer.ini
2008-08-26 15:47 . 08-08-26 15:47 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-26 15:47 . 08-08-26 15:47 <DIR> d-------- C:\Documents and Settings\Lee\Application Data\SUPERAntiSpyware.com
2008-08-26 15:47 . 08-08-26 15:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-25 15:48 . 08-08-25 15:48 <DIR> d-------- C:\WINNT\ERUNT
2008-08-25 15:48 . 93-05-22 15:01 438 --a------ C:\WINNT\system32\AUTOEXEC.NT
2008-08-25 15:41 . 08-08-25 16:11 <DIR> d-------- C:\SDFix
2008-08-25 11:08 . 08-08-25 11:23 <DIR> d-------- C:\fixwareout
2008-08-22 13:17 . 08-08-22 13:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-19 22:15 . 08-08-20 10:36 <DIR> d-------- C:\Documents and Settings\Lee\Application Data\Antispyware
2008-08-19 20:19 . 02-05-15 15:16 462,848 --a------ C:\WINNT\system32\msaatext.dll
2008-08-19 20:19 . 02-05-15 15:16 360,448 --a------ C:\WINNT\system32\oleacc.dll
2008-08-19 20:19 . 02-05-15 15:16 360,448 --a--c--- C:\WINNT\system32\dllcache\oleacc.dll
2008-08-19 20:19 . 02-05-15 15:16 356,352 --a------ C:\WINNT\system32\oleaccrc.dll
2008-08-19 20:19 . 02-05-15 15:16 356,352 --a--c--- C:\WINNT\system32\dllcache\oleaccrc.dll
2008-08-19 18:57 . 08-07-10 15:12 600 --a------ C:\WINNT\win.tmp
2008-08-19 18:57 . 05-01-03 10:30 231 --a------ C:\WINNT\system.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-28 04:21 --------- d-----w C:\Documents and Settings\Lee\Application Data\AVG7
2008-08-26 22:46 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-21 04:15 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-21 04:14 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-20 17:36 --------- d-----w C:\Documents and Settings\Lee\Application Data\SpywareBot
2008-08-20 00:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\AVG7
2008-08-18 22:18 --------- d-----w C:\Documents and Settings\Lee\Application Data\uTorrent
2008-07-04 20:24 --------- d-----w C:\Program Files\Starcraft
2005-01-04 01:49 271 -c-h--w C:\Program Files\desktop.ini
1999-12-07 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys
2008-03-21 20:29 479,232 -c--a-w C:\Program Files\mozilla firefox\plugins\msvcm80.dll
2008-03-21 20:29 548,864 -c--a-w C:\Program Files\mozilla firefox\plugins\msvcp80.dll
2008-03-21 20:29 626,688 -c--a-w C:\Program Files\mozilla firefox\plugins\msvcr80.dll
.

((((((((((((((((((((((((((((( snapshot@Mon 2008-08-25_19.37.42.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-27 17:46:04 884,736 ----a-w C:\WINNT\gmer.dll
+ 2008-04-18 04:13:02 811,008 ----a-w C:\WINNT\gmer.exe
+ 2008-08-26 22:47:16 18,944 ----a-r C:\WINNT\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-08-26 22:47:16 65,024 ----a-r C:\WINNT\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-08-27 17:46:04 85,969 ----a-w C:\WINNT\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [08-08-19 23:34 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [05-11-15 01:51 755472]
"EPSON Stylus CX4200 Series"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [05-03-07 20:00 98304]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08-03-29 02:12 98304]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08-06-27 20:15 580096]
"Synchronization Manager"="mobsync.exe" [99-12-07 05:00 111376 C:\WINNT\system32\mobsync.exe]
"LoadQM"="loadqm.exe" [00-05-03 18:23 7536 C:\WINNT\loadqm.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [07-09-04 16:40 6856704]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [08-05-21 20:06 219136]

C:\Documents and Settings\Lee\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2005-01-26 10:26:50 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [08-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
08-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DHCP Client]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ulead Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ulead Systems]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\upnpdrv]
@="Service"

R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\System32\Drivers\avg7rsnt.sys [08-05-21 20:06 ]
R3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);C:\WINNT\System32\drivers\ctlsb16.sys [99-10-23 14:10 ]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\System32\DRIVERS\el90xbc5.sys [99-10-23 05:22 ]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-29 12:33:03
Windows 5.0.2195 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
SystemRoot\System32\smss.exe [148]
??\C:\WINNT\system32\csrss.exe [168]
??\C:\WINNT\system32\winlogon.exe [160]
C:\WINNT\system32\services.exe [216]
C:\WINNT\system32\lsass.exe [228]
C:\WINNT\system32\svchost.exe [396]
C:\WINNT\system32\spoolsv.exe [420]
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe [456]
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe [500]
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe [532]
C:\WINNT\System32\svchost.exe [560]
C:\WINNT\system32\stisvc.exe [592]
C:\WINNT\System32\WBEM\WinMgmt.exe [636]
C:\WINNT\system32\cmd.exe [932]
C:\WINNT\loadqm.exe [1016]
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE [1036]
C:\Program Files\QuickTime\qttask.exe [992]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe [1052]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [1068]
C:\WINNT\System32\ZoneLabs\vsmon.exe [984]
C:\WINNT\Explorer.exe [1008]
C:\ComboFix\catchme.cfexe [976]
.
**************************************************************************
.
Completion time: 2008-08-29 12:39:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-29 19:38:41
ComboFix2.txt 2008-08-29 03:48:29
ComboFix3.txt 2008-08-28 18:57:40
ComboFix4.txt 2008-08-27 02:54:17
ComboFix5.txt 2008-08-29 19:22:24

Pre-Run: 3,490,766,848 bytes free
Post-Run: 3,484,639,232 bytes free

154

And here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:42:06 PM, on 8/29/2008
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\loadqm.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\System32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://xiah.gamescampus.com/luncher/GamesCampus.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 4238 bytes
 
Looking good :bigthumb::bigthumb:

Let's work on the ZoneAlarm issue; not sure if the file is corrupt or infected.

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad.

Code:
@echo off
for %%g in (

C:\Qoobox\Quarantine\C\WINNT\system32\vsdatant.sys.vir

) do zip Files_for_submission %%g
del %0

Save this as grab.bat
Choose to "Save type as - All Files"
Save it on your desktop.
It should look like this:
(icon image: bat_icon.gif)


Double click on grab.bat & allow it to run

A file, Files_for_submission.zip will be created on your desktop. Please upload that file here:

http://www.bleepingcomputer.com/subm....php?channel=4


In the "Link to topic where this file was requested:" area, copy and paste this:


http://forums.spybot.info/showthread.php?t=33062&page=3

Once it shows:


Your file was successfully submitted. Please let the user helping you know that you have submitted the file.

Close the site and let me know.
 
Great, so just hang in until we hear back from sUbs. After all our hard work your system is finally clean :bigthumb:
 
Hi, I have a question about the programs I downloaded to clean my computer. Can you tell me which ones are OK for scanning regularly and which ones I shouldn't be using? Thanks.
 