Big-time PC Issues

GMER results:

GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-03-18 09:58:19
Windows 5.0.2195 Service Pack 4


---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [BCB5B880] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [BCB5B880] vsdatant.sys

---- EOF - GMER 1.0.12 ----

NOTE: I still have the VS Add in under Add/Remove Programs. How do I get rid of that? When I try add/remove nothing happens...
 
Ok it is beginning to look good :)

For the Ati leftover:

Disable the bad service
  • Start
  • Run
  • Type services.msc into the field and press Enter.
  • A window opens, scroll down to Ati HotKey Poller
  • Right-click it and choose Stop
  • Then choose Properties
  • Set Startup to Disabled
  • Click Apply and OK.

Then, open HijackThis.
  • Open the Misc Tools section
  • Delete an NT service
  • Copy the following line to the box and press OK; Ati HotKey Poller
  • Answer Yes
  • Close HijackThis

Then the VS-Add in leftover...

Open HijackThis.
  • Open the Misc Tools section
  • Open Uninstall Manager
  • Scroll down to the following entry and select it with your mouse; Vs-add in
  • Delete this entry
  • Answer Yes
  • Close HijackThis

Let me know how things are running :bigthumb:
 
Thanks. I will try that. Reason for this post: I ran another HiJack This scan and saw that my old nemesis rtvcscan is back again! The last scan looked clean after running SDFix. But less than 24 hrs later it returned. What could be the cause of this? Like you said, I've got that firewall on, I get many popups from ZoneAlarm indicating that access to my pc was blocked.
 
That worked. I do not see the VSAdd-in under Add/Remove Programs anymore. Computer is running pretty good. My only concern now is the rtvcscan that keeps reappearing. I manually delete from HiJack This when I do a scan but it comes back every day.
 
I'm sorry for the huge delay, I've been very busy the last two days...

Ok that rtvcscan is very bad....we'll do some more research....


1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 
No worries. Ok, downloaded this to desktop and several icons appeared on desktop. I opened the ComboFix and got a window that said 'Cannot find the file specified'. I uninstalled and went to reinstall and got a 'not enough free disk space' so I'm cleaning up my C:/, which could take a ton of time. Very sloooowly happening. I'll keep you posted on my progress.

I did notice something strange that I didn't see before ComboFix. My clock is in military time and when I scroll over time my date is in 07-03-21 format and not in March 21, 2007. Strange!
 
Hello :)

Were you able to run ComboFix?
You may move the ComboFix.exe in the root of C-Drive if it doesn't want to run (C:\ComboFix.exe). Post the log to here when ready.

Hmm I haven't noticed ComboFix changing the clock output...
 
Sorry for the delay. Thanks for the suggestion. I saved ComboFix at the root of C:/.

Here's the logfile. And there's rtvcscan.exe. I saw this process running in Task Manager and stopped it. But every time I run the HJT scan I see it returning. There is also an rtvscan.exe but that one, I understand, is legitimate.

Let me know what's next when you have a minute!

"administrator" - Sat 03/24/2007 12:23:02 Service Pack 4
ComboFix 07-03-23 - Running from: "C:\"

((((((((((((((((((((((((((((((( Files Created from 2007-02-24 to 2007-03-24 ))))))))))))))))))))))))))))))))))


2007-03-24 11:58 1,112,630 --a--c--- C:\ComboFix.exe
2007-03-23 16:04 <DIR> d-------- C:\Program Files\Verizon
2007-03-18 13:27 602,112 -r-hs---- C:\WINNT\system32\rtvcscan.exe
2007-03-07 19:13 <DIR> d-------- C:\Program Files\iPod
2007-03-07 18:27 <DIR> d-------- C:\Program Files\Apple Software Update
2007-03-06 23:02 <DIR> d-------- C:\Program Files\Yahoo!
2007-03-06 21:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-03-05 19:32 <DIR> d-------- C:\WINNT\system32\ActiveScan
2007-03-04 20:36 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2007-03-04 09:50 4,212 ---h----- C:\WINNT\system32\zllictbl.dat
2007-03-04 09:48 75,512 --a------ C:\WINNT\zllsputility.exe
2007-03-04 09:47 11,264 --a------ C:\WINNT\system32\SpOrder.dll
2007-03-04 09:34 1,087,216 --a------ C:\WINNT\system32\zpeng24.dll
2007-03-04 09:33 <DIR> d-a------ C:\WINNT\system32\ZoneLabs
2007-03-04 09:30 <DIR> d-a------ C:\WINNT\Internet Logs
2007-02-27 08:11 35,328 --a------ C:\WINNT\system32\drivers\marjle.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-24 12:20 -------- d-------- C:\Program Files\symantec antivirus
2007-03-07 18:23 754 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\adobedlm.log
2007-03-07 17:28 902 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\dm.ini
2007-02-18 13:41 -------- d-------- C:\Program Files\google
2007-01-22 09:05 103550 --a------ C:\mix0x.exe
2007-01-11 13:27 1482752 --a------ C:\s1st1fu.exe
2007-01-09 20:01 1190400 --a------ C:\stfu.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Microsoft"="rtvcscan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NGClient"="C:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"QuickTime Task"="\"D:\\Program Files\\qttask.exe\" -atboottime"
"iTunesHelper"="\"D:\\Program Files\\iTunes 7\\iTunesHelper.exe\""
"Microsoft"="rtvcscan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft"="rtvcscan.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"


[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
@="ifconfig.exe"
"Microsoft"="rtvcscan.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ERASERUTILDRV10710
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_RASAUTO


Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\AppleSoftwareUpdate.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: Sat 2007-03-24 12:29:26
 
Hi again :)

Ok I can see the buggers now. Let's see what these really are:

Go to virustotal.com
Copy the following to the box next to "Browse" button:
C:\WINNT\system32\drivers\marjle.sys
Click on Send
Wait for the scan to end.

Copy & Paste the scan results to here.

Do the same for these and post the results to here

C:\mix0x.exe
C:\s1st1fu.exe
C:\stfu.exe

:bigthumb:
 
Complete scanning result of "marjle.sys", received in VirusTotal at 03.25.2007, 16:11:26 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.3.24.1 03.24.2007 no virus found
AntiVir 7.3.1.44 03.25.2007 no virus found
Authentium 4.93.8 03.24.2007 no virus found
Avast 4.7.936.0 03.23.2007 no virus found
AVG 7.5.0.447 03.25.2007 no virus found
BitDefender 7.2 03.25.2007 no virus found
CAT-QuickHeal 9.00 03.23.2007 no virus found
ClamAV devel-20070312 03.25.2007 no virus found
DrWeb 4.33 03.25.2007 no virus found
eSafe 7.0.14.0 03.22.2007 no virus found
eTrust-Vet 30.6.3506 03.23.2007 no virus found
Ewido 4.0 03.25.2007 no virus found
FileAdvisor 1 03.25.2007 no virus found
Fortinet 2.85.0.0 03.25.2007 no virus found
F-Prot 4.3.1.45 03.23.2007 no virus found
F-Secure 6.70.13030.0 03.24.2007 no virus found
Ikarus T3.1.1.3 03.25.2007 no virus found
Kaspersky 4.0.2.24 03.25.2007 no virus found
McAfee 4991 03.23.2007 no virus found
Microsoft 1.2306 03.25.2007 VirTool:WinNT/Protmin.gen!B
NOD32v2 2144 03.25.2007 no virus found
Norman 5.80.02 03.23.2007 no virus found
Panda 9.0.0.4 03.24.2007 no virus found
Prevx1

Complete scanning result of "mix0x.exe", received in VirusTotal at 03.25.2007, 16:19:03 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.3.24.1 03.24.2007 no virus found
AntiVir 7.3.1.44 03.25.2007 TR/Crypt.XPACK.Gen
Authentium 4.93.8 03.24.2007 no virus found
Avast 4.7.936.0 03.23.2007 Win32:SpyBot-A334
AVG 7.5.0.447 03.25.2007 no virus found
BitDefender 7.2 03.25.2007 no virus found
CAT-QuickHeal 9.00 03.23.2007 (Suspicious) - DNAScan
ClamAV devel-20070312 03.25.2007 no virus found
DrWeb 4.33 03.25.2007 no virus found
eSafe 7.0.14.0 03.22.2007 suspicious Trojan/Worm
eTrust-Vet 30.6.3506 03.23.2007 no virus found
Ewido 4.0 03.25.2007 no virus found
FileAdvisor 1 03.25.2007 no virus found
Fortinet 2.85.0.0 03.25.2007 suspicious
F-Prot 4.3.1.45 03.23.2007 W32/Ircbot1.gen
F-Secure 6.70.13030.0 03.24.2007 Backdoor.Win32.Rbot.gen
Ikarus T3.1.1.3 03.25.2007 no virus found
Kaspersky 4.0.2.24 03.25.2007 Backdoor.Win32.Rbot.gen
McAfee 4991 03.23.2007 no virus found
Microsoft 1.2306 03.25.2007 Backdoor:Win32/Rbot.gen
NOD32v2 2144 03.25.2007 a variant of Win32/Rbot
Norman 5.80.02 03.23.2007 W32/Spybot.BIHK
Panda 9.0.0.4 03.24.2007 Suspicious file
Prevx1 V2 03.25.2007 no virus found
Sophos 4.15.0 03.23.2007 W32/Rbot-GHN
Sunbelt 2.2.907.0 03.24.2007 VIPRE.Suspicious
Symantec 10 03.25.2007 no virus found
TheHacker 6.1.6.080 03.23.2007 no virus found
UNA 1.83

Kaspersky 4.0.2.24 03.25.2007 Backdoor.Win32.Rbot.gen ???
 
Complete scanning result of "s1st1fu.exe", received in VirusTotal at 03.25.2007, 16:29:09 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.3.24.1 03.24.2007 no virus found
AntiVir 7.3.1.44 03.25.2007 no virus found
Authentium 4.93.8 03.24.2007 no virus found
Avast 4.7.936.0 03.23.2007 no virus found
AVG 7.5.0.447 03.25.2007 no virus found
BitDefender 7.2 03.25.2007 no virus found
CAT-QuickHeal 9.00 03.23.2007 no virus found
ClamAV devel-20070312 03.25.2007 no virus found
DrWeb 4.33 03.25.2007 no virus found
eSafe 7.0.14.0 03.22.2007 no virus found
eTrust-Vet 30.6.3506 03.23.2007 no virus found
Ewido 4.0 03.25.2007 no virus found
FileAdvisor 1 03.25.2007 no virus found
Fortinet 2.85.0.0 03.25.2007 no virus found
F-Prot 4.3.1.45 03.23.2007 no virus found
F-Secure 6.70.13030.0 03.24.2007 no virus found
Ikarus T3.1.1.3 03.25.2007 no virus found
Kaspersky 4.0.2.24 03.25.2007 no virus found
McAfee 4991 03.23.2007 no virus found
Microsoft 1.2306 03.25.2007 no virus found
NOD32v2 2144 03.25.2007 no virus found
Norman 5.80.02 03.23.2007 no virus found
Panda 9.0.0.4 03.24.2007 Suspicious file
Prevx1 V2 03.25.2007 no virus found
Sophos 4.15.0 03.23.2007 no virus found
Sunbelt 2.2.907.0 03.24.2007 no virus found
Symantec 10 03.25.2007 no virus found
TheHacker 6.1.6.080 03.23.2007 no virus found
UNA 1.83 03.16.2007 no virus found
VBA32 3.11.2 03.24.2007 no virus found
VirusBuster 4.3.7:9 03.25.2007 no virus found
Webwasher-Gateway 6.0.1 03.25.2007 Win32.Malware.gen (suspicious)


Complete scanning result of "stfu.exe", received in VirusTotal at 03.25.2007, 16:35:46 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.3.24.1 03.24.2007 no virus found
AntiVir 7.3.1.44 03.25.2007 TR/Agent.1190400
Authentium 4.93.8 03.24.2007 no virus found
Avast 4.7.936.0 03.23.2007 no virus found
AVG 7.5.0.447 03.25.2007 no virus found
BitDefender 7.2 03.25.2007 DeepScan:Generic.Malware.G!I!!FLMWX!!Bg.58283A94
CAT-QuickHeal 9.00 03.23.2007 no virus found
ClamAV devel-20070312 03.25.2007 no virus found
DrWeb 4.33 03.25.2007 no virus found
eSafe 7.0.14.0 03.22.2007 no virus found
eTrust-Vet 30.6.3506 03.23.2007 no virus found
Ewido 4.0 03.25.2007 no virus found
FileAdvisor 1 03.25.2007 no virus found
Fortinet 2.85.0.0 03.25.2007 suspicious
F-Prot 4.3.1.45 03.23.2007 no virus found
F-Secure 6.70.13030.0 03.24.2007 no virus found
Ikarus T3.1.1.3 03.25.2007 Backdoor.VB.EV
Kaspersky 4.0.2.24 03.25.2007 no virus found
McAfee 4991 03.23.2007 no virus found
Microsoft 1.2306 03.25.2007 no virus found
NOD32v2 2144 03.25.2007 no virus found
Norman 5.80.02 03.23.2007 no virus found
Panda 9.0.0.4 03.24.2007 no virus found
Prevx1 V2 03.25.2007 Covert.Sys.Exec
Sophos 4.15.0 03.23.2007 no virus found
Sunbelt 2.2.907.0 03.24.2007 VIPRE.Suspicious
Symantec 10 03.25.2007 no virus found
TheHacker 6.1.6.080 03.23.2007 no virus found
UNA 1.83 03.16.2007 no virus found
VBA32 3.11.2 03.24.2007 no virus found
VirusBuster 4.3.7:9 03.25.2007 no virus found
Webwasher-Gateway 6.0.1 03.25.2007 Trojan.Agent.1190400
 
Do you need the additional info, as well? Here it is for stfu and marjle.

Aditional Information on stfu.exe scan:
File size: 1190400 bytes
MD5: 014a162e66c1ebd116c1834ee6bec45f
SHA1: b913ceb9fb4b3e3fec51ceae222fe6bf8471c40b
packers: Themida
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=2ba369153975
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

Aditional Information on marjle.sys
File size: 35328 bytes
MD5: 54a971826b86e397ac02dbc7bf2cfcc2
SHA1: 04edab2b0ad045e2d0d6b64df1a8d3b695cb9e6d
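The multi-engine results above are the evidence the helper asked for, and the point a reader should take from them is how to read a split verdict: the installed Symantec AV (and the leftover McAfee entries) report mix0x.exe clean while half the engines name the same bot family. The script below is an added example, not VirusTotal's code or anything from this thread; it parses the mix0x.exe table pasted above, counts detections, tallies which family name the engines agree on, and lists which of the machine's own products missed it. The list of generic words (Win32, Trojan, suspicious and so on) that are stripped before counting family names is an assumption, as is the set of "installed" vendors passed in.

```python
import re
from collections import Counter

DATE_RE = re.compile(r"^\d\d\.\d\d\.\d{4}$")
CLEAN = "no virus found"
# Words that name a platform, category or heuristic rather than a family (assumption).
GENERIC = {"win", "winnt", "trojan", "backdoor", "worm", "gen", "generic",
           "suspicious", "variant", "file", "crypt", "xpack", "malware",
           "dnascan", "vipre", "agent"}

# The mix0x.exe table posted above, pasted verbatim: the header row and the
# truncated "UNA 1.83" row are included to show that both are skipped.
MIX0X_TABLE = """Antivirus Version Update Result
AhnLab-V3 2007.3.24.1 03.24.2007 no virus found
AntiVir 7.3.1.44 03.25.2007 TR/Crypt.XPACK.Gen
Authentium 4.93.8 03.24.2007 no virus found
Avast 4.7.936.0 03.23.2007 Win32:SpyBot-A334
AVG 7.5.0.447 03.25.2007 no virus found
BitDefender 7.2 03.25.2007 no virus found
CAT-QuickHeal 9.00 03.23.2007 (Suspicious) - DNAScan
ClamAV devel-20070312 03.25.2007 no virus found
DrWeb 4.33 03.25.2007 no virus found
eSafe 7.0.14.0 03.22.2007 suspicious Trojan/Worm
eTrust-Vet 30.6.3506 03.23.2007 no virus found
Ewido 4.0 03.25.2007 no virus found
FileAdvisor 1 03.25.2007 no virus found
Fortinet 2.85.0.0 03.25.2007 suspicious
F-Prot 4.3.1.45 03.23.2007 W32/Ircbot1.gen
F-Secure 6.70.13030.0 03.24.2007 Backdoor.Win32.Rbot.gen
Ikarus T3.1.1.3 03.25.2007 no virus found
Kaspersky 4.0.2.24 03.25.2007 Backdoor.Win32.Rbot.gen
McAfee 4991 03.23.2007 no virus found
Microsoft 1.2306 03.25.2007 Backdoor:Win32/Rbot.gen
NOD32v2 2144 03.25.2007 a variant of Win32/Rbot
Norman 5.80.02 03.23.2007 W32/Spybot.BIHK
Panda 9.0.0.4 03.24.2007 Suspicious file
Prevx1 V2 03.25.2007 no virus found
Sophos 4.15.0 03.23.2007 W32/Rbot-GHN
Sunbelt 2.2.907.0 03.24.2007 VIPRE.Suspicious
Symantec 10 03.25.2007 no virus found
TheHacker 6.1.6.080 03.23.2007 no virus found
UNA 1.83
"""


def parse_results(table):
    """Return (vendor, result) pairs; rows without a complete date column are dropped."""
    rows = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) < 4 or not DATE_RE.match(parts[2]):
            continue
        rows.append((parts[0], " ".join(parts[3:])))
    return rows


def family_votes(rows):
    """Count, once per engine, the family-like words in each detection name."""
    votes = Counter()
    for _, result in rows:
        if result.lower() == CLEAN:
            continue
        words = {w.lower() for w in re.findall(r"[A-Za-z]{3,}", result)}
        votes.update(words - GENERIC)
    return votes


def summarize(rows, installed=()):
    """Detection count, the family most engines agree on, and which installed AVs missed."""
    votes = family_votes(rows)
    top = votes.most_common(1)
    return {
        "engines": len(rows),
        "detections": sum(1 for _, r in rows if r.lower() != CLEAN),
        "top_family": top[0][0] if top else None,
        "family_votes": top[0][1] if top else 0,
        "installed_missed": [v for v, r in rows if v in installed and r.lower() == CLEAN],
    }


if __name__ == "__main__":
    print(summarize(parse_results(MIX0X_TABLE), installed=("Symantec", "McAfee")))
```

Run as-is it reports 14 of 28 engines flagging the file, "rbot" as the family five engines agree on, and both Symantec and McAfee among the misses, which is why a clean report from the resident scanner alone was never going to settle the question of rtvcscan.exe.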
 
Hi again, we'll continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Stop the following processes using Task Manager (press ctrl+alt+del, select the Processes tab, highlight the first process in the list and click End Process). Continue through the list (one at a time) until all processes have been ended. If something isn't found, please continue with the next process in the list.

rtvcscan.exe


Backup your registry:
  • Start
  • Run
  • Type the following to the box and hit Ok: regedit
  • A window opens, click on File
  • Choose Export from the menu
  • Change the save location to C:\
  • Give the filename, RegBackUp
  • Make sure that the filetype is set to Registryfiles (*.reg)
  • Click on Save and Close the window
Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end (don't forget to copy and paste the word REGEDIT4):

REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Microsoft"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Microsoft"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft"=-


[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
@=-
"Microsoft"=-
Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.


Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    Code:
    C:\WINNT\system32\rtvcscan.exe
    C:\WINNT\system32\drivers\marjle.sys
    C:\mix0x.exe
    C:\s1st1fu.exe
    C:\stfu.exe
  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Restart the computer. Run ComboFix again and post the log to here.
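The Fix.reg above was written by hand from the ComboFix "Reg Loading Points" section, and every value it removes shares the same tells: a bare filename with no path (so Windows resolves it through the search path), a value name of "Microsoft" that names a vendor rather than a product, an executable sitting in a Run key's (Default) value, and a filename one character away from the legitimate Symantec Rtvscan.exe. The script below is an added example, not part of ComboFix or the helper's instructions; it applies those checks to a cut-down copy of the log posted above and emits the same REGEDIT4 deletion file. The suspicious-name list and the short list of known-good process names are assumptions.

```python
import re

AUTORUN_KEYS = {"run", "runonce", "runservices", "runservicesonce"}
IMAGE_EXT = (".exe", ".dll", ".sys", ".com", ".scr")
SUSPICIOUS_NAMES = {"microsoft", "windows", "system", "update"}  # assumption
KNOWN_GOOD = {"rtvscan.exe", "svchost.exe", "lsass.exe", "services.exe",  # assumption
              "winlogon.exe", "explorer.exe", "csrss.exe"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"([^"]*)"|(@))=(.*)$')
EXT_RE = re.compile(r"\.(exe|dll|sys|com|scr)\b", re.I)

# Constructed input: a cut-down copy of the 'Reg Loading Points' section of the
# ComboFix log posted above (values are escaped exactly as ComboFix prints them).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Microsoft"="rtvcscan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NGClient"="C:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"QuickTime Task"="\"D:\\Program Files\\qttask.exe\" -atboottime"
"Microsoft"="rtvcscan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft"="rtvcscan.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
@="ifconfig.exe"
"Microsoft"="rtvcscan.exe"
"""


def unescape(s):
    # ComboFix doubles backslashes and escapes quotes inside values; undo both.
    return re.sub(r"\\(.)", r"\1", s)


def command_image(raw):
    """Return the program image from a dumped Run value, without its arguments."""
    value = raw.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = unescape(value[1:-1])
    if value.startswith('"'):                     # quoted path, arguments follow it
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    m = EXT_RE.search(value)                      # unquoted path: cut after the extension
    return value[:m.end()] if m else value


def parse_autoruns(log_text):
    """Collect {key, name, image} for every value under a Run-type key."""
    entries, key = [], None
    for line in log_text.splitlines():
        km = KEY_RE.match(line.strip())
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line.strip())
        if not vm or key is None or key.lower().rsplit("\\", 1)[-1] not in AUTORUN_KEYS:
            continue
        image = command_image(vm.group(3))
        if image.lower().endswith(IMAGE_EXT):
            name = vm.group(1) if vm.group(1) is not None else "@"
            entries.append({"key": key, "name": name, "image": image})
    return entries


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(entries):
    """Attach a reason list to each entry that shows a masquerading trait."""
    flagged = []
    for e in entries:
        base, reasons = e["image"].rsplit("\\", 1)[-1].lower(), []
        if ":" not in e["image"] and "\\" not in e["image"]:
            reasons.append("bare filename, resolved through the search path")
        if e["name"].lower() in SUSPICIOUS_NAMES:
            reasons.append("value named after a vendor rather than a product")
        if e["name"] == "@":
            reasons.append("executable stored in the key's (Default) value")
        if base not in KNOWN_GOOD:
            reasons += ["lookalike of " + g for g in KNOWN_GOOD if edit_distance(base, g) == 1]
        if reasons:
            flagged.append(dict(e, reasons=reasons))
    return flagged


def build_fix_reg(flagged):
    """Emit the REGEDIT4 file that deletes the flagged values (the 'name=-' syntax)."""
    by_key = {}
    for e in flagged:
        by_key.setdefault(e["key"], []).append(e["name"])
    lines = ["REGEDIT4", ""]
    for key, names in by_key.items():
        lines.append("[%s]" % key)
        lines += ["@=-" if n == "@" else '"%s"=-' % n for n in names]
        lines.append("")                          # .reg files need a trailing blank line
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = triage(parse_autoruns(SAMPLE_LOG))
    for h in hits:
        print(h["key"], h["name"], h["image"], "; ".join(h["reasons"]))
    print(build_fix_reg(hits))
```

On the sample it flags exactly the five values the helper's Fix.reg removes (four "Microsoft"="rtvcscan.exe" entries and the @="ifconfig.exe" default value) and leaves the fully-pathed Symantec, QuickTime and Ghost entries alone; the rtvcscan.exe entries additionally carry "lookalike of rtvscan.exe", which is the confusion the original poster ran into in Task Manager.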
 
ComboFix log:

"administrator" - Sun 03/25/2007 21:43:23 Service Pack 4
ComboFix 07-03-23 - Running from: "C:\"

((((((((((((((((((((((((((((((( Files Created from 2007-02-25 to 2007-03-25 ))))))))))))))))))))))))))))))))))


2007-03-25 21:23 40,803,056 --a--c--- C:\RegBackUp.reg
2007-03-24 11:58 1,112,630 --a--c--- C:\ComboFix.exe
2007-03-23 16:04 <DIR> d-------- C:\Program Files\Verizon
2007-03-07 19:13 <DIR> d-------- C:\Program Files\iPod
2007-03-07 18:27 <DIR> d-------- C:\Program Files\Apple Software Update
2007-03-06 23:02 <DIR> d-------- C:\Program Files\Yahoo!
2007-03-06 21:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-03-05 19:32 <DIR> d-------- C:\WINNT\system32\ActiveScan
2007-03-04 20:36 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2007-03-04 09:50 4,212 ---h----- C:\WINNT\system32\zllictbl.dat
2007-03-04 09:48 75,512 --a------ C:\WINNT\zllsputility.exe
2007-03-04 09:47 11,264 --a------ C:\WINNT\system32\SpOrder.dll
2007-03-04 09:34 1,087,216 --a------ C:\WINNT\system32\zpeng24.dll
2007-03-04 09:33 <DIR> d-a------ C:\WINNT\system32\ZoneLabs
2007-03-04 09:30 <DIR> d-a------ C:\WINNT\Internet Logs


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-25 21:39 -------- d-------- C:\Program Files\symantec antivirus
2007-03-07 18:23 754 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\adobedlm.log
2007-03-07 17:28 902 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\dm.ini
2007-02-18 13:41 -------- d-------- C:\Program Files\google


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NGClient"="C:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"QuickTime Task"="\"D:\\Program Files\\qttask.exe\" -atboottime"
"iTunesHelper"="\"D:\\Program Files\\iTunes 7\\iTunesHelper.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ERASERUTILDRV10710


Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\AppleSoftwareUpdate.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: Sun 2007-03-25 21:48:19
C:\ComboFix2.txt ... 07-03-24 12:29
 
Hey! I think we're all good. My HJT log (unless I'm missing something) looks clean. I can't tell you how excited I am. This is awesome! You rock!

Logfile of HijackThis v1.99.1
Scan saved at 9:48:39 PM, on 3/26/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\qttask.exe
D:\Program Files\iTunes 7\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\iTunes 7\iTunes.exe
C:\Program Files\Apple Software Update\SoftwareUpdate.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis\Scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes 7\iTunesHelper.exe"
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.sungard.corp
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec New Zealand Limited - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: OracleOra9ias_homeClientCache - Unknown owner - C:\ora9ias\BIN\ONRSD.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
 
Hi again, it is looking clean now :)

Now you can clean AVG's Quarantine:
  • Open AVG Anti-Spyware
  • Click Infections
  • Click Quarantine tab
  • Click Select all
  • Click Remove finally
  • Close the program
You can remove the tools we used.
You can delete the folder, C:\_OtMoveIT

Now you can make your hidden files hidden again.
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Check "Hide protected operating system files"
  • Click Apply and then the OK and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:

Stay clean and be safe ;)
 