Multiple Malware; now have HiJackThis log

No, combofix wasn't needed.

Sure, connect it to internet and test a bit and report back :)
 
Hmm, when I tried to connect back to the internet using either wired or wireless connections, I get the error meesage "An operation was attempted on something that is not a socket" when trying to renew the IP address.

Were my Windows sockets registry subkeys corrupted somewhere in the infection/disinfection process? Should I reinstall TCP/IP per the following instructions, or is the problem much deeper than that?

http://support.microsoft.com/kb/817571

Thanks,
rg.
 
Should not be unless malware has borked them.

Try to follow those instructions first, yes.
 
I followed those instructions, and now the wired and wireless internet connections work. I will "play around" with the web to see if anything acts funny.

I'm trying to install Spybot to scan the machine, and I get an error message during the installation process:
Error creating registry key:
HKEY_CLASSES_ROOT\.sbs

RegCreateKeyEx failed; code 5.
Access is denied.

Click Retry to try again, Ignore to proceed anyway, or Abort to cancel installation.
Click to expand...
Clicking retry gives the same message.

Any idea what that is?

Thanks,
rg.
 
Then I suggest that you post about it here as it seems to be spybot specific issue.

Any malware issues left?
 
This computer has a D drive that also has WinXP installed. I rarely boot from he D drive, but I'm concerned that something may have been "cross infected." When booting from the D drive, things seem ok, but the Symantec Antivirus AutoProtect won't stay enabled. When I click enable, it disables again a second later. Would you be willing to look at the HJT log from a D drive boot:

----Start D-drive HJT Log----
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:28:38 PM, on 8/15/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Ad Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\trcboot.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Apps\Internet\Personal Communications\PCS_AGNT.EXE
C:\Apps\Internet\AT&TNE~1\NetCfgSv.EXE
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\TpChrSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\System32\IMWEBSTA.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Spybot Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.sbank.uk.ibm.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;localhost;9.*;<local>
N3 - Netscape 7: user_pref("browser.startup.homepage", "about:blank"); (C:\Documents and Settings\"username"\Application Data\Mozilla\Profiles\default\yrmv02l7.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CApps%5CInternet%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\"username"\Application Data\Mozilla\Profiles\default\yrmv02l7.slt\prefs.js)
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Apps\Internet\DAP\DAPBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\apps\adobe\acrobat 5.1\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Apps\Internet\DAP\DAPIEBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [IMWEBSTA.EXE] IMWEBSTA.EXE START
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Apps\MultiMedia\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [hpppta] C:\apps\multimedia\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot Search & Destroy\TeaTimer.exe
O4 - Startup: Mouse.lnk = C:\WINDOWS\System32\main.cpl
O8 - Extra context menu item: &Download with &DAP - C:\Apps\Internet\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Apps\Internet\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Apps\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\XMLSPY2004\spy.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\Apps\Internet\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSPY2004\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSPY2004\spy.htm (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ConferenceRoom Java Client - http://pix.sexyads.net:8080/java/cr.cab
O16 - DPF: IBM EA2000 - https://w3-1.ibm.com/tools/us/expenses/EA2000.cab
O16 - DPF: Sametime Meeting Room Client ST20 - https://d02db540.southbury.ibm.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: Sametime Meeting Room Client ST20H3 - http://www-125.ibm.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: Sametime Meeting Room Client ST31 - https://www-1.ibm.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: ST MRC ST31IF1 PMR-90722999000 - https://www-1.ibm.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - http://autosupport.intuit.com/sdccommon/download/tgctlsr.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://extranet.lotus.com/qp2.cab
O16 - DPF: {0B9C9C7D-ED81-4594-AFCB-FC5588125382} (JNILoader Control) - https://d02db540.southbury.ibm.com/sametime/stmeetingroomclient/STJNILoader.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab28177.cab
O16 - DPF: {2B9D3FB5-44D9-4063-A0E4-AF3F3CB15555} (JNILoader Control) - https://d02db541.southbury.ibm.com/sametime/stmeetingroomclient/STJNILoader.cab
O16 - DPF: {4E7D53BD-B8CF-426E-9D84-7A931C9CFC11} (ibmgpws.plugin) - http://w3-3.ibm.com/tools/print/plugin/ibmgpws.CAB
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - https://www-1.ibm.com/sametime/stmeetingroomclient/STJNILoader.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-306.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instantservice.com/jars/customerxsigned33.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9519B2A2-6592-4E41-8290-D0298459270C} (LNWebAssist Class) - http://w3.ibm.com/bluepages/scripts/lnwebassist.cab
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab28177.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://www.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - https://www-3.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4300B272-3776-48D3-9A33-D4019924AB9E}: Domain = itso.ral.ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6ED1B95-34FC-407F-9B85-07FD942A7C54}: Domain = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFF7018B-9207-4862-A8F7-64F15EBE2F48}: Domain = ibm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ibm.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Ad Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: ISAM SMT Service (ISAMsmt) - IBM Global Services - C:\Program Files\C4ebreg\isamsmt.exe
O23 - Service: LocalSystem (ldlcserv) - Unknown owner - C:\WINDOWS\System32\drivers\ldlcserv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\Apps\Internet\AT&TNE~1\NetCfgSv.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad PM (TpChrSrv) - Unknown owner - C:\WINDOWS\System32\TpChrSrv.exe
O23 - Service: TrcBoot - Unknown owner - C:\WINDOWS\System32\drivers\trcboot.exe

--
End of file - 12452 bytes
----End D-drive HJT Log----
 
Could be malware issue or just you need to re-install it.

To eliminate first issue:

* Download GMER from
here:
Unzip it and start GMER.exe
Click the rootkit-tab and click scan.

Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply.
 
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-21 00:03:53
Windows 5.1.2600 Service Pack 1


---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbhub \Device\000000c8 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\000000c9 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-0 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-1 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-2 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\000000ca hcmon.sys (VMware USB monitor/VMware, Inc.)

---- Threads - GMER 1.0.14 ----

Thread 4:680 F1297C44

---- EOF - GMER 1.0.14 ----
 
Yes that is clean.

I recommend that you uninstall and re-install Symantec and let me know if that helped.
 
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.
 
You must log in or register to reply here.
Back
Top