YIKES, Please help!

C:\WINNT\system32\vxwxx.ini
C:\WINNT\system32\vxwxx.bak1
C:\WINNT\system32\xxwxv.dll
C:\WINNT\system32\vxwxx.ini
C:\WINNT\system32\vxwxx.bak1
C:\WINNT\system32\vxwxx.ini
C:\WINNT\system32\vxwxx.bak1

Beginning removal...

Attempting to delete C:\WINNT\system32\xxwxv.dll
C:\WINNT\system32\xxwxv.dll Has been deleted!

Attempting to delete C:\WINNT\system32\vxwxx.ini
C:\WINNT\system32\vxwxx.ini Has been deleted!

Attempting to delete C:\WINNT\system32\vxwxx.bak1
C:\WINNT\system32\vxwxx.bak1 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 08:07:42 PM 12/03/2006

Listing files found while scanning....

VundoFix had an error code pop up... I rebooted and ran it again and it found nothing.
 
Logfile of HijackThis v1.99.1
Scan saved at 08:24:08 PM, on 12/03/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system\winlogon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\System32\hkeyman.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\Real\Player\realplay.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
C:\Program Files\AClient\Bin\XCDiffCache.exe
C:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\system32\dxvwgagn.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AClient\Bin\XCGSTask.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\WINNT\system32\ZoneLabs\UpdClient.exe
C:\Documents and Settings\Administrator\Desktop\hijack this\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {B2709554-FDAC-48BC-A321-11E5D42AD903} - C:\WINNT\system32\xxwxv.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINNT\system32\cxmwyqru.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Hotkey] C:\WINNT\System32\hkeyman.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [RealTray] C:\Real\Player\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
O4 - HKLM\..\Run: [Afaria Client File Differencing] C:\Program Files\AClient\Bin\XCDiffCache.exe
O4 - HKLM\..\Run: [WSPPurge] C:\Program Files\Aflac\Common\WSPPurge.exe
O4 - HKLM\..\Run: [_zlu_zlope05] c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Explorer 2238] C:\WINNT\system32\dxvwgagn.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [_zlu_zlope05] c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
O4 - HKCU\..\Run: [AOL Instant Messenger (TM)] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [_zlu_zlope05] c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
O4 - Global Startup: Afaria Client Generic Scheduler.lnk = AClient\Bin\XCGSTask.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A9335EF-D408-4405-9E81-7CF61F390B4A}: NameServer = 205.171.3.65 205.171.2.65
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINNT\system32\dxvwgagn.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINNT\system\winlogon.exe

I tried to download Blacklight but cannot find the page. I even went to f-secure.com and that page won't come up. I installed ZoneAlarm, as you can probably see; now I am getting a couple of things trying to connect to the internet: wkufind.exe and dxvwgagn.exe. There are also 2 suspicious files in the Windows folder, if1 and if2.

I really need to get this machine up and running. The internet connection works fine now and I was able to download the firewall directly instead of burning a disk on someone's computer. I will try and stay up tonight and watch for your post so I can log the secure Blacklight to you.

Thanks again for the help! :D
 
Hi again, we'll continue :)

Sorry for the long delay... I see that you have ZoneAlarm running. Those two files that you mentioned: don't allow those to access the internet, they're BAD. Don't allow any suspicious file to connect to the internet. Please try this direct link for Blacklight -> Here

Let's get you cleaned :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.

Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

==================

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.

Stop the following processes using Task Manager (press ctrl+alt+del, select the Processes tab, highlight the first process in the list and click End Process). Continue through the list (one at a time) until all processes have been ended. If something isn't found, please continue with the next process in the list.

_zsk_zlu_zlope05ovpiecwleutelf_k.exe
dxvwgagn.exe

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O2 - BHO: (no name) - {B2709554-FDAC-48BC-A321-11E5D42AD903} - C:\WINNT\system32\xxwxv.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINNT\system32\cxmwyqru.dll
O4 - HKLM\..\Run: [_zlu_zlope05] c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
O4 - HKLM\..\Run: [Explorer 2238] C:\WINNT\system32\dxvwgagn.exe
O4 - HKLM\..\RunServices: [_zlu_zlope05] c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
O4 - HKCU\..\Run: [_zlu_zlope05] c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINNT\system32\dxvwgagn.exe

Please run Killbox.

Select "Delete on Reboot".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINNT\system32\cxmwyqru.dll
c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
C:\WINNT\system32\dxvwgagn.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Select "All Files".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.

Run ATF Cleaner
  • Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
- Run a scan with GMER, post the log
- Run a scan with Blacklight, post the log
- Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt
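Once the fresh HijackThis log comes back, the two checks the helper is really asking for can be scripted: did the listed entries actually go away (or did the infection re-create them on reboot), and is any core Windows binary name still running from outside System32, which is how the fake WINLOGON service at C:\WINNT\system\winlogon.exe stands out next to the real one in system32. This is an added example, not code from the thread or from HijackThis; the log excerpts inside it are constructed from lines posted in this thread, and the System32-only rule assumes a 32-bit Windows 2000/XP box like this one.

```python
"""Compare a fresh HijackThis log against the entries that were supposed to be
fixed, and flag core Windows binary names running from the wrong directory.
Added example, not HijackThis's or the thread's own code; the log excerpts
below are constructed from lines posted in this thread."""
import re
from typing import Dict, List, Optional, Set, Tuple

# One HijackThis entry: "O4 - HKLM\..\Run: [name] command", "O2 - BHO: ...", "R1 - ..."
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<rest>.*)$")
# O4 autoruns carry a registry key (or "Global Startup"), a [name] and a command.
O4_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Binaries a healthy NT system only runs from %SystemRoot%\System32.
# Assumption: 32-bit Windows 2000/XP as in this thread (no SysWOW64 copies).
CORE_SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe",
                        "services.exe", "lsass.exe", "svchost.exe"}


def parse_entry(line: str) -> Optional[Dict[str, str]]:
    r"""Return the entry kind plus a comparable fingerprint, or None for
    non-entry lines (headers, the running-process list, blank lines).

    The fingerprint is the CLSID when the entry has one (O2 BHO, O21 SSODL),
    for O4 the registry key plus the launched command, otherwise the last
    " - " field (the file path for O23 services), case-folded so the same
    item still matches if a later log changes its case."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.group("kind"), m.group("rest")
    if kind == "O4":
        o4 = O4_RE.match(rest)
        if o4:
            fp = f"{o4.group('key').lower()}|{o4.group('cmd').strip().lower()}"
            return {"kind": kind, "name": o4.group("name"), "fingerprint": fp}
    clsid = CLSID_RE.search(rest)
    fp = clsid.group(0).upper() if clsid else rest.rsplit(" - ", 1)[-1].strip().lower()
    return {"kind": kind, "name": rest, "fingerprint": fp}


def fingerprints(log_text: str) -> Set[Tuple[str, str]]:
    """All (kind, fingerprint) pairs found in a HijackThis log."""
    found = set()
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry:
            found.add((entry["kind"], entry["fingerprint"]))
    return found


def still_present(fix_list: str, fresh_log: str) -> List[str]:
    """Lines of fix_list whose entry is still in fresh_log: the fix did not
    stick, or something re-created the entry on reboot."""
    fresh = fingerprints(fresh_log)
    leftovers = []
    for line in fix_list.splitlines():
        entry = parse_entry(line)
        if entry and (entry["kind"], entry["fingerprint"]) in fresh:
            leftovers.append(line.strip())
    return leftovers


def masquerading_system_binaries(log_text: str) -> List[str]:
    r"""Paths from the running-process list or O23 service entries where a
    core Windows binary name runs from a directory other than ...\System32
    (e.g. C:\WINNT\system\winlogon.exe beside the real system32 copy)."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if DRIVE_PATH_RE.match(line):
            path = line
        elif line.startswith("O23 - "):
            path = line.rsplit(" - ", 1)[-1].strip()
        else:
            continue
        path = path.strip('"')
        directory, _, filename = path.rpartition("\\")
        if filename.lower() in CORE_SYSTEM_BINARIES and not directory.lower().endswith("\\system32"):
            hits.append(path)
    return hits


# Constructed excerpts, copied from the two HijackThis logs posted in this thread.
FIX_LIST = r"""
O2 - BHO: (no name) - {B2709554-FDAC-48BC-A321-11E5D42AD903} - C:\WINNT\system32\xxwxv.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINNT\system32\cxmwyqru.dll
O4 - HKLM\..\Run: [Explorer 2238] C:\WINNT\system32\dxvwgagn.exe
O4 - HKLM\..\RunServices: [_zlu_zlope05] c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINNT\system32\dxvwgagn.exe
"""

BEFORE_LOG = r"""
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system\winlogon.exe
C:\WINNT\system32\dxvwgagn.exe
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINNT\system32\cxmwyqru.dll
O4 - HKLM\..\Run: [Explorer 2238] C:\WINNT\system32\dxvwgagn.exe
O4 - HKLM\..\RunServices: [_zlu_zlope05] c:\winnt\system32\_zsk_zlu_zlope05ovpiecwleutelf_k.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINNT\system32\dxvwgagn.exe
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINNT\system\winlogon.exe
"""

AFTER_LOG = r"""
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for label, log in (("before cleanup", BEFORE_LOG), ("after cleanup", AFTER_LOG)):
        print(f"== {label} ==")
        print("fix-list entries still present:", still_present(FIX_LIST, log) or "none")
        print("core binaries outside System32:", masquerading_system_binaries(log) or "none")
```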
 
blacklight log

12/04/06 10:06:23 [Info]: BlackLight Engine 1.0.47 initialized
12/04/06 10:06:23 [Info]: OS: 5.0 build 2195 (Service Pack 4)
12/04/06 10:06:25 [Note]: 7019 4
12/04/06 10:06:25 [Note]: 7005 0
12/04/06 10:06:32 [Note]: 7006 0
12/04/06 10:06:32 [Note]: 7011 1292
12/04/06 10:06:33 [Note]: 7026 0
12/04/06 10:06:33 [Note]: 7026 0
12/04/06 10:06:48 [Note]: FSRAW library version 1.7.1020
12/04/06 10:06:48 [Note]: 2000 1012
12/04/06 10:13:19 [Note]: 2000 1012
12/04/06 10:13:19 [Note]: 2000 1012
12/04/06 10:18:20 [Note]: 7007 0


Do you want a GMER log now?
 
avg antivirus

Mrjak3, I assumed that you wanted AVG to run in Safe Mode. It is running now, but I can only guess that all of the boxes were checked, as they are off the screen in Safe Mode.
 
AVG report and HJT

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 01:17:23 PM 12/04/2006

+ Scan result:



C:\Documents and Settings\Administrator\Desktop\SDFix\backups1\backups.zip/backups/wlmsngr.exe -> Backdoor.SdBot.xd : Cleaned with backup (quarantined).
C:\WINDOWS\if1.exe -> Downloader.Harnig.dk : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Desktop\SDFix\backups1\backups.zip/backups/MZU_DRV.sys -> Proxy.Small.bo : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Desktop\SDFix\backups1\backups.zip/backups/msasvc.exe -> Trojan.Sinowal.bh : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll -> Trojan.Sinowal.bk : Cleaned with backup (quarantined).


::Report end

Logfile of HijackThis v1.99.1
Scan saved at 01:43:58 PM, on 12/04/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\System32\hkeyman.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\Real\Player\realplay.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
C:\Program Files\AClient\Bin\XCDiffCache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\AClient\Bin\XCGSTask.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Documents and Settings\Administrator\Desktop\hijack this\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Hotkey] C:\WINNT\System32\hkeyman.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [RealTray] C:\Real\Player\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
O4 - HKLM\..\Run: [Afaria Client File Differencing] C:\Program Files\AClient\Bin\XCDiffCache.exe
O4 - HKLM\..\Run: [WSPPurge] C:\Program Files\Aflac\Common\WSPPurge.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AOL Instant Messenger (TM)] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Afaria Client Generic Scheduler.lnk = AClient\Bin\XCGSTask.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A9335EF-D408-4405-9E81-7CF61F390B4A}: NameServer = 205.171.3.65 205.171.2.65
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
 
gmer log

GMER 1.0.12.11889 - http://www.gmer.net
Rootkit scan 2006-12-04 13:57:34
Windows 5.0.2195 Service Pack 4


---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT IPVNMon.sys ZwDeviceIoControlFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess

---- User code sections - GMER 1.0.12 ----

.text C:\WINNT\Explorer.EXE[940] WS2_32.DLL!send 75031BCC 5 Bytes JMP 11C08220 C:\Program Files\Network Associates\VirusScan\Wbhook32.dll
.text C:\WINNT\Explorer.EXE[940] WS2_32.DLL!connect 7503C1B9 5 Bytes JMP 11C08080 C:\Program Files\Network Associates\VirusScan\Wbhook32.dll
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1780] WS2_32.DLL!send 75031BCC 5 Bytes JMP 11C08220 C:\Program Files\Network Associates\VirusScan\Wbhook32.dll
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1780] WS2_32.DLL!connect 7503C1B9 5 Bytes JMP 11C08080 C:\Program Files\Network Associates\VirusScan\Wbhook32.dll

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [ED55085A] avgtdi.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [ED55085A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [ED55085A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [ED55085A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [B9B462A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [ED55085A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [B9B462A0] vsdatant.sys

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\Administrator\My Documents\My Pictures\Sample.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS C:\Documents and Settings\Administrator\My Documents\My Pictures\Sample.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}

---- EOF - GMER 1.0.12 ----
 
Blacklight nothing and SDFix

12/04/06 13:59:32 [Info]: BlackLight Engine 1.0.47 initialized
12/04/06 13:59:32 [Info]: OS: 5.0 build 2195 (Service Pack 4)
12/04/06 13:59:32 [Note]: 7019 4
12/04/06 13:59:32 [Note]: 7005 0
12/04/06 13:59:41 [Note]: 7006 0
12/04/06 13:59:41 [Note]: 7011 940
12/04/06 13:59:42 [Note]: 7026 0
12/04/06 13:59:43 [Note]: 7026 0
12/04/06 13:59:55 [Note]: FSRAW library version 1.7.1020
12/04/06 13:59:55 [Note]: 2000 1012
12/04/06 14:06:30 [Note]: 2000 1012
12/04/06 14:06:30 [Note]: 2000 1012
12/04/06 14:09:23 [Note]: 7007 0



SDFix: Version 1.44
********************

Mon 12/04/2006 - 12:01:19.41

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\DOCUME~1\ADMINI~1\Desktop\SDFix

Stage One - Safe Mode
Checking Services...

Service Name:

MZU_RK
WINLOGON

File Path:

\??\C:\WINNT\system32\MZU_DRV.sys
"C:\WINNT\system\winlogon.exe"

MZU_RK Service Deleted...
WINLOGON Service Deleted...

Starting Registry Repairs...

Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two - Normal Mode

Checking For Malware:
--------------------

C:\WINNT\system32\i

Backing Up and Removing any Files Found...

Final Check:

Services:
---------


Files:
------

Backups Folder: - C:\DOCUME~1\ADMINI~1\Desktop\SDFix\backups\backups.zip

Checking for files with Hidden Attributes:

C:\WINNT\MsCae32.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\ffvvrwch.exe
C:\WINNT\IdleProc.exe
C:\CONFIG.SYS
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Shortcut Bar\Off2.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0003.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0004.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0005.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2947.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\$b17a2e8.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\Off2.tmp
C:\Program Files\InterActual\InterActual Player\itiE.tmp
C:\WINNT\Temp\$_2341235.TMP

FINISHED!

I will run AVG Anti-Spyware again in normal mode to see if it finds anything and post that report.

Thanks again
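The SDFix log above deleted a service named WINLOGON whose image was C:\WINNT\system\winlogon.exe, one directory away from the real C:\WINNT\system32\winlogon.exe that also appears in the process list. The check below is an added example, not a tool used in this thread: it flags core Windows binaries that run from, or are registered from, anywhere but their home directory, and it strips the quoting and the NT `\??\` prefix that service ImagePath values carry. The table of expected directories and the C:\WINNT system root are this example's assumptions taken from the logs; the sample paths are a constructed subset of the process and service paths quoted in this thread.

```python
"""Flag core Windows binaries found outside their home directory.

Added example for this thread, not a tool the posters used. Assumes the
Windows 2000 layout seen in the logs (%SystemRoot% = C:\WINNT).
"""
import ntpath

SYSTEM32 = r"C:\WINNT\system32"

# Basename -> the only directory it should legitimately be loaded from.
# Assumption: this table, built from the logs above, not from a Microsoft reference.
EXPECTED_DIR = {
    "smss.exe": SYSTEM32,
    "csrss.exe": SYSTEM32,
    "winlogon.exe": SYSTEM32,
    "services.exe": SYSTEM32,
    "lsass.exe": SYSTEM32,
    "svchost.exe": SYSTEM32,
    "spoolsv.exe": SYSTEM32,
    "explorer.exe": r"C:\WINNT",
}


def normalize(raw):
    """Strip decorations seen in service File Path / ImagePath values: quotes and the NT '\\??\\' prefix."""
    p = raw.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    return p


def check_paths(raw_paths):
    """Return (path, expected_dir) for every core binary whose directory is not its home directory."""
    findings = []
    for raw in raw_paths:
        path = normalize(raw)
        directory, base = ntpath.split(path)
        expected = EXPECTED_DIR.get(base.lower())
        # normcase lowercases and unifies separators, so System32 == system32
        if expected and ntpath.normcase(directory) != ntpath.normcase(expected):
            findings.append((path, expected))
    return findings


# Constructed sample: a subset of the running-process and service paths quoted in this thread.
SAMPLE = [
    r"C:\WINNT\System32\smss.exe",
    r"C:\WINNT\system32\winlogon.exe",
    r"C:\WINNT\system32\services.exe",
    r"C:\WINNT\system32\lsass.exe",
    r"C:\WINNT\System32\svchost.exe",
    r"C:\WINNT\system\winlogon.exe",          # the process SDFix's WINLOGON service pointed at
    '"C:\\WINNT\\system\\winlogon.exe"',       # the same path as printed in the service's File Path
    r"\??\C:\WINNT\system32\MZU_DRV.sys",     # NT-prefixed driver path; not a core binary, ignored
    r"C:\WINNT\Explorer.EXE",
]

if __name__ == "__main__":
    for path, expected in check_paths(SAMPLE):
        print("SUSPECT %s (expected under %s)" % (path, expected))
```

The same basename-versus-directory comparison is worth running over every `Running processes:` list and every service path a tool prints, since a lookalike only has to differ by one directory component to pass a casual read.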
 
AVG Anti-Spyware

I tried to run Anti-Spyware after posting all of the logs. I was suspicious that all of the boxes were ticked in safe mode, as they were off the edge of the screen. The first time I ran it in regular mode, I got a blue screen:

Stop: 0x00000C2 (0x00000007, 0x00000B8A, 0x842DC680, 0x842DC688)
BAD_POOL_CALLER
Beginning dump of physical memory, physical memory dump complete

2nd scan was better, no blue screen. Log is:


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 03:01:26 PM 12/04/2006

+ Scan result:



C:\Documents and Settings\Administrator\Desktop\SDFix\backups1\backups.zip/backups/wlmsngr.exe -> Backdoor.SdBot.xd : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Desktop\SDFix\backups1\backups.zip/backups/MZU_DRV.sys -> Proxy.Small.bo : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Desktop\SDFix\backups1\backups.zip/backups/msasvc.exe -> Trojan.Sinowal.bh : Cleaned with backup (quarantined).


::Report end


Thanks for your help with this mess

Nacra
 
OK, we're making progress :)

Run ATF Cleaner
  • Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Go to virustotal.com
Click on the Browse button
Browse to the following file: C:\WINNT\MsCae32.dll
Click Open and then on Send
Wait for the scan to end.

Copy & Paste the scan results to here.

Go to virustotal.com
Click on the Browse button
Browse to the following file: C:\WINNT\IdleProc.exe
Click Open and then on Send
Wait for the scan to end.

Copy & Paste the scan results to here.

Then, please do the following...

To generate a HijackThis Startup list:

1. Open HijackThis by double-clicking the desktop shortcut or HijackThis.exe
2. Click on "Open the Misc Tools Section"
3. Make sure that both boxes to the right of "Generate StartupList Log" are checked:

* List also minor sections (Full)
* List empty sections (Complete)

4. Click "Generate StartupListLog"
5. Click "Yes" at the prompt.
6. A Notepad window will open with the contents of the HijackThis Startup list displayed
7. Copy & Paste that log to here

 
No C:\WINNT\MsCae32.dll or IdleProc.exe

I could not find them in the Browse function and then ran a search and came up with nothing.
 
HJT startup list

StartupList report, 12/05/2006, 12:47:03 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Administrator\Desktop\hijack this\scanner.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\System32\hkeyman.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\Real\Player\realplay.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
C:\Program Files\AClient\Bin\XCDiffCache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AClient\Bin\XCGSTask.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Documents and Settings\Administrator\Desktop\hijack this\scanner.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Afaria Client Generic Scheduler.lnk = AClient\Bin\XCGSTask.exe
Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
WinZip Quick Pick.lnk = WinZip\WZQKPICK.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Hotkey = C:\WINNT\System32\hkeyman.exe
ATIModeChange = Ati2mdxx.exe
AtiPTA = atiptaxx.exe
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
Synchronization Manager = mobsync.exe /logon
PRPCMonitor = PRPCUI.exe
RealTray = C:\Real\Player\realplay.exe SYSTEMBOOTHIDEPLAYER
LoadQM = loadqm.exe
hpfsched = C:\WINNT\hpfsched.exe
HP Software Update = "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
HP Component Manager = "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
BJCFD = C:\Program Files\BroadJump\Client Foundation\CFD.exe
IPInSightLAN 02 = "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
IPInSightMonitor 02 = "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
Microsoft Works Update Detection = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
WUSB11B.exe = C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
Afaria Client File Differencing = C:\Program Files\AClient\Bin\XCDiffCache.exe
WSPPurge = C:\Program Files\Aflac\Common\WSPPurge.exe
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
Zone Labs Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

AOL Instant Messenger (TM) = C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\system32\sspipes.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

HP DArC Task #Hewlett-Packard#hp officejet 5500 series#1077223641.job
HP DArC Task #Hewlett-Packard#hp psc 2100 series#1136083739.job
Low Battery Alarm Program.job

--------------------------------------------------

Enumerating Download Program Files:

[{B9191F79-5613-4C76-AA2A-398534BB8999}]
CODEBASE = http://download.yahoo.com/dl/installs/yab_af.cab

[PhotosCtrl Class]
InProcServer32 = C:\Program Files\Yahoo!\Common\YPhotos.dll
CODEBASE = http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINNT\temp\netfx.msi||C:\WINNT\temp\netfx1.cab||C:\WINNT\temp\OLD10.tmp||C:\WINNT\temp\OLD12.tmp||C:\WINNT\temp\OLD14.tmp||C:\WINNT\temp\OLD18.tmp||C:\WINNT\temp\OLD24.tmp||C:\WINNT\temp\OLD3C.tmp||C:\WINNT\temp\OLD3E.tmp||C:\WINNT\temp\OLD40.tmp||C:\WINNT\temp\OLD42.tmp||C:\WINNT\temp\OLD44.tmp||C:\WINNT\temp\OLD46.tmp||C:\WINNT\temp\OLD48.tmp||C:\WINNT\temp\OLD7.tmp||C:\WINNT\temp\OLD9.tmp||C:\WINNT\temp\OLDE.tmp||C:\WINNT\temp\WebPoolFileFile||C:\WINNT\temp\ZLT058b6.TMP||C:\WINNT\temp\ZLT058bc.TMP||C:\Documents and Settings\Administrator\Cookies\index.dat||C:\Documents and Settings\Administrator\cookies\index.dat||C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\content.ie5\index.dat||C:\Documents and Settings\Default User\cookies\index.dat


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 8,204 bytes
Report generated in 1.362 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
Hi :)

You didn't check the two boxes that I asked for when you created the StartupList... it is important.

Let's try again:

Go to virustotal.com
Copy the following filepath to the box next to the "Select file:" (on the upper side of the page) C:\WINNT\MsCae32.dll
Click Send
Wait for the scan to end.

Copy & Paste the scan results to here.

Go to virustotal.com
Copy the following filepath to the box next to the "Select file:" (on the upper side of the page) C:\WINNT\IdleProc.exe
Click Send
Wait for the scan to end.

Copy & Paste the scan results to here.

=============

To generate a HijackThis Startup list:

1. Open HijackThis by double-clicking the desktop shortcut or HijackThis.exe
2. Click on "Open the Misc Tools Section"
3. Make sure that both boxes to the right of "Generate StartupList Log" are checked:

* List also minor sections (Full)
* List empty sections (Complete)


4. Click "Generate StartupListLog"
5. Click "Yes" at the prompt.
6. A Notepad window will open with the contents of the HijackThis Startup list displayed
7. Copy & Paste that log to here

 
HJT startup log

Posted this last night and it didn't go through, I guess.

 
OK, what about VirusTotal?

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 
MsCae

STATUS: FINISHED
Complete scanning result of "MsCae32.dll", received in VirusTotal at 12.05.2006, 18:42:39 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.49 12.05.2006 no virus found
Authentium 4.93.8 12.04.2006 no virus found
Avast 4.7.892.0 12.05.2006 no virus found
AVG 386 12.05.2006 no virus found
BitDefender 7.2 12.05.2006 no virus found
CAT-QuickHeal 8.00 12.05.2006 no virus found
ClamAV devel-20060426 12.05.2006 no virus found
DrWeb 4.33 12.05.2006 no virus found
eSafe 7.0.14.0 12.03.2006 no virus found
eTrust-InoculateIT 23.73.76 12.05.2006 no virus found
eTrust-Vet 30.3.3232 12.05.2006 no virus found
Ewido 4.0 12.05.2006 no virus found
Fortinet 2.82.0.0 12.05.2006 no virus found
F-Prot 3.16f 12.04.2006 no virus found
F-Prot4 4.2.1.29 12.04.2006 no virus found
Ikarus T3.1.0.26 12.05.2006 no virus found
Kaspersky 4.0.2.24 12.05.2006 no virus found
McAfee 4911 12.05.2006 no virus found
Microsoft 1.1804 12.05.2006 no virus found
NOD32v2 1902 12.05.2006 no virus found
Norman 5.80.02 12.05.2006 no virus found
Panda 9.0.0.4 12.05.2006 no virus found
Prevx1 V2 12.05.2006 no virus found
Sophos 4.12.0 12.04.2006 no virus found
Sunbelt 2.2.907.0 11.30.2006 no virus found
TheHacker 6.0.3.129 12.05.2006 no virus found
UNA 1.83 12.04.2006 no virus found
VBA32 3.11.1 12.05.2006 no virus found
VirusBuster 4.3.15:9 12.05.2006 no virus found


Additional Information
File size: 27648 bytes
MD5: 37b5a2f81cb5cd559f7a9a07179adad2
SHA1: 4e9fde673bf29e25d2a354970be36b9c6058a549
 
IdleProc

Sorry, some of your posts aren't showing up when I switch computers. I'm watching for your reply on an old one, then connecting with the problem computer.



STATUS: FINISHED
Complete scanning result of "IdleProc.exe", received in VirusTotal at 12.05.2006, 18:49:16 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.49 12.05.2006 no virus found
Authentium 4.93.8 12.04.2006 no virus found
Avast 4.7.892.0 12.05.2006 no virus found
AVG 386 12.05.2006 no virus found
BitDefender 7.2 12.05.2006 no virus found
CAT-QuickHeal 8.00 12.05.2006 no virus found
ClamAV devel-20060426 12.05.2006 no virus found
DrWeb 4.33 12.05.2006 no virus found
eSafe 7.0.14.0 12.03.2006 no virus found
eTrust-InoculateIT 23.73.76 12.05.2006 no virus found
eTrust-Vet 30.3.3232 12.05.2006 no virus found
Ewido 4.0 12.05.2006 no virus found
Fortinet 2.82.0.0 12.05.2006 no virus found
F-Prot 3.16f 12.04.2006 no virus found
F-Prot4 4.2.1.29 12.04.2006 no virus found
Ikarus T3.1.0.26 12.05.2006 no virus found
Kaspersky 4.0.2.24 12.05.2006 no virus found
McAfee 4911 12.05.2006 no virus found
Microsoft 1.1804 12.05.2006 no virus found
NOD32v2 1902 12.05.2006 no virus found
Norman 5.80.02 12.05.2006 no virus found
Panda 9.0.0.4 12.05.2006 no virus found
Prevx1 V2 12.05.2006 Malicious
Sophos 4.12.0 12.04.2006 no virus found
Sunbelt 2.2.907.0 11.30.2006 no virus found
TheHacker 6.0.3.129 12.05.2006 no virus found
UNA 1.83 12.04.2006 no virus found
VBA32 3.11.1 12.05.2006 no virus found
VirusBuster 4.3.15:9 12.05.2006 no virus found


Additional Information
File size: 43520 bytes
MD5: ed77549daadce98c2a4039ce108e0a6a
SHA1: ed573da86a3200eab105607e1d18c28c753fb4b9
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=e5155739747
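The two reports above differ by a single line: 29 engines on MsCae32.dll are clean, and on IdleProc.exe only Prevx1 says "Malicious" with no family name. The script below is an added example, not the posters' tooling and not a VirusTotal API client: it parses the plain-text report format as pasted on this page, counts which engines fired, pulls out the MD5/SHA1/size lines, and turns the ratio into a rough verdict. The verdict thresholds are this example's own assumption, and the embedded report is a constructed excerpt of the IdleProc.exe result above (a subset of its engine lines).

```python
"""Summarize a VirusTotal text report of the kind pasted in this thread.

Added example, not the posters' tooling. The verdict thresholds below are an
assumption of this example, not a VirusTotal rule.
"""
import re

# One engine per line: <name> <version> <MM.DD.YYYY> <result>
ENGINE_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+?)\s*$")
CLEAN = "no virus found"


def parse_report(text):
    """Return the engines seen, the (engine, label) pairs that fired, and hash/size metadata."""
    engines, hits, meta = [], [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ENGINE_LINE.match(line)
        if m:
            name, _version, _updated, result = m.groups()
            engines.append(name)
            if result.lower() != CLEAN:
                hits.append((name, result))
            continue
        for key in ("MD5", "SHA1"):
            if line.startswith(key + ":"):
                meta[key.lower()] = line.split(":", 1)[1].strip()
        size = re.match(r"File size:\s*([\d,]+)\s*bytes", line)
        if size:
            meta["size"] = int(size.group(1).replace(",", ""))
    return {"engines": engines, "hits": hits, **meta}


def verdict(summary):
    """Assumed rule of thumb: one or two hits, with no family name, is a lead, not proof."""
    n, h = len(summary["engines"]), len(summary["hits"])
    if h == 0:
        return "no detections (0/%d)" % n
    if h <= 2:
        return "low-confidence (%d/%d): resubmit later or check the hash elsewhere" % (h, n)
    return "likely malicious (%d/%d)" % (h, n)


# Constructed excerpt of the IdleProc.exe report above (eight of its engine lines).
IDLEPROC_REPORT = """\
STATUS: FINISHED
Complete scanning result of "IdleProc.exe", received in VirusTotal at 12.05.2006, 18:49:16 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.49 12.05.2006 no virus found
CAT-QuickHeal 8.00 12.05.2006 no virus found
ClamAV devel-20060426 12.05.2006 no virus found
eTrust-InoculateIT 23.73.76 12.05.2006 no virus found
Kaspersky 4.0.2.24 12.05.2006 no virus found
McAfee 4911 12.05.2006 no virus found
Prevx1 V2 12.05.2006 Malicious
VirusBuster 4.3.15:9 12.05.2006 no virus found

Additional Information
File size: 43520 bytes
MD5: ed77549daadce98c2a4039ce108e0a6a
SHA1: ed573da86a3200eab105607e1d18c28c753fb4b9
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=e5155739747
"""

if __name__ == "__main__":
    summary = parse_report(IDLEPROC_REPORT)
    print(verdict(summary), summary["hits"], summary.get("md5"))
```

Keeping the MD5/SHA1 from the report is the useful part: if the file is later deleted or changes, the hash is what lets you re-query the sample or compare it with what the cleanup tool backed up.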
 
combofix log

Do you need another HJT startup ?


Administrator - Tue 12/05/2006 11:44:33.85 Service Pack 4
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Administrator\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-11-05 to 2006-12-05 ))))))))))))))))))))))))))))))))))


2006-12-04 12:27 <DIR> d-------- C:\!KillBox
2006-12-04 11:59 <DIR> d-------- C:\SDFix
2006-12-04 11:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2006-12-04 11:48 <DIR> d-------- C:\Program Files\WinZip
2006-12-04 11:22 <DIR> d-------- C:\winzip
2006-12-04 10:55 3,968 --a------ C:\WINNT\system32\drivers\AvgAsCln.sys
2006-12-04 10:53 6,469,352 --a------ C:\Program Files\avgas-setup-7.5.0.50.exe
2006-12-03 19:41 <DIR> d-a------ C:\WINNT\system32\ZoneLabs
2006-12-03 19:31 <DIR> d-------- C:\Program Files\Zone Labs
2006-12-03 19:30 <DIR> d-a------ C:\WINNT\Internet Logs
2006-11-30 20:04 80 --a------ C:\WINNT\gmer_uninstall.cmd
2006-11-10 07:35 76,288 --a------ C:\nvrfooqr.exe
2006-11-07 22:31 <DIR> dr-h----- C:\$VAULT$.AVG
2006-11-07 21:51 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2006-11-07 19:17 778,656 --a------ C:\WINNT\system32\drivers\avg7core.sys
2006-11-07 19:17 4,992 --a------ C:\WINNT\system32\drivers\avgtdi.sys
2006-11-07 19:17 4,288 --a------ C:\WINNT\system32\drivers\avg7rsw.sys
2006-11-07 19:17 27,904 --a------ C:\WINNT\system32\drivers\avg7rsxp.sys
2006-11-07 19:17 26,912 --a------ C:\WINNT\system32\drivers\avg7rsnt.sys
2006-11-07 19:17 23,424 --a------ C:\WINNT\system32\drivers\avgmfrs.sys
2006-11-07 19:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2006-11-07 19:16 <DIR> d-a------ C:\Program Files\Grisoft
2006-11-07 19:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\avg7
2006-11-07 19:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2006-11-07 17:54 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-11-07 17:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-11-06 01:09 122,880 --a------ C:\WINNT\system32\dxvwtdop.exe
2006-11-05 14:36 <DIR> d--h----- C:\WINNT\PIF


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-19 17:54 -------- d-------- C:\Program Files\Worksitepro
2006-11-16 13:22 -------- d-ah----- C:\Program Files\WindowsUpdate
2006-11-07 21:28 -------- d-a-s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2006-11-05 19:55 60416 --a------ C:\guxpw.exe
2006-11-05 19:35 -------- d-------- C:\Documents and Settings\Administrator\Application Data\MSN6
2006-11-05 14:10 51660 --a------ C:\hcjvnlu.exe
2006-11-04 21:16 -------- d-------- C:\Program Files\Messenger
2006-10-30 01:00 51725 --a------ C:\WINNT\system32\rm2.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AOL Instant Messenger (TM)"="C:\\Program Files\\Netscape\\Communicator\\Program\\AIM\\aim.exe -cnetwait.odl"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Hotkey"="C:\\WINNT\\System32\\hkeyman.exe"
"ATIModeChange"="Ati2mdxx.exe"
"AtiPTA"="atiptaxx.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Synchronization Manager"="mobsync.exe /logon"
"PRPCMonitor"="PRPCUI.exe"
"RealTray"="C:\\Real\\Player\\realplay.exe SYSTEMBOOTHIDEPLAYER"
"LoadQM"="loadqm.exe"
"hpfsched"="C:\\WINNT\\hpfsched.exe"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"IPInSightLAN 02"="\"C:\\Program Files\\Visual Networks\\Visual IP InSight\\SBC\\IPClient.exe\" -l"
"IPInSightMonitor 02"="\"C:\\Program Files\\Visual Networks\\Visual IP InSight\\SBC\\IPMon32.exe\""
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"WUSB11B.exe"="C:\\Program Files\\WUSB11 WLAN Monitor\\WUSB11B.exe"
"Afaria Client File Differencing"="C:\\Program Files\\AClient\\Bin\\XCDiffCache.exe"
"WSPPurge"="C:\\Program Files\\Aflac\\Common\\WSPPurge.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,b5,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2238}"="DCOM Server 2238"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"_NoDriveTypeAutoRun"=dword:00000095

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\HP DArC Task #Hewlett-Packard#hp officejet 5500 series#1077223641.job
C:\WINNT\tasks\HP DArC Task #Hewlett-Packard#hp psc 2100 series#1136083739.job
C:\WINNT\tasks\Low Battery Alarm Program.job

Completion time: Tue 2006-12-05 11:45:30.23
C:\ComboFix.txt ... 06-12-05 11:45
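From the ComboFix log above the helper picks five files to delete: three executables sitting directly in C:\ and two consonant-heavy names in C:\WINNT\system32, while leaving the AVG drivers, the AVG installer and the GMER uninstall script alone. The script below is an added example, not ComboFix's or Killbox's own logic: it parses the dated entries of the "Files Created" and "Find3M" sections in the format printed on this page and applies two triage heuristics (any executable at the drive root; any executable under %SystemRoot% whose name is mostly consonants) with a small vendor allowlist. The heuristics, the allowlist (AVG and GMER, which the thread shows were installed deliberately) and the nine-character attribute field are this example's assumptions; the sample log is a constructed excerpt of the entries above. They reproduce the helper's picks for this log but are no substitute for hash lookups and signature checks.

```python
"""Triage the file entries of a ComboFix log into a Killbox 'Delete on Reboot' list.

Added example for this thread, not ComboFix's or Killbox's own logic. The
heuristics and the allowlist below are assumptions of this example.
"""
import re
import ntpath

SYSTEM_ROOT = r"C:\WINNT"
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".cmd", ".bat"}
KNOWN_PREFIXES = ("avg", "gmer")   # assumption: installed on purpose, per the thread

# <YYYY-MM-DD> <HH:MM> <size | <DIR> | -------->  <9-char attrs>  <path>
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+(\S+)\s+(\S{9})\s+(.+?)\s*$")


def parse_entries(log):
    """Return (path, is_dir, size_or_None) for every dated entry in the log."""
    out = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        size_field, attrs, path = m.group(3), m.group(4), m.group(5)
        is_dir = attrs.startswith("d") or size_field == "<DIR>"
        size = int(size_field.replace(",", "")) if size_field[0].isdigit() else None
        out.append((path, is_dir, size))
    return out


def looks_random(stem):
    """Lower-case alphanumeric stem with a quarter or fewer vowels among its letters."""
    letters = [c for c in stem if c.isalpha()]
    if not letters or stem != stem.lower() or not stem.isalnum():
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) <= 0.25


def triage(log):
    """Executables at the drive root, or random-looking ones under SYSTEM_ROOT, minus the allowlist."""
    suspects = []
    sysroot_prefix = ntpath.normcase(SYSTEM_ROOT + "\\")
    for path, is_dir, _size in parse_entries(log):
        if is_dir:
            continue
        stem, ext = ntpath.splitext(ntpath.basename(path))
        if ext.lower() not in EXEC_EXT:
            continue
        if stem.lower().startswith(KNOWN_PREFIXES):
            continue
        at_drive_root = re.match(r"^[A-Za-z]:\\[^\\]+$", path) is not None
        under_sysroot = ntpath.normcase(path).startswith(sysroot_prefix)
        if at_drive_root or (under_sysroot and looks_random(stem)):
            suspects.append(path)
    return suspects


def killbox_list(log):
    """One path per line, ready to paste into Killbox via 'Paste from Clipboard'."""
    return "\n".join(triage(log))


# Constructed excerpt of the ComboFix entries above (Files Created, then Find3M).
SAMPLE_LOG = r"""
2006-12-04 12:27 <DIR> d-------- C:\!KillBox
2006-12-04 10:55 3,968 --a------ C:\WINNT\system32\drivers\AvgAsCln.sys
2006-12-04 10:53 6,469,352 --a------ C:\Program Files\avgas-setup-7.5.0.50.exe
2006-11-30 20:04 80 --a------ C:\WINNT\gmer_uninstall.cmd
2006-11-10 07:35 76,288 --a------ C:\nvrfooqr.exe
2006-11-07 19:17 4,288 --a------ C:\WINNT\system32\drivers\avg7rsw.sys
2006-11-06 01:09 122,880 --a------ C:\WINNT\system32\dxvwtdop.exe
2006-11-05 14:36 <DIR> d--h----- C:\WINNT\PIF
2006-11-19 17:54 -------- d-------- C:\Program Files\Worksitepro
2006-11-05 19:55 60416 --a------ C:\guxpw.exe
2006-11-05 14:10 51660 --a------ C:\hcjvnlu.exe
2006-10-30 01:00 51725 --a------ C:\WINNT\system32\rm2.exe
"""

if __name__ == "__main__":
    print(killbox_list(SAMPLE_LOG))
```

Windows' own deferred-delete mechanism (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT) queues its work in the PendingFileRenameOperations value that the StartupList log earlier in this thread prints, so that value is the place to confirm after the reboot that the queued deletions actually ran.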
 
OK, it is beginning to look good from here :D
How is the computer running ?

Please run Killbox.

Select "Delete on Reboot".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\nvrfooqr.exe
C:\WINNT\system32\dxvwtdop.exe
C:\guxpw.exe
C:\hcjvnlu.exe
C:\WINNT\system32\rm2.exe
Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Select "All Files".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Now you can clean AVG's Quarantine:
  • Open AVG Anti-Spyware
  • Click Infections
  • Click Quarantine tab
  • Click Select all
  • Click Remove finally
  • Close the program
You can remove the tools we used.

Now you can make your hidden files hidden again.
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Check "Hide protected operating system files"
  • Click Apply and then the OK and close My Computer.
You have two (2) antiviruses installed and running, AVG Antivirus and McAfee. Running more than one antivirus at the same time may cause all kinds of problems and is NOT recommended.
You should leave only one (1) antivirus running. You should uninstall/disable either AVG Antivirus or McAfee. When you have decided, you can uninstall your choice through Control Panel, Add/Remove Programs.

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
  • Use CCleaner
    Download and install CCleaner. Clean your temporary files & folders with it regularly.
  • Use Ad-Aware
    Download and install Ad-Aware. Update it and scan your computer regularly with it.
  • Use Ewido
    Download and install Ewido. Update it and scan your computer regularly with it.
  • Use Spybot S&D
    Download and install Spybot S&D. Update it and scan your computer regularly with it.
  • Install SpywareBlaster
    SpywareBlaster will prevent spyware from being installed.
  • Install MVPS Hosts file
    This prevents your computer from connecting to harmful sites.
  • Use Firefox browser
    Firefox is a faster, safer and better browser than Internet Explorer.
  • Keep your system up-to-date
    Visit Windows Update regularly.
  • Keep your antivirus and firewall up-to-date
    Scan your computer regularly with your antivirus.
  • Read this article by TonyKlein
    So how did I get infected in the first place?
 
question

I tried twice to Control-C and paste the files, but ONLY C:\nvfooqr.exe shows in the Killbox window. Is this correct???
 